From upananda.singha at motorolasolutions.com Thu Feb 1 00:16:29 2018
From: upananda.singha at motorolasolutions.com (Upananda Singha)
Date: Thu, 1 Feb 2018 10:46:29 +0530
Subject: [keycloak-user] Keycloak 3.4 and Oracle Timesten

Hi all,

I have been trying to configure Keycloak with Oracle Timesten but without any success.

Has anybody ever tried Timesten as the backend database for Keycloak? It would be of great help if anyone can give some pointer whether Timesten can be used at all with Keycloak 3.4.

Thanks & regds,

*Upananda *

From subodhcjoshi82 at gmail.com Thu Feb 1 00:22:05 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 1 Feb 2018 10:52:05 +0530
Subject: [keycloak-user] Keycloak 3.4 and Oracle Timesten

Not Oracle Timesten, but I tried with Postgres and MariaDB and it works well.

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From upananda.singha at motorolasolutions.com Thu Feb 1 00:26:59 2018
From: upananda.singha at motorolasolutions.com (Upananda Singha)
Date: Thu, 1 Feb 2018 10:56:59 +0530
Subject: [keycloak-user] Keycloak 3.4 and Oracle Timesten

Thank you Subodh,

Yes, my specific use case is to try to integrate with Oracle TimesTen. I too experimented with MySQL and PostgreSQL and both work fine, but I am not able to get it working with TimesTen.
Thanks & Regds,

*Upananda *

From subodhcjoshi82 at gmail.com Thu Feb 1 00:32:30 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 1 Feb 2018 11:02:30 +0530
Subject: [keycloak-user] Keycloak 3.4 and Oracle Timesten

Is there any exception? If yes, please share it as well. If Keycloak supports this DB you will surely get a reply from a core team member.

From upananda.singha at motorolasolutions.com Thu Feb 1 01:42:59 2018
From: upananda.singha at motorolasolutions.com (Upananda Singha)
Date: Thu, 1 Feb 2018 12:12:59 +0530
Subject: [keycloak-user] Keycloak 3.4 and Oracle Timesten

Hi All,

Please find the configurations I am having for Timesten...

Datasource (standalone.xml; element tags did not survive the archive, values are as posted):
pool-name="KeycloakDS" enabled="true" use-java-context="true">
jdbc:timesten:client:TTC_Server=172.27.9.23;TTC_Server_DSN=DG_010231;TCP_PORT=53389;uid=testuser;pwd=testpwd;tcp_timeout=180
TimesTenDriver
20
testuser testpwd
module="com.timesten">
com.timesten.jdbc.xa.TimesTenXADataSource

module.xml configuration ("/modules/system/layers/keycloak/com/timesten/main/module.xml")
------------------------
xmlns="urn:jboss:module:1.3" name="com.timesten">
name="javax.api"/>

My LD_LIBRARY_PATH is having all the Timesten libraries
------------------------------------------------------
libodbc.so libttclasses.so.gcc410 libttco.so libttJdbc.so libttutilD.so ttjdbc6.jar libttclassesCS.so libttclient.so libttco.so.noplsql libttjmsxla.so libttutil.so ttjdbc7.jar libttclassesCS.so.gcc346 libttclient.so.gcc346 libttcrs.so libttorD.so orai18n.jar ttjdbc8.jar libttclassesCS.so.gcc410 libttclient.so.gcc410 libttenD.so libttor.so README.TXT ucp.jar libttclasses.so libttcoD.so libtten.so libttplD.so timestenjmsxla.jar libttclasses.so.gcc346 libttcoD.so.noplsql libttJdbcCS.so libttpl.so ttjdbc5.jar

I am getting the below error:

11:57:08,980 INFO [org.keycloak.services] (ServerService Thread Pool -- 51) KC-SERVICES0001: Loading config from standalone.xml or domain.xml
11:57:09,342 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started realmRevisions cache from keycloak container
11:57:09,352 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started userRevisions cache from keycloak container
11:57:09,359 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container
11:57:09,359 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 51) Node name: proc500_9_23, Site name: null
11:57:09,940 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
11:57:10,108 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
11:57:10,111 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
11:57:10,136 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
11:57:10,138 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
11:57:10,166 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
11:57:10,169 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
11:57:10,319 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
11:57:12,220 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
11:57:12,253 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
11:57:12,255 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
11:57:12,277 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meant
...
...
...
11:57:12,767 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 51) Initializing database schema. Using changelog META-INF/jpa-changelog-master.xml
11:57:12,794 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Attempt to release lock, which is not owned by current transaction
11:57:12,804 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Attempt to release lock, which is not owned by current transaction
11:57:12,807 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
11:57:12,819 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 51) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.j

Thanks & Regds,

*Upananda*

From mposolda at redhat.com Thu Feb 1 03:51:51 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 1 Feb 2018 09:51:51 +0100
Subject: [keycloak-user] User registration flow - Can UID mapped into SN and CN ?
Message-ID: <077280d3-c8fd-ab1a-0d7d-af3e9e6dac06@redhat.com>

If you go to the "Mappers" tab of your LDAP Federation Provider, go to the UserAttribute mappers for "firstName" and "lastName" and change the switch "Is Mandatory In LDAP" to On, then Keycloak will send some "temporary" values (just a space by default) for CN and SN during user registration. Those are then changed to the real firstName and lastName of the user in the next request (assuming firstName and lastName are provided).

You can enable TRACE logging for LDAP in standalone.xml (category org.keycloak.storage.ldap) to see the requests to LDAP and when they pass.

Marek

On 31/01/18 20:50, Min Han Lee wrote:
> Hello guys,
>
> Our LDAP environment has a schema which requires sn and cn to be stated when creating a new user, therefore the User Registration in the KC will not work as the KC can only use UID as the main attribute to register a new user.
>
> I'm thinking if anyone is able to work around this by changing the UID to another attribute?
>
> Kind Regards
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jlieskov at redhat.com Thu Feb 1 05:32:57 2018
From: jlieskov at redhat.com (Jan Lieskovsky)
Date: Thu, 1 Feb 2018 11:32:57 +0100
Subject: [keycloak-user] Keycloak OpenShift Template part of the openshift library project

Hello Charles,

thank you for checking.

On Wed, Jan 31, 2018 at 6:47 PM, Charles Moulliard wrote:
> Hi,
>
> The only OpenShift Keycloak Template available (I think so) is part of the xpaas project and can be deployed according to this doc [1] on OpenShift with the xpaas templates (A-MQ, ....)
>
> Are there any plans to have an OpenShift Keycloak template available from the openshift library project [2]?

I can confirm we are currently actively investigating the possibility to have some of the Red Hat SSO template(s) available from the OpenShift library project too. For now this is a WIP effort though. There are multiple conditions / inputs that need to be met first for this template to be available. As such it is currently not possible to specify an exact timeline (ETA) when this template will be delivered. But we are working on it, and the plan is to have such a template available as soon as possible.

> Without such info as part of the library, we can't install Keycloak as it will not appear when you browse the OpenShift catalog of your OpenShift cluster instance (running using minishift, ....)
>
> [1] https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_jboss_sso_for_openshift/
> [2] https://github.com/openshift/library
>
> Regards,

Hope this helps

Thank you && Regards,
Jan
--
Jan iankko Lieskovsky / Keycloak / RH-SSO Team

> Charles

From jpperata at gmail.com Thu Feb 1 08:29:54 2018
From: jpperata at gmail.com (Juan Pablo Perata)
Date: Thu, 01 Feb 2018 13:29:54 +0000
Subject: [keycloak-user] User session logout in Keycloak Console seems not to work if using User Federation Provider

To add something else: I discovered I was changing JSESSIONID after successful login in a callback servlet. I removed that because Keycloak itself is invalidating the old session and assigning a new id. Otherwise, to my surprise, after logging out the session from the Keycloak admin console the session remains active and I am still logged in to the application.

Any tip is appreciated.

Regards,
Juan

On Wed, Jan 31, 2018 at 12:20 PM Juan Pablo Perata wrote:
> Hello,
>
> This issue seems application specific, but I could not reach the root yet.
>
> I would like to know if someone faced this in the Keycloak Admin Console, or some tips you could give me to see what is going on.
>
> *Environment*
> Web application running on Wildfly 10.1.0.Final and secured with Keycloak.
> Keycloak 3.4.3.Final server running in :
> Wildfly 10.1.0.Final server running in :
>
> *Description*
> Found that session logout from Keycloak admin does not have effect for federated users in my web application.
> Steps:
> - develop your own user federation provider to connect to an internal database (implements interfaces _UserStorageProvider, CredentialInputValidator, UserLookupProvider, OnUserCache_)
> - properly configure the user federation provider in the keycloak realm
> - configure and deploy a JSF based web OIDC client application in Wildfly secured by Keycloak
> - Go to: _:/_ and authenticate using the federation provider
> Authentication succeeded
> - Go to Keycloak Console -> Realm -> Sessions -> (select web application client) -> Show sessions. Then select from the displayed table -> "Sessions" tab
> - Click "Logout all sessions" or "Logout" the specific session. A success message is displayed and the session disappears from the table.
> - Go to _:/_ and check that the session is still alive and the user is authenticated.
> - Checked in a Filter in the web application that the "org.keycloak.KeycloakSecurityContext" security context is present with information from the logged in user.
>
> *To note:*
> - (correct behaviour) If logout is performed from the web application, the single sign on session is logged out properly (HttpRequest.logout()).
> - (correct behaviour) Tested behaviour with the [product-portal sample | https://github.com/keycloak/keycloak/tree/master/examples/demo-template/product-app] application and *it works ok as expected*. Tested with users loaded in "demo" json and also using my own user federation provider and it works well.
>
> Thanks in advance,
> Juan

From d.weirshousky at xsb.com Thu Feb 1 10:26:48 2018
From: d.weirshousky at xsb.com (Drew Weirshousky)
Date: Thu, 1 Feb 2018 09:26:48 -0600 (CST)
Subject: [keycloak-user] OIDC Identity provider redirect_uri using wrong hostname
Message-ID: <1407610676.25912018.1517498808545.JavaMail.zimbra@xsb.com>

Hi,

I've set up an OIDC Identity provider in Keycloak 3.4.3 and it works correctly. Our production servers are using 3.2.1. Both servers are behind haproxy and have different internal and external host names. 3.2.1 seems to be modifying the redirect_uri I have set in the IDP to use the internal hostname. Does anyone know when this was changed? I'm currently digging through the recently closed bugs; I should probably look for the change log.

Thanks
Drew

From d.weirshousky at xsb.com Thu Feb 1 10:56:48 2018
From: d.weirshousky at xsb.com (Drew Weirshousky)
Date: Thu, 1 Feb 2018 09:56:48 -0600 (CST)
Subject: [keycloak-user] OIDC Identity provider redirect_uri using wrong hostname
In-Reply-To: <1407610676.25912018.1517498808545.JavaMail.zimbra@xsb.com>
References: <1407610676.25912018.1517498808545.JavaMail.zimbra@xsb.com>
Message-ID: <1357359697.25920164.1517500608252.JavaMail.zimbra@xsb.com>

Hi,

Never mind, found the problem in the proxy config.

Thanks
Drew

From scott.finlay at sixt.com Thu Feb 1 11:25:57 2018
From: scott.finlay at sixt.com (Scott Finlay)
Date: Thu, 1 Feb 2018 16:25:57 +0000
Subject: [keycloak-user] Validate User Credentials Without Creating a Session
In-Reply-To: <97c207c9-6f96-bd7c-b37f-27449b0b033a@redhat.com>
References: , <97c207c9-6f96-bd7c-b37f-27449b0b033a@redhat.com>

Hi Marek,

Thanks for the suggestion.
Could you maybe point me in the right direction there? I'm having some difficulties finding the actual place where credentials are checked in the Keycloak code and where the session is being created. Additionally I've looked at the documentation (http://www.keycloak.org/docs/3.1/server_development/topics/extensions.html) but I'm having trouble understanding from that what the pieces described are actually for, where the entry point is, and how I can connect it to the actual Keycloak storage. I also don't really know how to actually integrate the endpoint into Keycloak once I have one built.

Regards,
Scott

________________________________
From: Marek Posolda
Sent: Wednesday, January 24, 2018 1:59:05 PM
To: Scott Finlay; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Validate User Credentials Without Creating a Session

Hi Scott,

it's not available OOTB, but you can add your own REST endpoint to verify username/password. Or alternatively you can just do a directGrant login (OAuth2 Resource Owner Password Credentials Grant) and then log out the session.

Marek

On 23/01/18 09:49, Scott Finlay wrote:
> Hi,
>
> We're currently using Keycloak 2.5.5.Final, and in this version it's not possible to validate a user's credentials (username / password combination) without actually logging the user in, which results in a session (and our sessions are long-lived). Is there any new functionality introduced in the later versions of Keycloak to validate the credentials without actually logging the user in?
>
> Our use-case is that we have very long-lived tokens, but we want to require the user to re-enter his/her password in order to perform certain sensitive tasks such as changing the password or username.
>
> If such functionality is not available, would it be possible to add this?
>
> Regards,
> Scott

From adr_gonzalez at yahoo.fr Thu Feb 1 13:23:16 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Thu, 1 Feb 2018 18:23:16 +0000 (UTC)
Subject: [keycloak-user] Entreprise IDP
References: <494202474.2032996.1517509396110.ref@mail.yahoo.com>
Message-ID: <494202474.2032996.1517509396110@mail.yahoo.com>

Hello,

I'm using Social IDP in Keycloak, that's working awesome!

Now, I need to integrate more enterprise IDPs, and show those IDPs only to users in these enterprises.

1. an enterprise IDP will need to be associated with a list of email domains (the enterprise IDP will be automatically used if the user email matches).
2. in the Login UI, only the links for social IDPs will be shown; the enterprise IDPs will be hidden.
3. if the user enters an email corresponding to one of the enterprise IDPs:
   * we hide the password field
   * if the user clicks on submit, he's redirected to the enterprise idp.
4. as a bonus: if he's redirected to the enterprise IDP, I'd like to have the email/username field already pre-filled.

I don't think a similar feature exists for the moment. If yes, please someone tell me :)

What I did for the moment is:
- REST Service providing IDPs info to the front end (RealmResourceProviderFactory extension)
- I hacked the login page (custom theme) and added a js script that:
  - calls the previous REST Service
  - hides/shows the password label and field
  - intercepts the submit call and redirects to the enterprise idp

What I'm missing is:
- is there a way to add custom information in an idp, i.e. something like an isEntreprise boolean (how?). If not, I'd need to create an additional table and create a custom UI to handle that (a bit awkward :( )
- didn't pass the email to the external idp

Would someone have an idea of how to do this (if I could add this custom info in the idp it would be great!)? Is there a better way to achieve that? Or more generic?

Thanks for the insights!
Adrian

N.B. some links around this subject (just as reference material)
http://lists.jboss.org/pipermail/keycloak-dev/2014-November/003073.html (see 4 - Selecting provider)
http://lists.jboss.org/pipermail/keycloak-user/2017-January/008965.html
https://issues.jboss.org/browse/KEYCLOAK-1515

From sthorger at redhat.com Thu Feb 1 14:12:46 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 1 Feb 2018 20:12:46 +0100
Subject: [keycloak-user] how retrievie access token only with roles for specific target service(keycloak client)?

Looking at your PR again I see I made a quick conclusion last time, as I thought you were talking about the scope query parameter in OIDC, not about client scopes. For client scopes it would make sense to have a button that allows full scope for a specific client. At the moment we have full scope for everything, so that would be a sensible addition.

Could you drop an email about this to the keycloak-dev mailing list? That's where implementation/contribution discussions belong. I'd like to get the opinion from the rest of the team, but I'm on board with the idea.
On 31 January 2018 at 12:34, Daniel Charczyński wrote:
> Here are more details about the use case
>
> background:
> we are using bearer access tokens in case of authorization between services
> this is a JWT signed by keycloak and contains all roles assigned to this specific client
> we are using "service account" in case of authorization service to service
>
> eg:
> if we have the following scenario
>
> service A ---> service B
>     |
>     |-------------
>               service C
>
> service A receives a JWT with roles to service B and C
>
> If Service A communicates with B, B is able to reuse this token and communicate with C as service A
> The token that B receives from A is valid and there is the possibility to reuse it
> That is a CRITICAL security issue in my opinion.
>
> Our plan is to use Roles that require the scope parameter and it is OK for us, but at the moment there is only the possibility to query for a specific Role but there is NO possibility to ask keycloak for a JWT with all roles but only in service B context.
>
> Of course we can use composite roles but this is a workaround that requires extra maintenance - we do not want to do it that way
>
> We just need support for a scope parameter like
>
> *scope = serviceB/**
>
> Regards
> Daniel Charczyński

From adr_gonzalez at yahoo.fr Thu Feb 1 17:02:48 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Thu, 1 Feb 2018 22:02:48 +0000 (UTC)
Subject: [keycloak-user] Entreprise IDP
In-Reply-To: <494202474.2032996.1517509396110@mail.yahoo.com>
References: <494202474.2032996.1517509396110.ref@mail.yahoo.com> <494202474.2032996.1517509396110@mail.yahoo.com>
Message-ID: <1600820599.2246070.1517522568461@mail.yahoo.com>

Hello,

Little update: I configured the idp email domains in the config.domainAliases attribute. I need to call the REST API http://localhost:8080/auth/admin/realms/realm1/identity-provider/instances/ to set this value.

My code is a little quirky (my js code in the login UI needs to retrieve the enterprise idp url from the link, which is ugly: I need to set Hide on Login Page = OFF to have the url available, but at the same time I need to hide the enterprise idp button).

I think I'll change the REST API to a custom Authenticator that will retrieve the Idp configuration (and its domainAliases), will compute the idpUrl (in a similar way to what is done in FreeMarkerLoginFormsProvider#prepareBaseUriBuilder) and make that available to the login.ftl.

This way I'll end up with:
- custom authenticator
- custom theme with a custom login.ftl page.

I'd have liked to add the domainAliases in the Keycloak Admin UI, but I don't find a way. Also I'd have liked to propagate the user's email to the external idp (as a pre-fill value) but don't find a way.

Cheers,
Adrian

From joshua.k.harness at gmail.com Thu Feb 1 20:01:11 2018
From: joshua.k.harness at gmail.com (Josh Harness)
Date: Thu, 1 Feb 2018 20:01:11 -0500
Subject: [keycloak-user] Allow Client to Create User in Realm without Granting manage-users Role from realm-management

Hi -

We're wanting to use keycloak as our IdP but aren't fully able to allow users to register, since we need to use an existing application to do this. I need to be able to allow the legacy application to do the following within the realm:

* Create user
* Reset user password

I'm wanting to avoid giving the application permissions to assign roles, etc. that it ought not be able to. Fine grained permissions looked promising but it appears that approach won't work since there's no fine-grained 'create user' type permission (that I can tell). As such, I'm stuck using the all powerful 'manage-users' role of the realm-management client. Any ideas for alternative approaches to explore? Afraid I might be swimming upstream here and need to just bite off user registration the correct way...

Thanks!
Josh

From hmlnarik at redhat.com Fri Feb 2 03:25:42 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Fri, 2 Feb 2018 09:25:42 +0100
Subject: [keycloak-user] Keycloak 3.4 and Oracle Timesten

The cause is in the "Unknown database: TimesTen" message from Liquibase - Liquibase does not recognize the dialect and thus refuses to operate. Liquibase is used to create the initial DB schema. You may try to implement a class to support TimesTen similarly to EnterpriseDB [1, 2], since TimesTen should be compatible with other Oracle Database products. Feel free to raise an RFE, though we cannot promise it would be picked up anytime soon.

[1] https://github.com/keycloak/keycloak/blob/3.4.3.Final/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/PostgresPlusDatabase.java
[2] https://github.com/keycloak/keycloak/blob/3.4.3.Final/model/jpa/src/main/java/org/keycloak/connections/jpa/updater/liquibase/conn/DefaultLiquibaseConnectionProvider.java#L95

On Thu, Feb 1, 2018 at 7:42 AM, Upananda Singha <upananda.singha at motorolasolutions.com> wrote:
> Hi All,
>
> Please find the configurations I am having for Timesten...
> run(UndertowDeploymentService.java:84) > at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) > at java.util.concurrent.FutureTask.run(FutureTask.java:266) at > java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) at > org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: > java.lang.RuntimeException: RESTEASY003325: Failed to construct public > org.keycloak.services.resources.KeycloakApplication( > javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct( > ConstructorInjectorImpl.java:162) > at > org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance( > ResteasyProviderFactory.java:2298) > at > org.jboss.resteasy.spi.ResteasyDeployment.createApplication( > ResteasyDeployment.j > > > > Thanks & Regds, > > *Upananda* > > > > > On Thu, Feb 1, 2018 at 10:46 AM, Upananda Singha motorolasolutions.com> wrote: > > > Hi all, > > > > I have been trying to configure Keycloak with Oracle Timesten but without > > any success. > > > > Anybody ever tried Timesten as backend Database for Keycloak? It would be > > of great help if anyone can give some pointer whether Timesten can be at > > all > > used with Keycloak 3.4. 
> >
> > Thanks & regds,
> >
> > *Upananda *

--
--Hynek

From mposolda at redhat.com Fri Feb 2 05:49:39 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 2 Feb 2018 11:49:39 +0100
Subject: [keycloak-user] Validate User Credentials Without Creating a Session
References: <97c207c9-6f96-bd7c-b37f-27449b0b033a@redhat.com>
Message-ID: <5ca5c54f-31ae-11ee-f4d4-02fc9aa40cdd@redhat.com>

The easiest is to log in through directGrant and then log out the session with the refreshToken. We have an example which is doing that and shows logout as well - it's admin-access-app from the preconfigured-demo examples.

The place where the credentials are checked is Pbkdf2PasswordHashProvider. You can try to debug/investigate to see further how to get there and what code calls this. If it's too much trouble, I suggest sticking with the directGrant + logout approach.

Marek

On 01/02/18 17:25, Scott Finlay wrote:
> Hi Marek,
>
> Thanks for the suggestion. Could you maybe point me in the right direction there?
>
> I'm having some difficulties finding the actual place where credentials are checked in the Keycloak code and where the session is being created.
>
> Additionally I've looked at the documentation (http://www.keycloak.org/docs/3.1/server_development/topics/extensions.html) but I'm having trouble understanding from that what these pieces described are actually for, where the entry point is, and how I can connect it to the actual Keycloak storage. I also don't really know how to actually integrate the endpoint into Keycloak once I have one built.
>
> Regards,
> Scott
>
> ------------------------------------------------------------------------
> *From:* Marek Posolda
> *Sent:* Wednesday, January 24, 2018 1:59:05 PM
> *To:* Scott Finlay; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Validate User Credentials Without Creating a Session
>
> Hi Scott,
>
> it's not available OOTB, but you can add your own REST endpoint to verify username/password. Or alternatively you can just do directGrant login (OAuth2 Resource Owner Password Credentials Grant) and then log out the session.
>
> Marek
>
> On 23/01/18 09:49, Scott Finlay wrote:
> > Hi,
> >
> > We're currently using Keycloak 2.5.5.Final, and in this version it's not possible to validate a user's credentials (username / password combination) without actually logging the user in, which results in a session (and our sessions are long-lived). Is there any new functionality introduced in the later versions of Keycloak to validate the credentials without actually logging the user in?
> >
> > Our use-case is that we have very long-lived tokens, but we want to require the user to re-enter his/her password in order to perform some certain sensitive tasks such as changing the password or username.
> >
> > If such functionality is not available, would it be possible to add this?
> >
> > Regards,
> >
> > Scott

From cmoullia at redhat.com Fri Feb 2 07:29:18 2018
From: cmoullia at redhat.com (Charles Moulliard)
Date: Fri, 2 Feb 2018 13:29:18 +0100
Subject: [keycloak-user] Keycloak OpenShift Template part of the openshift library project

Hi Jan,

Is there a ticket opened to keep track of that request?

Regards,
Charles

On Thu, Feb 1, 2018 at 11:32 AM, Jan Lieskovsky wrote:
> Hello Charles,
>
> thank you for checking.
>
> On Wed, Jan 31, 2018 at 6:47 PM, Charles Moulliard wrote:
>> Hi,
>>
>> The only Openshift Keycloak Template available (I think so) is part of the xpaas project and can be deployed according to this doc [1] on Openshift with the xpaas templates (A-MQ, ....)
>>
>> Are there any plans to have an openshift keycloak template available from the openshift library project [2]?
>
> I can confirm we are currently actively investigating the possibility to have some of the Red Hat SSO template(s) available from the OpenShift library project too. For now this is a WIP effort though. There are multiple conditions / inputs that need to be met first for this template to be available. As such it is currently not possible to specify an exact timeline (ETA) for when this template will be delivered.
>
> But we are working on it, and the plan is to have such a template available as soon as possible.
>
>> Without such info part of the library, we can't install keycloak as it will not appear when you browse the openshift catalog of your openshift cluster instance (running using minishift, ....)
>>
>> [1] https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_jboss_sso_for_openshift/
>> [2] https://github.com/openshift/library
>>
>> Regards,
>
> Hope this helps
>
> Thank you && Regards, Jan
> --
> Jan iankko Lieskovsky / Keycloak / RH-SSO Team
>
>> Charles

From psilva at redhat.com Fri Feb 2 08:23:09 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 2 Feb 2018 11:23:09 -0200
Subject: [keycloak-user] Validate User Credentials Without Creating a Session
In-Reply-To: <5ca5c54f-31ae-11ee-f4d4-02fc9aa40cdd@redhat.com>
References: <97c207c9-6f96-bd7c-b37f-27449b0b033a@redhat.com> <5ca5c54f-31ae-11ee-f4d4-02fc9aa40cdd@redhat.com>

We have a similar behavior when doing client credentials, where sessions are created on every single invocation of the token endpoint.

For grant types other than authorization code, can we review this behavior? I think I sent an e-mail about this some time ago ...

On Fri, Feb 2, 2018 at 8:49 AM, Marek Posolda wrote:
> The easiest is to log in through directGrant and then log out the session with the refreshToken. We have an example which is doing that and shows logout as well - it's admin-access-app from the preconfigured-demo examples.
>
> The place where the credentials are checked is Pbkdf2PasswordHashProvider. You can try to debug/investigate to see further how to get there and what code calls this. If it's too much trouble, I suggest sticking with the directGrant + logout approach.
>
> Marek
>
> On 01/02/18 17:25, Scott Finlay wrote:
> > [...]

From sbasset at softwaymedical.fr Fri Feb 2 08:26:52 2018
From: sbasset at softwaymedical.fr (BASSET Simon)
Date: Fri, 2 Feb 2018 13:26:52 +0000
Subject: [keycloak-user] Forgotten password workflow redirecting to account client

Hello,

We are developing an application which relies on keycloak for authentication (with a custom theme) and we are facing a problem with the keycloak forgotten password workflow.

With keycloak 3.2.1:

When a user wants to access our application, she goes to app.swm.cloud ("frontend" client for keycloak), then she is redirected to auth.swm.cloud (keycloak), she starts the forgotten password workflow and receives an email with a link to reset her password. If she clicks on the link and changes her password, she is logged in and redirected to the frontend client app.swm.cloud.

frontend app -> login page -> forgotten password -> mail -> change password -> logged in frontend app

However, if she kills her browser before following the link from the forgotten password mail, she is redirected to the login page after changing her password and then to the account client after logging in.

frontend app -> login page -> forgotten password -> kill the browser -> mail -> change password -> login page -> logged in account client

With keycloak 3.4.3:

It seems that she is always redirected to the account client after changing her password.
frontend app -> login page -> forgotten password -> mail -> change password -> login page -> logged in account client

How to configure keycloak so our user is redirected to our frontend app after she changes her password?

Thank you,
Simon

From jcain at redhat.com Fri Feb 2 09:18:28 2018
From: jcain at redhat.com (Josh Cain)
Date: Fri, 2 Feb 2018 08:18:28 -0600
Subject: [keycloak-user] Validate User Credentials Without Creating a Session
References: <97c207c9-6f96-bd7c-b37f-27449b0b033a@redhat.com> <5ca5c54f-31ae-11ee-f4d4-02fc9aa40cdd@redhat.com>
Message-ID: <7d7f3ffe-2a94-650e-4318-f503c023a51e@redhat.com>

Would be +1 for reviewing an option to alter this behavior.

Doing work again on docker flows, and they're truly stateless clients (you can send session cookies/info, but they'll just be discarded by the client). We get the session creation overhead for no reason.

I also think of the SAML ECP profile (if anyone is even using that these days). Does that need to create a session?

Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com IRC: jcain

On 02/02/2018 07:23 AM, Pedro Igor Silva wrote:
> We have a similar behavior when doing client credentials, where sessions are created on every single invocation of the token endpoint.
>
> For grant types other than authorization code, can we review this behavior? I think I sent an e-mail about this some time ago ...
>
> On Fri, Feb 2, 2018 at 8:49 AM, Marek Posolda wrote:
>> [...]

From psilva at redhat.com Fri Feb 2 09:46:46 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 2 Feb 2018 12:46:46 -0200
Subject: [keycloak-user] Validate User Credentials Without Creating a Session
In-Reply-To: <7d7f3ffe-2a94-650e-4318-f503c023a51e@redhat.com>
References: <97c207c9-6f96-bd7c-b37f-27449b0b033a@redhat.com> <5ca5c54f-31ae-11ee-f4d4-02fc9aa40cdd@redhat.com> <7d7f3ffe-2a94-650e-4318-f503c023a51e@redhat.com>

Same thing with SAML ECP. This profile is basically a POST binding over SOAP.

On Fri, Feb 2, 2018 at 12:18 PM, Josh Cain wrote:
> Would be +1 for reviewing an option to alter this behavior.
>
> Doing work again on docker flows, and they're truly stateless clients (you can send session cookies/info, but they'll just be discarded by the client). We get the session creation overhead for no reason.
>
> I also think of SAML ECP profile (if anyone is even using that these days). Does that need to create a session?
>
> Josh Cain
> Senior Software Applications Engineer, RHCE
> Red Hat North America
> jcain at redhat.com IRC: jcain
>
> On 02/02/2018 07:23 AM, Pedro Igor Silva wrote:
> > [...]

From psilva at redhat.com Fri Feb 2 09:48:22 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 2 Feb 2018 12:48:22 -0200
Subject: [keycloak-user] Validate User Credentials Without Creating a Session
In-Reply-To: <7d7f3ffe-2a94-650e-4318-f503c023a51e@redhat.com>
References: <97c207c9-6f96-bd7c-b37f-27449b0b033a@redhat.com> <5ca5c54f-31ae-11ee-f4d4-02fc9aa40cdd@redhat.com> <7d7f3ffe-2a94-650e-4318-f503c023a51e@redhat.com>

Btw, you can avoid creating sessions by using refresh tokens.

On Fri, Feb 2, 2018 at 12:18 PM, Josh Cain wrote:
> Would be +1 for reviewing an option to alter this behavior.
>
> Doing work again on docker flows, and they're truly stateless clients (you can send session cookies/info, but they'll just be discarded by the client). We get the session creation overhead for no reason.
>
> I also think of SAML ECP profile (if anyone is even using that these days). Does that need to create a session?
>
> Josh Cain
> Senior Software Applications Engineer, RHCE
> Red Hat North America
> jcain at redhat.com IRC: jcain
>
> On 02/02/2018 07:23 AM, Pedro Igor Silva wrote:
> > [...]

From adr_gonzalez at yahoo.fr Fri Feb 2 10:28:03 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Fri, 2 Feb 2018 15:28:03 +0000 (UTC)
Subject: [keycloak-user] KEYCLOAK-4509 Support IDP Initiated to OIDC RP
References: <726601824.2989811.1517585283694.ref@mail.yahoo.com>
Message-ID: <726601824.2989811.1517585283694@mail.yahoo.com>

Hello,

I just created this PR: https://github.com/keycloak/keycloak/pull/4965.

This allows using IDP initiated logins with OIDC Clients (for now it's limited to SAML clients).

My use case is:
- My OIDC Client uses Keycloak as OIDC Authorization Server.
- Users use Okta as IDP.

Hence:
* I register my OIDC Client in the Okta portal using a url like http:///auth/realms//broker//endpoint/clients/).
In a similar way to http://www.keycloak.org/docs/latest/server_admin/index.html#idp-initiated-login.?* When a user access his Okta portal, he authenticates to Okta (no KC involved)* In Okta portal he see a list of application.* he click on OIDC Client app.* Okta initiates a SAML authentication with Keycloak.* once it succeeds, Keycloak calls a URL of OIDC Client.* the OIDC Client will initiate a OIDC flow with keycloak.* Keycloak will redirect back to the OIDC Client (using the same identity as the one initiated by Okta SAML flow) My Client is registered in a way that Okta will? This work like :* the user is authenticated in external IDP.* external IDP dashboard page lists all available Client.* user clicks on a Client.* external IDP redirects to KC (using SAML).* KC validates the authentication.* KC redirects to the OIDC RP (IDP Initiated Target URL).* OIDC RP initiates a OIDC authentication flow, and redirects to KC* KC creates automatically a session and redirects back to OIDC RP. The code is far from bullet-proof, I'll gladly accept some feedback. Cheers,Adrian From to_sud at yahoo.com Fri Feb 2 14:56:33 2018 From: to_sud at yahoo.com (Sud Ramasamy) Date: Fri, 2 Feb 2018 14:56:33 -0500 Subject: [keycloak-user] Custom User SPI implementation and user records Message-ID: Hi, We wrote and deployed a custom implementation for the User SPI that authenticates a username and password against an external REST API. We?ve been able to get it to work but had some questions on how Keycloak handles this. Our implementation is based on the user-storage-properties-example from the Keycloak repo. We see that a session is created in Keycloak for the logged in user (but no record is created in the USER_SESSION table - but this appears to be how keycloak in general works. When are records inserted into USER_SESSION if at all?). 
Our primary question was that no user record is created in the USER_ENTITY table for the federated user, even though we see that the session is established with the user name of the federated user who logged in (we see this in the sessions area of the admin console). We were wondering if this is expected behavior, since we were under the impression that all users authenticated via Keycloak (whether via federation, brokered, or internal) would always get a user record in the Keycloak database.

A second question is that when we create the user federation via the admin console, the records are inserted in the COMPONENT table. We do see there is the USER_FEDERATION_PROVIDER table, but that remains empty. Is this table deprecated and no longer used?

This is on Keycloak 2.5.5.

Thanks in advance for your help.
-sud

From Ori.Doolman at amdocs.com Sun Feb 4 08:48:33 2018
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Sun, 4 Feb 2018 13:48:33 +0000
Subject: [keycloak-user] keep login state after closing browser
Message-ID:

Hi,

My web application is using the Keycloak JS adapter, and I'm using the 'implicit' flow for getting the access token.
I have a requirement to prevent the user from keying in passwords again for 24 hours (assuming the token expires after 24 hours), even after the browser is closed and re-opened.

There is a cookie called 'KEYCLOAK_IDENTITY', which I assume preserves the login state, but it is a session cookie and it is deleted after closing the browser window.
I also see that in the initOptions of the adapter, I can pass an existing access token via the 'token' property. Hence, I was thinking to persist the 24-hour access token into localStorage and then read it and pass it as part of initOptions to the adapter when my application starts.
However, I cannot make it work and I'm not even sure this is possible to do.

Is it possible to use the 'token' initOption like that?
If not, is there a recommended approach for implementing such a requirement?
Thanks,

Ori Doolman
Lead Software Architect
Amdocs Optima

+972 9 778 6914 (office)
+972 50 9111442 (mobile)

This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at https://www.amdocs.com/about/email-disclaimer

From joshua.k.harness at gmail.com Sun Feb 4 17:02:03 2018
From: joshua.k.harness at gmail.com (Josh Harness)
Date: Sun, 4 Feb 2018 17:02:03 -0500
Subject: [keycloak-user] Prevent Users from Modifying Certain Custom User Attributes
Message-ID:

Hi -

I have some custom user attributes that I want users to be able to modify. Others, though, I want to forbid, since they are set at account creation via internal procedures. Does anybody know how to prevent users from being able to edit these attributes? It isn't enough to leave them out of the account template, since formulating the correct POST as the user will cause the attribute to be updated (whether I modified the ftl template to include it or not).

Thanks!

Josh

From johnreytanquinco at gmail.com Sun Feb 4 20:42:31 2018
From: johnreytanquinco at gmail.com (John Rey Tanquinco)
Date: Mon, 5 Feb 2018 09:42:31 +0800
Subject: [keycloak-user] Use JWT Keycloak Generated Token
Message-ID:

Hi,

We are developing a mobile application against a headless Drupal using Keycloak as SSO. How can we use the generated JWT token and validate it in Drupal? This is an example event log we are getting from Keycloak.
http://site/openid-connect/generic?code=uss.LFgEKlE3AD5MJUlmsiNZ4Vz6tkwv1yhuhnNGGfhdzbQ.1c030743-0487-494f-9e4e-246380e6e96f.46a09a43-5450-4376-a918-ef826188f7b8&state=sNNipgAjbVnZ73znvZaCQQt7JFkIs2p81ThNaFoZ1OM

We tried the following steps from http://lists.jboss.org/pipermail/keycloak-user/2015-May/002254.html but it didn't work. When checking the value *LFgEKlE3AD5MJUlmsiNZ4Vz6tkwv1yhuhnNGGfhdzbQ.1c030743-0487-494f-9e4e-246380e6e96f.46a09a43-5450-4376-a918-ef826188f7b8* on jwt.io we are getting a strange response.

--
*Thanks for your reply. We use Keycloak as an SSO and IDP, so the users don't exist in Drupal. Do you have any suggestions on how Drupal can use externally generated JWT tokens when the user doesn't already exist in Drupal?*

*However, I'm also developing a mobile client against a headless Drupal. In this case I get a JWT token from Keycloak. I'm looking to use this token with Drupal.*

*-------------------------------*
*John Rey Tanquinco*
*-------------------------------*

From mposolda at redhat.com Mon Feb 5 03:18:01 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Feb 2018 09:18:01 +0100
Subject: [keycloak-user] keep login state after closing browser
In-Reply-To:
References:
Message-ID: <8334b46c-035b-b93f-8229-d69ad8a0657a@redhat.com>

Few tips:
- If you enable "Remember me" for the realm, the KEYCLOAK_IDENTITY cookie won't be cleared at the end of the browser session.
- There is a callback "onTokenExpired", which you can use in the keycloak.js adapter when the accessToken has expired. You will be redirected back to the Keycloak server and re-logged in with SSO (as long as KEYCLOAK_IDENTITY is still valid).

The approach with "token" may work, but I would personally use the approach with shorter token timeouts and redirect to the SSO, assuming that rememberMe will work. This has some downsides (redirect to Keycloak needed periodically, rememberMe available), so not sure if it works for you.
If you want the approach with "token", you may need to disable the session iframe in that case (as the SSO session on the Keycloak side may no longer be valid after browser restart).

Marek
From mposolda at redhat.com Mon Feb 5 03:19:23 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 5 Feb 2018 09:19:23 +0100
Subject: [keycloak-user] keep login state after closing browser
In-Reply-To: <8334b46c-035b-b93f-8229-d69ad8a0657a@redhat.com>
References: <8334b46c-035b-b93f-8229-d69ad8a0657a@redhat.com>
Message-ID: <70f347aa-d777-795a-83d2-e3f21a925360@redhat.com>

One thing: I am not 100% sure if you need to disable the session iframe if you want to use the "token" approach.
Just a tip that it's maybe the reason why it doesn't work for you, but I don't know for sure.

Marek
From dz at scoutsengidsenvlaanderen.be Mon Feb 5 04:20:14 2018
From: dz at scoutsengidsenvlaanderen.be (Daan Zwaenepoel)
Date: Mon, 5 Feb 2018 10:20:14 +0100
Subject: [keycloak-user] Custom registration flow
Message-ID: <20b65b47-700f-82bc-5a60-10641b6b7bf2@scoutsengidsenvlaanderen.be>

Hi,

I am Daan Zwaenepoel, a last-year ICT student. For my student job I have to integrate Keycloak into an Angular app.

What I already did: set up the Keycloak server, make the link to the Angular app, start a custom theme, and the login flow works.

My next task is to build the registration page and make it work. The last point is where I have been stuck for a while.

In the Keycloak base registration flow you have the base fields username, firstname, lastname, email, password and password-confirm. Now the point where I have been stuck: in our registration we have one more field and I don't know how to add this custom field to the flow. Is there anyone who can help me or give me tips on building this custom registration flow?

Thanks!
Daan

From subodhcjoshi82 at gmail.com Mon Feb 5 04:28:53 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Mon, 5 Feb 2018 14:58:53 +0530
Subject: [keycloak-user] Custom registration flow
In-Reply-To: <20b65b47-700f-82bc-5a60-10641b6b7bf2@scoutsengidsenvlaanderen.be>
References: <20b65b47-700f-82bc-5a60-10641b6b7bf2@scoutsengidsenvlaanderen.be>
Message-ID:

Hope this will help you:

http://keycloak-user.88327.x6.nabble.com/keycloak-user-Custom-user-registration-td3328.html
http://www.keycloak.org/docs/3.0/server_development/topics/custom-attributes.html

Thanks & regards
--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.questioninmind.com

From sblanc at redhat.com Mon Feb 5 04:30:15 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 5 Feb 2018 10:30:15 +0100
Subject: [keycloak-user] Custom registration flow
In-Reply-To: <20b65b47-700f-82bc-5a60-10641b6b7bf2@scoutsengidsenvlaanderen.be>
References: <20b65b47-700f-82bc-5a60-10641b6b7bf2@scoutsengidsenvlaanderen.be>
Message-ID:

Hi,

Have you tried to follow this doc: http://www.keycloak.org/docs/latest/server_development/index.html#registration-page ? It shows you how to add a "mobile number" to your registration page. That should give you all the info you need for your own custom field.
From rickt15392 at googlemail.com Mon Feb 5 04:40:55 2018
From: rickt15392 at googlemail.com (RickT153 .)
Date: Mon, 5 Feb 2018 10:40:55 +0100
Subject: [keycloak-user] RH-SSO security patches in Keycloak
Message-ID:

Hello,

I have found that there have been a few security issues which have been patched for RH-SSO.

https://access.redhat.com/errata/RHSA-2017:2904

I assume that Keycloak has been affected by the same problems, as RH-SSO is based on Keycloak. However, I could not find any resources indicating that any fixes have been applied to Keycloak.

So what is the current status on this subject? Is the latest version of Keycloak affected by those vulnerabilities? Have they been patched? I will appreciate any answer to those questions. More so, if the answers include links from which I can confirm the answers for myself.

Thanks and best regards,
Patrick

From sblanc at redhat.com Mon Feb 5 04:53:36 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 5 Feb 2018 10:53:36 +0100
Subject: [keycloak-user] RH-SSO security patches in Keycloak
In-Reply-To:
References:
Message-ID:

Hi,

In the document you shared, in the fixes list, if you click one you will see that each Bugzilla issue also has an upstream issue linked and that it is fixed.
For instance: https://bugzilla.redhat.com/show_bug.cgi?id=1484111 indicates in the comments a link to https://issues.jboss.org/browse/KEYCLOAK-5234

Seb
From dz at scoutsengidsenvlaanderen.be Mon Feb 5 04:53:16 2018
From: dz at scoutsengidsenvlaanderen.be (Daan Zwaenepoel)
Date: Mon, 5 Feb 2018 10:53:16 +0100
Subject: [keycloak-user] Custom registration flow
In-Reply-To:
References: <20b65b47-700f-82bc-5a60-10641b6b7bf2@scoutsengidsenvlaanderen.be>
Message-ID: <36b21737-2219-6086-a8b1-4e1be29c1262@scoutsengidsenvlaanderen.be>

Hi,

Yes, I tried this, but how do I add a custom control on this field? In the end I have to create a custom flow which checks the existing users in the already existing database and links those to their login account. The way to link them is with a number of 13 characters, and that is my custom field.

Thanks

Daan
From Aymeric.LAGIER at ext.imprimerienationale.fr Mon Feb 5 04:55:24 2018
From: Aymeric.LAGIER at ext.imprimerienationale.fr (LAGIER Aymeric)
Date: Mon, 5 Feb 2018 09:55:24 +0000
Subject: [keycloak-user] RH-SSO security patches in Keycloak
In-Reply-To:
References:
Message-ID: <97670dfa8ae04e7b89d2e24acfaa20a7@EXDVDRARIMP002.EQ1IMP.lan>

Hi,

I have already asked about these vulnerabilities (cf. my previous email in the attachments). I didn't receive any answers.

Thanks
-------------- next part --------------
An embedded message was scrubbed...
From: "LAGIER Aymeric"
Subject: Keycloak CVE
Date: Fri, 8 Dec 2017 11:14:48 +0100
Size: 9364
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20180205/c8334628/attachment.mht

From lists at merit.unu.edu Mon Feb 5 05:05:49 2018
From: lists at merit.unu.edu (mj)
Date: Mon, 5 Feb 2018 11:05:49 +0100
Subject: [keycloak-user] RH-SSO security patches in Keycloak
In-Reply-To:
References:
Message-ID: <347cccdd-f321-74d3-39d9-e457f755ae2e@merit.unu.edu>

Well... I tried that, but was getting "This issue can't be viewed" for KEYCLOAK-5225, for example.

Anyway, I guess that even though we cannot see the fix, the fix does actually exist and work :-)

Thanks!
MJ
From sblanc at redhat.com Mon Feb 5 05:33:19 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 5 Feb 2018 11:33:19 +0100
Subject: [keycloak-user] Custom registration flow
In-Reply-To: <36b21737-2219-6086-a8b1-4e1be29c1262@scoutsengidsenvlaanderen.be>
References: <20b65b47-700f-82bc-5a60-10641b6b7bf2@scoutsengidsenvlaanderen.be> <36b21737-2219-6086-a8b1-4e1be29c1262@scoutsengidsenvlaanderen.be>
Message-ID:

You have to implement the FormAction interface, and you will probably do the user retrieval in the validate() method:
http://www.keycloak.org/docs/latest/server_development/index.html#implementation-formaction-interface
From Ori.Doolman at amdocs.com Mon Feb 5 05:48:08 2018
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Mon, 5 Feb 2018 10:48:08 +0000
Subject: [keycloak-user] keep login state after closing browser
In-Reply-To: <70f347aa-d777-795a-83d2-e3f21a925360@redhat.com>
References: <8334b46c-035b-b93f-8229-d69ad8a0657a@redhat.com> <70f347aa-d777-795a-83d2-e3f21a925360@redhat.com>
Message-ID:

Marek,
Thank you very much for that answer. Seems that the 'remember me' feature was exactly what I needed. So simple... :)

Thanks,

Ori Doolman
Lead Software Architect
Amdocs Optima

+972 9 778 6914 (office)
+972 50 9111442 (mobile)
Thanks, Ori Doolman Lead Software Architect Amdocs Optima +972 9 778 6914 (office) +972 50 9111442 (mobile) [cid:image001.png at 01D2C8DE.BFF33E10] This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at https://www.amdocs.com/about/email-disclaimer _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at https://www.amdocs.com/about/email-disclaimer -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 3506 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180205/c9adadaa/attachment.png From upananda.singha at motorolasolutions.com Mon Feb 5 06:41:02 2018 From: upananda.singha at motorolasolutions.com (Upananda Singha) Date: Mon, 5 Feb 2018 17:11:02 +0530 Subject: [keycloak-user] Keycloak 3.4 and Oracle Timesten In-Reply-To: References: Message-ID: Hi Hynek, Thanks for the clarification and valuable information regarding Keycloak and T10 integration. Thanks & Regds, *Upananda Singha* On Fri, Feb 2, 2018 at 1:55 PM, Hynek Mlnarik wrote: > The cause is in "Unknown database: TimesTen" message from Liquibase - > Liquibase does not recognize the dialect and thus refuses to operate. > Liquibase is used to create the initial DB schema. You may try implement > class to support TimesTen similarly to EnterpriseDB [1, 2] since TimesTen > should be compatible with other Oracle Database products. Feel free to > raise a RFE though we cannot promise it would be picked anytime soon. > > [1] https://github.com/keycloak/keycloak/blob/3.4.3. 
> Final/model/jpa/src/main/java/org/keycloak/connections/jpa/ > updater/liquibase/PostgresPlusDatabase.java > > [2] https://github.com/keycloak/keycloak/blob/3.4.3. > Final/model/jpa/src/main/java/org/keycloak/connections/jpa/ > updater/liquibase/conn/DefaultLiquibaseConnectionProvider.java#L95 > > > On Thu, Feb 1, 2018 at 7:42 AM, Upananda Singha motorolasolutions.com> wrote: > >> Hi All, >> >> Please find the configurations I am having for Timesten... >> >> >> > pool-name="KeycloakDS" enabled="true" use-java-context="true"> >> jdbc:timesten:client:TTC_Server=172.27.9.23; >> TTC_Server_DSN=DG_010231;TCP_PORT=53389;uid=testuser;pwd=tes >> tpwd;tcp_timeout=180 >> TimesTenDriver >> 20 >> testuser testpwd >> > module="com.timesten"> >> com.timesten.jdbc.xa.TimesTenXADataSour >> ce >> module.xml configuration ("> HOME>/modules/system/layers/keycloak/com/timesten/main/module.xml") >> ------------------------ > xmlns="urn:jboss:module:1.3" name="com.timesten"> >> > name="javax.api"/> >> >> >> >> My LD_LIBRARY_PATH is havng all the Timesten libraries >> ------------------------------------------------------ libodbc.so >> libttclasses.so.gcc410 libttco.so libttJdbc.so libttutilD.so ttjdbc6.jar >> libttclassesCS.so libttclient.so libttco.so.noplsql libttjmsxla.so >> libttutil.so ttjdbc7.jar libttclassesCS.so.gcc346 libttclient.so.gcc346 >> libttcrs.so libttorD.so orai18n.jar ttjdbc8.jar libttclassesCS.so.gcc410 >> libttclient.so.gcc410 libttenD.so libttor.so README.TXT ucp.jar >> libttclasses.so libttcoD.so libtten.so libttplD.so timestenjmsxla.jar >> libttclasses.so.gcc346 libttcoD.so.noplsql libttJdbcCS.so libttpl.so >> ttjdbc5.jar >> >> >> >> I am getting he below error: >> >> 11:57:08,980 INFO [org.keycloak.services] (ServerService Thread Pool -- >> 51) >> KC-SERVICES0001: Loading config from standalone.xml or domain.xml >> 11:57:09,342 INFO [org.jboss.as.clustering.infinispan] (ServerService >> Thread Pool -- 51) WFLYCLINF0002: Started realmRevisions cache from >> 
>> keycloak container
>> 11:57:09,352 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started userRevisions cache from keycloak container
>> 11:57:09,359 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 51) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container
>> 11:57:09,359 INFO [org.keycloak.connections.infinispan.DefaultInfinispanConnectionProviderFactory] (ServerService Thread Pool -- 51) Node name: proc500_9_23, Site name: null
>> 11:57:09,940 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
>> 11:57:10,108 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
>> 11:57:10,111 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
>> 11:57:10,136 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
>> 11:57:10,138 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
>> 11:57:10,166 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
>> 11:57:10,169 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
>> 11:57:10,319 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
>> 11:57:12,220 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
>> 11:57:12,253 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meantime. Retrying...
>> 11:57:12,255 ERROR [stderr] (ServerService Thread Pool -- 51) WARNING 2/1/18 11:57 AM: liquibase: Unknown database: TimesTen
>> 11:57:12,277 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Failed to create lock table. Maybe other transaction created in the meant
>> ...
>> ...
>> ...
>> 11:57:12,767 INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 51) Initializing database schema.
>> Using changelog META-INF/jpa-changelog-master.xml
>> 11:57:12,794 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Attempt to release lock, which is not owned by current transaction
>> 11:57:12,804 WARN [org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService] (ServerService Thread Pool -- 51) Attempt to release lock, which is not owned by current transaction
>> 11:57:12,807 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested via an OS signal
>> 11:57:12,819 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 51) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:84)
>>     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>     at java.lang.Thread.run(Thread.java:748)
>>     at org.jboss.threads.JBossThread.run(JBossThread.java:320)
>> Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
>>     at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
>>     at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
>>     at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.j
>>
>> Thanks & Regds,
>>
>> *Upananda*
>>
>> On Thu, Feb 1, 2018 at 10:46 AM, Upananda Singha <upananda.singha at motorolasolutions.com> wrote:
>>
>> > Hi all,
>> >
>> > I have been trying to configure Keycloak with Oracle Timesten but without
>> > any success.
>> >
>> > Anybody ever tried Timesten as backend Database for Keycloak? It would be
>> > of great help if anyone can give some pointer whether Timesten can be at
>> > all used with Keycloak 3.4.
>> >
>> > Thanks & regds,
>> >
>> > *Upananda *
>
> --
> --Hynek

From celso.agra at gmail.com Mon Feb 5 07:16:05 2018
From: celso.agra at gmail.com (Celso Agra)
Date: Mon, 5 Feb 2018 09:16:05 -0300
Subject: [keycloak-user] (no subject)

All,

Please, I need some help on the admin client. I'm trying to change an LDAP attribute from my Keycloak server. When I change this info, my user just disappears from Keycloak, and I have to synchronize it again.

Am I doing something wrong?
Here is my code below:

public void setAttribute(String id, String attr) {
    RealmResource realmResource = keycloak.realm(properties.getKeycloakAppRealm());
    UserResource userResource = realmResource.users().get(id);
    UserRepresentation userRepresentation = userResource.toRepresentation();
    // mapAttribute() is a helper not shown in the post; setAttributes() replaces
    // the whole attribute map, so every attribute it does not return is dropped
    userRepresentation.setAttributes(mapAttribute("LDAPAttribute", attr));
    userResource.update(userRepresentation);
}

PS.: this info is set on the LDAP user when I call this method, but it looks like the user is removed or unsynced from keycloak.

PS.2: I'm using slapd (openLDAP)

Best Regards,

--
---
*Celso Agra*

From carrbrpoa at gmail.com Mon Feb 5 13:23:24 2018
From: carrbrpoa at gmail.com (carrbrpoa)
Date: Mon, 5 Feb 2018 11:23:24 -0700 (MST)
Subject: [keycloak-user] Refreshing Tokens
Message-ID: <1517855004663-0.post@n6.nabble.com>

I'm facing the same problem. I use JavaScript adapter and do login with a POST request to /.../protocol/openid-connect/token/ (no Keycloak login screen involved). What should I do to keep things working after a refresh fail due to lack of roles?

Thanks in advance

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From carrbrpoa at gmail.com Mon Feb 5 13:42:53 2018
From: carrbrpoa at gmail.com (carrbrpoa)
Date: Mon, 5 Feb 2018 11:42:53 -0700 (MST)
Subject: [keycloak-user] Refreshing Tokens
Message-ID: <1517856173881-0.post@n6.nabble.com>

I'm facing the same problem. I use JavaScript adapter and do login with a POST request to /.../protocol/openid-connect/token/ (no Keycloak login screen involved). What should I do to keep things working after a refresh fail due to lack of roles?
--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From dan.nemes at ymail.com Mon Feb 5 13:57:34 2018
From: dan.nemes at ymail.com (Dan Nemes)
Date: Mon, 5 Feb 2018 18:57:34 +0000 (UTC)
Subject: [keycloak-user] Keycloak logout not working for “bearer-only” application exposing REST services
References: <1745158990.1861044.1516526258657.ref@mail.yahoo.com> <1745158990.1861044.1516526258657@mail.yahoo.com> <1573618343.1905908.1516537177732@mail.yahoo.com>
Message-ID: <1272807275.3514626.1517857054027@mail.yahoo.com>

Hello,

I'm coming back after trying to invalidate the token.

I have implemented the steps written in the previous mail and the token has been successfully invalidated and it was no longer possible to access the REST services using it.

The problem with this workflow is the fact that all tokens that have been generated before that "not_before" field are invalidated. In my case this isn't correct because I must support multiple users logged in at the same time.

I have also tried to implement the same steps by executing the revocation endpoint for a specific client application (instead of using it on a realm level (eg. http://localhost:8180/auth/admin/realms/demo/clients/{client_id} and http://localhost:8180/auth/admin/realms/demo/push-revocation) but this doesn't seem to work because the users can still access the REST services (but I don't think this will work either for my case).

Is there a way to invalidate only one specific token so that the REST services are not accessible anymore using that specific token?

Thank you,
Dan Nemes

On Sunday, January 21, 2018 4:57 PM, Sebastien Blanc wrote:

Hi,

Thx a lot for the sample, I could reproduce your issue. Keep in mind that your bearer-only app just verifies the signature of the token, it has no session with your kc server.
It will validate it until it's valid (if you wait the access token lifespan (5min by default) you will see it does not work anymore).

So how to invalidate the token ?
1. Be sure to set an admin URL for your bearer client : http://localhost:8080/TestRestProject/rest/service
2. Then after you do the logout, you must also invoke the revocation endpoint :
  2.1 You can do that through the admin console in sessions > revocation and you push the new notBefore value
  2.2 You use the admin REST endpoint to invalidate the token, it's a 2 step flow : update the notBefore value of the realm by doing a PUT on the realm and then calling the POST revocation endpoint. Check the network console of your browser to see the flow when you are in the admin console and check the admin REST doc)

Hope this helps,

Sebi

On Sun, Jan 21, 2018 at 1:19 PM, Dan Nemes wrote:

Hello,

Thank you for your quick response.

I am using keycloak-3.4.0 and wildfly-10.1.0.Final.
I have just added on github the projects I have created for working with keycloak. You can find them here: https://github.com/NemesDan/keycloak

Please note that these projects have been started as a POC of how keycloak can be used so there are other functions that are out of the scope of the problem I'm having. I am still in the learning phase of how keycloak can be used at its full potential.

There are multiple maven projects on this branch.
1. Project GSDKeycloakProject with 3 modules: customer-app, product-app and database-service. The last mentioned module is the bearer-only application in which the REST services are implemented.
   database-service: contains two classes ProductService and CustomerService which implement REST services that are accessible only to logged users that have the correct role assigned.
2. KeycloakAccess - should be ignored, out of the scope of the problem
3. RestClientApplication - a maven web project in which the entire workflow is implemented. This simulates a client application that will login a user using keycloak, retrieve a token and use that token to access the "database-service" bearer-only application.
   In class RestService you can find the following implemented REST web services
   3.1 GET request on http://localhost:8080/TestRestProject/rest/service/login -> redirects the user to the keycloak login page to perform the login. After login, keycloak redirects the user to http://localhost:8080/TestRestProject/rest/service/user_logged_in. At this point the code is exchanged for a token.
   3.2 GET request on http://localhost:8080/TestRestProject/rest/service/call_database/{param}
       - {param} could be either products or customers
       - this web service call will use the token from step 3.1 to access the database-service bearer only REST services
   3.3 GET request on {URL}/logout or {URL}/logout_2
       - these requests were created in order to test the logout functionality but it seems that the database-service REST services are still accessible after the logout has been performed which after my knowledge means that the token has not been invalidated

The key point of these projects is to avoid using any keycloak classes to implement the client application because we do not want to force the clients to use a specific library.

If I missed something please let me know.
I appreciate your help.

Thank you,
Dan Nemes

On Sunday, January 21, 2018 12:11 PM, Sebastien Blanc wrote:

Hi,
Which version of Keycloak are you using ? Which adapters are you using for the client and bearer-only apps ? We need this info.
And yes sharing your project (through github for instance) could be really helpful.

On Sun, Jan 21, 2018 at 10:17 AM, Dan Nemes wrote:

Hello,

I am unable to log out a user.
The logout works for "confidential" applications but it doesn't for a "bearer-only" application (the REST services are still accessible after logout).

I have the following configuration:
  - I have one "database" client application defined in Keycloak having access type "bearer-only" (created with the intent of exposing REST web services protected by Keycloak based on user roles)
  - I have one "rest_service" client application defined in keycloak having access type "confidential" (created with the intent of logging in users and allowing access to the "bearer-only" REST services after a successful login). The below described workflow is implemented in this application using REST web services

I am performing the following steps:
  - An http GET request is performed on URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth which redirects the user to the login page handled by Keycloak
  - The user performs the login using his credentials (using the credentials of a user defined in Keycloak)
  - Keycloak redirects the user to the "redirect_uri" which was passed in step 1. In this step Keycloak also provides as request parameters the "state" and "code" values.
  - After the user has been redirected back to the application I exchange the "code" received in step 3 for a token doing a POST request on http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which is done successfully
  - After the access token is available I proceed to access the "bearer-only" REST web services.

note: the REST web services exposed by the "bearer-only" service are not accessible unless the user has been logged in and it has the correct "role" assigned to it.

Problem: As stated at the start of the post the user is still able to access the "bearer-only" REST web services after the logout has been done.
The only thing that seems to work is the logout from the "confidential" application (the user is not able to access the application unless he logs in again). If I perform the logout of the user then the REST web services exposed by the bearer-only application are still accessible. In the Keycloak server I get the following WARN message: "Some clients have been not been logged out for user adminuser in demo realm: rest_service"

I tried implementing the logout in three ways:
  - A redirect to URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the redirect_uri and client_id parameters
  - A POST request to http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the Authorization Bearer in the header and the client_id, refresh_token, client_secret and redirect_uri
  - A REST service exposed by the "bearer-only" service which does the following method call: HttpServletRequest request.logout()

Neither of the above methods is working.

PS: I did not want to go into too many details because even so the post is long enough. If I missed something please tell me and I will provide the additional information (if possible I can also attach the actual projects)

Thank you,
Dan Nemes

From celso.agra at gmail.com Mon Feb 5 15:52:27 2018
From: celso.agra at gmail.com (Celso Agra)
Date: Mon, 5 Feb 2018 17:52:27 -0300
Subject: [keycloak-user] (no subject)

I'm really sorry. I forgot to set a subject in this email.
Also, I was doing something wrong, I was just subscribing the user attributes on LDAP. For now I solved that using the code below:

    // needs java.util.Map, List, ArrayList and HashMap
    Map<String, List<String>> attributes = userRepresentation.getAttributes();
    if (attributes == null) attributes = new HashMap<>(); // user without attributes yet
    List<String> values = new ArrayList<>();
    values.add(attr);
    attributes.put("LDAPAttribute", values);   // keeps the other attributes (LDAP mapper ones included)
    userRepresentation.setAttributes(attributes);

Best Regards,
Celso Agra

2018-02-05 9:16 GMT-03:00 Celso Agra :
> All,
>
> Please. need some help on admin client. I'm trying change a LDAP attribute
> from my Keycloak server. When I change this info, my user just disappear
> from Keycloak, and I have to synchronize it again.
>
> Am I doing something wrong?
>
> Here is my code below:
>
> public void setAttribute(String id, String attr) {
>     RealmResource realmResource = keycloak.realm(properties.getKeycloakAppRealm());
>     UserResource userResource = realmResource.users().get(id);
>     UserRepresentation userRepresentation = userResource.toRepresentation();
>     userRepresentation.setAttributes(mapAttribute("LDAPAttribute", attr));
>     userResource.update(userRepresentation);
> }
>
> PS.: this info is set on LDAP user when I call this method, but it looks
> like the user is removed or unsynck from keycloak.
>
> PS.2: I'm using slapd (openLDAP)
>
> Best Regards,
>
> --
> ---
> *Celso Agra*

--
---
*Celso Agra*

From rkgunnam120 at gmail.com Mon Feb 5 16:04:13 2018
From: rkgunnam120 at gmail.com (Ravi Kiran)
Date: Mon, 5 Feb 2018 14:04:13 -0700
Subject: [keycloak-user] Client specific enumerated roles

Currently in our application we use LDAP and each LDAP role is mapped to multiple CRUD permission roles within the application. For example the HUMAN_RESOURCE_DIRECTOR role in LDAP is mapped to CREATE_Employee, Update_Employee, Read_Department etc. We are adding these enumerated roles by extending LdapExtLoginModule. Now we are planning to switch to Keycloak (rh-sso), what is the best approach to achieve this?
According to the issue https://issues.jboss.org/browse/KEYCLOAK-1382, it looks like extending LoginModule is not an option.

Thank you and appreciate it.

From adr_gonzalez at yahoo.fr Tue Feb 6 05:53:08 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Tue, 6 Feb 2018 10:53:08 +0000 (UTC)
Subject: [keycloak-user] Email verification before user registration
References: <1889320015.6330672.1517914388408.ref@mail.yahoo.com>
Message-ID: <1889320015.6330672.1517914388408@mail.yahoo.com>

Hello,

Is there a way to verify user email before completing the user registration ?

Thanks for the tips !

P.S. I've tried to create custom FormAuthenticator and FormAction to display a first page in Registration Flow, and send a verification email, but I'd need to resume the registration flow when the user clicks on an email link (and I don't know how). So I suppose this is not the way to go.

From samikader at hotmail.com Tue Feb 6 06:06:00 2018
From: samikader at hotmail.com (abdelkader samir)
Date: Tue, 6 Feb 2018 11:06:00 +0000
Subject: [keycloak-user] avoiding save external-Provider-Users localy

Hi all,

We are currently using a Keycloak (3.3.0.Final), there you are binding an external sso Provider as "Identity Providers". Until now everything is working fine.
Now we figured out that Keycloak is saving the user in its local database (see http://www.keycloak.org/docs/3.0/server_admin/topics/identity-broker/first-login-flow.html).
According to the Keycloak documentation Keycloak needs the local users, but we don't know why. Is it possible to avoid saving the user in Keycloak?

Thanks and regards
Adam

From aabella at bkool.com Tue Feb 6 06:09:02 2018
From: aabella at bkool.com (Angel Abella)
Date: Tue, 6 Feb 2018 12:09:02 +0100
Subject: [keycloak-user] cache replication problems?

Hello,

We have a 2 server standalone-ha installation.
When the number of sessions alive increases we get these errors:

2018-02-06 11:42:07,161 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-22) ISPN000136: Error executing command PutKeyValueCommand, writing keys [f75b436f-d316-4442-8d9b-c7313647c5b8]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,162 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-22) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,166 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-17) ISPN000136: Error executing command RemoveCommand, writing keys [0d8d4c5c-7971-46dd-b414-cb5f16862085]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,171 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-11) ISPN000136: Error executing command PutKeyValueCommand, writing keys [dfd69644-e241-465c-8a92-ef84e76caf62]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,173 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-11) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
2018-02-06 11:42:07,205 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-17) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
    at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
    at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
    at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
    at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
    at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
    at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)

Any idea of what's going on?

--
Angel Abella
IT
BKOOL Connect | Sport
mail: aabella at bkool.com
mob: +34 691 77 18 98
add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
www.bkool.com

From corentin.dupont at gmail.com Tue Feb 6 06:09:08 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 6 Feb 2018 12:09:08 +0100
Subject: [keycloak-user] backup strategy

Hi guys,
I wonder what the backup strategy is? Is it good practice to export regularly all Keycloak configuration?
I can export with the command:

./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777

It exports the current configuration (realms, users...). I set different ports so it can run concurrently with the running instance of keycloak.
I can set a cron job with the command, but unfortunately this command needs to be stopped by Ctrl-C.
-> How to make it stop after the export?

Other question, the export needs to be run on the same container as Keycloak, but this is not very practical in a Cloud setting. I use Amazon ECS, so I have to log in the VM and then the container. I have then to extract the file with various scp. Is there any way to make this easier (i.e. with an API command)?

Cheers
Corentin

From sblanc at redhat.com Tue Feb 6 07:31:21 2018
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 6 Feb 2018 13:31:21 +0100
Subject: [keycloak-user] Keycloak logout not working for “bearer-only” application exposing REST services
In-Reply-To: <1272807275.3514626.1517857054027@mail.yahoo.com>
References: <1745158990.1861044.1516526258657.ref@mail.yahoo.com> <1745158990.1861044.1516526258657@mail.yahoo.com> <1573618343.1905908.1516537177732@mail.yahoo.com> <1272807275.3514626.1517857054027@mail.yahoo.com>

yeah with Keycloak you can not invalidate a particular token that would be too much state to handle for the server.

On Mon, Feb 5, 2018 at 7:57 PM, Dan Nemes wrote:
> Hello,
>
> I'm coming back after trying to invalidate the token.
>
> I have implemented the steps written in the previous mail and the token
> has been successfully invalidated and it was no longer possible to access
> the REST services using it.
>
> The problem with this workflow is the fact that all tokens that have been
> generated before that "not_before" field are invalidated. In my case this
> isn't correct because I must support multiple users logged in at the same
> time.
>
> I have also tried to implement the same steps by executing the revocation
> endpoint for a specific client application (instead of using it on a realm
> level (eg. http://localhost:8180/auth/admin/realms/demo/clients/{client_id}
> and http://localhost:8180/auth/admin/realms/demo/push-revocation) but this
> doesn't seem to work because the users can still access the REST services
> (but I don't think this will work either for my case).
>
> Is there a way to invalidate only one specific token so that the REST
> services are not accessible anymore using that specific token?
>
> Thank you,
> Dan Nemes
>
>
>
> On Sunday, January 21, 2018 4:57 PM, Sebastien Blanc wrote:
>
>
> Hi,
>
> Thx a lot for the sample, I could reproduce your issue. Keep in mind that
> your bearer-only app just verifies the signature of the token, it has no
> session with your kc server. It will validate it until it's valid (if you
> wait the access token lifespan (5min by default) you will see it does not
> work anymore).
>
> So how to invalidate the token?
> 1. Be sure to set an admin URL for your bearer client:
> http://localhost:8080/TestRestProject/rest/service
> 2. Then after you do the logout, you must also invoke the revocation
> endpoint:
> 2.1 You can do that through the admin console in sessions > revocation
> and you push the new notBefore value
> 2.2 You use the admin REST endpoint to invalidate the token, it's a 2
> step flow: update the notBefore value of the realm by doing a PUT on the
> realm and then calling the POST revocation endpoint.
> Check the network console of your browser to see the flow when you are in
> the admin console and check the admin REST doc)
>
> Hope this helps,
>
> Sebi
>
>
> On Sun, Jan 21, 2018 at 1:19 PM, Dan Nemes wrote:
>
> Hello,
>
> Thank you for your quick response.
>
> I am using keycloak-3.4.0 and wildfly-10.1.0.Final.
> I have just added on github the projects I have created for working with
> keycloak. You can find them here: https://github.com/NemesDan/keycloak
>
>
> Please note that these projects have been started as a POC of how keycloak
> can be used so there are other functions that are out of the scope of the
> problem I'm having. I am still in the learning phase of how keycloak can be
> used at its full potential.
>
>
> There are multiple maven projects on this branch.
> 1. Project GSDKeycloakProject with 3 modules: customer-app, product-app
> and database-service. The last mentioned module is the bearer-only
> application in which the REST services are implemented.
> database-service: contains two classes ProductService
> and CustomerService which implement REST services that are accessible only
> to logged users that have the correct role assigned.
>
> 2. KeycloakAccess - should be ignored, out of the scope of the problem
>
> 3. RestClientApplication - a maven web project in which the entire
> workflow is implemented. This simulates a client application that will
> login a user using keycloak, retrieve a token and use that token to access
> the "database-service" bearer-only application.
>
> In class RestService you can find the following implemented REST web
> services
> 3.1 GET request on http://localhost:8080/TestRestProject/rest/service/login
> -> redirects the user to the keycloak login page to perform the login.
> After login, keycloak redirects the user to
> http://localhost:8080/TestRestProject/rest/service/user_logged_in.
> At this point the code is exchanged for token.
> 3.2 GET request on http://localhost:8080/TestRestProject/rest/service/call_database/{param}
> - {param} could be either products or customers
> - this web service call will use the token from step 3.1 to
> access the database-service bearer only REST services
> 3.3 GET request on {URL}/logout or {URL}/logout_2
> - these requests were created in order to test the logout
> functionality but it seems that the database-service REST services are
> still accessible after the logout has been performed which to my
> knowledge means that the token has not been invalidated
>
> The key point of these projects is to avoid using any keycloak classes to
> implement the client application because we do not want to force the
> clients to use a specific library.
>
> If I missed something please let me know.
> I appreciate your help.
>
> Thank you,
> Dan Nemes
>
>
>
> On Sunday, January 21, 2018 12:11 PM, Sebastien Blanc wrote:
>
>
> Hi,
>
> Which version of Keycloak are you using? Which adapters are you using for
> the client and bearer-only apps? We need this info. And yes sharing your
> project (through github for instance) could be really helpful.
>
>
>
> On Sun, Jan 21, 2018 at 10:17 AM, Dan Nemes wrote:
>
> Hello,
> I am unable to logout a user. The logout works for a "confidential"
> application but it doesn't for a "bearer-only" application (the REST
> services are still accessible after logout).
> I have the following configuration:
>
> - I have one "database" client application defined in Keycloak having
> access type "bearer-only" (created with the intent of exposing REST web
> services protected by Keycloak based on user roles)
> - I have one "rest_service" client application defined in keycloak
> having access type "confidential" (created with the intent of logging in
> users and allowing access to the "bearer-only" REST services after a
> successful login).
> The below described workflow is implemented in this
> application using REST web services
> I am performing the following steps:
> - An http GET request is performed on URL
> http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth
> which redirects the user to the login page handled by Keycloak
> - The user performs the login using his credentials (using the
> credentials of a user defined in Keycloak)
> - Keycloak redirects the user to the "redirect_uri" which was passed in
> step 1. In this step Keycloak also provides as request parameters the
> "state" and "code" values.
> - After the user has been redirected back to the application I exchange
> the "code" received in step 3 for a token doing a POST request on
> http://localhost:8180/auth/realms/demo/protocol/openid-connect/token
> which is done successfully
> - After the access token is available I proceed to access the
> "bearer-only" REST web services.
> note: the REST web services exposed by the "bearer-only" service are not
> accessible unless the user has been logged in and has the correct "role"
> assigned to it.
> Problem: As stated at the start of the post the user is
> still able to access the "bearer-only" REST web services after the logout
> has been done. The only thing that seems to work is the logout from the
> "confidential" application (the user is not able to access the application
> unless he logs in again). If I perform the logout of the user then the REST
> web services exposed by the bearer-only application are still accessible.
> In the Keycloak server I get the following WARN message: "Some clients
> have been not been logged out for user adminuser in demo realm:
> rest_service"
> I tried implementing the logout in three ways:
> - A redirect to URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout
> passing in the redirect_uri and client_id parameters
> - A POST request to http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout
> passing in the Authorization Bearer in the header and the client_id, refresh_token,
> client_secret and redirect_uri
> - A REST service exposed by the "bearer-only" service which does the
> following method call: HttpServletRequest request.logout()
> Neither of the above methods is working.
> PS: I did not want to go into too
> many details because even so the post is long enough. If I missed something
> please tell me and I will provide the additional information (if possible I
> can also attach the actual projects)
> Thank you,
> Dan Nemes

From joseph.boctor at syntlogo.de Tue Feb 6 08:12:13 2018
From: joseph.boctor at syntlogo.de (Boctor, Joseph)
Date: Tue, 6 Feb 2018 13:12:13 +0000
Subject: [keycloak-user] Keycloak as an identity provider to Tableau
Message-ID: <3F6648B4B54AF54582921C708D7952C44E6EF1@EX10MBOX1H.hosting.inetserver.de>

I'm trying to use Keycloak as an OpenID Connect Identity provider to a data analysis software called Tableau.
I tried with two different instances of Keycloak.. one is locally hosted, and the other is from the master Realm in a remotely hosted development instance.
I tried creating a Realm for the client, and tried also using the master Realm.. both came with the same result. Each time I get a message telling me that my Identity provider is not reachable.
I tried editing the Keycloak authentication request URL by adding the realm name, since it's not on Tableau's OpenID Connect setup (see screenshot), with no use.

Am I missing something? Or doing something wrong?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 14116 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180206/35b4b232/attachment-0001.png

From jonas.schoenenberger at gmail.com Tue Feb 6 08:15:55 2018
From: jonas.schoenenberger at gmail.com (Jonas Schönenberger)
Date: Tue, 6 Feb 2018 14:15:55 +0100
Subject: [keycloak-user] "Default" Client Template
Message-ID:

Hi everyone

Is it possible to define a default client template that every new dynamic client (OpenID Connect Dynamic Client Registration) receives during registration?

Thank you for your help and Best Regards
Jonas

From jonas.schoenenberger at gmail.com Tue Feb 6 08:22:11 2018
From: jonas.schoenenberger at gmail.com (Jonas Schönenberger)
Date: Tue, 6 Feb 2018 14:22:11 +0100
Subject: [keycloak-user] Default Client Template for Dynamic Clients
Message-ID:

Hi everyone

Is it possible to define a default client template that every new dynamic client (OpenID Connect Dynamic Client Registration) receives during registration?

Thank you for your help and Best Regards
Jonas

From jcain at redhat.com Tue Feb 6 09:16:45 2018
From: jcain at redhat.com (Josh Cain)
Date: Tue, 6 Feb 2018 08:16:45 -0600
Subject: [keycloak-user] cache replication problems?
In-Reply-To:
References:
Message-ID: <3e361faf-29ae-6497-794f-231ee78b7a96@redhat.com>

I'd start checking your resources - are the boxes under heavy load? What about the Infinispan caches?

We saw some increased timeouts for a spell as a function of load and had to do some JVM + Cache tuning to make sure they were sized properly for our workload.
Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com IRC: jcain

On 02/06/2018 05:09 AM, Angel Abella wrote:
> Hello,
>
> We have a 2 server standalone-ha installation. When the number of sessions
> alive increases we get these errors:
>
> [...]
>
> Any idea of what's going on?
From aabella at bkool.com Tue Feb 6 09:24:21 2018
From: aabella at bkool.com (Angel Abella)
Date: Tue, 6 Feb 2018 15:24:21 +0100
Subject: [keycloak-user] cache replication problems?
In-Reply-To: <3e361faf-29ae-6497-794f-231ee78b7a96@redhat.com>
References: <3e361faf-29ae-6497-794f-231ee78b7a96@redhat.com>
Message-ID:

Yes, they are under heavy load. Is there some kind of guide for that kind of tuning I can read?

2018-02-06 15:16 GMT+01:00 Josh Cain :
> I'd start checking your resources - are the boxes under heavy load?
> What about the Infinispan caches?
>
> We saw some increased timeouts for a spell as a function of load and had
> to do some JVM + Cache tuning to make sure they were sized properly for
> our workload.
>
> Josh Cain
> Senior Software Applications Engineer, RHCE
> Red Hat North America
> jcain at redhat.com IRC: jcain
>
> On 02/06/2018 05:09 AM, Angel Abella wrote:
> > Hello,
> >
> > We have a 2 server standalone-ha installation. When the number of
> > sessions alive increases we get these errors:
> >
> > [...]
> >
> > Any idea of what's going on?
>

--
Angel Abella
IT | BKOOL Connect | Sport
mail: aabella at bkool.com
mob: +34 691 77 18 98
add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
www.bkool.com

From dz at scoutsengidsenvlaanderen.be Tue Feb 6 09:26:52 2018
From: dz at scoutsengidsenvlaanderen.be (Daan Zwaenepoel)
Date: Tue, 6 Feb 2018 15:26:52 +0100
Subject: [keycloak-user] Add provider to flow
Message-ID: <593527f9-ddbb-557b-20e4-90c8d34ce940@scoutsengidsenvlaanderen.be>

Hi,

I am building a custom registration flow in our keycloak app. What I already did is write a new provider that implements FormAction and FormActionFactory. I also did add a new flow in the admin panel.
The problem I have is that I don't know how to link my flow to my new provider (it doesn't show up in the drop-down when I do "Add execution"). Do I need to add something to standalone.xml, or am I missing something bigger?

The documentation is not very useful; from http://www.keycloak.org/docs/3.3/server_development/topics/auth-spi.html: "I'm hoping the UI is intuitive enough so that you can figure out for yourself how to create a flow and add the FormAction."

Thanks
Daan

From logan.hauspie.pro at gmail.com Tue Feb 6 09:39:17 2018
From: logan.hauspie.pro at gmail.com (Logan HAUSPIE)
Date: Tue, 6 Feb 2018 15:39:17 +0100
Subject: [keycloak-user] Wrap a Legacy Identification / Authentication Service
Message-ID:

Hello there,

I'm a French guy, so forgive my poor English. I'm very new to Keycloak. I know a bit about OAuth2 but I'm not used to tweaking it with Plugins/Providers/Mappers and so on. So maybe you could help me.

My Legacy Service
-------------------------------------------------------------------
Input (application/x-www-form-urlencoded):
  login
  password
  flag

Output JSON:

{
  "identity": {
    "civilite": "Mr",
    "email": "",
    "iad": "USER_IDENTIFIER",
    "mes": "",
    "nom": "HAUSPIE",
    "prenom": "Logan",
    "rcd": "ACC",
    "sid": "0MZvh5mJVfQ5sPsZS10JW6mcTQPGxJSJzy2J6" <1>
  }
}

<1> This is the JSessionID, so it's session-specific data, not user-specific data

or this one if something goes wrong:

{
  "identity": {
    "rcd": "ERR"
  }
}

My purpose is to implement OAuth2 (OIDC) based on my legacy service without modifying it and without migrating all my users to Keycloak local storage. I also want to add all these properties (especially sid) to the access token at `LOGIN` time, but that's maybe another topic, or not.
My Keycloak installation
-------------------------------------------------------------------
Version 3.4.3.Final with Docker
Java 8 developer

What I've already tried
-------------------------------------------------------------------
I found some information about that here:
- https://github.com/keycloak/keycloak/tree/master/examples/providers
- http://lists.jboss.org/pipermail/keycloak-user/2016-June/006470.html (too old to be useful because it deals with UserFederationProvider, which does not exist anymore in 3.4.3.Final)
- https://github.com/Smartling/keycloak-user-migration-provider (too old to be useful, for the same reason)

Authenticator doesn't seem to be what I need (according to this maybe-too-old answer: http://lists.jboss.org/pipermail/keycloak-user/2016-June/006470.html) because I don't want to add any additional authentication information/form. Maybe I'm wrong.

So according to this documentation about "[migrating from an earlier UserFederationProvider](http://www.keycloak.org/docs/3.4/server_development/#migrating-from-an-earlier-user-federation-spi)" and based on my previous research, I tried to write my own implementation of UserLookupProvider mixed with CredentialInputValidator (a.k.a. UserStorageProvider) to call my legacy service.

The first problem is that when Keycloak calls getUserByUsername it doesn't provide the user password, so I'm not able to get the user information from my legacy service at that time.
The second problem is that getUserByUsername is called before isValid, so I can't "store" the user password during the call to isValid in order to use it in getUserByUsername.

Secondary subject
-------------------------------------------------------------------
During these tries, I tested injecting a random JSessionID into the UserModel.attribute map, but this data is "stored" (I don't know how or why).
So when I log in again (using the authorization code grant flow) the getUserByEmail method of my provider is not called again, so the JSessionID is not updated. As far as I understand, adding information inside the UserModel.attribute map makes this information user-specific and not session-specific. I need to call my legacy authentication service on each login to update the JSessionID coming from the legacy service.

My Questions
-------------------------------------------------------------------
Am I on the wrong track about calling my legacy service?
Did I miss something in the identification/authentication sequence of Keycloak?
Is there another way to do what I need to do?
How do I inject session-specific data as a claim inside the JWT?

Thanks in advance for your valuable support.

Best regards,
Logan HAUSPIE

From JTeaw at carbonite.com Tue Feb 6 09:41:12 2018
From: JTeaw at carbonite.com (Justin Teaw)
Date: Tue, 6 Feb 2018 14:41:12 +0000
Subject: [keycloak-user] How do add trusted hosts in client registration->client registration policies->Trusted hosts using kcadm.bat
Message-ID:

Hi,

I want to be able to add trusted hosts using kcadm. Does anyone have any idea?

Thanks,
Justin

This message is the property of CARBONITE, INC. and may contain confidential or privileged information. If this message has been delivered to you by mistake, then do not copy or deliver this message to anyone. Instead, destroy it and notify me by reply e-mail.

From corentin.dupont at gmail.com Tue Feb 6 10:05:07 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 6 Feb 2018 16:05:07 +0100
Subject: [keycloak-user] backup strategy
In-Reply-To:
References:
Message-ID:

Another question: can I import a configuration into Keycloak while it is running, or do I need to stop it?

On Tue, Feb 6, 2018 at 12:09 PM, Corentin Dupont wrote:
> Hi guys,
> I wonder what the backup strategy is?
> Is it good practice to export regularly all Keycloak configuration?
>
> I can export with the command:
> ./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777
>
> It exports the current configuration (realms, users...).
> I set different ports so it can run concurrently with the running instance of Keycloak.
> I can set up a cron job with the command, but unfortunately this command needs to be stopped with Ctrl-C.
>
> -> How to make it stop after the export?
>
> Other question: the export needs to be run in the same container as Keycloak, but this is not very practical in a Cloud setting. I use Amazon ECS, so I have to log in to the VM and then to the container. I then have to extract the file with various scp.
> Is there any way to make this easier (i.e. with an API command)?
>
> Cheers
> Corentin
>

From bburke at redhat.com Tue Feb 6 13:00:23 2018
From: bburke at redhat.com (Bill Burke)
Date: Tue, 6 Feb 2018 13:00:23 -0500
Subject: [keycloak-user] Keycloak as an identity provider to Tableau
In-Reply-To: <3F6648B4B54AF54582921C708D7952C44E6EF1@EX10MBOX1H.hosting.inetserver.de>
References: <3F6648B4B54AF54582921C708D7952C44E6EF1@EX10MBOX1H.hosting.inetserver.de>
Message-ID:

You are running on your PC or laptop? Then you have to do standalone.sh -b X.X.X.X where X.X.X.X is the IP address of your laptop. By default, Keycloak binds to localhost.

On Tue, Feb 6, 2018 at 8:12 AM, Boctor, Joseph wrote:
> I'm trying to use Keycloak as an OpenID Connect Identity provider to a data analysis software called Tableau. I tried with two different instances of Keycloak: one is locally hosted, and the other is the master Realm in a remotely hosted development instance.
> I tried creating a Realm for the client, and also tried using the master Realm; both came back with the same result.
> Each time I get a message telling me that my Identity provider is not reachable.
> I tried editing the Keycloak authentication request URL by adding the realm name, since it's not in Tableau's OpenID Connect setup (see screenshot), to no avail.
> [inline screenshot: image001.png]
> Am I missing something? Or doing something wrong?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
Red Hat

From bburke at redhat.com Tue Feb 6 13:04:35 2018
From: bburke at redhat.com (Bill Burke)
Date: Tue, 6 Feb 2018 13:04:35 -0500
Subject: [keycloak-user] "Default" Client Template
In-Reply-To:
References:
Message-ID:

No. We will be doing work in this area soon. I'm thinking of renaming templates to "Client Scope" and allowing clients to inherit from multiple scopes. A client scope would only be able to specify allowed roles, groups, attributes and protocol mappers; no other config options. We would also do away with per-role and per-protocol-mapper consent messages and instead allow the scope and/or client to define the consent message to give to the user. All this to support the OIDC scope parameter better.

I think a default scope would be an important addition.

On Tue, Feb 6, 2018 at 8:15 AM, Jonas Schönenberger wrote:
> Hi everyone
>
> Is it possible to define a default client template that every new dynamic client (OpenID Connect Dynamic Client Registration) receives during registration?
>
> Thank you for your help and Best Regards
> Jonas
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Bill Burke
Red Hat

From rkgunnam120 at gmail.com Tue Feb 6 13:20:01 2018
From: rkgunnam120 at gmail.com (Ravi Kiran)
Date: Tue, 6 Feb 2018 11:20:01 -0700
Subject: [keycloak-user] Client specific enumerated roles
In-Reply-To:
References:
Message-ID:

I am sorry, but I forgot to mention in my mail that the client is running in an EAP7 environment.

Original Question:

Currently in our application we use LDAP, and each LDAP role is mapped to multiple CRUD permission roles within the application. For example, the HUMAN_RESOURCE_DIRECTOR role in LDAP is mapped to CREATE_Employee, Update_Employee, Read_Department, etc. We are adding these enumerated roles by extending LdapExtLoginModule.

Now we are planning to switch to Keycloak (rh-sso); what is the best approach to achieve this? According to the issue https://issues.jboss.org/browse/KEYCLOAK-1382, it looks like extending LoginModule is not an option.

Also, so far I have tried to override the WildFly request authenticator but ran into class loading issues.
Here are code snippets for the overridden implementations:

import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Collection;

import com.google.common.collect.Lists;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.api.ConfidentialPortManager;
import io.undertow.servlet.api.DeploymentInfo;
import org.jboss.logging.Logger;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.NodesRegistrationManagement;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.undertow.KeycloakServletExtension;
import org.keycloak.adapters.undertow.ServletKeycloakAuthMech;
import org.keycloak.adapters.undertow.ServletRequestAuthenticator;
import org.keycloak.adapters.undertow.UndertowHttpFacade;
import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
import org.keycloak.adapters.wildfly.WildflyAuthenticationMechanism;
import org.keycloak.adapters.wildfly.WildflyKeycloakServletExtension;
import org.keycloak.adapters.wildfly.WildflyRequestAuthenticator;
// The imports above assume the standard Keycloak WildFly/Undertow adapter packages.

// Servlet extension that swaps in the custom authentication mechanism for the deployment.
public class CustomWildflyKeycloakServletExtension extends KeycloakServletExtension {

    protected static Logger log = Logger.getLogger(WildflyKeycloakServletExtension.class);

    @Override
    protected ServletKeycloakAuthMech createAuthenticationMechanism(
            DeploymentInfo deploymentInfo,
            AdapterDeploymentContext deploymentContext,
            UndertowUserSessionManagement userSessionManagement,
            NodesRegistrationManagement nodesRegistrationManagement) {
        log.info("Creating CustomWildflyKeycloakServletExtension");
        return new CustomWildflyAuthenticationMachanism(deploymentContext, userSessionManagement,
                nodesRegistrationManagement, deploymentInfo.getConfidentialPortManager(),
                getErrorPage(deploymentInfo));
    }
}

--------

// Authentication mechanism that hands each request to the custom request authenticator.
public class CustomWildflyAuthenticationMachanism extends WildflyAuthenticationMechanism {

    public CustomWildflyAuthenticationMachanism(AdapterDeploymentContext deploymentContext,
            UndertowUserSessionManagement userSessionManagement,
            NodesRegistrationManagement nodesRegistrationManagement,
            ConfidentialPortManager portManager, String errorPage) {
        super(deploymentContext, userSessionManagement, nodesRegistrationManagement, portManager, errorPage);
    }

    @Override
    protected ServletRequestAuthenticator createRequestAuthenticator(KeycloakDeployment deployment,
            HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade) {
        int confidentialPort = getConfidentilPort(exchange);
        AdapterTokenStore tokenStore = getTokenStore(exchange, facade, deployment, securityContext);
        return new CustomWildflyRequestAuthenticator(facade, deployment, confidentialPort,
                securityContext, exchange, tokenStore);
    }
}

--------

// Request authenticator where the token's roles are turned into WildFly role groups.
public class CustomWildflyRequestAuthenticator extends WildflyRequestAuthenticator {

    public CustomWildflyRequestAuthenticator(HttpFacade facade, KeycloakDeployment deployment,
            int sslRedirectPort, SecurityContext securityContext, HttpServerExchange exchange,
            AdapterTokenStore tokenStore) {
        super(facade, deployment, sslRedirectPort, securityContext, exchange, tokenStore);
    }

    @Override
    protected Group[] getRoleSets(Collection<String> roleSet) {
        ArrayList<Group> groups = Lists.newArrayList(super.getRoleSets(roleSet));
        // Planning to add client specific roles here.
        return groups.toArray(new Group[0]);
    }
}

But I ran into some class loading issues [I have checked the modules that were added as part of the adapter and see that all the jars exist]. I am not sure what the issue could be here:

10:33:05,230 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 67) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./eligibility: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./eligibility: java.lang.NoClassDefFoundError: org/keycloak/adapters/spi/HttpFacade
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [rt.jar:1.8.0_131-1-redhat]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266) [rt.jar:1.8.0_131-1-redhat]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_131-1-redhat]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_131-1-redhat]
    at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_131-1-redhat]
    at org.jboss.threads.JBossThread.run(JBossThread.java:320) [jboss-threads-2.2.1.Final-redhat-1.jar:2.2.1.Final-redhat-1]
Caused by: java.lang.NoClassDefFoundError: org/keycloak/adapters/spi/HttpFacade
    at org.test.keycloak.adapters.CustomWildflyKeycloakServletExtension.createAuthenticationMechanism(CustomWildflyKeycloakServletExtension.java:21)
    at org.keycloak.adapters.undertow.KeycloakServletExtension.handleDeployment(KeycloakServletExtension.java:144)
    at io.undertow.servlet.core.DeploymentManagerImpl.handleExtensions(DeploymentManagerImpl.java:252)
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:152)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.ClassNotFoundException: org.keycloak.adapters.spi.HttpFacade from [Module "deployment.eligibility.war:main" from Service Module Loader]
    at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:196) [jboss-modules.jar:1.5.3.Final-redhat-1]
    at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) [jboss-modules.jar:1.5.3.Final-redhat-1]
    at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) [jboss-modules.jar:1.5.3.Final-redhat-1]
    at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) [jboss-modules.jar:1.5.3.Final-redhat-1]
    ... 12 more

The other option is to add a custom SPI implementation. But I wanted to make sure that I am on the right path here.

Thank you very much, and I highly appreciate any help.

Thanks,
Ravi G.

On Feb 5, 2018 2:04 PM, "Ravi Kiran" wrote:

Currently in our application we use LDAP, and each LDAP role is mapped to multiple CRUD permission roles within the application. For example, the HUMAN_RESOURCE_DIRECTOR role in LDAP is mapped to CREATE_Employee, Update_Employee, Read_Department, etc. We are adding these enumerated roles by extending LdapExtLoginModule.

Now we are planning to switch to Keycloak (rh-sso); what is the best approach to achieve this? According to the issue https://issues.jboss.org/browse/KEYCLOAK-1382, it looks like extending LoginModule is not an option.

Thank you, and I appreciate it.
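As an added illustration (not code from this thread or from the Keycloak project), the following Keycloak realm-import fragment expresses the same coarse-to-fine role mapping without any custom adapter code: the LDAP role HUMAN_RESOURCE_DIRECTOR becomes a composite realm role whose members are the fine-grained permission roles, and the employee permissions are defined as client roles on the application client so they stay client-specific. The realm name hr-realm, the redirect URI and the client id eligibility (taken from the deployment name in the stack trace) are assumptions; the LDAP user-storage provider and its role mapper, which would assign HUMAN_RESOURCE_DIRECTOR to the user, are not shown.

```json
{
  "realm": "hr-realm",
  "roles": {
    "realm": [
      {
        "name": "HUMAN_RESOURCE_DIRECTOR",
        "description": "Coarse role assigned from LDAP; a composite that expands to the fine-grained permissions",
        "composite": true,
        "composites": {
          "realm": [ "Read_Department" ],
          "client": {
            "eligibility": [ "CREATE_Employee", "Update_Employee" ]
          }
        }
      },
      {
        "name": "Read_Department",
        "description": "Realm-wide read permission shared by several applications"
      }
    ],
    "client": {
      "eligibility": [
        { "name": "CREATE_Employee", "description": "Client-specific permission; only meaningful to the eligibility application" },
        { "name": "Update_Employee", "description": "Client-specific permission; only meaningful to the eligibility application" }
      ]
    }
  },
  "clients": [
    {
      "clientId": "eligibility",
      "description": "Assumed client id, taken from the deployment name ./eligibility in the log; not from the thread",
      "enabled": true,
      "publicClient": false,
      "bearerOnly": false,
      "standardFlowEnabled": true,
      "directAccessGrantsEnabled": false,
      "fullScopeAllowed": true,
      "redirectUris": [ "https://eligibility.example.com/*" ]
    }
  ]
}
```

With this in place a user who holds HUMAN_RESOURCE_DIRECTOR receives the expanded roles in the token: Read_Department under realm_access.roles and CREATE_Employee/Update_Employee under resource_access.eligibility.roles, so the stock WildflyRequestAuthenticator already produces the right role groups and nothing needs to be overridden. Two things to check: the client must be allowed to see those roles (fullScopeAllowed as above, or the roles added explicitly to the client's scope), and the adapter's keycloak.json needs use-resource-role-mappings set to true if the application should be authorized on the client roles rather than the realm roles.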
From to_sud at yahoo.com Tue Feb 6 13:25:12 2018
From: to_sud at yahoo.com (Sud Ramasamy)
Date: Tue, 6 Feb 2018 13:25:12 -0500
Subject: [keycloak-user] sessions when using prompt=login
Message-ID:

When using the OIDC prompt=login URL parameter I'm able to successfully get Keycloak to force the user to authenticate even if he/she had previously authenticated. But I noticed that when the user re-authenticates, the session associated with the previous authentication in Keycloak is replaced with a new session. This would break the first client, no?

For example, the user authenticates in Keycloak via client1, which establishes session1 (and associated RefreshToken1). The user then attempts to access client2, which also redirects to Keycloak with prompt=login by design. The user, as expected, is forced to re-authenticate in Keycloak. Upon successful authentication Keycloak zaps session1 and creates a new user session (session2, with new associated RefreshToken2) associated with client2. Now RefreshToken1 in client1, which is associated with session1 in Keycloak, is no longer valid, and attempts by client1 to get a new access token based on RefreshToken1 will fail, requiring authentication.

Is this expected when using prompt=login? It seems like when using prompt=login we cannot use the access token as a bearer token to pass to downstream resource servers for authentication purposes. This is our primary use case, i.e. to have the user required to authenticate when they access each client and use the access token in each client as a bearer token for backend service authentication. It doesn't seem like this use case is supported. Is this the right assessment? It does feel like I'm missing something. Shouldn't it be possible to have Keycloak track a user session per client that the user authenticates for?
-sud

From knikolla at bu.edu Tue Feb 6 13:26:14 2018
From: knikolla at bu.edu (Kristi Nikolla)
Date: Tue, 6 Feb 2018 13:26:14 -0500
Subject: [keycloak-user] SAML doesn't work when logging in through Identity Providers
Message-ID: <37A6BBFA-3575-4EAF-90BE-F1CC6B61A511@bu.edu>

Hi,

I've recently set up Keycloak for SSO in our organization. I'm using two docker containers in standalone-ha with Apache as a proxy. I've allowed GitHub and an external SAML provider for logging in, and everything works fine. Users are able to log in to the account page, and log in to our OpenID Connect and OAuth2 clients.

The issue is when using a SAML client.

Login works perfectly fine with SAML/Shibboleth when using the username/password field in Keycloak. It also works perfectly with an existing session regardless of login method.

It doesn't work, however, when login is first initiated through the SAML client with Shibboleth. The user is redirected to Keycloak, they click GitHub/University Login, input their credentials in the external IdP, and come back to Keycloak to be greeted with "An error occurred, please login again through your application." The error is the same regardless of whether GitHub (OAuth) or University Login (SAML) is used, but it works perfectly when using username and password directly in Keycloak.

The only thing that I see in the logs is:
21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code

Even turning on debug logging doesn't provide anything useful.

Thank you,
Kristi Nikolla
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180206/a9c3b1b7/attachment.bin

From d.weirshousky at xsb.com Tue Feb 6 13:51:47 2018
From: d.weirshousky at xsb.com (Drew Weirshousky)
Date: Tue, 6 Feb 2018 12:51:47 -0600 (CST)
Subject: [keycloak-user] SAML doesn't work when logging in through Identity Providers
In-Reply-To: <37A6BBFA-3575-4EAF-90BE-F1CC6B61A511@bu.edu>
References: <37A6BBFA-3575-4EAF-90BE-F1CC6B61A511@bu.edu>
Message-ID: <325396701.27881655.1517943107583.JavaMail.zimbra@xsb.com>

Hi Kristi,

I believe there are some fixes coming for SAML in Keycloak 4.0 related to this. I am assuming you are using Keycloak > 3.2.

Drew Weirshousky

----- Original Message -----
From: "Kristi Nikolla"
To: "keycloak-user"
Sent: Tuesday, February 6, 2018 1:26:14 PM
Subject: [keycloak-user] SAML doesn't work when logging in through Identity Providers

Hi,

I've recently set up Keycloak for SSO in our organization. I'm using two docker containers in standalone-ha with Apache as a proxy. I've allowed GitHub and an external SAML provider for logging in, and everything works fine. Users are able to log in to the account page, and log in to our OpenID Connect and OAuth2 clients.

The issue is when using a SAML client.

Login works perfectly fine with SAML/Shibboleth when using the username/password field in Keycloak. It also works perfectly with an existing session regardless of login method.

It doesn't work, however, when login is first initiated through the SAML client with Shibboleth. The user is redirected to Keycloak, they click GitHub/University Login, input their credentials in the external IdP, and come back to Keycloak to be greeted with "An error occurred, please login again through your application." The error is the same regardless of whether GitHub (OAuth) or University Login (SAML) is used, but it works perfectly when using username and password directly in Keycloak.
The only thing that I see in the logs is:
21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code

Even turning on debug logging doesn't provide anything useful.

Thank you,
Kristi Nikolla

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From knikolla at bu.edu Tue Feb 6 14:06:34 2018
From: knikolla at bu.edu (Kristi Nikolla)
Date: Tue, 6 Feb 2018 14:06:34 -0500
Subject: [keycloak-user] SAML doesn't work when logging in through Identity Providers
In-Reply-To: <325396701.27881655.1517943107583.JavaMail.zimbra@xsb.com>
References: <37A6BBFA-3575-4EAF-90BE-F1CC6B61A511@bu.edu> <325396701.27881655.1517943107583.JavaMail.zimbra@xsb.com>
Message-ID: <7B6CCF87-0D28-49AE-B55D-C948437BD9A8@bu.edu>

Hi Drew,

I'm on 3.4.1.CR1. I'll keep my eyes open for the 4.0 release. Is there an ETA?

Thank you,
Kristi

> On Feb 6, 2018, at 1:51 PM, Drew Weirshousky wrote:
>
> Hi Kristi,
>
> I believe there are some fixes coming for SAML in Keycloak 4.0 related to this. I am assuming you are using Keycloak > 3.2.
>
> Drew Weirshousky
>
> ----- Original Message -----
> From: "Kristi Nikolla"
> To: "keycloak-user"
> Sent: Tuesday, February 6, 2018 1:26:14 PM
> Subject: [keycloak-user] SAML doesn't work when logging in through Identity Providers
>
> Hi,
>
> I've recently set up Keycloak for SSO in our organization. I'm using two docker containers in standalone-ha with Apache as a proxy. I've allowed GitHub and an external SAML provider for logging in, and everything works fine. Users are able to log in to the account page, and log in to our OpenID Connect and OAuth2 clients.
>
> The issue is when using a SAML client.
>
> Login works perfectly fine with SAML/Shibboleth when using the username/password field in Keycloak.
> It also works perfectly with an existing session regardless of login method.
>
> It doesn't work, however, when login is first initiated through the SAML client with Shibboleth. The user is redirected to Keycloak, they click GitHub/University Login, input their credentials in the external IdP, and come back to Keycloak to be greeted with "An error occurred, please login again through your application." The error is the same regardless of whether GitHub (OAuth) or University Login (SAML) is used, but it works perfectly when using username and password directly in Keycloak.
>
> The only thing that I see in the logs is:
> 21:54:01,682 WARN [org.keycloak.events] (default task-30) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=moc, clientId=null, userId=null, ipAddress=155.41.80.192, error=invalid_code
>
> Even turning on debug logging doesn't provide anything useful.
>
> Thank you,
> Kristi Nikolla
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180206/29954da4/attachment.bin

From ryans at jlab.org Tue Feb 6 14:16:32 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 6 Feb 2018 14:16:32 -0500 (EST)
Subject: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?
Message-ID: <1499329272.8253056.1517944592901.JavaMail.zimbra@jlab.org>

I'm following the latest CLI documentation (http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli), but the section about managing Kerberos user storage providers seems to be out of date.
The related REST API documentation (http://www.keycloak.org/docs/latest/server_development/index.html#rest-management-api) points out that major changes occurred after version 2.4.0. In particular, the following command no longer works:

kcadm.sh create user-federation/instances -r demorealm ...

Instead it seems it should be something like the following:

kcadm.sh create components -r demorealm -s parentId=demorealm -s name="kerberos" -s providerId="kerberos" -s providerType="org.keycloak.storage.UserStorageProvider" \
  -s config.enabled=["true"] -s config.allowPasswordAuthentication=["true"] -s config.debug=["false"] -s config.priority=["0"] -s config.updateProfileFirstLogin=["false"]

However, this "create components" command only seems to work if I don't include the following otherwise desirable attributes:

-s config.keyTab=["path-to-keytab"]
-s config.kerberosRealm=["kerberos-realm-name"]
-s config.cachePolicy=["DEFAULT"]
-s config.editMode=["READ_ONLY"]
-s config.serverPrincipal=["http-principal-name"]

Including any one of them results in the server throwing the following exception:

Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token

Further, even if I leave these attributes out and attempt to finish the job using the web console, I noticed the new user storage provider doesn't show up in the list on the web. It DOES show up when queried from the command line with:

kcadm.sh get components -r demorealm

But oddly it doesn't show up if you filter as the web console does with:

kcadm.sh get components -r demorealm -q type=org.keycloak.storage.UserStorageProvider

Any help is appreciated.

Thanks,
Ryan

From sthorger at redhat.com Tue Feb 6 14:23:19 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 6 Feb 2018 20:23:19 +0100
Subject: [keycloak-user] Updated release cadence
Message-ID:

As we've started working in 3-week sprints, we are considering a new release model for Keycloak.
What we are considering is doing a Beta release for every sprint, then for every 4th sprint (each quarter) we plan to do a Final release.

For a Beta release existing features will be considered stable, while new features may not be ready for prime time. The recommendation will still be to always update to the latest release to receive the latest security fixes and other fixes.

However, care should be taken before using new features in production until a Final release is available.

Thoughts?

From psilva at redhat.com Tue Feb 6 14:30:08 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 6 Feb 2018 17:30:08 -0200
Subject: [keycloak-user] Atrributes in resources into Keycloak Authorization services
In-Reply-To:
References:
Message-ID:

Hey Thiago.

Yes, you are not the first one asking for this. I've created https://issues.jboss.org/browse/KEYCLOAK-6529. Could you please fill in that JIRA with more details about your use case and requirements?

Thanks.

On Mon, Jan 22, 2018 at 9:51 AM, Thiago Presa wrote:
> Hi,
>
> We're looking into Keycloak Authorization services, but currently we can't get our heads around configuring in Keycloak a policy for the following authorization requirement:
>
> Suppose we have a corporate Google-docs-like app, where every document has a clearance level (e.g. confidential, internal, public). Every user has their own permission level, which indicates whether the user is allowed to access confidential, internal or public documents.
>
> Could you please advise as to how to implement such requirements in Keycloak Authorization services?
>
> Assuming this isn't currently supported, a simple solution seems to be implementing the ability to set resource attributes and make them available to policy construction. Would you consider implementing such an approach (or any other)?
>
> Best regards,
> Thiago Presa
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From carreraariel at gmail.com Tue Feb 6 14:42:22 2018
From: carreraariel at gmail.com (Ariel Carrera)
Date: Tue, 6 Feb 2018 16:42:22 -0300
Subject: [keycloak-user] Updated release cadence
In-Reply-To:
References:
Message-ID:

+1

2018-02-06 16:23 GMT-03:00 Stian Thorgersen :
> As we've started working in 3-week sprints, we are considering a new release model for Keycloak.
>
> What we are considering is doing a Beta release for every sprint, then for every 4th sprint (each quarter) we plan to do a Final release.
>
> For a Beta release existing features will be considered stable, while new features may not be ready for prime time. The recommendation will still be to always update to the latest release to receive the latest security fixes and other fixes.
>
> However, care should be taken before using new features in production until a Final release is available.
>
> Thoughts?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Ariel Carrera

From lists at merit.unu.edu Tue Feb 6 14:53:22 2018
From: lists at merit.unu.edu (lists)
Date: Tue, 6 Feb 2018 20:53:22 +0100
Subject: [keycloak-user] Updated release cadence
In-Reply-To:
References:
Message-ID: <06f84692-1a93-7c8e-fd71-d7f96e53a22d@merit.unu.edu>

On 6-2-2018 20:23, Stian Thorgersen wrote:
> Thoughts?

Sounds good to us!

From Alexander.Bloor at kandy.io Tue Feb 6 15:35:27 2018
From: Alexander.Bloor at kandy.io (Alexander Bloor)
Date: Tue, 6 Feb 2018 20:35:27 +0000
Subject: [keycloak-user] Id token returned with Direct Access Grant?
Message-ID:

Hi all,

Based on my understanding of the Direct Access Grant and its documentation, an id token should be returned along with the access and refresh tokens.
http://www.keycloak.org/docs/3.1/server_admin/topics/sso-protocols/oidc.html

However, I'm not receiving one when I POST /token requests. Only the access and refresh tokens are coming back.

Is there a setting I need to configure, have I misunderstood the documentation, or is this a bug?

Alex Bloor
CPaaS 2.0 Platform Developer, Kandy
500 Palladium Drive | Kanata, ON, K2V 1C2, CA
office: +1.613.699.9767 | mobile: +1.613.929.4302
[GENBAND.com]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 8069 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180206/7d3b60a5/attachment.png

From sthorger at redhat.com Wed Feb 7 02:46:37 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Feb 2018 08:46:37 +0100
Subject: [keycloak-user] "Default" Client Template
In-Reply-To:
References:
Message-ID:

Should I remove the option to set theme in the client template?

On 6 February 2018 at 19:04, Bill Burke wrote:
> No. We will be doing work in this area soon. I'm thinking of renaming templates to "Client Scope" and allowing clients to inherit from multiple scopes. A client scope would only be able to specify allowed roles, groups, attributes and protocol mappers; no other config options. We would also do away with per-role and per-protocol-mapper consent messages and instead allow the scope and/or client to define the consent message to give to the user. All this to support the OIDC scope parameter better.
>
> I think a default scope would be an important addition.
>
> On Tue, Feb 6, 2018 at 8:15 AM, Jonas Schönenberger wrote:
> > Hi everyone
> >
> > Is it possible to define a default client template that every new dynamic client (OpenID Connect Dynamic Client Registration) receives during registration?
> >
> > Thank you for your help and Best Regards
> > Jonas
>
> --
> Bill Burke
> Red Hat

From sthorger at redhat.com Wed Feb 7 02:47:12 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Feb 2018 08:47:12 +0100
Subject: [keycloak-user] "Default" Client Template

There already is a default for new clients - it's the realm theme ;) You can also create your own ThemeSelectorProvider and do whatever logic you want to select themes.

On 6 February 2018 at 14:15, Jonas Schönenberger <jonas.schoenenberger at gmail.com> wrote:
> Hi everyone
>
> Is it possible to define a default client template that every new dynamic client (OpenID Connect Dynamic Client Registration) receives during registration?
>
> Thank you for your help and Best Regards
> Jonas

From sthorger at redhat.com Wed Feb 7 02:48:37 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Feb 2018 08:48:37 +0100
Subject: [keycloak-user] backup strategy

Export is not really that great for backups. It can be rather slow if you have loads of entries in the DB and it also requires the server to be stopped prior.
You should rather use DB specific tools to backup the DB directly. That will be faster and more reliable as well.

On 6 February 2018 at 16:05, Corentin Dupont wrote:
> Another question, can I import a configuration in Keycloak while it is running or do I need to stop it?
>
>
> On Tue, Feb 6, 2018 at 12:09 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
> > Hi guys,
> > I wonder what the backup strategy is?
> > Is it good practice to export regularly all Keycloak configuration?
> >
> > I can export with the command:
> > ./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777
> >
> > It exports the current configuration (realms, users...).
> > I set different ports so it can run concurrently with the running instance of keycloak.
> > I can set a cron job with the command, but unfortunately this command needs to be stopped by Ctrl-C.
> >
> > -> How to make it stop after the export?
> >
> > Other question, the export needs to be run on the same container as Keycloak, but this is not very practical in a Cloud setting. I use Amazon ECS, so I have to log in the VM and then the container. I have then to extract the file with various scp.
> > Is there any way to make this easier (i.e. with an API command)?
> >
> > Cheers
> > Corentin

From sthorger at redhat.com Wed Feb 7 02:54:03 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Feb 2018 08:54:03 +0100
Subject: [keycloak-user] Keycloak logout not working for “bearer-only” application exposing REST services
References: <1745158990.1861044.1516526258657.ref@mail.yahoo.com> <1745158990.1861044.1516526258657@mail.yahoo.com> <1573618343.1905908.1516537177732@mail.yahoo.com> <1272807275.3514626.1517857054027@mail.yahoo.com>

That perhaps may be a bit of an oversimplified answer ;)

When a session is logged out (through admin console, account management or from an application) the whole session and all associated tokens are invalidated. However, bearer only clients verify tokens offline (without consulting the server). There are two options to mitigate this. First is to use a short expiration on access tokens. Second is to make the bearer only service call the token introspection endpoint for every request.

For non-bearer clients the Keycloak adapters have an admin URL that can be configured for the clients. This will make Keycloak send a logout request to the client, which will invalidate the HTTP session and clear associated tokens. If you don't do this you rely on the access token timeout to make the client refresh the token to be aware that the session is removed.

On 6 February 2018 at 13:31, Sebastien Blanc wrote:
> yeah with Keycloak you can not invalidate a particular token, that would be too much state to handle for the server.
>
> On Mon, Feb 5, 2018 at 7:57 PM, Dan Nemes wrote:
> > Hello,
> >
> > I'm coming back after trying to invalidate the token.
> >
> > I have implemented the steps written in the previous mail and the token has been successfully invalidated and it was no longer possible to access the REST services using it.
> >
> > The problem with this workflow is the fact that all tokens that have been generated before that "not_before" field are invalidated. In my case this isn't correct because I must support multiple users logged in at the same time.
> >
> > I have also tried to implement the same steps by executing the revocation endpoint for a specific client application (instead of using it on a realm level (eg. http://localhost:8180/auth/admin/realms/demo/clients/{client_id} and http://localhost:8180/auth/admin/realms/demo/push-revocation) but this doesn't seem to work because the users can still access the REST services (but I don't think this will work either for my case).
> >
> > Is there a way to invalidate only one specific token so that the REST services are not accessible anymore using that specific token?
> >
> > Thank you,
> > Dan Nemes
> >
> >
> > On Sunday, January 21, 2018 4:57 PM, Sebastien Blanc wrote:
> >
> > Hi,
> >
> > Thx a lot for the sample, I could reproduce your issue. Keep in mind that your bearer-only app just verifies the signature of the token, it has no session with your kc server. It will validate it until it's valid (if you wait the access token lifespan (5min by default) you will see it does not work anymore).
> >
> > So how to invalidate the token ?
> > 1. Be sure to set an admin URL for your bearer client : http://localhost:8080/TestRestProject/rest/service
> > 2.
> > Then after you do the logout, you must also invoke the revocation endpoint :
> > 2.1 You can do that through the admin console in sessions > revocation and you push the new notBefore value
> > 2.2 You use the admin REST endpoint to invalidate the token, it's a 2 step flow : update the notBefore value of the realm by doing a PUT on the realm and then calling the POST revocation endpoint. Check the network console of your browser to see the flow when you are in the admin console and check the admin REST doc.
> >
> > Hope this helps,
> >
> > Sebi
> >
> >
> > On Sun, Jan 21, 2018 at 1:19 PM, Dan Nemes wrote:
> >
> > Hello,
> >
> > Thank you for your quick response.
> >
> > I am using keycloak-3.4.0 and wildfly-10.1.0.Final.
> > I have just added on github the projects I have created for working with keycloak. You can find them here: https://github.com/NemesDan/keycloak
> >
> > Please note that these projects have been started as a POC of how keycloak can be used so there are other functions that are out of the scope of the problem I'm having. I am still in the learning phase of how keycloak can be used at its full potential.
> >
> > There are multiple maven projects on this branch.
> > 1. Project GSDKeycloakProject with 3 modules: customer-app, product-app and database-service. The last mentioned module is the bearer-only application in which the REST services are implemented.
> > database-service: contains two classes ProductService and CustomerService which implement REST services that are accessible only to logged-in users that have the correct role assigned.
> >
> > 2. KeycloakAccess - should be ignored, out of the scope of the problem
> >
> > 3. RestClientApplication - a maven web project in which the entire workflow is implemented.
> > This simulates a client application that will login a user using keycloak, retrieve a token and use that token to access the "database-service" bearer-only application.
> >
> > In class RestService you can find the following implemented REST web services
> > 3.1 GET request on http://localhost:8080/TestRestProject/rest/service/login -> redirects user to the keycloak login page to perform the login. After login, keycloak redirects the user to http://localhost:8080/TestRestProject/rest/service/user_logged_in. At this point the code is exchanged for token.
> > 3.2 GET request on http://localhost:8080/TestRestProject/rest/service/call_database/{param}
> > - {param} could be either products or customers
> > - this web service call will use the token from step 3.1 to access the database-service bearer only REST services
> > 3.3 GET request on {URL}/logout or {URL}/logout_2
> > - these requests were created in order to test the logout functionality but it seems that the database-service REST services are still accessible after the logout has been performed which, to my knowledge, means that the token has not been invalidated
> >
> > The key point of these projects is to avoid using any keycloak classes to implement the client application because we do not want to force the clients to use a specific library.
> >
> > If I missed something please let me know.
> > I appreciate your help.
> >
> > Thank you,
> > Dan Nemes
> >
> >
> > On Sunday, January 21, 2018 12:11 PM, Sebastien Blanc wrote:
> >
> > Hi,
> >
> > Which version of Keycloak are you using ? Which adapters are you using for the client and bearer-only apps ? We need this info. And yes sharing your project (through github for instance) could be really helpful.
> >
> > On Sun, Jan 21, 2018 at 10:17 AM, Dan Nemes wrote:
> >
> > Hello,
> > I am unable to log out a user. The logout works for a "confidential" application but it doesn't for a "bearer-only" application (the REST services are still accessible after logout).
> > I have the following configuration:
> >
> > - I have one "database" client application defined in Keycloak having access type "bearer-only" (created with the intent of exposing REST web services protected by Keycloak based on user roles)
> > - I have one "rest_service" client application defined in keycloak having access type "confidential" (created with the intent of logging in users and allowing access to the "bearer-only" REST services after a successful login). The below described workflow is implemented in this application using REST web services
> > I am performing the following steps:
> > - An http GET request is performed on URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth which redirects the user to the login page handled by Keycloak
> > - The user performs the login using his credentials (using the credentials of a user defined in Keycloak)
> > - Keycloak redirects the user to the "redirect_uri" which was passed in step 1. In this step Keycloak also provides as request parameters the "state" and "code" values.
> > - After the user has been redirected back to the application I exchange the "code" received in step 3 for a token doing a POST request on http://localhost:8180/auth/realms/demo/protocol/openid-connect/token which is done successfully
> > - After the access token is available I proceed to access the "bearer-only" REST web services.
> > note: the REST web services exposed by the "bearer-only" service are not accessible unless the user has been logged in and it has the correct "role" assigned to it.
> > Problem: As stated at the start of the post the user is still able to access the "bearer-only" REST web services after the logout has been done. The only thing that seems to work is the logout from the "confidential" application (the user is not able to access the application unless he logs in again). If I perform the logout of the user then the REST web services exposed by the bearer-only application are still accessible.
> > In the Keycloak server I get the following WARN message: "Some clients have been not been logged out for user adminuser in demo realm: rest_service"
> > I tried implementing the logout in three ways:
> > - A redirect to URL http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the redirect_uri and client_id parameters
> > - A POST request to http://localhost:8180/auth/realms/demo/protocol/openid-connect/logout passing in the Authorization Bearer in the header and the client_id, refresh_token, client_secret and redirect_uri
> > - A REST service exposed by the "bearer-only" service which does the following method call: HttpServletRequest request.logout()
> > Neither of the above methods is working.
> > PS: I did not want to go into too many details because even so the post is long enough. If I missed something please tell me and I will provide the additional information (if possible I can also attach the actual projects)
> > Thank you,
> > Dan Nemes
From cedric.thiebault at sensefly.com Wed Feb 7 03:33:50 2018
From: cedric.thiebault at sensefly.com (Cedric Thiebault)
Date: Wed, 7 Feb 2018 08:33:50 +0000
Subject: [keycloak-user] backup strategy

Hello,

Just to be sure: we just need to backup the DB, there are no other files within JBOSS_HOME (/opt/jboss/keycloak) that need to be backed up?

Cedric

________________________________
From: keycloak-user-bounces at lists.jboss.org on behalf of Stian Thorgersen
Sent: Wednesday, February 7, 2018 8:48:37 AM
To: Corentin Dupont
Cc: keycloak-user
Subject: Re: [keycloak-user] backup strategy

Export is not really that great for backups. It can be rather slow if you have loads of entries in the DB and it also requires the server to be stopped prior.

You should rather use DB specific tools to backup the DB directly. That will be faster and more reliable as well.

On 6 February 2018 at 16:05, Corentin Dupont wrote:
> Another question, can I import a configuration in Keycloak while it is running or do I need to stop it?
>
>
> On Tue, Feb 6, 2018 at 12:09 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
> > Hi guys,
> > I wonder what the backup strategy is?
> > Is it good practice to export regularly all Keycloak configuration?
> >
> > I can export with the command:
> > ./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777
> >
> > It exports the current configuration (realms, users...).
> > I set different ports so it can run concurrently with the running instance of keycloak.
> > I can set a cron job with the command, but unfortunately this command needs to be stopped by Ctrl-C.
> >
> > -> How to make it stop after the export?
> >
> > Other question, the export needs to be run on the same container as Keycloak, but this is not very practical in a Cloud setting. I use Amazon ECS, so I have to log in the VM and then the container. I have then to extract the file with various scp.
> > Is there any way to make this easier (i.e. with an API command)?
> >
> > Cheers
> > Corentin

From upananda.singha at motorolasolutions.com Wed Feb 7 04:13:24 2018
From: upananda.singha at motorolasolutions.com (Upananda Singha)
Date: Wed, 7 Feb 2018 14:43:24 +0530
Subject: [keycloak-user] Creating initial admin usr to login to master realm

Hi,

Can anybody quickly let me know how to create Keycloak initial admin user/pwd if Keycloak is installed on a remote machine (linux) and can't access locally using localhost:?

What is the use of Admin CLI (kcadm.sh)? On executing this script I get Java Major minor version problem.

*I am using "jdk1.8.0_121".
Does kcadm.sh have any issue with JDK 1.8?*

Thanks & Regds,

*Upananda Singha*

From upananda.singha at motorolasolutions.com Wed Feb 7 04:24:07 2018
From: upananda.singha at motorolasolutions.com (Upananda Singha)
Date: Wed, 7 Feb 2018 14:54:07 +0530
Subject: [keycloak-user] Creating initial admin usr to login to master realm

Also, I am trying this with Domain configuration and not stand-alone.

Thanks & Regds,

*Upananda Singha*

On Wed, Feb 7, 2018 at 2:43 PM, Upananda Singha <upananda.singha at motorolasolutions.com> wrote:
> Hi,
>
> Can anybody quickly let me know how to create Keycloak initial admin user/pwd if Keycloak is installed on a remote machine (linux) and can't access locally using localhost:?
>
> What is the use of Admin CLI (kcadm.sh)? On executing this script I get Java Major minor version problem.
>
> *I am using "jdk1.8.0_121". Does kcadm.sh have any issue with JDK 1.8?*
>
> Thanks & Regds,
>
> *Upananda Singha*

From cedric.thiebault at sensefly.com Wed Feb 7 04:31:10 2018
From: cedric.thiebault at sensefly.com (Cedric Thiebault)
Date: Wed, 7 Feb 2018 09:31:10 +0000
Subject: [keycloak-user] Hardcoded LDAP group mapper (like hardcoded-ldap-role-mapper)?

Hello,

With user federation it's possible to automatically add a role to a user imported from LDAP (using hardcoded-ldap-role-mapper) but is it possible to add it to a group?

I have no group configured within my LDAP but I'd like to add LDAP users to a specific Keycloak group.

Thanks
Cedric

From mstrukel at redhat.com Wed Feb 7 04:43:45 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Wed, 7 Feb 2018 10:43:45 +0100
Subject: [keycloak-user] Creating initial admin usr to login to master realm

Ssh to the remote machine and use the instructions in http://www.keycloak.org/docs/latest/server_admin/index.html#server-initialization

The kcadm tool is not used for that.
There are no known issues with the kcadm tool and java 1.8.

On Wed, Feb 7, 2018 at 10:24 AM, Upananda Singha <upananda.singha at motorolasolutions.com> wrote:
> Also, I am trying this with Domain configuration and not stand-alone.
>
> Thanks & Regds,
>
> *Upananda Singha*
>
> On Wed, Feb 7, 2018 at 2:43 PM, Upananda Singha <upananda.singha at motorolasolutions.com> wrote:
> > Hi,
> >
> > Can anybody quickly let me know how to create Keycloak initial admin user/pwd if Keycloak is installed on a remote machine (linux) and can't access locally using localhost:?
> >
> > What is the use of Admin CLI (kcadm.sh)? On executing this script I get Java Major minor version problem.
> >
> > *I am using "jdk1.8.0_121". Does kcadm.sh have any issue with JDK 1.8?*
> >
> > Thanks & Regds,
> >
> > *Upananda Singha*

From corentin.dupont at gmail.com Wed Feb 7 04:43:47 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 7 Feb 2018 10:43:47 +0100
Subject: [keycloak-user] backup strategy

Good idea. By the way, we still use H2 database, so I guess it is recommended to update to MySQL/postgreSQL?

On Wed, Feb 7, 2018 at 8:48 AM, Stian Thorgersen wrote:
> Export is not really that great for backups. It can be rather slow if you have loads of entries in the DB and it also requires the server to be stopped prior.
>
> You should rather use DB specific tools to backup the DB directly. That will be faster and more reliable as well.
>
> On 6 February 2018 at 16:05, Corentin Dupont wrote:
>
>> Another question, can I import a configuration in Keycloak while it is running or do I need to stop it?
>>
>>
>> On Tue, Feb 6, 2018 at 12:09 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>> > Hi guys,
>> > I wonder what the backup strategy is?
>> > Is it good practice to export regularly all Keycloak configuration?
>> >
>> > I can export with the command:
>> > ./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777
>> >
>> > It exports the current configuration (realms, users...).
>> > I set different ports so it can run concurrently with the running instance of keycloak.
>> > I can set a cron job with the command, but unfortunately this command needs to be stopped by Ctrl-C.
>> >
>> > -> How to make it stop after the export?
>> >
>> > Other question, the export needs to be run on the same container as Keycloak, but this is not very practical in a Cloud setting. I use Amazon ECS, so I have to log in the VM and then the container. I have then to extract the file with various scp.
>> > Is there any way to make this easier (i.e. with an API command)?
>> >
>> > Cheers
>> > Corentin

From Michael.Knurr at adesso.ch Wed Feb 7 04:44:35 2018
From: Michael.Knurr at adesso.ch (Knurr, Michael)
Date: Wed, 7 Feb 2018 09:44:35 +0000
Subject: [keycloak-user] backup strategy

Hi Corentin

For my Keycloak installation I am doing daily exports/backups to the file system. Especially the question "how to make it stop" gave me a major headache. In order to work around this problem, I wrote a script which does all the work for me.
You can just schedule it in crontab and it will start a second keycloak instance, do the export and eventually kill the second instance.

I uploaded it as a gist, so you may also use it if you like: https://gist.github.com/michaelknurr/a8f1941c6f40c0d784b1e467fbc694ba

Cheers
Michael

-----Original Message-----
From: Corentin Dupont [mailto:corentin.dupont at gmail.com]
Sent: Tuesday, 6 February 2018 12:09
To: keycloak-user
Subject: [keycloak-user] backup strategy

Hi guys,
I wonder what the backup strategy is?
Is it good practice to export regularly all Keycloak configuration?

I can export with the command:
./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777

It exports the current configuration (realms, users...).
I set different ports so it can run concurrently with the running instance of keycloak.
I can set a cron job with the command, but unfortunately this command needs to be stopped by Ctrl-C.

-> How to make it stop after the export?

Other question, the export needs to be run on the same container as Keycloak, but this is not very practical in a Cloud setting. I use Amazon ECS, so I have to log in the VM and then the container. I have then to extract the file with various scp.
Is there any way to make this easier (i.e. with an API command)?

Cheers
Corentin

From mposolda at redhat.com Wed Feb 7 04:52:04 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Feb 2018 10:52:04 +0100
Subject: [keycloak-user] Hardcoded LDAP group mapper (like hardcoded-ldap-role-mapper)?
Message-ID: <339ac4a9-9bc4-4cff-cdf6-0326c624f538@redhat.com>

It's not yet available. Feel free to create JIRA.
Just a note that JIRA will be rather postponed unless you provide the PR by yourself (including the test) :)

Thanks,
Marek

On 07/02/18 10:31, Cedric Thiebault wrote:
> Hello,
>
> With user federation it's possible to automatically add a role to a user imported from LDAP (using hardcoded-ldap-role-mapper) but is it possible to add it to a group?
>
> I have no group configured within my LDAP but I'd like to add LDAP users to a specific Keycloak group.
>
> Thanks
>
> Cedric

From sthorger at redhat.com Wed Feb 7 04:56:26 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Feb 2018 10:56:26 +0100
Subject: [keycloak-user] backup strategy

Exporting while live is really not recommended as you can get inconsistent data that you won't be able to use.

On 7 Feb 2018 10:46 am, "Knurr, Michael" wrote:

Hi Corentin

For my Keycloak installation I am doing daily exports/backups to the file system. Especially the question "how to make it stop" gave me a major headache. In order to work around this problem, I wrote a script which does all the work for me.

You can just schedule it in crontab and it will start a second keycloak instance, do the export and eventually kill the second instance.

I uploaded it as a gist, so you may also use it if you like: https://gist.github.com/michaelknurr/a8f1941c6f40c0d784b1e467fbc694ba

Cheers
Michael

-----Original Message-----
From: Corentin Dupont [mailto:corentin.dupont at gmail.com]
Sent: Tuesday, 6 February 2018 12:09
To: keycloak-user
Subject: [keycloak-user] backup strategy

Hi guys,
I wonder what the backup strategy is?
Is it good practice to export regularly all Keycloak configuration?
I can export with the command:
./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777

It exports the current configuration (realms, users...).
I set different ports so it can run concurrently with the running instance of keycloak.
I can set a cron job with the command, but unfortunately this command needs to be stopped by Ctrl-C.

-> How to make it stop after the export?

Other question, the export needs to be run on the same container as Keycloak, but this is not very practical in a Cloud setting. I use Amazon ECS, so I have to log in the VM and then the container. I have then to extract the file with various scp.
Is there any way to make this easier (i.e. with an API command)?

Cheers
Corentin

From sthorger at redhat.com Wed Feb 7 04:57:12 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Feb 2018 10:57:12 +0100
Subject: [keycloak-user] backup strategy

Absolutely. H2 is not recommended for production use.

You may want to backup KC as well, but that's for config data only so you'd only need to do that if you make configuration changes.

On 7 Feb 2018 10:43 am, "Corentin Dupont" wrote:
> Good idea. By the way, we still use H2 database, so I guess it is recommended to update to MySQL/postgreSQL?
>
>
> On Wed, Feb 7, 2018 at 8:48 AM, Stian Thorgersen wrote:
>
>> Export is not really that great for backups. It can be rather slow if you have loads of entries in the DB and it also requires the server to be stopped prior.
>>
>> You should rather use DB specific tools to backup the DB directly. That will be faster and more reliable as well.
>>
>> On 6 February 2018 at 16:05, Corentin Dupont wrote:
>>
>>> Another question, can I import a configuration in Keycloak while it is running or do I need to stop it?
>>>
>>>
>>> On Tue, Feb 6, 2018 at 12:09 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>
>>> > Hi guys,
>>> > I wonder what the backup strategy is?
>>> > Is it good practice to export regularly all Keycloak configuration?
>>> >
>>> > I can export with the command:
>>> > ./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777
>>> >
>>> > It exports the current configuration (realms, users...).
>>> > I set different ports so it can run concurrently with the running instance of keycloak.
>>> > I can set a cron job with the command, but unfortunately this command needs to be stopped by Ctrl-C.
>>> >
>>> > -> How to make it stop after the export?
>>> >
>>> > Other question, the export needs to be run on the same container as Keycloak, but this is not very practical in a Cloud setting. I use Amazon ECS, so I have to log in the VM and then the container. I have then to extract the file with various scp.
>>> > Is there any way to make this easier (i.e. with an API command)?
>>> >
>>> > Cheers
>>> > Corentin

From mposolda at redhat.com Wed Feb 7 05:03:14 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Feb 2018 11:03:14 +0100
Subject: [keycloak-user] cache replication problems?

What is your Keycloak version?
If you used 2.X and you will migrate to latest 3.4.3, there is some chance
that issues might be solved as we did some performance improvements.

Overall, it depends on number of sessions, network connection between
cluster servers etc. If network can't be tweaked, then maybe it's possible
to increase replication timeout? See infinispan and Wildfly Infinispan
Subsystem docs for how to do it.

Marek

On 06/02/18 12:09, Angel Abella wrote:
> Hello,
>
> We have a 2 server standalone-ha installation. When the number of sessions
> alive increases we get these errors:
>
>
> 2018-02-06 11:42:07,161 ERROR
> [org.infinispan.interceptors.InvocationContextInterceptor] (default
> task-22) ISPN000136: Error executing command PutKeyValueCommand, writing
> keys [f75b436f-d316-4442-8d9b-c7313647c5b8]:
> org.infinispan.util.concurrent.TimeoutException: Replication timeout for
> sson2
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> 2018-02-06 11:42:07,162 ERROR
> [org.keycloak.services.error.KeycloakErrorHandler] (default task-22)
> Uncaught server error: org.infinispan.util.concurrent.TimeoutException:
> Replication timeout for sson2
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> 2018-02-06 11:42:07,166 ERROR
> [org.infinispan.interceptors.InvocationContextInterceptor] (default
> task-17) ISPN000136: Error executing command RemoveCommand, writing keys
> [0d8d4c5c-7971-46dd-b414-cb5f16862085]:
> org.infinispan.util.concurrent.TimeoutException: Replication timeout for
> sson2
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> 2018-02-06 11:42:07,171 ERROR
> [org.infinispan.interceptors.InvocationContextInterceptor] (default
> task-11) ISPN000136: Error executing command PutKeyValueCommand, writing
> keys [dfd69644-e241-465c-8a92-ef84e76caf62]:
> org.infinispan.util.concurrent.TimeoutException: Replication timeout for
> sson2
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> 2018-02-06 11:42:07,173 ERROR
> [org.keycloak.services.error.KeycloakErrorHandler] (default task-11)
> Uncaught server error: org.infinispan.util.concurrent.TimeoutException:
> Replication timeout for sson2
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> 2018-02-06 11:42:07,205 ERROR
> [org.keycloak.services.error.KeycloakErrorHandler] (default task-17)
> Uncaught server error: org.infinispan.util.concurrent.TimeoutException:
> Replication timeout for sson2
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
>
>
> Any idea of what's going on?
>

From jlieskov at redhat.com Wed Feb 7 05:05:50 2018
From: jlieskov at redhat.com (Jan Lieskovsky)
Date: Wed, 7 Feb 2018 11:05:50 +0100
Subject: [keycloak-user] Keycloak OpenShift Template part of the openshift library project
In-Reply-To:
References:
Message-ID:

Hey Charles,

On Fri, Feb 2, 2018 at 1:29 PM, Charles Moulliard wrote:
> Hi Jan
>
> Is there a ticket opened to keep track of that request ?
>

It's tracked under:
https://issues.jboss.org/browse/KEYCLOAK-6537
(was tracked only internally before, but let's track it in open way from now
on). Added you to the watchers list of that one.

>
> Regards
>
> Charles
>

HTH

Thank you && Regards, Jan
--
Jan iankko Lieskovsky / Keycloak / RH-SSO Team

>
> On Thu, Feb 1, 2018 at 11:32 AM, Jan Lieskovsky
> wrote:
>
>> Hello Charles,
>>
>> thank you for checking.
>>
>> On Wed, Jan 31, 2018 at 6:47 PM, Charles Moulliard
>> wrote:
>>
>>> Hi,
>>>
>>> The only Openshift Keycloak Template available (i think so) is part of
>>> the xpaas project and can be deployed according to this doc [1] on
>>> Openshift with the xpaas templates (A-MQ, ....)
>>>
>>> Are there any plans to have an openshift keycloak template available
>>> from the openshift library project [2]
>>>
>>
>> I can confirm we are currently actively investigating the possibility to
>> have some of Red Hat SSO template(s) available from the OpenShift library
>> project too. For now this is WIP effort though. There are multiple
>> conditions / inputs that need to be met first for this template to be
>> available. As such it is currently not possible to specify an exact
>> timeline (ETA), when this template will be delivered.
>>
>> But we are working at it, and the plan is to have such template available
>> as soon as possible.
>>
>>
>>>
>>> Without such info part of the library, then we can't install keycloak as
>>> it will not appear when you will browse the openshift catalog of your
>>> openshift cluster instance (running using minishift, ....)
>>>
>>> [1]
>>> https://access.redhat.com/documentation/en-us/red_hat_jboss_middleware_for_openshift/3/html-single/red_hat_jboss_sso_for_openshift/
>>> [2] https://github.com/openshift/library
>>>
>>> Regards,
>>>
>>
>> Hope this helps
>>
>> Thank you && Regards, Jan
>> --
>> Jan iankko Lieskovsky / Keycloak / RH-SSO Team
>>
>>
>>>
>>> Charles
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>

From mposolda at redhat.com Wed Feb 7 05:07:20 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 7 Feb 2018 11:07:20 +0100
Subject: [keycloak-user] avoiding save external-Provider-Users localy
In-Reply-To:
References:
Message-ID: <45f2a196-2eb6-7b95-4e8d-9d0c1351903e@redhat.com>

It's not available OOTB. I think that JIRA for this already exists.

You may possibly tweak by yourself and override first-broker-login flow to
not register user to the database, but instead put him just in-memory. I
think there are ways to do it. Maybe see some quickstarts/examples for
authentication providers and UserStorageProviders.

Depends also if you are in cluster as then in-memory users may not be
sufficient (EG. currently UserSession requires existing UserModel. So if
UserModel is just in memory on cluster-node1 and can't be found on the other
cluster-node2, it may be an issue)

Marek

On 06/02/18 12:06, abdelkader samir wrote:
> Hi all,
>
>
> We are currently using a Keycloak (3.3.0.Final), there you are binding an
> external sso Provider as "Identity Providers"
>
> Until now everything is working fine.
>
>
> Now we figure out that Keycloak is saving the user in its local database (
> see http://www.keycloak.org/docs/3.0/server_admin/topics/identity-broker/first-login-flow.html )
>
>
> According to Keycloak documentation: Keycloak needs the local users, but we
> don't know why?
>
>
> Is it possible to avoid saving the user in Keycloak?
>
>
> Thanks and regards
>
> Adam
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From aabella at bkool.com Wed Feb 7 05:15:09 2018
From: aabella at bkool.com (Angel Abella)
Date: Wed, 7 Feb 2018 11:15:09 +0100
Subject: [keycloak-user] cache replication problems?
In-Reply-To:
References:
Message-ID:

These tests are with the latest KC version. The problems start when the
number of sessions rises above 800.000.

We have tried to lower the access token lifespan, sso session max and sso
session idle and it helped.

Sadly the docs are not as useful as they should be. :-(

2018-02-07 11:03 GMT+01:00 Marek Posolda :
> What is your Keycloak version? If you used 2.X and you will migrate to
> latest 3.4.3, there is some chance that issues might be solved as we did
> some performance improvements.
>
> Overall, it depends on number of sessions, network connection between
> cluster servers etc. If network can't be tweaked, then maybe it's possible
> to increase replication timeout? See infinispan and Wildfly Infinispan
> Subsystem docs for how to do it.
>
> Marek
>
>
> On 06/02/18 12:09, Angel Abella wrote:
>
>> Hello,
>>
>> We have a 2 server standalone-ha installation. When the number of sessions
>> alive increases we get these errors:
>>
>>
>> 2018-02-06 11:42:07,161 ERROR
>> [org.infinispan.interceptors.InvocationContextInterceptor] (default
>> task-22) ISPN000136: Error executing command PutKeyValueCommand, writing
>> keys [f75b436f-d316-4442-8d9b-c7313647c5b8]:
>> org.infinispan.util.concurrent.TimeoutException: Replication timeout for
>> sson2
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> 2018-02-06 11:42:07,162 ERROR
>> [org.keycloak.services.error.KeycloakErrorHandler] (default task-22)
>> Uncaught server error: org.infinispan.util.concurrent.TimeoutException:
>> Replication timeout for sson2
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> 2018-02-06 11:42:07,166 ERROR
>> [org.infinispan.interceptors.InvocationContextInterceptor] (default
>> task-17) ISPN000136: Error executing command RemoveCommand, writing keys
>> [0d8d4c5c-7971-46dd-b414-cb5f16862085]:
>> org.infinispan.util.concurrent.TimeoutException: Replication timeout for
>> sson2
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> 2018-02-06 11:42:07,171 ERROR
>> [org.infinispan.interceptors.InvocationContextInterceptor] (default
>> task-11) ISPN000136: Error executing command PutKeyValueCommand, writing
>> keys [dfd69644-e241-465c-8a92-ef84e76caf62]:
>> org.infinispan.util.concurrent.TimeoutException: Replication timeout for
>> sson2
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> 2018-02-06 11:42:07,173 ERROR
>> [org.keycloak.services.error.KeycloakErrorHandler] (default task-11)
>> Uncaught server error: org.infinispan.util.concurrent.TimeoutException:
>> Replication timeout for sson2
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>> 2018-02-06 11:42:07,205 ERROR
>> [org.keycloak.services.error.KeycloakErrorHandler] (default task-17)
>> Uncaught server error: org.infinispan.util.concurrent.TimeoutException:
>> Replication timeout for sson2
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>> at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>> at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>> at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>> at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>> at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>> at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>> at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>> at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>> at java.lang.Thread.run(Thread.java:745)
>>
>>
>>
>> Any idea of what's going on?
>>
>>
>

--
Angel Abella
*IT *
*BKOOL* *Connect* *| Sport*
mail: aabella at bkool.com
mob: +34 691 77 18 98
add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
www.bkool.com

From upananda.singha at motorolasolutions.com Wed Feb 7 05:26:16 2018
From: upananda.singha at motorolasolutions.com (Upananda Singha)
Date: Wed, 7 Feb 2018 15:56:16 +0530
Subject: [keycloak-user] Creating initial admin usr to login to master realm
In-Reply-To:
References:
Message-ID:

Hi Marko,

Thanks for the quick reply. By the way I resolved the User creation issue.
Followed the following steps:

1. sh bin/add-user-keycloak.sh -r master -u -p --domain
2. copied "keycloak-3.4.3.Final/domain/configuration/keycloak-add-user.json"
   file to respective server instances under
   "keycloak-3.4.3.Final/domain/servers/server-one/configuration/"
3. Restarted the server in domain mode.

And I am able to login now into master realm.

Thanks & Regds,

*Upananda Singha*

On Wed, Feb 7, 2018 at 3:13 PM, Marko Strukelj wrote:
> Ssh to remote machine and use instructions in
> http://www.keycloak.org/docs/latest/server_admin/index.html#server-initialization
>
>
> kcadm tool is not used for that. There are no known issues with kcadm tool
> and java 1.8.
>
> On Wed, Feb 7, 2018 at 10:24 AM, Upananda Singha motorolasolutions.com> wrote:
>
>> Also, I am trying this with Domain configuration and not stand-alone.
>>
>>
>> Thanks & Regds,
>>
>> *Upananda Singha*
>>
>>
>>
>> On Wed, Feb 7, 2018 at 2:43 PM, Upananda Singha <
>> upananda.singha at motorolasolutions.com> wrote:
>>
>> > Hi,
>> >
>> > Can anybody quickly let me know how to create Keycloak initial admin
>> > user/pwd if Keycloak is installed on a remote machine (linux) and can't
>> > access locally using localhost:?
>> >
>> > What is the use of Admin CLI (kcadm.sh)? on executing this script I get
>> > Java Major minor version problem.
>> >
>> > *I am using "jdk1.8.0_121". Does kcadm.sh have any issue with JDK 1.8?*
>> >
>> >
>> > Thanks & Regds,
>> >
>> > *Upananda Singha*
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>
>

From lists at merit.unu.edu Wed Feb 7 05:32:46 2018
From: lists at merit.unu.edu (lists)
Date: Wed, 7 Feb 2018 11:32:46 +0100
Subject: [keycloak-user] backup strategy
In-Reply-To:
References:
Message-ID: <337d7c2c-c6e5-e7c7-584e-f0e65e32b1c7@merit.unu.edu>

Hi,

On 7-2-2018 10:44, Knurr, Michael wrote:
> For my Keycloak installation I am doing daily exports/backups to the file
> system.
> Especially the question "how to make it stop" gave me a major headache.

How to make it stop is not that difficult..?

Or perhaps I misunderstand, but for us stopping keycloak is as simple as:

pkill java

(as keycloak is the only java application on this machine)

MJ

From corentin.dupont at gmail.com Wed Feb 7 05:36:20 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 7 Feb 2018 11:36:20 +0100
Subject: [keycloak-user] backup strategy
In-Reply-To:
References:
Message-ID:

In the case of a MySQL DB, what do you recommend?
I see they have several kinds of backups:
https://dev.mysql.com/doc/refman/5.7/en/backup-types.html
- Physical backup is just copying the DB files on the disk.
- Logical backup involves some tool such as mysqldump. It creates lists of
  SQL statements, so the data is more structured/editable.
Online or offline backup?

On Wed, Feb 7, 2018 at 10:57 AM, Stian Thorgersen wrote:
> Absolutely. H2 is not recommended for production use.
>
> You may want to back up KC as well, but that's for config data only so
> you'd only need to do that if you make configuration changes.
>
> On 7 Feb 2018 10:43 am, "Corentin Dupont"
> wrote:
>
>> Good idea. By the way, we still use H2 database, so I guess it is
>> recommended to update to MySQL/postgreSQL?
>>
>>
>> On Wed, Feb 7, 2018 at 8:48 AM, Stian Thorgersen
>> wrote:
>>
>>> Export is not really that great for backups. It can be rather slow if
>>> you have loads of entries in the DB and it also requires the server to
>>> be stopped prior.
>>>
>>> You should rather use DB specific tools to backup the DB directly. That
>>> will be faster and more reliable as well.
>>>
>>> On 6 February 2018 at 16:05, Corentin Dupont
>>> wrote:
>>>
>>>> Another question, can I import a configuration in Keycloak while it is
>>>> running or do I need to stop it?
>>>>
>>>>
>>>> On Tue, Feb 6, 2018 at 12:09 PM, Corentin Dupont <
>>>> corentin.dupont at gmail.com>
>>>> wrote:
>>>>
>>>> > Hi guys,
>>>> > I wonder what the backup strategy is?
>>>> > Is it good practice to export regularly all Keycloak configuration?
>>>> >
>>>> > I can export with the command:
>>>> > ./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export
>>>> > -Dkeycloak.migration.provider=singleFile
>>>> > -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json
>>>> > -Djboss.http.port=8888 -Djboss.https.port=9999
>>>> > -Djboss.management.http.port=7777
>>>> >
>>>> > It exports the current configuration (realms, users...).
>>>> > I set different ports so it can run concurrently with the running
>>>> > instance of keycloak.
>>>> > I can set a cron job with the command, but unfortunately this command
>>>> > needs to be stopped by Ctrl-C.
>>>> >
>>>> > -> How to make it stop after the export?
>>>> >
>>>> > Other question, the export needs to be run on the same container as
>>>> > Keycloak, but this is not very practical in a Cloud setting. I use
>>>> > Amazon ECS, so I have to log in to the VM and then the container. I
>>>> > then have to extract the file with various scp.
>>>> > Is there any way to make this easier (i.e. with an API command)?
>>>> >
>>>> > Cheers
>>>> > Corentin
>>>> >
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>
>>>
>>

From blackbellamy at posteo.de Wed Feb 7 05:42:13 2018
From: blackbellamy at posteo.de (BlackBellamy)
Date: Wed, 7 Feb 2018 11:42:13 +0100
Subject: [keycloak-user] Disable 'secret question credentials' fails
Message-ID: <32732604-535e-109c-f0a6-0725ccc66ab0@posteo.de>

Hey all,

I'm having troubles with the custom authenticator example 'Secret Question'.
Setup and workflow work fine, but I cannot disable the credential type for
the users once set up.
On a user's credentials tab I select 'SECRET_QUESTION' and try to disable
it, but it throws the following Error:

Failed to disable credentials.

The wildfly log states a stack overflow:

Uncaught server error: java.lang.StackOverflowError
at java.util.AbstractCollection.toArray(AbstractCollection.java:136)
at java.util.LinkedList.addAll(LinkedList.java:408)
at java.util.LinkedList.addAll(LinkedList.java:387)
at org.keycloak.services.DefaultKeycloakSessionFactory.getProviderFactories(DefaultKeycloakSessionFactory.java:338)
at org.keycloak.credential.UserCredentialStoreManager.getCredentialProviders(UserCredentialStoreManager.java:151)
at org.keycloak.credential.UserCredentialStoreManager.disableCredentialType(UserCredentialStoreManager.java:214)
at org.keycloak.examples.authenticator.SecretQuestionCredentialProvider.disableCredentialType(SecretQuestionCredentialProvider.java:88)

and is repeating from then on.

I've created a JIRA ticket that seems to be unnoticed so far
https://issues.jboss.org/browse/KEYCLOAK-6308

I built a phone TAN authenticator using it as reference and there I am
facing the same problem. I would like to share it as soon as I finish
development.

I don't know if it is caused by a misconfigured authenticator example or by
keycloak itself, but I guess it is Keycloak.

Any help is appreciated.

Thanks,
Benno

From Michael.Knurr at adesso.ch Wed Feb 7 06:02:29 2018
From: Michael.Knurr at adesso.ch (Knurr, Michael)
Date: Wed, 7 Feb 2018 11:02:29 +0000
Subject: [keycloak-user] backup strategy
In-Reply-To:
References:
Message-ID: <5420b48ec46840e289060a01f82af4d4@EX2013-DB02.adesso.local>

Hi Stian

I am a bit confused by this answer. Especially because I already brought up
this question last November and got the advice from Sebastien Blanc to "just
start another instance".

You had a thought whether using a DB tool would be more efficient.
http://lists.jboss.org/pipermail/keycloak-user/2017-November/012156.html Can you explain why there is a chance that we would get inconsistent data? Cheers Michael Von: Stian Thorgersen [mailto:sthorger at redhat.com] Gesendet: Mittwoch, 7. Februar 2018 10:56 An: Knurr, Michael Cc: Corentin Dupont ; keycloak-user Betreff: Re: [keycloak-user] backup strategy Exporting while live is really not recommended as you can get inconsistent data that you won't be able to use. On 7 Feb 2018 10:46 am, "Knurr, Michael" > wrote: Hi Corentin For my Keycloak installation I am doing daily exports/backups to the file system. Especially the question "how to make it stop" gave me a major headache. In order to work around this problem, I wrote a script which does all the work for me. You can just schedule it in crontab and it will start a second keycloak instance, do the export and eventually kill the second instance. I uploaded it as a gist, so you may also use it if you like: https://gist.github.com/michaelknurr/a8f1941c6f40c0d784b1e467fbc694ba Cheers Michael -----Urspr?ngliche Nachricht----- Von: Corentin Dupont [mailto:corentin.dupont at gmail.com] Gesendet: Dienstag, 6. Februar 2018 12:09 An: keycloak-user > Betreff: [keycloak-user] backup strategy Hi guys, I wonder what the backup strategy is? Is it good practice to export regularly all Keycloak configuration? I can export with the command: ./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json -Djboss.http.port=8888 -Djboss.https.port=9999 -Djboss.management.http.port=7777 It exports the current configuration (realms, users...). I set different ports so it can run concurently with the running instance of keycloak. I can set a cron job with the command, but unfortunately this command need to be stopped by Ctrl-C. -> How to make it stop after the export? 
Other question: the export needs to be run on the same container as Keycloak, but this is not very practical in a cloud setting. I use Amazon ECS, so I have to log in to the VM and then the container. I then have to extract the file with various scp commands.
Is there any way to make this easier (i.e. with an API command)?

Cheers
Corentin

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sthorger at redhat.com Wed Feb 7 06:16:23 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 7 Feb 2018 12:16:23 +0100
Subject: [keycloak-user] backup strategy
In-Reply-To: <5420b48ec46840e289060a01f82af4d4@EX2013-DB02.adesso.local>
References: <5420b48ec46840e289060a01f82af4d4@EX2013-DB02.adesso.local>
Message-ID:

Export simply iterates over the data available, and if it's changed while it's doing so (an admin changes some config, a user does something, etc.) that can result in inconsistent data that simply won't even work.

On 7 February 2018 at 12:02, Knurr, Michael wrote:
> Hi Stian
>
> I am a bit confused by this answer. Especially because I already brought
> up this question last November and got the advice from Sebastien Blanc to
> "just start another instance".
>
> You had a thought whether using a DB tool would be more efficient.
>
> http://lists.jboss.org/pipermail/keycloak-user/2017-November/012156.html
>
> Can you explain why there is a chance that we would get inconsistent data?
>
> Cheers
> Michael
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Wednesday, 7 February 2018 10:56
> *To:* Knurr, Michael
> *Cc:* Corentin Dupont ; keycloak-user <
> keycloak-user at lists.jboss.org>
> *Subject:* Re: [keycloak-user] backup strategy
>
> Exporting while live is really not recommended as you can get inconsistent
> data that you won't be able to use.
>
> On 7 Feb 2018 10:46 am, "Knurr, Michael" wrote:
>
> Hi Corentin
>
> For my Keycloak installation I am doing daily exports/backups to the file
> system. Especially the question "how to make it stop" gave me a major
> headache.
>
> In order to work around this problem, I wrote a script which does all the
> work for me. You can just schedule it in crontab and it will start a second
> Keycloak instance, do the export and eventually kill the second instance. I
> uploaded it as a gist, so you may also use it if you like:
> https://gist.github.com/michaelknurr/a8f1941c6f40c0d784b1e467fbc694ba
>
> Cheers
> Michael
>
> -----Original Message-----
> From: Corentin Dupont [mailto:corentin.dupont at gmail.com]
> Sent: Tuesday, 6 February 2018 12:09
> To: keycloak-user
> Subject: [keycloak-user] backup strategy
>
> Hi guys,
> I wonder what the backup strategy is?
> Is it good practice to export regularly all Keycloak configuration?
>
> I can export with the command:
> ./keycloak/bin/standalone.sh -Dkeycloak.migration.action=export
> -Dkeycloak.migration.provider=singleFile
> -Dkeycloak.migration.file=export-`date +"%m-%d-%y"`.json
> -Djboss.http.port=8888 -Djboss.https.port=9999
> -Djboss.management.http.port=7777
>
> It exports the current configuration (realms, users...).
> I set different ports so it can run concurrently with the running instance
> of Keycloak.
> I can set a cron job with the command, but unfortunately this command needs
> to be stopped by Ctrl-C.
>
> -> How to make it stop after the export?
>
> Other question: the export needs to be run on the same container as
> Keycloak, but this is not very practical in a cloud setting. I use Amazon
> ECS, so I have to log in to the VM and then the container. I then have to
> extract the file with various scp commands.
> Is there any way to make this easier (i.e. with an API command)?
>
> Cheers
> Corentin
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From jonas.schoenenberger at gmail.com Wed Feb 7 08:29:48 2018
From: jonas.schoenenberger at gmail.com (Jonas Schönenberger)
Date: Wed, 7 Feb 2018 14:29:48 +0100
Subject: [keycloak-user] "Default" Client Template
In-Reply-To:
References:
Message-ID:

Hi Bill

Our clients are OAuth clients that register dynamically and they expect certain user information in the tokens. Is there a way to set default mappers on realm level until such a "client scope" feature is available? Setting mappers manually (or applying templates manually) on each dynamically registered client would kind of break the dynamic registration.

Thank you and Best Regards
Jonas

On Tue, Feb 6, 2018 at 7:04 PM, Bill Burke wrote:
> No. We will be doing work in this area soon. I'm thinking of
> renaming templates to "Client Scope" and allow clients to inherit from
> multiple scopes. A client scope would only be able to specify allowed
> roles, groups, attributes and protocol mappers. No other config
> option. We would also do away with per-role and per-protocol mapper
> consent messages and instead allow the scope and/or client to define
> the consent message to give to the user. All this to support the OIDC
> scope parameter better.
>
> I think a default scope would be an important addition.
>
> On Tue, Feb 6, 2018 at 8:15 AM, Jonas Schönenberger
> wrote:
> > Hi everyone
> >
> > Is it possible to define a default client template that every new dynamic
> > client (OpenID Connect Dynamic Client Registration) receives during
> > registration?
> >
> > Thank you for your help and Best Regards
> > Jonas
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> --
> Bill Burke
> Red Hat

From srinivas.nangunoori at microfocus.com Wed Feb 7 08:39:22 2018
From: srinivas.nangunoori at microfocus.com (Nangunoori, Srinivas)
Date: Wed, 7 Feb 2018 13:39:22 +0000
Subject: [keycloak-user] Keycloak 2.5.5 Ldap user group member ship is not syncing
In-Reply-To:
References:
Message-ID:

Hi,

I am using Keycloak 2.5.5 and I have created a group-ldap-mapper. When I press "Sync LDAP Groups to Keycloak", only groups are syncing to Keycloak but not the users. I can sync users by pressing "Synchronize all users", but I am missing the LDAP group membership info. Can someone help me to solve this issue?

--Srini

From Michael.Knurr at adesso.ch Wed Feb 7 09:11:21 2018
From: Michael.Knurr at adesso.ch (Knurr, Michael)
Date: Wed, 7 Feb 2018 14:11:21 +0000
Subject: [keycloak-user] backup strategy
In-Reply-To: <337d7c2c-c6e5-e7c7-584e-f0e65e32b1c7@merit.unu.edu>
References: <337d7c2c-c6e5-e7c7-584e-f0e65e32b1c7@merit.unu.edu>
Message-ID: <88408d5f15fe43b496d170e71f5149a8@EX2013-DB02.adesso.local>

This might be true when you assume that there is only one Java process running on this machine. When you are able to stop Keycloak anyway, there is nothing to worry about.

My original question however was: "What is the recommended procedure to export domain configuration and users in an actively running keycloak instance?"
http://lists.jboss.org/pipermail/keycloak-user/2017-November/012156.html

The recommendation back then was to start a second instance for the export.

Cheers
Michael

-----Original Message-----
From: lists [mailto:lists at merit.unu.edu]
Sent: Wednesday, 7 February 2018 11:33
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] backup strategy

Hi,

On 7-2-2018 10:44, Knurr, Michael wrote:
> For my Keycloak installation I am doing daily exports/backups to the file system. Especially the question "how to make it stop" gave me a major headache.

How to make it stop is not that difficult..? Or perhaps I misunderstand, but for us stopping Keycloak is as simple as:

    pkill java

(as Keycloak is the only Java application on this machine)

MJ

From bburke at redhat.com Wed Feb 7 10:04:55 2018
From: bburke at redhat.com (Bill Burke)
Date: Wed, 7 Feb 2018 10:04:55 -0500
Subject: [keycloak-user] "Default" Client Template
In-Reply-To:
References:
Message-ID:

You can define a template, but not a default template. You'd have to add the template when registering the client.

On Wed, Feb 7, 2018 at 8:29 AM, Jonas Schönenberger wrote:
> Hi Bill
>
> Our clients are OAuth clients that register dynamically and they expect
> certain user information in the tokens. Is there a way to set default
> mappers on realm level until such a "client scope" feature is available?
> Setting mappers manually (or applying templates manually) on each dynamically
> registered client would kind of break the dynamic registration.
>
> Thank you and Best Regards
> Jonas
>
>
> On Tue, Feb 6, 2018 at 7:04 PM, Bill Burke wrote:
>>
>> No. We will be doing work in this area soon. I'm thinking of
>> renaming templates to "Client Scope" and allow clients to inherit from
>> multiple scopes. A client scope would only be able to specify allowed
>> roles, groups, attributes and protocol mappers. No other config
>> option. We would also do away with per-role and per-protocol mapper
>> consent messages and instead allow the scope and/or client to define
>> the consent message to give to the user. All this to support the OIDC
>> scope parameter better.
>>
>> I think a default scope would be an important addition.
>>
>> On Tue, Feb 6, 2018 at 8:15 AM, Jonas Schönenberger
>> wrote:
>> > Hi everyone
>> >
>> > Is it possible to define a default client template that every new
>> > dynamic
>> > client (OpenID Connect Dynamic Client Registration) receives during
>> > registration?
>> >
>> > Thank you for your help and Best Regards
>> > Jonas
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>>
>>
>> --
>> Bill Burke
>> Red Hat
>
>

--
Bill Burke
Red Hat

From jcain at redhat.com Wed Feb 7 10:07:28 2018
From: jcain at redhat.com (Josh Cain)
Date: Wed, 7 Feb 2018 09:07:28 -0600
Subject: [keycloak-user] cache replication problems?
In-Reply-To:
References:
Message-ID: <62db1dc8-cf7c-5233-15be-744a5641ba6d@redhat.com>

I know for us, we keep a close eye on JVM statistics. However, if your Infinispan cluster is on the same box as your Keycloak server (not running anything like JDG) as ours is atm, then your JVM statistics are only part of the story.

If you can *safely* enable JMX and set up a service account appropriately, MBean statistics on cache usage would give you a really clear picture of what Infinispan is doing:

...
...

From there, you can get a better idea of how the cache-container settings can be tuned in your server config.

Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com IRC: jcain

On 02/07/2018 04:15 AM, Angel Abella wrote:
> These tests are with the latest KC version.
> The problems start when the number of sessions rises above 800.000. We
> have tried to lower the access token lifespan, SSO session max and SSO
> session idle and it helped.
>
> Sadly the docs are not as useful as they should be. :-(
>
> 2018-02-07 11:03 GMT+01:00 Marek Posolda :
>
>> What is your Keycloak version?
>> If you used 2.X and you will migrate to
>> latest 3.4.3, there is some chance that issues might be solved as we did
>> some performance improvements.
>>
>> Overall, it depends on number of sessions, network connection between
>> cluster servers etc. If network can't be tweaked, then maybe it's possible
>> to increase replication timeout? See Infinispan and WildFly Infinispan
>> Subsystem docs for how to do it.
>>
>> Marek
>>
>>
>> On 06/02/18 12:09, Angel Abella wrote:
>>
>>> Hello,
>>>
>>> We have a 2 server standalone-ha installation. When the number of sessions
>>> alive increases we get these errors:
>>>
>>>
>>> 2018-02-06 11:42:07,161 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-22) ISPN000136: Error executing command PutKeyValueCommand, writing keys [f75b436f-d316-4442-8d9b-c7313647c5b8]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>>
>>> 2018-02-06 11:42:07,162 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-22) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>>
>>> 2018-02-06 11:42:07,166 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-17) ISPN000136: Error executing command RemoveCommand, writing keys [0d8d4c5c-7971-46dd-b414-cb5f16862085]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>>
>>> 2018-02-06 11:42:07,171 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-11) ISPN000136: Error executing command PutKeyValueCommand, writing keys [dfd69644-e241-465c-8a92-ef84e76caf62]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>>
>>> 2018-02-06 11:42:07,173 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-11) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>>
>>> 2018-02-06 11:42:07,205 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-17) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
>>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
>>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
>>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
>>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
>>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
>>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
>>>     at java.lang.Thread.run(Thread.java:745)
>>>
>>>
>>>
>>> Any idea of what's going on?
>>>
>>>
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180207/534c1dd4/attachment-0001.bin

From ryans at jlab.org Wed Feb 7 10:25:09 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 7 Feb 2018 10:25:09 -0500 (EST)
Subject: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?
In-Reply-To: <1006213065.8455966.1518017060958.JavaMail.zimbra@jlab.org>
References: <1499329272.8253056.1517944592901.JavaMail.zimbra@jlab.org>
Message-ID: <1165784646.8456228.1518017109049.JavaMail.zimbra@jlab.org>

I figured out why the Kerberos component wasn't showing up in the web console. I now see that realm name and realm ID are not identical by default. It might make sense to update the CLI docs to suggest that when creating a realm you explicitly set the ID to be the same as the realm name, as the web console automatically does. That is why I was seeing the command line listing the component as part of the realm, but not visible when browsing from the web console.

The first part of my question still remains. It seems the kcadm tool cannot be used to create or modify a user storage provider with all of the fields. Some fields seem to cause parsing errors on the server. Including these fields in the initial create command doesn't work. Neither does including them in an update command:

    kcadm.sh update components/my-kerberos-component-id -r demorealm -s config.kerberosRealm=["my-kerberos-realm-name"]

Also results in:

    Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token

----- Original Message -----
From: "Ryan Slominski"
To: "keycloak-user"
Sent: Tuesday, February 6, 2018 2:16:32 PM
Subject: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?

I'm following the latest CLI documentation (http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli), but the section about managing Kerberos user storage providers seems to be out-of-date.
The related REST API documentation (http://www.keycloak.org/docs/latest/server_development/index.html#rest-management-api) points out that major changes occurred after version 2.4.0. In particular the following command no longer works:

    kcadm.sh create user-federation/instances -r demorealm ...

Instead it seems it should be something like the following:

    kcadm.sh create components -r demorealm -s parentId=demorealm -s name="kerberos" -s providerId="kerberos" -s providerType="org.keycloak.storage.UserStorageProvider" \
        -s config.enabled=["true"] -s config.allowPasswordAuthentication=["true"] -s config.debug=["false"] -s config.priority=["0"] -s config.updateProfileFirstLogin=["false"]

However, this "create components" command only seems to work if I don't include the following otherwise desirable attributes:

    -s config.keyTab=["path-to-keytab"]
    -s config.kerberosRealm=["kerberos-realm-name"]
    -s config.cachePolicy=["DEFAULT"]
    -s config.editMode=["READ_ONLY"]
    -s config.serverPrincipal=["http-principal-name"]

Including any one of them results in the server throwing the following exception:

    Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token

Further, even if I leave these attributes out and attempt to finish the job using the web console, I noticed the new user storage provider doesn't show up in the list on the web. It DOES show up when queried from the command line with:

    kcadm.sh get components -r demorealm

But oddly doesn't show up if you filter as the web does with:

    kcadm.sh get components -r demorealm -q type=org.keycloak.storage.UserStorageProvider

Any help is appreciated.
Thanks,
Ryan

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From aabella at bkool.com Wed Feb 7 10:43:34 2018
From: aabella at bkool.com (Angel Abella)
Date: Wed, 7 Feb 2018 16:43:34 +0100
Subject: [keycloak-user] cache replication problems?
In-Reply-To: <62db1dc8-cf7c-5233-15be-744a5641ba6d@redhat.com>
References: <62db1dc8-cf7c-5233-15be-744a5641ba6d@redhat.com>
Message-ID:

It would be great to be able to access JMX, but I am not able to connect to the JMX subsystem from my local machine to the servers on AWS.

I have this in the standalone-ha.xml file, and ports 9090 and 8081 open, but I cannot connect from my machine to the remote server using jconsole with:

    service:jmx:http-remoting-jmx://servername:9990
    OR
    service:jmx:http-remoting-jmx://servername:8081

:-(

2018-02-07 16:07 GMT+01:00 Josh Cain :

> I know for us, we keep a close eye on JVM statistics. However, if your
> Infinispan cluster is on the same box as your Keycloak server (not
> running anything like JDG) as ours is atm, then your JVM statistics are
> only part of the story.
>
> If you can *safely* enable JMX and set up a service account
> appropriately, MBean statistics on cache usage would give you a really
> clear picture of what Infinispan is doing:
>
> statistics-enabled="true">
> ...
> statistics-enabled="true"/>
> statistics-enabled="true"/>
> ...
>
> From there, you can get a better idea of how the cache-container
> settings can be tuned in your server config.
>
> Josh Cain
> Senior Software Applications Engineer, RHCE
> Red Hat North America
> jcain at redhat.com IRC: jcain
>
> On 02/07/2018 04:15 AM, Angel Abella wrote:
> > These tests are with the latest KC version.
> > The problems start when the number of sessions rises above 800.000. We
> > have tried to lower the access token lifespan, SSO session max and SSO
> > session idle and it helped.
> >
> > Sadly the docs are not as useful as they should be. :-(
> >
> > 2018-02-07 11:03 GMT+01:00 Marek Posolda :
> >
> >> What is your Keycloak version? If you used 2.X and you will migrate to
> >> latest 3.4.3, there is some chance that issues might be solved as we did
> >> some performance improvements.
> >>
> >> Overall, it depends on number of sessions, network connection between
> >> cluster servers etc. If network can't be tweaked, then maybe it's
> possible
> >> to increase replication timeout? See Infinispan and WildFly Infinispan
> >> Subsystem docs for how to do it.
> >>
> >> Marek
> >>
> >>
> >> On 06/02/18 12:09, Angel Abella wrote:
> >>
> >>> Hello,
> >>>
> >>> We have a 2 server standalone-ha installation. When the number of
> sessions
> >>> alive increases we get these errors:
> >>>
> >>>
> >>> 2018-02-06 11:42:07,161 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-22) ISPN000136: Error executing command PutKeyValueCommand, writing keys [f75b436f-d316-4442-8d9b-c7313647c5b8]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >>>     at java.lang.Thread.run(Thread.java:745)
> >>>
> >>> 2018-02-06 11:42:07,162 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-22) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >>>     at java.lang.Thread.run(Thread.java:745)
> >>>
> >>> 2018-02-06 11:42:07,166 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-17) ISPN000136: Error executing command RemoveCommand, writing keys [0d8d4c5c-7971-46dd-b414-cb5f16862085]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >>>     at java.lang.Thread.run(Thread.java:745)
> >>>
> >>> 2018-02-06 11:42:07,171 ERROR [org.infinispan.interceptors.InvocationContextInterceptor] (default task-11) ISPN000136: Error executing command PutKeyValueCommand, writing keys [dfd69644-e241-465c-8a92-ef84e76caf62]: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628)
> >>>     at java.util.concurrent.CompletableFuture.uniApply(CompletableFuture.java:602)
> >>>     at java.util.concurrent.CompletableFuture$UniApply.tryFire(CompletableFuture.java:577)
> >>>     at java.util.concurrent.CompletableFuture.postComplete(CompletableFuture.java:474)
> >>>     at java.util.concurrent.CompletableFuture.complete(CompletableFuture.java:1962)
> >>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:46)
> >>>     at org.infinispan.remoting.transport.jgroups.SingleResponseFuture.call(SingleResponseFuture.java:17)
> >>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
> >>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
> >>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
> >>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> >>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> >>>     at java.lang.Thread.run(Thread.java:745)
> >>>
> >>> 2018-02-06 11:42:07,173 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-11) Uncaught server error: org.infinispan.util.concurrent.TimeoutException: Replication timeout for sson2
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.checkRsp(JGroupsTransport.java:827)
> >>>     at org.infinispan.remoting.transport.jgroups.JGroupsTransport.
> >>> lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > >>> at > >>> java.util.concurrent.CompletableFuture.uniApply(CompletableF > >>> uture.java:602) > >>> at > >>> java.util.concurrent.CompletableFuture$UniApply.tryFire( > >>> CompletableFuture.java:577) > >>> at > >>> java.util.concurrent.CompletableFuture.postComplete(Completa > >>> bleFuture.java:474) > >>> at > >>> java.util.concurrent.CompletableFuture.complete(CompletableF > >>> uture.java:1962) > >>> at > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > >>> re.call(SingleResponseFuture.java:46) > >>> at > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > >>> re.call(SingleResponseFuture.java:17) > >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) > >>> at > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > >>> tureTask.access$201(ScheduledThreadPoolExecutor.java:180) > >>> at > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > >>> tureTask.run(ScheduledThreadPoolExecutor.java:293) > >>> at > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > >>> Executor.java:1142) > >>> at > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > >>> lExecutor.java:617) > >>> at java.lang.Thread.run(Thread.java:745) > >>> > >>> 2018-02-06 11:42:07,205 ERROR > >>> [org.keycloak.services.error.KeycloakErrorHandler] (default task-17) > >>> Uncaught server error: org.infinispan.util. > concurrent.TimeoutException: > >>> Replication timeout for sson2 > >>> at > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > >>> checkRsp(JGroupsTransport.java:827) > >>> at > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. 
> >>> lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > >>> at > >>> java.util.concurrent.CompletableFuture.uniApply(CompletableF > >>> uture.java:602) > >>> at > >>> java.util.concurrent.CompletableFuture$UniApply.tryFire( > >>> CompletableFuture.java:577) > >>> at > >>> java.util.concurrent.CompletableFuture.postComplete(Completa > >>> bleFuture.java:474) > >>> at > >>> java.util.concurrent.CompletableFuture.complete(CompletableF > >>> uture.java:1962) > >>> at > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > >>> re.call(SingleResponseFuture.java:46) > >>> at > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > >>> re.call(SingleResponseFuture.java:17) > >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) > >>> at > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > >>> tureTask.access$201(ScheduledThreadPoolExecutor.java:180) > >>> at > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > >>> tureTask.run(ScheduledThreadPoolExecutor.java:293) > >>> at > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > >>> Executor.java:1142) > >>> at > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > >>> lExecutor.java:617) > >>> at java.lang.Thread.run(Thread.java:745) > >>> > >>> > >>> > >>> Any idea of what's going on? 
> >>>
> >>>
> >>
> >
> >
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Angel Abella
*IT *
*BKOOL* *Connect* *| Sport*
mail: aabella at bkool.com
mob: +34 691 77 18 98
add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
www.bkool.com

From Christoph.Guse at viega.de Wed Feb 7 10:54:04 2018
From: Christoph.Guse at viega.de (Guse, Christoph)
Date: Wed, 7 Feb 2018 15:54:04 +0000
Subject: [keycloak-user] Apache auth_openidc_module and Policy enforcer
Message-ID: <3B0A830696748C44A791CD7CB5608FDB2851491B@SAT-Exchange1.servers.emea.dir>

Hi everybody,

we currently did a proof of concept using Keycloak and we are very sure to fulfill the requirements using Keycloak. Thanks a lot for your work!

At the moment I am trying to use Apache with Keycloak using the auth_openidc_module. The redirect to Keycloak works, but I'm wondering if it is possible to use the Authorization (Resources / Policies / Permissions) feature with auth_openidc_module. I would like to be able to configure the Apache resource authorization in Keycloak.

We already managed to use Authorization in our Spring-Boot applications, and we had to switch on the Policy Enforcer to use Authorization. Unfortunately I did not find this option in the configuration of auth_openidc_module in the documentation. In this documentation the authorization is configured in httpd.conf in the sections.

Is Authorization available in auth_openidc_module?

Cheers,
Christoph

Viega Holding GmbH & Co. KG, Sitz Attendorn, Amtsgericht Siegen HRA 7404, Komplementärinnen: Viega Holding Beteiligungs B.V.
(Vorsitzende der Geschäftsführung: Walter Viegener, Claus Holst-Gydesen; Geschäftsführer: Ralf Baginski, Andreas Brockow, Andreas Fiefhaus, Dirk Gellisch, Peter Sch?ler); Viega Holding Beteiligungs GmbH (Geschäftsführer: Walter Viegener, Claus Holst-Gydesen)

Rechtliche Verpflichtungen werden mit dieser Nachricht nur eingegangen, wenn eine davon unabhängige schriftliche Bestätigung erfolgt. Der Inhalt dieser Nachricht ist vertraulich und ausschließlich für den Adressaten bestimmt. Ihre unbefugte Verwertung oder Mitteilung an Dritte ist gesetzlich untersagt. Sind Sie selbst nicht der korrekte Empfänger, so vernichten Sie bitte diese Nachricht und benachrichtigen Sie uns unverzüglich. Herzlichen Dank für Ihre Mithilfe.

No obligation is entered into by this message, unless confirmed independently. The information contained in this message is confidential, intended only for the addressee. If you are not the intended recipient, any use, review, dissemination, distribution or copying of this document is strictly prohibited. If you have received this document in error, please destroy the original message and notify us immediately. Thank you very much for your cooperation.

From psilva at redhat.com Wed Feb 7 11:18:58 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 7 Feb 2018 14:18:58 -0200
Subject: [keycloak-user] Apache auth_openidc_module and Policy enforcer
In-Reply-To: <3B0A830696748C44A791CD7CB5608FDB2851491B@SAT-Exchange1.servers.emea.dir>
References: <3B0A830696748C44A791CD7CB5608FDB2851491B@SAT-Exchange1.servers.emea.dir>
Message-ID:

Hi,

It is not. But this doc [1] shows how to enforce access based on claims. Permissions granted by Keycloak are basically within a claim in the access token (the so-called RPT). But I guess you have looked at this option already and it does not work for you.

Regards.
Pedro Igor

On Wed, Feb 7, 2018 at 1:54 PM, Guse, Christoph wrote:

> Hi everybody,
>
> we currently did a proof of concept using Keycloak and we are very sure to fulfill the requirements using Keycloak. Thanks a lot for your work!
>
> At the moment I am trying to use Apache with Keycloak using the auth_openidc_module. The redirect to Keycloak works, but I'm wondering if it is possible to use the Authorization (Resources / Policies / Permissions) feature with auth_openidc_module. I would like to be able to configure the Apache resource authorization in Keycloak.
>
> We already managed to use Authorization in our Spring-Boot applications, and we had to switch on the Policy Enforcer to use Authorization. Unfortunately I did not find this option in the configuration of auth_openidc_module in the documentation. In this documentation the authorization is configured in httpd.conf in the sections.
>
> Is Authorization available in auth_openidc_module?
>
> Cheers,
> Christoph
>
> Viega Holding GmbH & Co. KG, Sitz Attendorn, Amtsgericht Siegen HRA 7404, Komplementärinnen: Viega Holding Beteiligungs B.V. (Vorsitzende der Geschäftsführung: Walter Viegener, Claus Holst-Gydesen; Geschäftsführer: Ralf Baginski, Andreas Brockow, Andreas Fiefhaus, Dirk Gellisch, Peter Sch?ler); Viega Holding Beteiligungs GmbH (Geschäftsführer: Walter Viegener, Claus Holst-Gydesen)
>
> Rechtliche Verpflichtungen werden mit dieser Nachricht nur eingegangen, wenn eine davon unabhängige schriftliche Bestätigung erfolgt. Der Inhalt dieser Nachricht ist vertraulich und ausschließlich für den Adressaten bestimmt. Ihre unbefugte Verwertung oder Mitteilung an Dritte ist gesetzlich untersagt. Sind Sie selbst nicht der korrekte Empfänger, so vernichten Sie bitte diese Nachricht und benachrichtigen Sie uns unverzüglich. Herzlichen Dank für Ihre Mithilfe.
>
> No obligation is entered into by this message, unless confirmed independently.
> The information contained in this message is confidential, intended only for the addressee. If you are not the intended recipient, any use, review, dissemination, distribution or copying of this document is strictly prohibited. If you have received this document in error, please destroy the original message and notify us immediately. Thank you very much for your cooperation.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hmlnarik at redhat.com Thu Feb 8 03:57:31 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Thu, 8 Feb 2018 09:57:31 +0100
Subject: [keycloak-user] cache replication problems?
In-Reply-To:
References: <62db1dc8-cf7c-5233-15be-744a5641ba6d@redhat.com>
Message-ID:

Check the "Connecting to Infinispan JConsole" part of [1] for help with connecting to JMX via jconsole in an AWS environment.

[1] http://blog.keycloak.org/2018/01/keycloak-cross-data-center-setup-in-aws.html

On Wed, Feb 7, 2018 at 4:43 PM, Angel Abella wrote:

> It would be great to be able to access JMX, but I am not able to connect to the JMX subsystem from my local machine to the servers on AWS.
> I have this
>
>
>
> In the standalone-ha.xml file, and ports 9090 and 8081 open, but I cannot connect from my machine to the remote server using jconsole with:
>
> service:jmx:http-remoting-jmx://servername:9990 OR
> service:jmx:http-remoting-jmx://servername:8081
>
> :-(
>
>
> 2018-02-07 16:07 GMT+01:00 Josh Cain :
>
> > I know for us, we keep a close eye on JVM statistics. However, if your infinispan cluster is on the same box as your Keycloak server (not running anything like JDG) as ours is atm, then your JVM statistics are only part of the story.
> >
> > If you can *safely* enable JMX and set up a service account appropriately, MBean statistics on cache usage would give you a really clear picture of what Infinispan is doing:
> >
> > statistics-enabled="true">
> > ...
> > statistics-enabled="true"/>
> > statistics-enabled="true"/>
> > ...
> >
> > From there, you can get a better idea of how the cache-container settings can be tuned in your server config.
> >
> > Josh Cain
> > Senior Software Applications Engineer, RHCE
> > Red Hat North America
> > jcain at redhat.com IRC: jcain
> >
> > On 02/07/2018 04:15 AM, Angel Abella wrote:
> > > These tests are with the latest KC version.
> > > The problems start when the number of sessions rises above 800.000. We have tried to lower the access token lifespan, sso session max and sso session idle and it helped.
> > >
> > > Sadly the docs are not as useful as they should be. :-(
> > >
> > > 2018-02-07 11:03 GMT+01:00 Marek Posolda :
> > >
> > >> What is your Keycloak version? If you used 2.X and you will migrate to latest 3.4.3, there is some chance that issues might be solved as we did some performance improvements.
> > >>
> > >> Overall, it depends on the number of sessions, network connection between cluster servers etc. If the network can't be tweaked, then maybe it's possible to increase the replication timeout? See Infinispan and Wildfly Infinispan Subsystem docs for how to do it.
> > >>
> > >> Marek
> > >>
> > >>
> > >> On 06/02/18 12:09, Angel Abella wrote:
> > >>
> > >>> Hello,
> > >>>
> > >>> We have a 2-server standalone-ha installation.
When the number of > > sessions > > >>> alive increases we get this errors: > > >>> > > >>> > > >>> 2018-02-06 11:42:07,161 ERROR > > >>> [org.infinispan.interceptors.InvocationContextInterceptor] (default > > >>> task-22) ISPN000136: Error executing command PutKeyValueCommand, > > writing > > >>> keys [f75b436f-d316-4442-8d9b-c7313647c5b8]: > > >>> org.infinispan.util.concurrent.TimeoutException: Replication timeout > > for > > >>> sson2 > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> checkRsp(JGroupsTransport.java:827) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > > >>> at > > >>> java.util.concurrent.CompletableFuture.uniApply(CompletableF > > >>> uture.java:602) > > >>> at > > >>> java.util.concurrent.CompletableFuture$UniApply.tryFire( > > >>> CompletableFuture.java:577) > > >>> at > > >>> java.util.concurrent.CompletableFuture.postComplete(Completa > > >>> bleFuture.java:474) > > >>> at > > >>> java.util.concurrent.CompletableFuture.complete(CompletableF > > >>> uture.java:1962) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:46) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:17) > > >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.access$201(ScheduledThreadPoolExecutor.java:180) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.run(ScheduledThreadPoolExecutor.java:293) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > > >>> Executor.java:1142) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > > >>> lExecutor.java:617) > > >>> at 
java.lang.Thread.run(Thread.java:745) > > >>> > > >>> 2018-02-06 11:42:07,162 ERROR > > >>> [org.keycloak.services.error.KeycloakErrorHandler] (default task-22) > > >>> Uncaught server error: org.infinispan.util. > > concurrent.TimeoutException: > > >>> Replication timeout for sson2 > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> checkRsp(JGroupsTransport.java:827) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > > >>> at > > >>> java.util.concurrent.CompletableFuture.uniApply(CompletableF > > >>> uture.java:602) > > >>> at > > >>> java.util.concurrent.CompletableFuture$UniApply.tryFire( > > >>> CompletableFuture.java:577) > > >>> at > > >>> java.util.concurrent.CompletableFuture.postComplete(Completa > > >>> bleFuture.java:474) > > >>> at > > >>> java.util.concurrent.CompletableFuture.complete(CompletableF > > >>> uture.java:1962) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:46) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:17) > > >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.access$201(ScheduledThreadPoolExecutor.java:180) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.run(ScheduledThreadPoolExecutor.java:293) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > > >>> Executor.java:1142) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > > >>> lExecutor.java:617) > > >>> at java.lang.Thread.run(Thread.java:745) > > >>> > > >>> 2018-02-06 11:42:07,166 ERROR > > >>> [org.infinispan.interceptors.InvocationContextInterceptor] (default > > >>> task-17) ISPN000136: 
Error executing command RemoveCommand, writing > > keys > > >>> [0d8d4c5c-7971-46dd-b414-cb5f16862085]: > > >>> org.infinispan.util.concurrent.TimeoutException: Replication timeout > > for > > >>> sson2 > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> checkRsp(JGroupsTransport.java:827) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > > >>> at > > >>> java.util.concurrent.CompletableFuture.uniApply(CompletableF > > >>> uture.java:602) > > >>> at > > >>> java.util.concurrent.CompletableFuture$UniApply.tryFire( > > >>> CompletableFuture.java:577) > > >>> at > > >>> java.util.concurrent.CompletableFuture.postComplete(Completa > > >>> bleFuture.java:474) > > >>> at > > >>> java.util.concurrent.CompletableFuture.complete(CompletableF > > >>> uture.java:1962) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:46) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:17) > > >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.access$201(ScheduledThreadPoolExecutor.java:180) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.run(ScheduledThreadPoolExecutor.java:293) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > > >>> Executor.java:1142) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > > >>> lExecutor.java:617) > > >>> at java.lang.Thread.run(Thread.java:745) > > >>> > > >>> 2018-02-06 11:42:07,171 ERROR > > >>> [org.infinispan.interceptors.InvocationContextInterceptor] (default > > >>> task-11) ISPN000136: Error executing command PutKeyValueCommand, > > writing > > >>> keys 
[dfd69644-e241-465c-8a92-ef84e76caf62]: > > >>> org.infinispan.util.concurrent.TimeoutException: Replication timeout > > for > > >>> sson2 > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> checkRsp(JGroupsTransport.java:827) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > > >>> at > > >>> java.util.concurrent.CompletableFuture.uniApply(CompletableF > > >>> uture.java:602) > > >>> at > > >>> java.util.concurrent.CompletableFuture$UniApply.tryFire( > > >>> CompletableFuture.java:577) > > >>> at > > >>> java.util.concurrent.CompletableFuture.postComplete(Completa > > >>> bleFuture.java:474) > > >>> at > > >>> java.util.concurrent.CompletableFuture.complete(CompletableF > > >>> uture.java:1962) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:46) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:17) > > >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.access$201(ScheduledThreadPoolExecutor.java:180) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.run(ScheduledThreadPoolExecutor.java:293) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > > >>> Executor.java:1142) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > > >>> lExecutor.java:617) > > >>> at java.lang.Thread.run(Thread.java:745) > > >>> > > >>> 2018-02-06 11:42:07,173 ERROR > > >>> [org.keycloak.services.error.KeycloakErrorHandler] (default task-11) > > >>> Uncaught server error: org.infinispan.util. 
> > concurrent.TimeoutException: > > >>> Replication timeout for sson2 > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> checkRsp(JGroupsTransport.java:827) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > > >>> at > > >>> java.util.concurrent.CompletableFuture.uniApply(CompletableF > > >>> uture.java:602) > > >>> at > > >>> java.util.concurrent.CompletableFuture$UniApply.tryFire( > > >>> CompletableFuture.java:577) > > >>> at > > >>> java.util.concurrent.CompletableFuture.postComplete(Completa > > >>> bleFuture.java:474) > > >>> at > > >>> java.util.concurrent.CompletableFuture.complete(CompletableF > > >>> uture.java:1962) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:46) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:17) > > >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.access$201(ScheduledThreadPoolExecutor.java:180) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.run(ScheduledThreadPoolExecutor.java:293) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > > >>> Executor.java:1142) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > > >>> lExecutor.java:617) > > >>> at java.lang.Thread.run(Thread.java:745) > > >>> > > >>> 2018-02-06 11:42:07,205 ERROR > > >>> [org.keycloak.services.error.KeycloakErrorHandler] (default task-17) > > >>> Uncaught server error: org.infinispan.util. > > concurrent.TimeoutException: > > >>> Replication timeout for sson2 > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. 
> > >>> checkRsp(JGroupsTransport.java:827) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.JGroupsTransport. > > >>> lambda$invokeRemotelyAsync$0(JGroupsTransport.java:628) > > >>> at > > >>> java.util.concurrent.CompletableFuture.uniApply(CompletableF > > >>> uture.java:602) > > >>> at > > >>> java.util.concurrent.CompletableFuture$UniApply.tryFire( > > >>> CompletableFuture.java:577) > > >>> at > > >>> java.util.concurrent.CompletableFuture.postComplete(Completa > > >>> bleFuture.java:474) > > >>> at > > >>> java.util.concurrent.CompletableFuture.complete(CompletableF > > >>> uture.java:1962) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:46) > > >>> at > > >>> org.infinispan.remoting.transport.jgroups.SingleResponseFutu > > >>> re.call(SingleResponseFuture.java:17) > > >>> at java.util.concurrent.FutureTask.run(FutureTask.java:266) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.access$201(ScheduledThreadPoolExecutor.java:180) > > >>> at > > >>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFu > > >>> tureTask.run(ScheduledThreadPoolExecutor.java:293) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPool > > >>> Executor.java:1142) > > >>> at > > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoo > > >>> lExecutor.java:617) > > >>> at java.lang.Thread.run(Thread.java:745) > > >>> > > >>> > > >>> > > >>> Any idea of what's going on? 
> > >>>
> > >>>
> > >>
> > >
> > >
> > >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
>
> --
> Angel Abella
> *IT *
> *BKOOL* *Connect* *| Sport*
> mail: aabella at bkool.com
> mob: +34 691 77 18 98
> add: C/ San Joaquín 3 - 28231 Las Rozas - Madrid
> www.bkool.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
--Hynek

From valsarajpv at gmail.com Thu Feb 8 04:21:58 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 8 Feb 2018 14:51:58 +0530
Subject: [keycloak-user] Integrating WildFly JavaEE application with Keyclock
Message-ID:

Hi,

Currently our JavaEE application, with servlets, EJB, remote EJB & HornetQ messaging, is using a JAAS login module with an LDAP back end. I am trying to integrate Keycloak with our WildFly 10.1 server for use as identity provider & SSO.

*Source LDAP/DB Sync*
Found that Keycloak supports LDAP sync & we can sync existing user data periodically to Keycloak. Is it possible to sync from multiple user data stores, as we have to integrate multiple JavaEE web apps?

*JAAS custom login module for Keycloak*
Currently we are using a JAAS custom login module for authentication/authorization. Is it possible to use the same or a similar login module with Keycloak? We need to avoid redirection to the Keycloak login page.
If redirection is a must, is there any sample to migrate from JAAS to a Keycloak realm?

Thanks!

--
Life is like this: "Just when we get all the answers of life.... God changes the question paper....
Valsaraj Viswanathan

From j.muis at copas.nl Thu Feb 8 05:28:11 2018
From: j.muis at copas.nl (Jeroen Muis)
Date: Thu, 8 Feb 2018 10:28:11 +0000
Subject: [keycloak-user] Integrating WildFly JavaEE application with Keyclock
In-Reply-To:
References:
Message-ID:

Hi,

We are very much interested in this as well, and had some tests done based on the work of Marek Posolda: https://github.com/mposolda/keycloak-remote-ejb
This PoC is based on direct access grants, so no redirects are required.

This seems to work just fine when having an EJB module, but when packaging this inside an EAR we don't seem to be able to get this working any longer. Not sure why yet, as we did not have enough time to fully debug this. Our EAR consists of several EJB modules, WARs, etc.

Best regards,
Jeroen Muis,
Copas B.V.

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of valsaraj pv
Sent: Thursday, 8 February 2018 10:22
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Integrating WildFly JavaEE application with Keyclock

Hi,

Currently our JavaEE application, with servlets, EJB, remote EJB & HornetQ messaging, is using a JAAS login module with an LDAP back end. I am trying to integrate Keycloak with our WildFly 10.1 server for use as identity provider & SSO.

*Source LDAP/DB Sync*
Found that Keycloak supports LDAP sync & we can sync existing user data periodically to Keycloak. Is it possible to sync from multiple user data stores, as we have to integrate multiple JavaEE web apps?

*JAAS custom login module for Keycloak*
Currently we are using a JAAS custom login module for authentication/authorization. Is it possible to use the same or a similar login module with Keycloak? We need to avoid redirection to the Keycloak login page.
If redirection is a must, is there any sample to migrate from JAAS to a Keycloak realm?

Thanks!

--
Life is like this: "Just when we get all the answers of life.... God changes the question paper....
Valsaraj Viswanathan
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From subodhcjoshi82 at gmail.com Thu Feb 8 05:44:08 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 8 Feb 2018 16:14:08 +0530
Subject: [keycloak-user] Curl Commands to create Realm/User/AdminUsergroup
Message-ID:

Hi,

Rather than using the Keycloak UI, there are some basic things I want to create dynamically, so I am thinking of creating a shell script for the Linux server which will be able to do the following:

1. Create realm
2. Create admin user group
3. Create Admin Role

How can these features be automated through curl? Can someone please guide me?

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From valsarajpv at gmail.com Thu Feb 8 06:27:35 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 8 Feb 2018 16:57:35 +0530
Subject: [keycloak-user] Integrating WildFly JavaEE application with Keyclock
In-Reply-To:
References:
Message-ID:

We have an EAR with a WAR and an EJB JAR. So which option is better and working to integrate Keycloak? If we use the Keycloak login module, will this set cookies? I wonder how SSO will work in this case.

On 08-Feb-2018 3:58 PM, "Jeroen Muis" wrote:

> Hi,
>
> We are very much interested in this as well, and had some tests done based on the work of Marek Posolda: https://github.com/mposolda/keycloak-remote-ejb
> This PoC is based on direct access grants, so no redirects are required.
>
> This seems to work just fine when having an EJB module, but when packaging this inside an EAR we don't seem to be able to get this working any longer. Not sure why yet, as we did not have enough time to fully debug this. Our EAR consists of several EJB modules, WARs, etc.
>
>
> Best regards,
> Jeroen Muis,
> Copas B.V.
> > > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@ > lists.jboss.org] On Behalf Of valsaraj pv > Sent: Thursday, 8 February 2018 10:22 > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Integrating WildFly JavaEE application with > Keyclock > > Hi, > > Currently our JavaEE application with servlets, EJB, remote EJB & HornetQ > messaging using JAAS login module with LDAP back end. I am trying to > integrate Keyclock with our WildFly 10.1 server for using identity provider > & SSO. > > *Source LDAP/DB Sync* > Found that Keycloak supports LDAP sync & we can sync existing user data > periofically to Keyclock. Is it possiblr to sync from multiple user data > stores as we have to integrate multiple JavaEE web apps? > > *JAAS custom login module for Keyclock* > Currently we are using JAAS custom login module for > authentication/authorization. Is it possible to user the same or similar > login module with Keyclock? We need to avoid redirection to Keyclock login > page. > If redirection is must, is there any sample to migrate from JAAS to > Keyclock realm? > > Thanks! > > > > -- > Life is like this: "Just when we get all the answers of life.... God > changes the question paper.... > > Valsaraj Viswanathan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From hmlnarik at redhat.com Thu Feb 8 06:46:01 2018 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Thu, 8 Feb 2018 12:46:01 +0100 Subject: [keycloak-user] Curl Commands to create Realm/User/AdminUsergroup In-Reply-To: References: Message-ID: Rather than curl which would be quite tricky, have you looked at kcadm [1]? 
[1] http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli On Thu, Feb 8, 2018 at 11:44 AM, Subodh Joshi wrote: > Hi , > > Rather than using UI of keycloak some basic thing i will want to create > dynamically so i am thinking to create a shell script file for linux > server which will able to do following > > 1. Create realm > 2. Create admin user group > 3. Create Admin Role > > How to automate these feature through CURL ? Can someone please guide me? > > -- > Subodh Chandra Joshi > subodh1_joshi82 at yahoo.co.in > http://www.trendsinnews.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek From subodhcjoshi82 at gmail.com Thu Feb 8 06:54:07 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Thu, 8 Feb 2018 17:24:07 +0530 Subject: [keycloak-user] Curl Commands to create Realm/User/AdminUsergroup In-Reply-To: References: Message-ID: Hi Hynek, Thanks for your reply ,Just want to tell you i dont want to use Admin GUI for creating some basic information first time at-least. Actually i will want to run this script after the keycloak installation so user dont have to do it manually through GUI . On Thu, Feb 8, 2018 at 5:16 PM, Hynek Mlnarik wrote: > Rather than curl which would be quite tricky, have you looked at kcadm [1]? > > [1] http://www.keycloak.org/docs/latest/server_admin/ > index.html#the-admin-cli > > On Thu, Feb 8, 2018 at 11:44 AM, Subodh Joshi > wrote: > >> Hi , >> >> Rather than using UI of keycloak some basic thing i will want to create >> dynamically so i am thinking to create a shell script file for linux >> server which will able to do following >> >> 1. Create realm >> 2. Create admin user group >> 3. Create Admin Role >> >> How to automate these feature through CURL ? Can someone please guide me? 
>> >> -- >> Subodh Chandra Joshi >> subodh1_joshi82 at yahoo.co.in >> http://www.trendsinnews.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > -- > > --Hynek > -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From hanneshansen at t-online.de Thu Feb 8 07:12:53 2018 From: hanneshansen at t-online.de (Hannes Hansen) Date: Thu, 8 Feb 2018 13:12:53 +0100 Subject: [keycloak-user] CORS for admin API Message-ID: Hello everybody, is there a way to setup CORS headers for the admin API, documented under http://www.keycloak.org/docs-api/3.4/rest-api/. I only found the CORS settings for the clients. Thanks in advance. Best regards Hannes From j.muis at copas.nl Thu Feb 8 07:23:28 2018 From: j.muis at copas.nl (Jeroen Muis) Date: Thu, 8 Feb 2018 12:23:28 +0000 Subject: [keycloak-user] Integrating WildFly JavaEE application with Keyclock In-Reply-To: References: Message-ID: Hi, I don't know, we have not been focusing on the war as I suspected that would work out of the box. (We have other standalone war deployments which are working). Maybe someone else can comment? In any case, our main issue has been around the remote ejb authentication / authorization issues. Is anyone on the user group successfully using EAR + remote EJB module(s) and willing to share solution (including the WildFly domain/standalone.xml settings for JAAS / ?) Best regards, Jeroen Muis, Copas B.V. From: valsaraj pv [mailto:valsarajpv at gmail.com] Sent: Thursday, 8 February 2018 12:28 To: Jeroen Muis Cc: keycloak-user at lists.jboss.org Subject: RE: [keycloak-user] Integrating WildFly JavaEE application with Keyclock We have ear with war and ejb jar. So what option is better and working to integrate keycloak? If we use keycloak login module, will this set cookies? I wonder how sso will work in this case.
On 08-Feb-2018 3:58 PM, "Jeroen Muis" > wrote: Hi, We are very much interested in this as well, and had some tests done based on the work of Marek Posolda https://github.com/mposolda/keycloak-remote-ejb This poc is based on direct access grants so no redirects are required. This seems to work just fine when having a ejb module, but when packaging this inside an EAR we don't seem to be able to get this working any longer. Not sure why yet, as we did not have enough time to fully debug this. Our EAR consists of several ejb modules, wars, etc. Best regards, Jeroen Muis, Copas B.V. -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of valsaraj pv Sent: Thursday, 8 February 2018 10:22 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Integrating WildFly JavaEE application with Keyclock Hi, Currently our JavaEE application with servlets, EJB, remote EJB & HornetQ messaging using JAAS login module with LDAP back end. I am trying to integrate Keyclock with our WildFly 10.1 server for using identity provider & SSO. *Source LDAP/DB Sync* Found that Keycloak supports LDAP sync & we can sync existing user data periofically to Keyclock. Is it possiblr to sync from multiple user data stores as we have to integrate multiple JavaEE web apps? *JAAS custom login module for Keyclock* Currently we are using JAAS custom login module for authentication/authorization. Is it possible to user the same or similar login module with Keyclock? We need to avoid redirection to Keyclock login page. If redirection is must, is there any sample to migrate from JAAS to Keyclock realm? Thanks! -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... 
Valsaraj Viswanathan _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From valsarajpv at gmail.com Thu Feb 8 08:00:52 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Thu, 8 Feb 2018 18:30:52 +0530 Subject: [keycloak-user] Integrating WildFly JavaEE application with Keyclock In-Reply-To: References: Message-ID: You have war deployment working with jaas login module? On 08-Feb-2018 5:53 PM, "Jeroen Muis" wrote: > Hi, > > > > I don?t know, we have not been focusing on the war as I suspected that > would work out of the box. (We have other standalone war deployments which > are working). Maybe someone else can comment? > > > > In any case, our main issue has been around the remote ejb authentication > / authorization issues. > > Is anyone on the user group successfully using EAR + remote EJB module(s) > and willing to share solution (including the WildFly domain/standalone.xml > settings for JAAS / ?) > > > > Best regards, > > Jeroen Muis, > > Copas B.V. > > > > *From:* valsaraj pv [mailto:valsarajpv at gmail.com] > *Sent:* Thursday, 8 February 2018 12:28 > *To:* Jeroen Muis > *Cc:* keycloak-user at lists.jboss.org > *Subject:* RE: [keycloak-user] Integrating WildFly JavaEE application > with Keyclock > > > > We have ear with war and ejb jar. So what option is better and working to > integrate keycloak? If we use keycloak login module, will this set cookies? > I wonder how sso will work in this case. > > > > On 08-Feb-2018 3:58 PM, "Jeroen Muis" wrote: > > Hi, > > We are very much interested in this as well, and had some tests done > based on the work of Marek Posolda > https://github.com/mposolda/keycloak-remote-ejb > This poc is based on direct access grants so no redirects are required. > > This seems to work just fine when having a ejb module, but when packaging > this inside an EAR we don't seem to be able to get this working any longer. 
> Not sure why yet, as we did not have enough time to fully debug this. Our > EAR consists of several ejb modules, wars, etc. > > > Best regards, > Jeroen Muis, > Copas B.V. > > > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@ > lists.jboss.org] On Behalf Of valsaraj pv > Sent: Thursday, 8 February 2018 10:22 > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Integrating WildFly JavaEE application with > Keyclock > > Hi, > > Currently our JavaEE application with servlets, EJB, remote EJB & HornetQ > messaging using JAAS login module with LDAP back end. I am trying to > integrate Keyclock with our WildFly 10.1 server for using identity provider > & SSO. > > *Source LDAP/DB Sync* > Found that Keycloak supports LDAP sync & we can sync existing user data > periofically to Keyclock. Is it possiblr to sync from multiple user data > stores as we have to integrate multiple JavaEE web apps? > > *JAAS custom login module for Keyclock* > Currently we are using JAAS custom login module for > authentication/authorization. Is it possible to user the same or similar > login module with Keyclock? We need to avoid redirection to Keyclock login > page. > If redirection is must, is there any sample to migrate from JAAS to > Keyclock realm? > > Thanks! > > > > -- > Life is like this: "Just when we get all the answers of life.... God > changes the question paper.... > > Valsaraj Viswanathan > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From sthorger at redhat.com Thu Feb 8 08:28:36 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 8 Feb 2018 14:28:36 +0100 Subject: [keycloak-user] "Default" Client Template In-Reply-To: References: Message-ID: You could also write a custom client registration policies that sets the client template field. 
On 7 February 2018 at 16:04, Bill Burke wrote: > You can define a template, but not a default template. You'd have to > add the template when registering the client. > > On Wed, Feb 7, 2018 at 8:29 AM, Jonas Schönenberger > wrote: > > Hi Bill > > > > Our clients are Oauth Clients that register dynamically and they expect > > certain user information in the tokens. Is there a way to set default > > mappers on realm-level until such a "client scope" feature is available? > > Setting mappers manually (or apply templates manually) on each > dynamically > > registered client would kind of break the dynamic registration. > > > > Thank you and Best Regards > > Jonas > > > > > > On Tue, Feb 6, 2018 at 7:04 PM, Bill Burke wrote: > >> > >> No. We will be doing work in this area soon. I'm thinking of > >> renaming templates to "Client Scope" and allow clients to inherit from > >> multiple scopes A client scope would only be able to specify allowed > >> roles, groups, attributes and protocol mappers. no other config > >> option. We would also do away with per-role and per-protocol mapper > >> consent messages and instead allow the scope and/or client to define > >> the consent message to give to the user. All this to support the OIDC > >> scope parameter better. > >> > >> I think a default scope would be an important addition. > >> > >> On Tue, Feb 6, 2018 at 8:15 AM, Jonas Schönenberger > >> wrote: > >> > Hi everyone > >> > > >> > Is it possible to define a default client template that every new > >> > dynamic > >> > client (OpenID Connect Dynamic Client Registration) receives during > >> > registration?
> >> > > >> > Thank you for your help and Best Regards > >> > Jonas > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > keycloak-user at lists.jboss.org > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> > >> -- > >> Bill Burke > >> Red Hat > > > > > > > > -- > Bill Burke > Red Hat > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From sthorger at redhat.com Thu Feb 8 08:29:19 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 8 Feb 2018 14:29:19 +0100 Subject: [keycloak-user] CORS for admin API In-Reply-To: References: Message-ID: Configure web-origin for whatever client you use to obtain the token to access admin API On 8 February 2018 at 13:12, Hannes Hansen wrote: > Hello everybody, > > is there a way to setup CORS headers for the admin API, documented under > http://www.keycloak.org/docs-api/3.4/rest-api/. > > I only found the CORS settings for the clients. > > Thanks in advance. > > Best regards > Hannes > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From olivier.lievre at altran.com Thu Feb 8 09:17:49 2018 From: olivier.lievre at altran.com (LIEVRE Olivier) Date: Thu, 8 Feb 2018 14:17:49 +0000 Subject: [keycloak-user] Subject=Re: keycloak adapter with apache karaf 4.1.3 In-Reply-To: References: Message-ID: <5E0EBD68B410924EADA89C5CBD233CD06ED36235@XMB-DCFR-35.europe.corp.altran.com> Hello, Indeed I didn't succeed to install keycloak adapter in karaf, but I'm not facing the same as you, I didn't want to have keycloak server launched on Karaf, it is working on another platform with wildfly.
To resolve my issue, I've created a dedicated adapter based on keycloak-jaxrs-oauth-client, which includes all the keycloak dependencies (for sure it is not a very good thing in an OSGI environment). KR, oli From: Gennadij Degterjow [mailto:gennadij at degterjow.de] Sent: Thursday, 8 February 2018 14:04 To: keycloak-user at lists.jboss.org; LIEVRE Olivier Subject: Subject=Re: [keycloak-user] keycloak adapter with apache karaf 4.1.3 I've tried all 3.4.x Keycloak releases with Apache Karaf 4.1.4 under MacOS and Windows 7. The installation failed with a dependency exception. See https://stackoverflow.com/questions/48649949/apache-karaf-keycloak-integration -- Mit freundlichen Grüssen / Best regards / С уважением Gennadij Degterjow Dipl.-Ing. (FH), Systems Analyst & Software Developer Mobile: +49-177-6118841 EMail: Gennadij at Degterjow.de From moritz.becker at gmx.at Thu Feb 8 11:08:04 2018 From: moritz.becker at gmx.at (moritz.becker at gmx.at) Date: Thu, 8 Feb 2018 17:08:04 +0100 Subject: [keycloak-user] Keycloak development setup Message-ID: <011501d3a0f7$00f970f0$02ec52d0$@gmx.at> Hi, I need to adapt Keycloak and tried to set up a development project in IntelliJ but I couldn't figure out how to do it so that hot code replacement and other IDE integrations work. I used to hack on Keycloak but back then it was possible to create a simple WAR overlay and deploy that to the local server - easy. But with the newest version, only the Keycloak Wildfly subsystem distribution seems to be supported and I wonder how a development setup would look like given this restriction? Could not find any pointers on this, unfortunately. Thanks!
Moritz From adr_gonzalez at yahoo.fr Thu Feb 8 11:18:58 2018 From: adr_gonzalez at yahoo.fr (Adrian Gonzalez) Date: Thu, 8 Feb 2018 16:18:58 +0000 (UTC) Subject: [keycloak-user] Service Accounts: multiple keys for a given Signed Jwt Authenticator References: <618743467.9294654.1518106738530.ref@mail.yahoo.com> Message-ID: <618743467.9294654.1518106738530@mail.yahoo.com> Hello, I'm using rfc7523. I've set Client Authenticator=Signed Jwt, and downloaded the jks. I'd like to know if there is a way to have multiple keys for a given Service Account? This would provide me with a way of supporting multiple keys at the same time when rotating them. Is the JWKS URL the only way of handling that? And in this case, can it support all the keys in the JWK URL at the same time (i.e. case of blue green deployments)? Thanks, Adrian From subodhcjoshi82 at gmail.com Thu Feb 8 11:30:47 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Thu, 8 Feb 2018 22:00:47 +0530 Subject: [keycloak-user] Keycloak development setup In-Reply-To: <011501d3a0f7$00f970f0$02ec52d0$@gmx.at> References: <011501d3a0f7$00f970f0$02ec52d0$@gmx.at> Message-ID: How is the IDE stopping you from deploying a war file with keycloak integration? We are running our application in Eclipse IDE (Java Application) and simple Notepad (JS Application) and it's working perfectly fine. What all have you tried? Where are you stuck? What exception/error are you getting? I think this information will help to resolve your issue. On Thu, Feb 8, 2018 at 9:38 PM, wrote: > Hi, > > > > I need to adapt Keycloak and tried to set up a development project in > IntelliJ but I couldn't figure out how to do it so that hot code > replacement > and other IDE integrations work. > > I used to hack on Keycloak but back then it was possible to create a simple > WAR overlay and deploy that to the local server - easy.
But with the newest > version, only the Keycloak Wildfly subsystem distribution seems to be > supported and I wonder how a development setup would look like given this > restriction? Could not find any pointers on this, unfortunately. > > > > Thanks! > > > > Moritz > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From nielsbne at gmail.com Thu Feb 8 11:49:07 2018 From: nielsbne at gmail.com (Niels Bertram) Date: Fri, 9 Feb 2018 02:49:07 +1000 Subject: [keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names Message-ID: Hi there, we have a requirement to set the jndi datasource name on a UserFederation provider when added to a realm to support connecting different realms in the same Keycloak server to different databases. Been through the examples and read a few emails from around 2016 in the developer list but do not find anyone who'd actually done this before. we could create a user managed EntityManagerFactory within the federation provider factory but the question is then how can we inject it into the container context and enlist our transactions in the JTA? Has anyone ever had to implement something like that? Cheers, NIels From sthorger at redhat.com Thu Feb 8 14:23:19 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 8 Feb 2018 20:23:19 +0100 Subject: [keycloak-user] FIDO UAF Message-ID: Anyone here interested in FIDO UAF? I'd be interested to have a conversation about it. From mitya at cargosoft.ru Thu Feb 8 16:52:06 2018 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Fri, 09 Feb 2018 00:52:06 +0300 Subject: [keycloak-user] FIDO UAF In-Reply-To: References: Message-ID: <1518126726.2623.1.camel@cargosoft.ru> Hi Stian, will be glad to discuss and participate! 
U2F in Keycloak is of great interest for our company. We were even planning to start implementing it ourselves, but it's even better it has finally got momentum from the upstream. We are the partners of our local security hardware manufacturer, Aladdin R.D. We've got some of their U2F devices, called JaCarta U2F, and have already tested them under Firefox and Chrome running on Linux, Windows and Mac OS X. Everything works fine, with the exception of some minor glitch in Firefox which I hope will be fixed in the upcoming versions. That said, we'll be glad to participate in testing (at least). Cheers, Dmitry > Anyone here interested in FIDO UAF? I'd be interested to have a > conversation about it. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From hmlnarik at redhat.com Thu Feb 8 17:20:15 2018 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Thu, 8 Feb 2018 23:20:15 +0100 Subject: [keycloak-user] Curl Commands to create Realm/User/AdminUsergroup In-Reply-To: References: Message-ID: That's what kcadm is for. On Thu, Feb 8, 2018 at 12:54 PM, Subodh Joshi wrote: > Hi Hynek, > > Thanks for your reply ,Just want to tell you i dont want to use Admin GUI > for creating some basic information first time at-least. Actually i will > want to run this script after the keycloak installation so user dont have > to do it manually through GUI . > > On Thu, Feb 8, 2018 at 5:16 PM, Hynek Mlnarik wrote: > >> Rather than curl which would be quite tricky, have you looked at kcadm >> [1]? >> >> [1] http://www.keycloak.org/docs/latest/server_admin/index. >> html#the-admin-cli >> >> On Thu, Feb 8, 2018 at 11:44 AM, Subodh Joshi >> wrote: >> >>> Hi , >>> >>> Rather than using UI of keycloak some basic thing i will want to create >>> dynamically so i am thinking to create a shell script file for linux >>> server which will able to do following >>> >>> 1. 
Create realm >>> 2. Create admin user group >>> 3. Create Admin Role >>> >>> How to automate these feature through CURL ? Can someone please guide me? >>> >>> -- >>> Subodh Chandra Joshi >>> subodh1_joshi82 at yahoo.co.in >>> http://www.trendsinnews.com >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> >> -- >> >> --Hynek >> > > > > -- > Subodh Chandra Joshi > subodh1_joshi82 at yahoo.co.in > http://www.trendsinnews.com > -- --Hynek From subodhcjoshi82 at gmail.com Thu Feb 8 17:30:45 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Fri, 9 Feb 2018 04:00:45 +0530 Subject: [keycloak-user] Curl Commands to create Realm/User/AdminUsergroup In-Reply-To: References: Message-ID: Thanks! But I have to automate it rather than using keycloak admin UI. On 9 Feb 2018 3:50 am, "Hynek Mlnarik" wrote: > That's what kcadm is for. > > On Thu, Feb 8, 2018 at 12:54 PM, Subodh Joshi > wrote: > >> Hi Hynek, >> >> Thanks for your reply ,Just want to tell you i dont want to use Admin GUI >> for creating some basic information first time at-least. Actually i will >> want to run this script after the keycloak installation so user dont have >> to do it manually through GUI . >> >> On Thu, Feb 8, 2018 at 5:16 PM, Hynek Mlnarik >> wrote: >> >>> Rather than curl which would be quite tricky, have you looked at kcadm >>> [1]? >>> >>> [1] http://www.keycloak.org/docs/latest/server_admin/index.h >>> tml#the-admin-cli >>> >>> On Thu, Feb 8, 2018 at 11:44 AM, Subodh Joshi >>> wrote: >>> >>>> Hi , >>>> >>>> Rather than using UI of keycloak some basic thing i will want to create >>>> dynamically so i am thinking to create a shell script file for linux >>>> server which will able to do following >>>> >>>> 1. Create realm >>>> 2. Create admin user group >>>> 3. Create Admin Role >>>> >>>> How to automate these feature through CURL ? 
Can someone please guide >>>> me? >>>> >>>> -- >>>> Subodh Chandra Joshi >>>> subodh1_joshi82 at yahoo.co.in >>>> http://www.trendsinnews.com >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> >>> -- >>> >>> --Hynek >>> >> >> >> >> -- >> Subodh Chandra Joshi >> subodh1_joshi82 at yahoo.co.in >> http://www.trendsinnews.com >> > > > > -- > > --Hynek > From sthorger at redhat.com Thu Feb 8 17:32:52 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 8 Feb 2018 23:32:52 +0100 Subject: [keycloak-user] FIDO UAF In-Reply-To: <1518126726.2623.1.camel@cargosoft.ru> References: <1518126726.2623.1.camel@cargosoft.ru> Message-ID: On this thread I'm only interested in UAF. U2F is much more straightforward and was simply to implement. Some feedback on https://github.com/stianst/keycloak-experimental/tree/master/fido-u2f would be appreciated though. Bear in mind that it's not finished yet. On 8 February 2018 at 22:52, Dmitry Telegin wrote: > Hi Stian, will be glad to discuss and participate! > > U2F in Keycloak is of great interest for our company. We were even > planning to start implementing it ourselves, but it's even better it > has finally got momentum from the upstream. > > We are the partners of our local security hardware manufacturer, > Aladdin R.D. We've got some of their U2F devices, called JaCarta U2F, > and have already tested them under Firefox and Chrome running on Linux, > Windows and Mac OS X. Everything works fine, with the exception of some > minor glitch in Firefox which I hope will be fixed in the upcoming > versions. > > That said, we'll be glad to participate in testing (at least). > > Cheers, > Dmitry > > > Anyone here interested in FIDO UAF? I'd be interested to have a > > conversation about it. 
> > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mitya at cargosoft.ru Thu Feb 8 19:25:50 2018 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Fri, 09 Feb 2018 03:25:50 +0300 Subject: [keycloak-user] FIDO UAF In-Reply-To: References: <1518126726.2623.1.camel@cargosoft.ru> Message-ID: <1518135950.6990.1.camel@cargosoft.ru> My bad, I've misread the message, sorry for that. Will try to test U2F however. Dmitry On Thu, 08/02/2018 at 23:32 +0100, Stian Thorgersen wrote: > On this thread I'm only interested in UAF. > > U2F is much more straightforward and was simply to implement. Some > feedback on https://github.com/stianst/keycloak-experimental/tree/master/fido-u2f would be appreciated though. Bear in mind that it's not > finished yet. > > On 8 February 2018 at 22:52, Dmitry Telegin > wrote: > > Hi Stian, will be glad to discuss and participate! > > > > U2F in Keycloak is of great interest for our company. We were even > > planning to start implementing it ourselves, but it's even better > > it > > has finally got momentum from the upstream. > > > > We are the partners of our local security hardware manufacturer, > > Aladdin R.D. We've got some of their U2F devices, called JaCarta > > U2F, > > and have already tested them under Firefox and Chrome running on > > Linux, > > Windows and Mac OS X. Everything works fine, with the exception of > > some > > minor glitch in Firefox which I hope will be fixed in the upcoming > > versions. > > > > That said, we'll be glad to participate in testing (at least). > > > > Cheers, > > Dmitry > > > > > Anyone here interested in FIDO UAF? I'd be interested to have a > > > conversation about it.
> > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From mitya at cargosoft.ru Thu Feb 8 20:40:24 2018 From: mitya at cargosoft.ru (Dmitry Telegin) Date: Fri, 09 Feb 2018 04:40:24 +0300 Subject: [keycloak-user] adding realm level configuration parameter In-Reply-To: References: <1516618984.27821.1.camel@cargosoft.ru> <551e0653-7061-3900-5f52-b30b4696f71e@redhat.com> <1516653768.29351.6.camel@cargosoft.ru> Message-ID: <1518140424.6990.3.camel@cargosoft.ru> Hi Marek, sorry for not replying earlier, > > > There is an example for all those functionalities. In the > > > "providers"? > > > directory of keycloak-examples distribution, there is "domain- > > > extension"? > > > . Some docs is in "Server development guide". > > > > Unfortunately, the "domain-extension" example is borked and is not > > going to be fixed anytime soon > > https://issues.jboss.org/browse/KEYCLOAK-5927 > ?You reported the bug and you know where the issue is. Cool. Maybe > you could also send PR to fix it? :) Yep I was thinking about that. I could implement the same approach I'm using in BeerCloak, but only if I were sure I'm not doing it in an obsolete/deprecated way. I've heard that authorization for REST admin resources has been revamped recently; could you please take a look at BeerCloak just to make sure I'm doing it the right way? Thanks, Dmitry From karan.s1992 at outlook.com Thu Feb 8 22:32:28 2018 From: karan.s1992 at outlook.com (karan shah) Date: Fri, 9 Feb 2018 03:32:28 +0000 Subject: [keycloak-user] keycloak behind nginx Message-ID: Posting this again as I have not been successful. I have a sample app which correctly secures the rest api locally. Now when I put this in production behind a nginx proxy it does not work. No errors. It allows all request. 
Front end server with ssl is https://frontend.com
Back end server with ssl is https://backend.com
Keycloak proxy forward is true

Front end server (node server on 9000) <-> NGINX <-> Keycloak (running on 8180)

nginx file sample

upstream keycloak_server {
    server localhost:8180;
}

upstream node_server {
    server localhost:9000;
}

location /auth/ {
    proxy_pass http://keycloak_server;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
    proxy_pass http://node_server;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

Front end server calls a backend api using Angular. REST api calls look like https://backend.com/callTest

Backend server (running on tomcat) <-> NGINX <-> Spring Boot (with keycloak)

nginx sample

location / {
    proxy_pass http://127.0.0.1:8080/dt-1.0/;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

in angular keycloak.json looks like

{
  "realm": "demo",
  "auth-server-url": "https://frontend.com/auth",
  "ssl-required": "none",
  "resource": "tutorial-frontend",
  "public-client": true
}

in spring boot keycloak properties look like

keycloak.auth-server-url=https://frontend.com/auth
keycloak.realm=demo
keycloak.resource=1040nra-client
keycloak.public-client=true
keycloak.bearer-only = true
keycloak.cors = true
keycloak.security-constraints[0].authRoles[0]=user
keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*

Please let me know how to correct this. I would really appreciate it.
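Added here as an editor's example, not code from the post or from nginx or Keycloak: a small Python lint over constructed copies of the configuration above. It checks the proxy_set_header directives Keycloak documents for a proxy in front of a listener with proxy-address-forwarding enabled (preserve Host, set X-Forwarded-For and X-Forwarded-Proto), whether each upstream is reachable only over loopback (otherwise a client that bypasses the proxy controls those headers), and the ssl-required value in keycloak.json. WEAK_CONF is a constructed counter-example, not anything from the post.

```python
"""Lint the reverse-proxy and adapter settings shown above.

Added example, not from the original post nor from nginx or Keycloak. It
checks constructed copies of the post's nginx locations and keycloak.json
against what Keycloak documents for running behind a TLS-terminating proxy:
preserve Host, set X-Forwarded-For and X-Forwarded-Proto, and make sure
those headers can only come from the proxy (Keycloak bound to loopback).
"""
import json
import re

REQUIRED_HEADERS = {"Host", "X-Forwarded-For", "X-Forwarded-Proto"}
LOOPBACK = {"localhost", "127.0.0.1", "[::1]"}

# Constructed from the front-end nginx config in the post.
NGINX_CONF = """
upstream keycloak_server { server localhost:8180; }
upstream node_server { server localhost:9000; }
location /auth/ {
    proxy_pass http://keycloak_server;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
    proxy_pass http://node_server;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}
"""

# Constructed counter-example: X-Forwarded-For absent, scheme hard-coded, and
# Keycloak on a routable address where a client could bypass the proxy.
WEAK_CONF = """
upstream keycloak_server { server 10.0.0.5:8180; }
location /auth/ {
    proxy_pass http://keycloak_server;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto http;
}
"""

# The keycloak.json from the post.
KEYCLOAK_JSON = """{
  "realm": "demo",
  "auth-server-url": "https://frontend.com/auth",
  "ssl-required": "none",
  "resource": "tutorial-frontend",
  "public-client": true
}"""


def parse_blocks(conf, keyword):
    """Map each flat `keyword name { ... }` block to its statements, split into words.

    Nested blocks are not handled; the configs on this page have none.
    """
    blocks = {}
    for m in re.finditer(r"\b" + keyword + r"\s+(\S+)\s*\{([^}]*)\}", conf):
        blocks[m.group(1)] = [s.split() for s in m.group(2).split(";") if s.strip()]
    return blocks


def lint_proxy(conf):
    """Return findings for every location block; empty means the documented setup is met."""
    findings = []
    upstreams = parse_blocks(conf, "upstream")
    for path, stmts in parse_blocks(conf, "location").items():
        headers = {s[1]: s[2] for s in stmts if s[0] == "proxy_set_header" and len(s) >= 3}
        for name in sorted(REQUIRED_HEADERS - set(headers)):
            findings.append(f"{path}: proxy_set_header {name} is missing")
        if headers.get("X-Forwarded-Proto", "$scheme") != "$scheme":
            findings.append(f"{path}: X-Forwarded-Proto must be $scheme, not a fixed value")
        # Forwarded headers are client-controlled unless the only route in is this proxy.
        target = next((s[1] for s in stmts if s[0] == "proxy_pass"), "")
        upstream = target.split("://", 1)[-1].split("/", 1)[0]
        for server in upstreams.get(upstream, []):
            if server[0] == "server" and server[1].rsplit(":", 1)[0] not in LOOPBACK:
                findings.append(f"{path}: upstream {upstream} is {server[1]}, not loopback; "
                                "if clients can reach it directly, X-Forwarded-* can be spoofed")
    return findings


def lint_adapter(keycloak_json):
    """Flag an adapter setting that undoes the HTTPS the proxy terminates."""
    cfg = json.loads(keycloak_json)
    if cfg.get("auth-server-url", "").startswith("https://") and cfg.get("ssl-required") == "none":
        return ['ssl-required is "none", so HTTPS is never enforced; use "external" or "all"']
    return []


if __name__ == "__main__":
    print("post:", lint_proxy(NGINX_CONF) or "no proxy findings")
    print("weak:", lint_proxy(WEAK_CONF))
    print("adapter:", lint_adapter(KEYCLOAK_JSON))
```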
From subodhcjoshi82 at gmail.com Fri Feb 9 00:12:32 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Fri, 9 Feb 2018 10:42:32 +0530 Subject: [keycloak-user] keycloak behind nginx In-Reply-To: References: Message-ID: I did it with my Java+JSF based web project where NGINX is in the front end and Keycloak-HA behind NGINX with an external (mariadb) db. It works fine; in the keycloak url everywhere I am giving https:///auth, now it is the NGINX configuration's duty to redirect to whichever keycloak it wants, as both keycloaks point to the same DB. I have generated an SSL certificate for NGINX and imported it to the client machine for https connection. It's all working fine. On Fri, Feb 9, 2018 at 9:02 AM, karan shah wrote: > Posting this again as I have not been successful. I have a sample app > which correctly secures the rest api locally. Now when I put this in > production behind a nginx proxy it does not work. No errors. It allows all > request. > > Front end serer with ssl is https://frontend.com > > Back end server with ssl is https://backend.com > > Keycloak proxy forward is true > > Front end server(node server on 9000) <-> NGINX <-> Keycloak (running on > 8180) > > nginx file sample > > upstream keycloak_server { > server localhost:8180; > } > > upstream node_server { > server localhost:9000; > } > > location /auth/ { > proxy_pass http://keycloak_server; > proxy_http_version 1.1; > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > } > location / { > proxy_pass http://node_server; > proxy_http_version 1.1; > proxy_set_header Host $host; > proxy_set_header X-Real-IP $remote_addr; > proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; > proxy_set_header X-Forwarded-Proto $scheme; > } > > Front end server calls a backend api using Angular.
> REST api calls look like https://backend.com/callTest
>
> Backend server (running on tomcat) <-> NGINX <-> Spring Boot (with keycloak)
>
> nginx sample
>
> location / {
>     proxy_pass http://127.0.0.1:8080/dt-1.0/;
>     proxy_http_version 1.1;
>     proxy_set_header Host $host;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header X-Forwarded-Proto $scheme;
> }
>
> in angular keycloak.json looks like
>
> {
>   "realm": "demo",
>   "auth-server-url": "https://frontend.com/auth",
>   "ssl-required": "none",
>   "resource": "tutorial-frontend",
>   "public-client": true
> }
>
> in spring boot keycloak properties look like
>
> keycloak.auth-server-url=https://frontend.com/auth
> keycloak.realm=demo
> keycloak.resource=1040nra-client
> keycloak.public-client=true
> keycloak.bearer-only = true
> keycloak.cors = true
> keycloak.security-constraints[0].authRoles[0]=user
> keycloak.security-constraints[0].securityCollections[0].patterns[0]=/*
>
> Please let me know how to correct this. I would really appreciate it.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From Abdur_Rehman at mentor.com Fri Feb 9 02:41:37 2018
From: Abdur_Rehman at mentor.com (Rehman, Abdur)
Date: Fri, 9 Feb 2018 07:41:37 +0000
Subject: [keycloak-user] Downloading docker compose certs using cli
Message-ID: <1518162097617.82948@mentor.com>

Hi

I am able to download the docker compose bundle by navigating the web UI as follows:

Clients -> {client id} -> Installation -> Format Option -> Docker Compose YAML -> Download

Is there a programmatic way to do the same? I am able to authenticate by calling auth/admin rest api from curl. But I am not sure how to proceed with downloading the yaml archive.
I am only interested in the certs directory inside the archive. Can I get these certificates/key from some other method?

I do not have graphical access to the machine I am running keycloak on, so I am limited to using command line.

Best Regards
Abdur

From Michael.Liebe at ist.com Fri Feb 9 04:52:50 2018
From: Michael.Liebe at ist.com (Michael Liebe)
Date: Fri, 9 Feb 2018 09:52:50 +0000
Subject: [keycloak-user] Support for X509Data as SAML Signature Key Name
Message-ID: <2488ABC8-5A05-42DE-994B-D73AC4FED584@ist.com>

Hi,

We got a requirement to include the X509 certificate (X509Data/X509Certificate element) within the KeyInfo element when sending SAML authentication requests to external identity providers. Keycloak currently supports KEY_ID and CERT_SUBJECT as SAML signature key names. Are there any plans to support also X509Certificate in future releases?

Best regards,
Michael

From valsarajpv at gmail.com Fri Feb 9 07:56:21 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Fri, 9 Feb 2018 18:26:21 +0530
Subject: [keycloak-user] Keyclock basic sample not working
Message-ID:

Hi,

The basic sample in Keycloak is not working with latest Keycloak & application running on WildFly 10.1.
I followed http://www.keycloak.org/docs/latest/getting_started/index.html#securing-a-jboss-servlet-application

But got Invalid parameter: redirect_uri error:
Redirected to Keycloak URL but shows Invalid parameter: redirect_uri for
http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=vanilla&redirect_uri=http%3A%2F%2Flocalhost%3A8280%2Fvanilla%2Fprofile.jsp&state=86f497f4-5280-46dc-8dbd-81d0bea9d911&login=true&scope=openid

Back to Application link shows following incorrect URL:
http://localhost:8180/auth/realms/demo/protocol/openid-connect/http//localhost:8280/vanilla

Thanks!
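"Invalid parameter: redirect_uri" is Keycloak refusing a redirect_uri that matches none of the client's Valid Redirect URIs, which is the safeguard that stops an authorization code from being sent to a URL the client never registered. The Go checker below is an added example written for this digest, not code from the thread or from Keycloak. It implements the rule as this editor understands it from the admin console's documentation, in simplified form: an entry without a trailing `*` must equal the requested URI exactly, an entry ending in `*` matches any URI that begins with the text before the `*`, and relative entries, which Keycloak resolves against the client's Root URL, are treated here as a configuration error. The URLs from the question are reused as sample input; the policy names and the `WildcardWarnings` helper are this example's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadPattern is returned for a registered entry this checker will not use.
var ErrBadPattern = errors.New("registered redirect URI must be absolute (scheme://host/...)")

// RedirectPolicy holds one client's registered "Valid Redirect URIs".
type RedirectPolicy struct {
	patterns []string
}

// NewRedirectPolicy validates the entries up front: each one, with a trailing
// "*" removed, must parse as an absolute URL. An entry such as
// "http//localhost:8280/vanilla" (no ":" after the scheme) is rejected here.
func NewRedirectPolicy(entries []string) (*RedirectPolicy, error) {
	p := &RedirectPolicy{}
	for _, e := range entries {
		u, err := url.Parse(strings.TrimSuffix(e, "*"))
		if err != nil || u.Scheme == "" || u.Host == "" {
			return nil, ErrBadPattern
		}
		p.patterns = append(p.patterns, e)
	}
	return p, nil
}

// Allowed reports whether redirectURI may be used for this client. Relative
// URIs and URIs carrying a fragment are never accepted (RFC 6749, 3.1.2).
func (p *RedirectPolicy) Allowed(redirectURI string) bool {
	u, err := url.Parse(redirectURI)
	if err != nil || u.Scheme == "" || u.Host == "" || u.Fragment != "" {
		return false
	}
	for _, pat := range p.patterns {
		if strings.HasSuffix(pat, "*") {
			if strings.HasPrefix(redirectURI, strings.TrimSuffix(pat, "*")) {
				return true
			}
		} else if pat == redirectURI {
			return true
		}
	}
	return false
}

// WildcardWarnings lists entries whose "*" follows something other than "/",
// for example "http://localhost:8280/vanilla*": such a pattern also matches
// sibling paths like "/vanilla-other/", which is wider than usually intended.
func (p *RedirectPolicy) WildcardWarnings() []string {
	var warn []string
	for _, pat := range p.patterns {
		if strings.HasSuffix(pat, "*") && !strings.HasSuffix(pat, "/*") {
			warn = append(warn, pat)
		}
	}
	return warn
}

func main() {
	// Sample input constructed from the question: the adapter asks for
	// profile.jsp under /vanilla, so only an entry covering that path works.
	const requested = "http://localhost:8280/vanilla/profile.jsp"
	for _, entry := range []string{"http://localhost:8280/vanilla", "http://localhost:8280/vanilla/*", "http//localhost:8280/vanilla"} {
		p, err := NewRedirectPolicy([]string{entry})
		if err != nil {
			fmt.Printf("%-34s rejected as a pattern: %v\n", entry, err)
			continue
		}
		fmt.Printf("%-34s allows %s: %v\n", entry, requested, p.Allowed(requested))
	}
}
```

With `http://localhost:8280/vanilla` registered, the `redirect_uri` in the failing request (`.../vanilla/profile.jsp`) is refused because an exact entry never covers a sub-path; `http://localhost:8280/vanilla/*` admits it while still rejecting other hosts, sibling paths and fragments. The warning for a `*` placed directly after a path segment is the check worth running over a realm export before widening any entry.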
From ssilvert at redhat.com Fri Feb 9 07:59:24 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 9 Feb 2018 07:59:24 -0500
Subject: [keycloak-user] Keycloak and Angular CLI
Message-ID: <4327d864-0613-e8ae-aefe-2438a46e368e@redhat.com>

Just published a new blog post on integration of Keycloak and the Angular CLI.
http://blog.keycloak.org/2018/02/keycloak-and-angular-cli.html

If you want to see documentation and a more comprehensive Getting Started Guide, go here:
https://github.com/ssilvert/keycloak-schematic/wiki/Getting-Started

Also, if anybody can tell me how to make the links in the blog post show up properly, I'd appreciate it. Right now, you can barely tell that the links are links. Stupid Blogger.com.

Stan

From orivat at janua.fr Fri Feb 9 08:41:49 2018
From: orivat at janua.fr (Olivier Rivat)
Date: Fri, 9 Feb 2018 14:41:49 +0100
Subject: [keycloak-user] keycloak cluster - keycloak-user@lists.jboss.org "database error message session is closed" after stopping server-one
Message-ID: <1084860c-05c9-0b2f-8da5-4b7bc626772c@janua.fr>

Hi,

I am trying to setup a cluster example. I would like to test the HA of my keycloak cluster configured in domain mode.

If I stop the master node (server-one), I obtain the error message on slave server-two, when trying to authenticate:

ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-7) Connection is broken: "session closed" [90067-193]

For this I have deployed:
- keycloak 3.4 (latest)
- Wildfly 11
- installed the Jboss EAP adapter.

1) app-jee-vanilla application
==============================

I have used keycloak quick start example and used app-profile-jee-vanilla
The app-jee-vanilla is deployed in wildfly server
wildfly server is authenticating against Keycloak in standalone mode.
I have first tested in standalone mode and everything works fine as expected.
(Keycloak is started in standalone mode on port 8180 and wildfly on port 8080)

2) Configuring the cluster
===========================

1.
I have configured the cluster
2. I have run the command add-user.sh to create a secret between master and slave
3. I have copied the secret in the host-slave.xml
4. I have created an admin user
   bin/add-user-keycloak.sh -r master -u admin6 -p admin6 --domain
5. This admin user has been copied to
   mkdir ${KEYCLOAK_HOME}/domain/servers/server-one/configuration
   Then copy "keycloak-add-user.json" to the directory above.
6) Both servers are started successfully with the command
(master)
./domain.sh --host-config=host-master.xml -Djboss.http.port=8180 -Djboss.https.port=8543 -Djboss.ajp.port=8109 -Djboss.management.http.port=10090
(slave)
./domain.sh --host-config=host-slave.xml -Djboss.http.port=8180 -Djboss.https.port=8543 -Djboss.ajp.port=8109 -Djboss.management.http.port=10090
7) I can authenticate successfully to http://localhost:8080/vanilla, which redirects to the cluster for authentication
8) Stopping Node server-two
I am connecting to the cluster admin console at URL http://localhost:10090
I can stop node server-two, and still continue to log to the vanilla app as before.
9) Stopping node server-one (master-node)
I am connecting to the cluster admin console at URL http://localhost:10090 and stopping node1 (server-one) which is the master node

server-one shows:

[Server:server-one] 14:30:25,320 INFO  [org.jboss.as] (MSC service thread 1-7) WFLYSRV0050: Keycloak 3.4.3.Final (WildFly Core 3.0.8.Final) stopped in 389ms
[Server:server-one] 14:30:25,380 INFO
[org.jboss.as.process.Server:server-one.status] (reaper for Server:server-one) WFLYPC0011: Process 'Server:server-one' finished with an exit status of 0
[Host Controller] 14:30:25,420 INFO [org.jboss.as.host.controller] (ProcessControllerConnection-thread - 2) WFLYHC0027: Unregistering server server-one

When I try to connect to the vanilla app, I obtain the following error message on server-two:

[Server:server-two] 14:30:25,233 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:30:25,237 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:30:25,335 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:30:25,337 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:30:25,338 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two]
[Server:server-two] 14:32:10,526 WARN
[org.keycloak.events] (default task-5) type=REFRESH_TOKEN_ERROR, realmId=master, clientId=app-profile-vanilla, userId=202be260-c68e-4871-944e-46122e903531, ipAddress=127.0.0.1, error=invalid_token, grant_type=refresh_token, refresh_token_type=Refresh, refresh_token_id=ae38ae31-a0bc-4958-964e-fc4e6ec9b13f, client_auth_method=client-secret
[Server:server-two] 14:32:27,087 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-7) SQL Error: 90067, SQLState: 90067
[Server:server-two] 14:32:27,087 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-7) Connection is broken: "session closed" [90067-193]
[Server:server-two] 14:32:27,089 WARN  [org.keycloak.services] (default task-7) KC-SERVICES0013: Failed authentication: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: could not prepare statement
[Server:server-two]     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
[Server:server-two]     at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
[Server:server-two]

Hence, it is no longer possible to authenticate.

What could be the cause of the error message:
ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-7) Connection is broken: "session closed" [90067-193]

Could it be a misconfiguration? Could it be a bug? How is it possible to overcome this issue?

Note: This issue is happening with H2 and postgresql database as well.
Regards,
Olivier

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From ryans at jlab.org Fri Feb 9 08:51:49 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Fri, 9 Feb 2018 08:51:49 -0500 (EST)
Subject: [keycloak-user] Multiple User Storage Providers
Message-ID: <8942680.9172683.1518184309737.JavaMail.zimbra@jlab.org>

Hi Keycloak users,

I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak. I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG. The mod_auth_kerb handles this scenario beautifully and I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will login the user if they are in either of the Kerberos realms. For Keycloak adding two Kerberos user storage providers, one at priority 1, and another at priority 2 doesn't seem to work. Only the first one is used. What are other people doing to handle this? Creating a custom User Storage Provider? Client side multitenancy? Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of user storage provider API that something must be allowed to be paired together)?

Thanks,

Ryan

From lganga14 at gmail.com Fri Feb 9 08:59:47 2018
From: lganga14 at gmail.com (Ganga Lakshmanasamy)
Date: Fri, 9 Feb 2018 19:29:47 +0530
Subject: [keycloak-user] Last access time for a given user using the token
Message-ID:

Hi,

We are looking for an option to pull last access time for a given user using their access token. We can't make admin api as it will be from regular user session. Is there an option to fix that?

Regards,
Ganga Lakshmanasamy
From mposolda at redhat.com Fri Feb 9 09:04:56 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Feb 2018 15:04:56 +0100
Subject: [keycloak-user] Multiple User Storage Providers
In-Reply-To: <8942680.9172683.1518184309737.JavaMail.zimbra@jlab.org>
References: <8942680.9172683.1518184309737.JavaMail.zimbra@jlab.org>
Message-ID: <2f94a4b7-9702-36df-3fa9-6975d2097482@redhat.com>

Hi,

which Keycloak version are you using? In 3.4.3, we added support for the scenario when the kerberos realms are in trust with each other (hence you need just 1 LDAP/Kerberos UserStorageProvider and 1 keytab). Could you try with 3.4.3 and see if it helps?

Otherwise please create JIRA with the steps to reproduce and ideally with server.log (with DEBUG option enabled on LDAP storage providers and with DEBUG logging described in "Troubleshooting" section of our Kerberos documentation).

Thanks,
Marek

Dne 9.2.2018 v 14:51 Ryan Slominski napsal(a):
> Hi Keycloak users,
> I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak. I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG. The mod_auth_kerb handles this scenario beautifully and I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will login the user if they are in either of the Kerberos realms. For Keycloak adding two Kerberos user storage providers, one at priority 1, and another at priority 2 doesn't seem to work. Only the first one is used. What are other people doing to handle this? Creating a custom User Storage Provider? Client side multitenancy? Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of user storage provider API that something must be allowed to be paired together)?
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Feb 9 09:10:32 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Feb 2018 15:10:32 +0100
Subject: [keycloak-user] Last access time for a given user using the token
In-Reply-To:
References:
Message-ID:

Depends what exactly is "Last Access Time for given user using their access token"? Is it last time when they refresh their token with Keycloak server? Then this option is already available in Keycloak as lastAccessTime attribute of UserSession. You may need to implement protocolMapper if you want to add that into the accessToken itself. Otherwise accessToken has just value "issuedAt", which is time when it was created.

Or do you want time when accessTime was used on sending REST request to some bearer-only client? Then you can track it by yourself in your app somehow.

Marek

Dne 9.2.2018 v 14:59 Ganga Lakshmanasamy napsal(a):
> Hi,
>
> We are looking for an option to pull last access time for a given user
> using their access token. We can't make admin api as it will be from
> regular user session. Is there an option to fix that?
>
> Regards,
> Ganga Lakshmanasamy
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Feb 9 09:13:11 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Feb 2018 15:13:11 +0100
Subject: [keycloak-user] Keyclock basic sample not working
In-Reply-To:
References:
Message-ID: <983747b4-2fc5-fb4a-a6c3-9d7124589b8b@redhat.com>

I guess you messed the configuration of URLs of your client in admin console? I assume "Base URL" and "Valid Redirect URIs" of the client.
But I may be wrong, just guessing based on what you wrote.

Marek

Dne 9.2.2018 v 13:56 valsaraj pv napsal(a):
> Hi,
>
> The basic sample in Keycloak is not working with latest Keycloak &
> application running on WildFly 10.1.
> I followed
> http://www.keycloak.org/docs/latest/getting_started/index.html#securing-a-jboss-servlet-application
>
> But got Invalid parameter: redirect_uri error:
> Redirected to Keycloak URL but shows Invalid parameter: redirect_uri for
> http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=vanilla&redirect_uri=http%3A%2F%2Flocalhost%3A8280%2Fvanilla%2Fprofile.jsp&state=86f497f4-5280-46dc-8dbd-81d0bea9d911&login=true&scope=openid
>
> Back to Application link shows following incorrect URL:
> http://localhost:8180/auth/realms/demo/protocol/openid-connect/http//localhost:8280/vanilla
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Feb 9 09:15:56 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Feb 2018 15:15:56 +0100
Subject: [keycloak-user] adding realm level configuration parameter
In-Reply-To: <1518140424.6990.3.camel@cargosoft.ru>
References: <1516618984.27821.1.camel@cargosoft.ru> <551e0653-7061-3900-5f52-b30b4696f71e@redhat.com> <1516653768.29351.6.camel@cargosoft.ru> <1518140424.6990.3.camel@cargosoft.ru>
Message-ID:

Dne 9.2.2018 v 02:40 Dmitry Telegin napsal(a):
> Hi Marek, sorry for not replying earlier,
>
>>>> There is an example for all those functionalities. In the "providers"
>>>> directory of keycloak-examples distribution, there is
>>>> "domain-extension"
>>>> . Some docs is in "Server development guide".
>>>
>>> Unfortunately, the "domain-extension" example is borked and is not
>>> going to be fixed anytime soon
>>> https://issues.jboss.org/browse/KEYCLOAK-5927
>> You reported the bug and you know where the issue is. Cool. Maybe
>> you could also send PR to fix it? :)
>
> Yep I was thinking about that. I could implement the same approach I'm
> using in BeerCloak, but only if I were sure I'm not doing it in an
> obsolete/deprecated way. I've heard that authorization for REST admin
> resources has been revamped recently; could you please take a look at
> BeerCloak just to make sure I'm doing it the right way?

There is support for fine-grain authorization of admin REST endpoints, but it's not enabled by default, so it should be backwards compatible. If BeerCloak still works with latest Keycloak, then you should be fine.

Marek

>
> Thanks,
> Dmitry
>

From mposolda at redhat.com Fri Feb 9 09:18:39 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Feb 2018 15:18:39 +0100
Subject: [keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names
In-Reply-To:
References:
Message-ID: <8f279099-7172-f86f-c51f-894ee77e6194@redhat.com>

I suggest to look at this example: https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa

AFAIK It's probably closest thing to your usecase, which we have.

Marek

Dne 8.2.2018 v 17:49 Niels Bertram napsal(a):
> Hi there,
>
> we have a requirement to set the jndi datasource name on a UserFederation
> provider when added to a realm to support connecting different realms in
> the same Keycloak server to different databases. Been through the examples
> and read a few emails from around 2016 in the developer list but do not
> find anyone who'd actually done this before.
> we could create a user managed
> EntityManagerFactory within the federation provider factory but the
> question is then how can we inject it into the container context and enlist
> our transactions in the JTA?
>
> Has anyone ever had to implement something like that?
>
> Cheers,
> NIels
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Feb 9 09:22:34 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Feb 2018 15:22:34 +0100
Subject: [keycloak-user] Service Accounts: multiple keys for a given Signed Jwt Authenticator
In-Reply-To: <618743467.9294654.1518106738530@mail.yahoo.com>
References: <618743467.9294654.1518106738530.ref@mail.yahoo.com> <618743467.9294654.1518106738530@mail.yahoo.com>
Message-ID: <4cef9436-2bd3-c807-b5b2-2390434ae027@redhat.com>

Dne 8.2.2018 v 17:18 Adrian Gonzalez napsal(a):
> Hello,
> I'm using rfc7523
> I've set Client Authenticator=Signed Jwt, and downloaded the jks.
>
> I'd like to know if there is a way to have multiple keys for a given Service Account? This would provide me with a way of supporting multiple keys at the same time when rotating them.
>
> Is the JWKS URL the only way of handling that? And in this case, can it support all the keys in the JWK URL at the same time (i.e. case of blue green deployments)?

Yes, it should exactly work like this. When Keycloak sees the JWT token from your client, which is signed by unknown key (this is based on the value of "kid" from the token, which must be unknown to Keycloak), then Keycloak will try to download new keys from provided JWKS URL. Your client can support multiple keys there, and Keycloak will then use the correct one based on the "kid" value.
Marek

> Thanks,
> Adrian
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From nielsbne at gmail.com Fri Feb 9 09:26:54 2018
From: nielsbne at gmail.com (Niels Bertram)
Date: Sat, 10 Feb 2018 00:26:54 +1000
Subject: [keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names
In-Reply-To: <8f279099-7172-f86f-c51f-894ee77e6194@redhat.com>
References: <8f279099-7172-f86f-c51f-894ee77e6194@redhat.com>
Message-ID:

Yes studied that one before asking the question, it's close but not close enough. I think I will get away with creating an application managed persistence context with container managed transaction. Then in the provider factory I will read the DataSource name from config and create the entity transaction manager. Am just not too sure if it'll work with the things you do in Keycloak to access these provider EJBs. I kinda need 1 stateful session bean for each provider instance added to the realm and that needs its own EntityManagerFactory which enrolls the entity manager in the JTA from Keycloak. Will report back if I can get something working.

Thanks
Niels

On Sat, Feb 10, 2018 at 12:18 AM, Marek Posolda wrote:

> I suggest to look at this example: https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa
>
> AFAIK It's probably closest thing to your usecase, which we have.
>
> Marek
>
> Dne 8.2.2018 v 17:49 Niels Bertram napsal(a):
>
>> Hi there,
>>
>> we have a requirement to set the jndi datasource name on a UserFederation
>> provider when added to a realm to support connecting different realms in
>> the same Keycloak server to different databases. Been through the examples
>> and read a few emails from around 2016 in the developer list but do not
>> find anyone who'd actually done this before. we could create a user
>> managed
we could create a user >> managed >> EntityManagerFactory within the federation provider factory but the >> question is then how can we inject it into the container context and >> enlist >> our transactions in the JTA? >> >> Has anyone ever had to implement something like that? >> >> Cheers, >> NIels >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > From mposolda at redhat.com Fri Feb 9 09:28:03 2018 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 9 Feb 2018 15:28:03 +0100 Subject: [keycloak-user] Subject=Re: keycloak adapter with apache karaf 4.1.3 In-Reply-To: <5E0EBD68B410924EADA89C5CBD233CD06ED36235@XMB-DCFR-35.europe.corp.altran.com> References: <5E0EBD68B410924EADA89C5CBD233CD06ED36235@XMB-DCFR-35.europe.corp.altran.com> Message-ID: Yes, we didn't yet try to test with Karaf 4. There is pending PR for adding support for Fuse 7. See https://github.com/keycloak/keycloak/pull/4508 . I don't know if JBoss Fuse 7 uses Apache Karaf 4 under the covers, but I think that yes (you can maybe found it somewhere). If you want, you can try the PR, build Keycloak and see if it helps. Just a note, that PR may not necessarily be merged as is and there can be changes later. Marek Dne 8.2.2018 v 15:17 LIEVRE Olivier napsal(a): > Hello, > > Indeed I didn?t succeed to install keycloak adapter in karaf, but Im? not facing the same as you, I didn?t want to have keycloak server launched on Karaf, it is working on another platform with wildfly. > > To resolve my issue, I?ve created a dedicated adapter based on keycloak-jaxrs-oauth-client, which include all the keycloak dependency (for sure it is not a very good thing in OSGI environment). > > KR, > oli > > De : Gennadij Degterjow [mailto:gennadij at degterjow.de] > Envoy? : jeudi 8 f?vrier 2018 14:04 > ? 
> : keycloak-user at lists.jboss.org; LIEVRE Olivier
> Subject: Subject=Re: [keycloak-user] keycloak adapter with apache karaf 4.1.3
>
> I've tried all 3.4.x Keycloak releases with Apache Karaf 4.1.4 under MacOS and Windows 7
> The installation failed with dependency exception.
>
> See https://stackoverflow.com/questions/48649949/apache-karaf-keycloak-integration
>
> --
> Mit freundlichen Grüssen / Best regards / С уважением
> Gennadij Degterjow
> Dipl. Ing. (FH),
> Systemanalytiker & Softwareentwickler
>
> Mobil.: +49-177-6118841
> EMail: Gennadij at Degterjow.de
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Feb 9 09:31:36 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 9 Feb 2018 15:31:36 +0100
Subject: [keycloak-user] Keycloak 2.5.5 Ldap user group member ship is not syncing
In-Reply-To:
References:
Message-ID: <874df457-792c-c64a-9130-21262bcc46d9@redhat.com>

It's expected that "Sync LDAP Groups to Keycloak" will sync only groups to Keycloak and "Synchronize all users" will synchronize only users to Keycloak. The fact that group membership info is not there means that you probably didn't configure things correctly. For inspiration, you can take a look at the example: https://github.com/keycloak/keycloak/tree/master/examples/ldap

Marek

Dne 7.2.2018 v 14:39 Nangunoori, Srinivas napsal(a):
> Hi,
>
>
> I am using Keycloak 2.5.5 and I have created group-ldap-mapper. When I press "Sync LDAP Groups to Keycloak", only groups are syncing to keycloak but not the users.
>
> I can sync users by pressing "Synchronize all users". But I am missing ldap group membership info.
>
> Can someone help me to solve this issue.
>
> --Srini
>
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org Fri Feb 9 09:46:25 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Fri, 9 Feb 2018 09:46:25 -0500 (EST)
Subject: [keycloak-user] Multiple User Storage Providers
In-Reply-To: <1816842573.9187994.1518187539549.JavaMail.zimbra@jlab.org>
References: <8942680.9172683.1518184309737.JavaMail.zimbra@jlab.org> <2f94a4b7-9702-36df-3fa9-6975d2097482@redhat.com>
Message-ID: <450417951.9188272.1518187585618.JavaMail.zimbra@jlab.org>

Thanks Marek,

I am using 3.4.3, but the two Kerberos realms are not configured in a cross realm trust (I want the web apps in one specific Keycloak realm to trust either realm, but that trust shouldn't be universal and System Admins don't want to trust other realms for Workstation logins and cross realm trust would require new authorization considerations as it changes what "anyone with an account" means). Is cross realm trusts the only way to do what I'm after?

Ryan

----- Original Message -----
From: "Marek Posolda"
To: "Ryan Slominski" , "keycloak-user"
Sent: Friday, February 9, 2018 9:04:56 AM
Subject: Re: [keycloak-user] Multiple User Storage Providers

Hi,

which Keycloak version are you using? In 3.4.3, we added support for the scenario when the kerberos realms are in trust with each other (hence you need just 1 LDAP/Kerberos UserStorageProvider and 1 keytab). Could you try with 3.4.3 and see if it helps?

Otherwise please create JIRA with the steps to reproduce and ideally with server.log (with DEBUG option enabled on LDAP storage providers and with DEBUG logging described in "Troubleshooting" section of our Kerberos documentation).

Thanks,
Marek

Dne 9.2.2018 v 14:51 Ryan Slominski napsal(a):
> Hi Keycloak users,
> I'm looking for tips on how to migrate from mod_auth_kerb to Keycloak.
> I have two Kerberos realms, and one is a subset of the other: DOMAIN.ORG and INTERNAL.DOMAIN.ORG. The mod_auth_kerb handles this scenario beautifully and I simply have a service principal for each Kerberos realm in the keytab and Apache httpd will login the user if they are in either of the Kerberos realms. For Keycloak adding two Kerberos user storage providers, one at priority 1, and another at priority 2 do not seem to work. Only the first one is used. What are other people doing to handle this? Creating a custom User Storage Provider? Client side multitenancy? Perhaps if I use two LDAP servers instead of two KDCs it could work (I assume from the priority field of user storage provider API that something must be allowed to be paired together)?
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From valsarajpv at gmail.com Fri Feb 9 11:54:29 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Fri, 9 Feb 2018 22:24:29 +0530
Subject: [keycloak-user] Keyclock basic sample not working
In-Reply-To: <983747b4-2fc5-fb4a-a6c3-9d7124589b8b@redhat.com>
References: <983747b4-2fc5-fb4a-a6c3-9d7124589b8b@redhat.com>
Message-ID:

Redirect uri issue fixed after I added the same url from keycloak which was shown as incorrect. But back to application link shown in keycloak login page is appending the uri given in client conf to keycloak openid url. This can be seen only if login page shows invalid redirect url.

On 09-Feb-2018 7:43 PM, "Marek Posolda" wrote:

I guess you messed the configuration of URLs of your client in admin console? I assume "Base URL" and "Valid Redirect URIs" of the client.
But I may be wrong, just guessing based on what you wrote.

Marek

Dne 9.2.2018 v 13:56 valsaraj pv napsal(a):
> Hi,
>
> The basic sample in Keycloak is not working with latest Keycloak &
> application running on WildFly 10.1.
> I followed
> http://www.keycloak.org/docs/latest/getting_started/index.html#securing-a-jboss-servlet-application
>
> But got Invalid parameter: redirect_uri error:
> Redirected to Keycloak URL but shows Invalid parameter: redirect_uri for
> http://localhost:8180/auth/realms/demo/protocol/openid-connect/auth?response_type=code&client_id=vanilla&redirect_uri=http%3A%2F%2Flocalhost%3A8280%2Fvanilla%2Fprofile.jsp&state=86f497f4-5280-46dc-8dbd-81d0bea9d911&login=true&scope=openid
>
> Back to Application link shows following incorrect URL:
> http://localhost:8180/auth/realms/demo/protocol/openid-connect/http//localhost:8280/vanilla
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From adr_gonzalez at yahoo.fr Fri Feb 9 13:46:46 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Fri, 9 Feb 2018 18:46:46 +0000 (UTC)
Subject: [keycloak-user] Service Accounts: multiple keys for a given Signed Jwt Authenticator
In-Reply-To: <4cef9436-2bd3-c807-b5b2-2390434ae027@redhat.com>
References: <618743467.9294654.1518106738530.ref@mail.yahoo.com> <618743467.9294654.1518106738530@mail.yahoo.com> <4cef9436-2bd3-c807-b5b2-2390434ae027@redhat.com>
Message-ID: <1718443615.10591455.1518202006426@mail.yahoo.com>

Perfect, thanks for the answer Marek!

On Friday 9 February 2018 at 15:22:37 UTC+1, Marek Posolda wrote:

Dne 8.2.2018 v 17:18 Adrian Gonzalez napsal(a):
> Hello,
> I'm using rfc7523
> I've set Client Authenticator=Signed Jwt, and downloaded the jks.
> > I'd like to know if there is a way to have multiple keys for a given Service Account. This would provide me with a way of supporting multiple keys at the same time when rotating them. > > Is the JWKS URL the only way of handling that? And in this case, can it support all the keys in the JWK URL at the same time (i.e. the case of blue/green deployments)? Yes, it should work exactly like this. When Keycloak sees the JWT token from your client, which is signed by an unknown key (this is based on the value of "kid" from the token, which must be unknown to Keycloak), then Keycloak will try to download new keys from the provided JWKS URL. Your client can support multiple keys there, and Keycloak will then use the correct one based on the "kid" value. Marek > Thanks, Adrian > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From adr_gonzalez at yahoo.fr Fri Feb 9 22:36:59 2018 From: adr_gonzalez at yahoo.fr (Adrian Gonzalez) Date: Sat, 10 Feb 2018 03:36:59 +0000 (UTC) Subject: [keycloak-user] DefaultKeycloakTransactionManager.begin doesn't call afterCompletion.begin References: <1311522694.10794519.1518233819679.ref@mail.yahoo.com> Message-ID: <1311522694.10794519.1518233819679@mail.yahoo.com> Hello, I'm having some issues when deleting a realm containing 20,000 groups (via the /realms/{id} REST API). It just takes some time and the transaction is aborted. What I tried for the moment is to write a REST endpoint which deletes the groups in batches. The endpoint begins and commits a transaction in a loop (in batches of 100). What I see is that after the first commit and the second begin, I have a
03:18:02,861 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-14) Uncaught server error: java.lang.IllegalStateException: Cannot access delegate without a transaction at org.keycloak.models.cache.infinispan.UserCacheSession.getDelegate(UserCacheSession.java:98) at org.keycloak.models.cache.infinispan.UserCacheSession.getUsers(UserCacheSession.java:632) at org.keycloak.models.cache.infinispan.UserCacheSession.getUsers(UserCacheSession.java:642) at org.gonzalad.keycloak.idp.user.rest.BenchmarkResource.deleteRealm(BenchmarkResource.java:88) This seems to be because DefaultKeycloakTransactionManager.begin() calls only tx.begin of the transactions attribute. But it doesn't call begin() for the prepare nor for the afterCompletion attribute. And since UserCacheSession.getDelegate() has registered a callback in the afterCompletion attribute, UserCacheSession.getDelegate() isn't aware that I restarted a second transaction. Should I raise an issue or did I misunderstand the issue? Thanks, Adrian From srinivas.nangunoori at microfocus.com Sat Feb 10 00:49:20 2018 From: srinivas.nangunoori at microfocus.com (Nangunoori, Srinivas) Date: Sat, 10 Feb 2018 05:49:20 +0000 Subject: [keycloak-user] Keycloak 2.5.5 Ldap user group membership is not syncing In-Reply-To: <874df457-792c-c64a-9130-21262bcc46d9@redhat.com> References: , <874df457-792c-c64a-9130-21262bcc46d9@redhat.com> Message-ID: Thanks for the info... I am able to get the group user membership info. Get Outlook for Android ________________________________ From: Marek Posolda Sent: Friday, February 9, 2018 8:01:36 PM To: Nangunoori, Srinivas; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak 2.5.5 Ldap user group membership is not syncing It's expected that "Sync LDAP Groups to Keycloak" will sync only groups to Keycloak and "Synchronize all users" will synchronize only users to Keycloak.
The fact that group membership info is not there means that you probably didn't configure things correctly. For inspiration, you can take a look at the example: https://github.com/keycloak/keycloak/tree/master/examples/ldap Marek On 7.2.2018 at 14:39 Nangunoori, Srinivas wrote: > Hi, > > > I am using Keycloak 2.5.5 and I have created group-ldap-mapper. When I press "Sync LDAP Groups to Keycloak", only groups are syncing to keycloak but not the users. > > I can sync users by pressing "Synchronize all users". But I am missing ldap group membership info. > > Can someone help me to solve this issue. > > --Srini > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From orivat at janua.fr Sat Feb 10 05:51:03 2018 From: orivat at janua.fr (Olivier Rivat) Date: Sat, 10 Feb 2018 11:51:03 +0100 Subject: [keycloak-user] keycloak cluster - keycloak-user@lists.jboss.org "database error message session is closed" after stopping server-one In-Reply-To: <1084860c-05c9-0b2f-8da5-4b7bc626772c@janua.fr> References: <1084860c-05c9-0b2f-8da5-4b7bc626772c@janua.fr> Message-ID: Hi, I have done exactly the same thing with a fresh new install, and obtain the same error 1) Keycloak cluster in domain mode 2) master started as follows ./domain.sh --host-config=host-master.xml -Djboss.http.port=8180 -Djboss.https.port=8543 -Djboss.ajp.port=8109 -Djboss.management.http.port=10090 3) slave started as follows: ./domain.sh --host-config=host-master.xml -Djboss.http.port=8180 -Djboss.https.port=8543 -Djboss.ajp.port=8109 -Djboss.management.http.port=10090 4) perform a couple of authentications with an app deployed against the cluster 5) stop server-one (using the management console at port 10090) 6) try to authenticate But I get the following exception on server-two. When server-one has been closed, it has also closed the connection of keycloak server-two.
I think that the discrepancy is lying here. Why does stopping keycloak server-one entail closing the keycloak server-two connection as well? It sounds/smells like a bug. [Server:server-two] 11:35:31,920 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 50) WFLYUT0021: Registered web context: '/auth' for server 'default-server' [Server:server-two] 11:35:41,148 INFO [org.jboss.as.server] (ServerService Thread Pool -- 49) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") [Server:server-two] 11:35:41,205 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server [Server:server-two] 11:35:41,249 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.4.3.Final (WildFly Core 3.0.8.Final) started in 24224ms - Started 629 of 982 services (704 services are lazy, passive or on-demand) [Server:server-two] 11:36:15,150 WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=master, clientId=app-profile-vanilla, userId=null, ipAddress=127.0.0.1, error=client_not_found [Server:server-two] 11:36:48,047 WARN
[org.keycloak.events] (default task-4) type=LOGIN_ERROR, realmId=master, clientId=app-profile-vanilla, userId=null, ipAddress=127.0.0.1, error=client_not_found [Server:server-two] 11:38:48,863 WARN [org.keycloak.connections.httpclient.DefaultHttpClientFactory] (default task-55) Truststore is disabled [Server:server-two] 11:40:43,727 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two] [Server:server-two] 11:40:43,729 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two] [Server:server-two] 11:40:43,831 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two] [Server:server-two] 11:40:43,831 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two] [Server:server-two] 11:40:43,831 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [asus:server-two|2] (1) [asus:server-two] [Server:server-two] 11:41:18,712 WARN [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-59) SQL Error: 90067, SQLState: 90067 [Server:server-two] 11:41:18,714 ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-59) Connection is broken: "session closed" [90067-193] [Server:server-two] 11:41:18,732 WARN [org.keycloak.services] (default task-59) KC-SERVICES0013: Failed authentication: javax.persistence.PersistenceException: org.hibernate.exception.GenericJDBCException: could not prepare statement [Server:server-two]
at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) [Server:server-two] at org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) [Server:server-two] at org.hibernate.jpa.internal.QueryImpl.getResultList(QueryImpl.java:492) [Server:server-two] at org.keycloak.models.jpa.JpaUserProvider.getUserByUsername(JpaUserProvider.java:535) [Server:server-two] at org.keycloak.storage.UserStorageManager.getUserByUsername(UserStorageManager.java:388) [Server:server-two] at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByUsername(UserCacheSession.java:249) [Server:server-two] at org.keycloak.models.utils.KeycloakModelUtils.findUserByNameOrEmail(KeycloakModelUtils.java:213) [Server:server-two] at org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator.validateUserAndPassword(AbstractUsernameFormAuthenticator.java:153) [Server:server-two] at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.validateForm(UsernamePasswordForm.java:56) [Server:server-two] at org.keycloak.authentication.authenticators.browser.UsernamePasswordForm.action(UsernamePasswordForm.java:49) [Server:server-two] at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:92) Waiting for your updates, Regards, Olivier On 09/02/2018 at 14:41, Olivier Rivat wrote: > > > Hi, > > I am trying to set up a cluster example. > > > I would like to test the HA of my keycloak cluster configured in > domain mode. > If I stop the master node (server-one), I obtain the error message on > slave server-two, when trying to authenticate: > ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default > task-7) Connection is broken: "session closed" [90067-193] > > > > > For this I have deployed: > -Keycloak 3.4 (latest) > -Wildfly 11 > -installed the JBoss EAP adapter.
> > 1) app-jee-vanilla application > ============================== > I have used the keycloak quickstart example and used app-profile-jee-vanilla > The app-jee-vanilla is deployed in the wildfly server > > The wildfly server is authenticating against Keycloak in standalone mode. > > I have first tested in standalone mode and everything works fine > as expected. > > (Keycloak is started in standalone mode on port 8180 and wildfly on > port 8080) > > > 2) Configuring the cluster > =========================== > 1. I have configured the cluster > 2. I have run the command add-user.sh to create a secret between > master and slave > 3. I have copied the secret in the host-slave.xml > > 4. I have created an admin user > bin/add-user-keycloak.sh -r master -u admin6 -p admin6 --domain > > 5. This admin user has been copied to > mkdir ${KEYCLOAK_HOME}/domain/servers/server-one/configuration > Then copy "keycloak-add-user.json" to the directory above. > > > 6) Both servers are started successfully with the command > (master) > ./domain.sh --host-config=host-master.xml -Djboss.http.port=8180 > -Djboss.https.port=8543 -Djboss.ajp.port=8109 > -Djboss.management.http.port=10090 > > (slave) > ./domain.sh --host-config=host-slave.xml -Djboss.http.port=8180 > -Djboss.https.port=8543 -Djboss.ajp.port=8109 > -Djboss.management.http.port=10090 > > > > 7) I can authenticate successfully to http://localhost:8080/vanilla, > which redirects to the cluster for authentication > > 8) Stopping Node server-two > I am connecting to the cluster admin console at URL http://localhost:10090 > > I can stop node server-two, and still continue to log in to the vanilla > app as before. > > > > 9) Stopping node server-one (master-node) > I am connecting to the cluster admin console at URL > http://localhost:10090 and stopping node1 (server-one) which is the > master node > > server-one shows: > > [Server:server-one] 14:30:25,320 INFO
[org.jboss.as] (MSC service > thread 1-7) WFLYSRV0050: Keycloak 3.4.3.Final (WildFly Core > 3.0.8.Final) stopped in 389ms > [Server:server-one] > 14:30:25,380 INFO [org.jboss.as.process.Server:server-one.status] > (reaper for Server:server-one) WFLYPC0011: Process 'Server:server-one' > finished with an exit status of 0 > [Host Controller] 14:30:25,420 INFO [org.jboss.as.host.controller] > (ProcessControllerConnection-thread - 2) WFLYHC0027: Unregistering > server server-one > > > > > When I try to connect to the vanilla app, I obtain the following error > message on server-two: > > [Server:server-two] 14:30:25,233 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (thread-2) ISPN000094: Received new cluster view for channel ejb: > [asus:server-two|2] (1) [asus:server-two] > [Server:server-two] 14:30:25,237 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (thread-2) ISPN000094: Received new cluster view for channel ejb: > [asus:server-two|2] (1) [asus:server-two] > [Server:server-two] 14:30:25,335 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (thread-2) ISPN000094: Received new cluster view for channel ejb: > [asus:server-two|2] (1) [asus:server-two] > [Server:server-two] 14:30:25,337 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (thread-2) ISPN000094: Received new cluster view for channel ejb: > [asus:server-two|2] (1) [asus:server-two] > [Server:server-two] 14:30:25,338 INFO > [org.infinispan.remoting.transport.jgroups.JGroupsTransport] > (thread-2) ISPN000094: Received new cluster view for channel ejb: > [asus:server-two|2] (1) [asus:server-two] > [Server:server-two] 14:32:10,526 WARN
[org.keycloak.events] (default > task-5) type=REFRESH_TOKEN_ERROR, realmId=master, > clientId=app-profile-vanilla, > userId=202be260-c68e-4871-944e-46122e903531, ipAddress=127.0.0.1, > error=invalid_token, grant_type=refresh_token, > refresh_token_type=Refresh, > refresh_token_id=ae38ae31-a0bc-4958-964e-fc4e6ec9b13f, > client_auth_method=client-secret > [Server:server-two] 14:32:27,087 WARN > [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-7) > SQL Error: 90067, SQLState: 90067 > [Server:server-two] 14:32:27,087 ERROR > [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-7) > Connection is broken: "session closed" [90067-193] > [Server:server-two] 14:32:27,089 WARN [org.keycloak.services] > (default task-7) KC-SERVICES0013: Failed authentication: > javax.persistence.PersistenceException: > org.hibernate.exception.GenericJDBCException: could not prepare statement > [Server:server-two] at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692) > [Server:server-two] at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602) > [Server:server-two] > > > Hence, it is no longer possible to authenticate. > > What could be the cause of the error message: > ERROR [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default > task-7) Connection is broken: "session closed" [90067-193] > > Could it be a misconfiguration? > Could it be a bug? > > How is it possible to overcome this issue? > > > Note: > This issue is happening with H2 and postgresql database as well.
> > > Regards, > Olivier > > > > > -- > > > > > > > Olivier Rivat > CTO > orivat at janua.fr > Gsm: +33(0)682 801 609 > Tél: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr > > > -- Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 Tél: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr From nielsbne at gmail.com Sat Feb 10 07:38:50 2018 From: nielsbne at gmail.com (Niels Bertram) Date: Sat, 10 Feb 2018 22:38:50 +1000 Subject: [keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names In-Reply-To: References: <8f279099-7172-f86f-c51f-894ee77e6194@redhat.com> Message-ID: Hi Marek, using an application managed EntityManagerFactory appears to be working. I created a UserStorageProviderFactory that is managing an entity manager factory and when I use the entity manager in the UserStorageProvider the transaction is managed by the container transaction manager that also manages the Keycloak transactions. Why am I certain about that? Had a few errors in the beginning about 2 datasources trying to enroll as last resort. The main ingredients are in this gist. https://gist.github.com/bertramn/cbc4eec5e7b13e28099f4165a0c15b29 The trick is to tell hibernate where to get the JTA platform transaction manager from. Does that look about right? I have a feeling it could be simplified with some CDI magic ... Cheers Niels On Sat, Feb 10, 2018 at 12:26 AM, Niels Bertram wrote: > Yes, studied that one before asking the question, it's close but not close > enough. I think I will get away with creating an application managed > persistence context with container managed transaction. Then in the > provider factory I will read the DataSource name from config and create the > entity transaction manager. Am just not too sure if it'll work with the > things you do in Keycloak to access these provider EJBs.
I kinda need 1 > stateful session bean for each provider instance added to the realm and > that needs its own EntityManagerFactory which enrolls the entity manager in > the JTA from Keycloak. Will report back if I can get something working. > Thanks Niels > > On Sat, Feb 10, 2018 at 12:18 AM, Marek Posolda > wrote: > >> I suggest to look at this example: https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa >> >> AFAIK It's probably the closest thing to your usecase, which we have. >> >> Marek >> >> On 8.2.2018 at 17:49 Niels Bertram wrote: >> >>> Hi there, >>> >>> we have a requirement to set the jndi datasource name on a UserFederation >>> provider when added to a realm to support connecting different realms in >>> the same Keycloak server to different databases. Been through the >>> examples >>> and read a few emails from around 2016 in the developer list but do not >>> find anyone who'd actually done this before. we could create a user >>> managed >>> EntityManagerFactory within the federation provider factory but the >>> question is then how can we inject it into the container context and >>> enlist >>> our transactions in the JTA? >>> >>> Has anyone ever had to implement something like that? >>> >>> Cheers, >>> Niels >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> >> > From jpperata at gmail.com Sat Feb 10 13:36:35 2018 From: jpperata at gmail.com (Juan Pablo Perata) Date: Sat, 10 Feb 2018 18:36:35 +0000 Subject: [keycloak-user] getRoleMappings - please I need a help In-Reply-To: <1835945371.35089.1517255229596.JavaMail.root@prodesan.com.br> References: <1241536950.34597.1517254530999.JavaMail.root@prodesan.com.br> <1835945371.35089.1517255229596.JavaMail.root@prodesan.com.br> Message-ID: +1 to the question. I faced the same problem and got stuck with getRoleMappingsInternal().
I tried debugging the keycloak code where this method is called and legacy system roles were retrieved but not added to the final list of role mappings. I had not enough time to dig more into the problem but it seems that if a role is not defined in the keycloak realm, then the role is not added. What I ended up doing was thinking of another approach: creating a servlet in the application which is called after authentication succeeds. Another option would be to have a filter. It depends on your needs. Hope it helps. It would be great if you can share your experience too or if you found the way. Regards, Juan On Mon, Jan 29, 2018 at 4:47 PM, JOSE INACIO DA SILVA JUNIOR < inacio-silva at prodesan.com.br> wrote: > Hi, > > I'm changing the PropertyFileUserStorageProvider example. And I need to > override the method: Set<RoleModel> getRoleMappingsInternal(); of the class > > AbstractUserAdapterFederatedStorage.class in order to retrieve external > roles based on a legacy system. > > How can I do that? > > I've tried: > > protected Set<RoleModel> getRoleMappingsInternal() { > > Set<RoleModel> roles = new HashSet<>(); > RoleModel role = new MyRoleAdapter(realm,"role1","role1","role1 > description", false); > roles.add(role); > return roles; > > } > > The code of MyRoleAdapter: > > > public class MyRoleAdapter implements RoleModel{ > private String id; > private String name; > private String description; > private RealmModel container; > private boolean isClientRole; > > public MyRoleAdapter(RealmModel container, String id, String > name, String description, boolean isClientRole) { > this.id = id; > this.name = name; > this.description = description; > this.container = container; > this.isClientRole = isClientRole; > } > > // getters > } > > > Please help me. I've tried a lot but without success! > > > Thanks in advance!
> Inácio > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From nielsbne at gmail.com Sat Feb 10 20:34:11 2018 From: nielsbne at gmail.com (Niels Bertram) Date: Sun, 11 Feb 2018 11:34:11 +1000 Subject: [keycloak-user] Custom Keycloak UserStorageProvider not used when using a Local interface Message-ID: Strange thing, if I create a Local interface for the UserStorageProvider and then register a corresponding Stateful bean I can return it with the provider factory but Keycloak refuses to use it, even though the actual EJB implements all the other required interfaces. Obviously I cannot extend the local interface with all the SPI interfaces but I would have thought that it is enough for me to return a "? extends UserStorageProvider" from the provider factory and KC would be able to run with this. Whacking a @Local on the actual EJB bean as in the keycloak example a) does not allow programming to interfaces and b) generates a big fat warning in IntelliJ that it is bad practice. Any comments, thoughts or ideas on how to fix this? *Local interface* @Local public interface CustomUserStorageProvider extends UserStorageProvider { KeycloakSession getSession(); void setSession(KeycloakSession session); ComponentModel getModel(); void setModel(ComponentModel model); } *The EJB* @Stateful @Local( CustomUserStorageProvider.class) public class CustomUserStorageProviderBean implements CustomUserStorageProvider, UserLookupProvider, CredentialInputValidator, CredentialInputUpdater, UserRegistrationProvider, UserQueryProvider { ... } Another thing I noticed, even if following the JPA example to the letter, a properly annotated EJB lifecycle method @PreDestroy is never called as the EJB is yanked from the context by (container) unmanaged code. I can sort of see why but not sure this is ideal.
Wouldn't it be possible to "weld" the providers together in Keycloak ... something along the lines of CDI.current().getBeanManager() in the provider factory? From stephen at saasindustries.com Fri Feb 9 17:49:51 2018 From: stephen at saasindustries.com (Stephen Henrie) Date: Fri, 9 Feb 2018 15:49:51 -0700 Subject: [keycloak-user] registration new flow Message-ID: Hi all, I am using Keycloak 3.2.1 and trying to add a new flow step to the new user registration flow so that I can add a script execution step as illustrated in the attached image. However, with this configuration I am getting a NullPointerException when I click on the "Register" link and get a 500 error instead of the registration page. Does anyone have any ideas what I might be doing wrong or if there is a different way to accomplish what I am trying to do? The stack trace from the log is below: Thanks Stephen 22:42:11,855 WARN [org.keycloak.services] (default task-1) KC-SERVICES0013: Failed authentication: java.lang.NullPointerException at org.keycloak.authentication.FormAuthenticationFlow.renderForm(FormAuthenticationFlow.java:281) at org.keycloak.authentication.FormAuthenticationFlow.processFlow(FormAuthenticationFlow.java:263) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:127) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:843) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:714) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:279) at org.keycloak.services.resources.LoginActionsService.processRegistration(LoginActionsService.java:573) at org.keycloak.services.resources.LoginActionsService.registerRequest(LoginActionsService.java:623) at org.keycloak.services.resources.LoginActionsService.registerPage(LoginActionsService.java:588) 22:42:11,860 WARN [org.keycloak.events] (default task-1)
type=REGISTER_ERROR, realmId=chassi, clientId=chassi-web-app, userId=null, ipAddress=10.0.2.2, error=invalid_user_credentials, auth_method=openid-connect, auth_type=code, redirect_uri= http://localhost:3000/, code_id=c926d684-2a6b-4fb5-adb4-9df7de9d8483 -------------- next part -------------- A non-text attachment was scrubbed... Name: regflow.jpg Type: image/jpeg Size: 204242 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180209/dce140b1/attachment-0001.jpg From mposolda at redhat.com Mon Feb 12 03:22:08 2018 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 12 Feb 2018 09:22:08 +0100 Subject: [keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names In-Reply-To: References: <8f279099-7172-f86f-c51f-894ee77e6194@redhat.com> Message-ID: <862b6516-4549-34f4-08ab-282903df54a8@redhat.com> I recall that if your application is using a different datasource than "KeycloakDS" (which probably is the case if you are using a different database than Keycloak), then you need to configure the second datasource as an "xa-datasource". I think it looks right from quickly looking at it. Marek On 10/02/18 13:38, Niels Bertram wrote: > Hi Marek, > > using an application managed EntityManagerFactory appears to be > working. I created a UserStorageProviderFactory that is managing an > entity manager factory and when I use the entity manager in the > UserStorageProvider the transaction is managed by the container > transaction manager that also manages the Keycloak transactions. Why > am I certain about that? Had a few errors in the beginning about 2 > datasources trying to enroll as last resort. > > The main ingredients are in this gist. > > https://gist.github.com/bertramn/cbc4eec5e7b13e28099f4165a0c15b29 > > > The trick is to tell hibernate > > where to get the JTA platform transaction manager from. > > Does that look about right? I have a feeling it could be simplified > with some CDI magic ...
> > Cheers Niels > > > On Sat, Feb 10, 2018 at 12:26 AM, Niels Bertram > wrote: > > Yes, studied that one before asking the question, it's close but not > close enough. I think I will get away with creating an application > managed persistence context with container managed transaction. > Then in the provider factory I will read the DataSource name from > config and create the entity transaction manager. Am just not too > sure if it'll work with the things you do in Keycloak to access > these provider EJBs. I kinda need 1 stateful session bean for each > provider instance added to the realm and that needs its own > EntityManagerFactory which enrolls the entity manager in the JTA > from Keycloak. Will report back if I can get something working. > Thanks Niels > > On Sat, Feb 10, 2018 at 12:18 AM, Marek Posolda > > wrote: > > I suggest to look at this example: > https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-jpa > > > AFAIK It's probably the closest thing to your usecase, which we have. > > Marek > > On 8.2.2018 at 17:49 Niels Bertram wrote: > > Hi there, > > we have a requirement to set the jndi datasource name on a > UserFederation > provider when added to a realm to support connecting > different realms in > the same Keycloak server to different databases. Been > through the examples > and read a few emails from around 2016 in the developer > list but do not > find anyone who'd actually done this before. we could > create a user managed > EntityManagerFactory within the federation provider > factory but the > question is then how can we inject it into the container > context and enlist > our transactions in the JTA? > > Has anyone ever had to implement something like that?
> > Cheers, > Niels > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > From sthorger at redhat.com Mon Feb 12 03:35:14 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Mon, 12 Feb 2018 09:35:14 +0100 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References: Message-ID: Please try the files on https://www.microsoft.com/en-us/wdsi/filesubmission. That will allow Microsoft to investigate the issue. I've just submitted it myself and it comes back clean, so this seems to be an issue in your environment. Maybe your computer is affected? On 4 January 2018 at 15:52, Ariel Carrera wrote: > Hi, it still happens on my environment. > The problem persists with the new version of today (3.4.3.Final). > > Any comments from the dev team? Could you check it? > > Maybe it's a false alarm but it could be a serious security problem. > > - Screenshot of Keycloak JS Adapter alert: > > [image: Inline image 1] > > - Screenshot of Keycloak distribution alert: > > [image: Inline image 2] > > - Screenshot of Virus Definitions Version: > [image: Inline image 3] > > - Screenshot of Virus Definition Upgrade: > [image: Inline image 4] > > - Screenshot of Keycloak JS Adapter alert again (with definitions up to > date): > [image: Inline image 5] > > Thanks, > > 2018-01-03 18:07 GMT-03:00 Ariel Carrera : > > > Thanks Ramunas, I will check my Windows Defender's definition version to > > compare with you. I have Windows 10 (64 bit) updated on December 2017. > > > > > > On Wed, 3 Jan 2018 at 17:45, Rumanas > wrote: > > > >> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file > >> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder > >> with Windows Defender on Windows 10 - no issues found > >> * checked for Windows updates.
New update "Definition Update for Windows > >> Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found and > >> installed. > >> * scanned again. No issues found. > >> > >> Ramūnas > >> > > -- > > Ariel Carrera > > > > > > -- > Ariel Carrera > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From nielsbne at gmail.com Mon Feb 12 07:25:04 2018 From: nielsbne at gmail.com (Niels Bertram) Date: Mon, 12 Feb 2018 22:25:04 +1000 Subject: [keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names In-Reply-To: <862b6516-4549-34f4-08ab-282903df54a8@redhat.com> References: <8f279099-7172-f86f-c51f-894ee77e6194@redhat.com> <862b6516-4549-34f4-08ab-282903df54a8@redhat.com> Message-ID: Yes, the 2nd datasource is an XA-capable one. Is there any reason why we cannot also supply an XA datasource to Keycloak? We have a potential 3rd participant in the global transaction (JCA adapter) but need to make it last resource. As long as the JCA adapter is consumed (and lifecycle managed) within a Keycloak provider that should all work, no? N On Mon, Feb 12, 2018 at 6:22 PM, Marek Posolda wrote: > I recall that if your application is using a different datasource than > "KeycloakDS" (which probably is the case if you are using a different > database than Keycloak), then you need to configure the second datasource as > an "xa-datasource". > > I think it looks right from quickly looking at it. > > Marek > > > On 10/02/18 13:38, Niels Bertram wrote: > > Hi Marek, > > using an application managed EntityManagerFactory appears to be working. I > created a UserStorageProviderFactory that is managing an entity manager > factory and when I use the entity manager in the UserStorageProvider the > transaction is managed by the container transaction manager that also > manages the Keycloak transactions. Why am I certain about that?
Had a few > errors in the beginning about 2 datasources trying to enroll as last > resort. > > The main ingredients in this gist. > > https://gist.github.com/bertramn/cbc4eec5e7b13e28099f4165a0c15b29 > > > The trick is to tell hibernate > > where to get the JTA platform transaction manager from. > > Does that look about right? I have a feeling it could be simplified with > some CDI magic ... > > Cheers Niels > > > On Sat, Feb 10, 2018 at 12:26 AM, Niels Bertram > wrote: > >> Yes studied that one before asking the question, its close but not close >> enough. I think I will get away with creating an application managed >> persistence context with container managed transaction. Then in the >> provider factory I will read the DataSource name from config and create the >> entity transaction manager. Am just not too sure if it'll work with the >> things you do in Keycloak to access these provider EJBs. I kinda need 1 >> stateful session bean for each provider instance added to the realm and >> that needs its on EntityManagerFactory which enrolls the entity manager in >> the JTA from Keycloak. Will report back if I can get something working. >> Thanks Niels >> >> On Sat, Feb 10, 2018 at 12:18 AM, Marek Posolda >> wrote: >> >>> I suggest to look at this example: https://github.com/keycloak/ke >>> ycloak/tree/master/examples/providers/user-storage-jpa >>> >>> AFAIK It's probably closest thing to your usecase, which we have. >>> >>> Marek >>> >>> Dne 8.2.2018 v 17:49 Niels Bertram napsal(a): >>> >>>> Hi there, >>>> >>>> we have a requirement to set the jndi datasource name on a >>>> UserFederation >>>> provider when added to a realm to support connecting different realms in >>>> the same Keycloak server to different databases. Been through the >>>> examples >>>> and read a few emails from around 2016 in the developer list but do not >>>> find anyone who'd actually done this before. 
we could create a user >>>> managed >>>> EntityManagerFactory within the federation provider factory but the >>>> question is then how can we inject it into the container context and >>>> enlist >>>> our transactions in the JTA? >>>> >>>> Has anyone ever had to implement something like that? >>>> >>>> Cheers, >>>> NIels >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >>> >> > > From scott.finlay at sixt.com Mon Feb 12 08:14:02 2018 From: scott.finlay at sixt.com (Scott Finlay) Date: Mon, 12 Feb 2018 13:14:02 +0000 Subject: [keycloak-user] How to logout a specific offline session Message-ID: Hi, We have the case that there can be multiple offline sessions for a particular user. Is there a way to logout or invalid one particular offline session/token? Using the OAuth endpoints we can easily logout the normal session, but the offline tokens are still there. I can see that it is possible to invalidate ALL offline tokens for a particular user, but is there any way to invalidate just one particular one? I saw this issue which was discussed a bit and reopened and then closed, but it doesn't look like something was done: https://issues.jboss.org/browse/KEYCLOAK-3375 Regards, Scott From logan.hauspie.pro at gmail.com Mon Feb 12 08:55:40 2018 From: logan.hauspie.pro at gmail.com (Logan HAUSPIE) Date: Mon, 12 Feb 2018 14:55:40 +0100 Subject: [keycloak-user] InfinispanUserSessionProviderFactory specify the return type of `create` method Message-ID: Hi there, I'm trying to build my own UserSessionProviderFactory by extending the existing InfinispanUserSessionProviderFactory. I noticed that this Infinispan implementation is returning (in the signature) InfinispanUserSessionProvider instead of returning UserSessionProvider. Are you sure is that what you wanted? Have a nice day. 
---
Logan HAUSPIE
E-Mail : logan.hauspie.pro at gmail.com

From logan.hauspie.pro at gmail.com Mon Feb 12 09:03:41 2018
From: logan.hauspie.pro at gmail.com (Logan HAUSPIE)
Date: Mon, 12 Feb 2018 15:03:41 +0100
Subject: [keycloak-user] How to add custom information (a session note) in UserSession

Hi there,

I would like to know what I have to do (server development) to add custom data in the user session. My purpose is to call an External Web Service to retrieve some data and add it to the User Session. This returned data will be different from one call to another. So it's important for me to 'store' it in the session and not in the user.

Which Provider do I need to implement to do that?

Thanks in advance.

Logan HAUSPIE

From valsarajpv at gmail.com Mon Feb 12 09:04:26 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Mon, 12 Feb 2018 19:34:26 +0530
Subject: [keycloak-user] Custom JAAS login module for Keycloak auth

Hi,

I would like to know how to write a custom JAAS login module for Keycloak auth.

Thanks!

From carreraariel at gmail.com Mon Feb 12 09:32:42 2018
From: carreraariel at gmail.com (Ariel Carrera)
Date: Mon, 12 Feb 2018 11:32:42 -0300
Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter?

Hi Stian, how you doin'? Are you talking to me? Is it about my virus report?
It was solved with your submit (or my submit). Microsoft Defender tells now that files are valid.
It was detected as a virus for a while but after submitting the file and updating virus definitions it was marked as valid.
I remember that we talked about it on January 9th/10th! Thank you!

2018-02-12 5:35 GMT-03:00 Stian Thorgersen :
> Please try the files on https://www.microsoft.com/en-us/wdsi/filesubmission. That will allow Microsoft to investigate the issue.
>
> I've just submitted it myself and it comes back clean, so this seems to be an issue in your environment. Maybe your computer is affected?
>
> On 4 January 2018 at 15:52, Ariel Carrera wrote:
>> [...]

--
Ariel Carrera

From trmadhu at tafe.com Mon Feb 12 10:20:47 2018
From: trmadhu at tafe.com (trmadhu at tafe.com)
Date: Mon, 12 Feb 2018 15:20:47 +0000
Subject: [keycloak-user] Login failed due to missing user attributes

Dear All

We are trying to configure SSO with Keycloak as IDP and Shibboleth SP for a .Net application. The user authentication is handled by Keycloak IDP and in the Shibboleth we are getting the error message:

Login failed due to missing user attributes

Attribute                        Value
SHIB_displayName
SHIB_givenName
SHIB_cn
SHIB_sn
SHIB_eduPersonPrincipalName
SHIB_schacHomeOrganization
SHIB_schacHomeOrganizationType

Can you help in solving these issues or suggest any alternative for .Net application (for keycloak).

Regards

[All]

Above email is subject to 'Disclaimer' as per http://tafe.co.in/email-disclaimer.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 15671 bytes
Desc: image001.png
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180212/82473c42/attachment-0001.png

From sthorger at redhat.com Mon Feb 12 10:41:14 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 12 Feb 2018 16:41:14 +0100
Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter?

Sorry, I realised what happened. It was an old message that for some reason was just delivered.

On 12 February 2018 at 15:32, Ariel Carrera wrote:
> Hi Stian, how you doin'? Are you talking to me? Is it about my virus report?
> It was solved with your submit (or my submit). Microsoft Defender tells now that files are valid.
> It was detected as a virus for a while but after submitting the file and updating virus definitions it was marked as valid.
> I remember that we talked about it on January 9th/10th! Thank you!
>
> 2018-02-12 5:35 GMT-03:00 Stian Thorgersen :
>> [...]
>
> --
> Ariel Carrera

From mposolda at redhat.com Mon Feb 12 12:10:57 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Mon, 12 Feb 2018 18:10:57 +0100
Subject: [keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names
References: <8f279099-7172-f86f-c51f-894ee77e6194@redhat.com> <862b6516-4549-34f4-08ab-282903df54a8@redhat.com>
Message-ID: <8a603d0f-8171-a0f8-c673-e3b224e59257@redhat.com>

I think you can change existing KeycloakDS to be "xa-datasource". Maybe some configuration properties will need to be changed.

I am not 100% sure why the KeycloakDS is not "xa-datasource" by default. Maybe just because some databases (H2 ?) have issues with it.

Marek

On 12/02/18 13:25, Niels Bertram wrote:
> Yes the 2nd datasource is an XA capable one. Is there any reason why we cannot also supply an XA datasource to Keycloak? We have a potential 3rd participant in the global transaction (JCA adapter) but need to make it last resource. As long as the JCA adapter is consumed (and lifecycle managed) within a Keycloak provider that should all work, no? N
>
> On Mon, Feb 12, 2018 at 6:22 PM, Marek Posolda wrote:
> > I recall that if your application is using a different datasource than "KeycloakDS" (which probably is the case if you are using a different database than Keycloak), then you need to configure the second datasource as "xa-datasource".
> >
> > I think it looks right from quickly looking at it.
> > Marek
> > [...]

From sthorger at redhat.com Mon Feb 12 13:10:43 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 12 Feb 2018 19:10:43 +0100
Subject: [keycloak-user] Login failed due to missing user attributes

Not sure what the values of those claims should be, but you can use protocol mappers to add any claims that you want.

On 12 February 2018 at 16:20, trmadhu at tafe.com wrote:
> [...]

From mjbvilhena at gmail.com Mon Feb 12 13:45:10 2018
From: mjbvilhena at gmail.com (Miguel Vilhena)
Date: Mon, 12 Feb 2018 18:45:10 +0000
Subject: [keycloak-user] Passing client_secret when sending request to Token url

Hi,

I am trying to use a custom Identity Provider in keycloak, and haven't been able to configure it in a way that it doesn't send the client_secret in the POST request. Am I assuming incorrectly that if the client, in this case "Account", is marked as Public, then the client_secret should not be included in the request?

Thank you.

Miguel

From adr_gonzalez at yahoo.fr Mon Feb 12 16:37:08 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Mon, 12 Feb 2018 21:37:08 +0000 (UTC)
Subject: [keycloak-user] User REST API: n+1 selects
References: <1467066654.5013.1518471428961.ref@mail.yahoo.com>
Message-ID: <1467066654.5013.1518471428961@mail.yahoo.com>

Hello,

I'm testing KC 3.4.3 REST API and I get n+1 selects (aka 701 selects when asking for a page of 100 users).

Issue 1: Looking at the code, there's an n+1 select on the following fields of UserEntity:
- attributes
- requiredActions
- credentials

The n+1 select is triggered by https://github.com/keycloak/keycloak/blob/8e53ccf5abb4d7cc3ab8d5abc9d078a7f8725e8a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L215

This can be solved by annotating these attributes with @Fetch(FetchMode.SUBSELECT). I also tried using EntityGraph, but it doesn't work since we're using Collection types (instead of Set) and because we're doing pagination while fetching ToMany associations.

Issue 2: n+1 select because we don't cache null values

We have this select executed n times:

    select
        resourcese0_.ID as ID1_60_0_,
        resourcese0_.ALLOW_RS_REMOTE_MGMT as ALLOW_RS2_60_0_,
        resourcese0_.POLICY_ENFORCE_MODE as POLICY_E3_60_0_
    from
        RESOURCE_SERVER resourcese0_
    where
        resourcese0_.ID=?

This one is done here: https://github.com/keycloak/keycloak/blob/8e53ccf5abb4d7cc3ab8d5abc9d078a7f8725e8a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L216

In default setup, root.realmResourceServer() is null. Since StoreFactoryCacheSession doesn't cache null values, the return value never gets cached. I don't know how to easily solve that one.

Should I create an issue?

Thanks

From adr_gonzalez at yahoo.fr Mon Feb 12 16:56:22 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Mon, 12 Feb 2018 21:56:22 +0000 (UTC)
Subject: [keycloak-user] User REST API: n+1 selects
In-Reply-To: <1467066654.5013.1518471428961@mail.yahoo.com>
References: <1467066654.5013.1518471428961.ref@mail.yahoo.com> <1467066654.5013.1518471428961@mail.yahoo.com>
Message-ID: <2014615029.56093.1518472582245@mail.yahoo.com>

As a workaround for issue 2, we can activate Permissions in the realm-management Client (I've created a custom realm to avoid working on the master realm). This way, we ensure root.realmResourceServer() is not null. But that's a bit convoluted :(

On Monday 12 February 2018 at 22:37:08 UTC+1, Adrian Gonzalez wrote:
> Hello, I'm testing KC 3.4.3 REST API and I get n+1 selects (aka 701 selects when asking for a page of 100 users).
> [...]

From adr_gonzalez at yahoo.fr Mon Feb 12 18:26:21 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Mon, 12 Feb 2018 23:26:21 +0000 (UTC)
Subject: [keycloak-user] User REST API: n+1 selects
In-Reply-To: <2014615029.56093.1518472582245@mail.yahoo.com>
References: <1467066654.5013.1518471428961.ref@mail.yahoo.com> <1467066654.5013.1518471428961@mail.yahoo.com> <2014615029.56093.1518472582245@mail.yahoo.com>
Message-ID: <609721624.45055.1518477981314@mail.yahoo.com>

Here are some test results:

Laptop: Intel Core i7-6820HQ CPU 2.70GHz × 8, 16 Go RAM
Settings as per https://github.com/keycloak/keycloak/blob/3.4.1.CR1/testsuite/performance/README.provisioning-parameters.md
Injector, KC and postgres are on the same laptop.

Scenario: /users call with username criteria returning a 100 users page. 1000 total users in db.

Before optimization:

1 thread, no wait
    tx/s: 9
    avg response time (ms): 110
    CPU: java=80%, postgres=20%
    mem

5 threads, no wait
    tx/s: 31
    avg response time (ms): 149
    CPU: java=628%, postgres=135% (19 processes with 7.6%)
    mem: 1g used

10 threads, no wait
    tx/s: 41.5
    avg response time (ms): 219
    CPU: java=613%, postgres=135% (9 processes with 15%)
    mem: 400m used

Adrian Gonzalez wrote:
> [...]

From adr_gonzalez at yahoo.fr Mon Feb 12 19:04:01 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Tue, 13 Feb 2018 00:04:01 +0000 (UTC)
Subject: [keycloak-user] User REST API: n+1 selects
In-Reply-To: <609721624.45055.1518477981314@mail.yahoo.com>
References: <1467066654.5013.1518471428961.ref@mail.yahoo.com> <1467066654.5013.1518471428961@mail.yahoo.com> <2014615029.56093.1518472582245@mail.yahoo.com> <609721624.45055.1518477981314@mail.yahoo.com>
Message-ID: <2108019504.98519.1518480241144@mail.yahoo.com>

On the Group API, I think it's less critical: the first loading is resource consuming, but afterwards the groups are in cache.

With a db with 1000 groups (no hierarchy):

1. The first call to /groups with first=0, max=100 issues 3076 SQL statements. If I add @Fetch(Subselect), the number of statements is reduced to 2077 (2 times n+1 select, n being 1000). Then the rest is done in https://github.com/keycloak/keycloak/blob/a743600b344763ce2e7f70a625f590a8425fc5f3/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedGroup.java#L47-L55
2. Later calls are cached, so no more db access (until a group is updated/removed I assume).

On Tuesday 13 February 2018 at 00:26:21 UTC+1, Adrian Gonzalez wrote:
> [...]

From sthorger at redhat.com Tue Feb 13 02:05:40 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Feb 2018 08:05:40 +0100
Subject: [keycloak-user] Keycloak JPA UserFederation Adapter in multiple realms with different Datasource names
In-Reply-To: <8a603d0f-8171-a0f8-c673-e3b224e59257@redhat.com>
References: <8f279099-7172-f86f-c51f-894ee77e6194@redhat.com> <862b6516-4549-34f4-08ab-282903df54a8@redhat.com> <8a603d0f-8171-a0f8-c673-e3b224e59257@redhat.com>

It's not xa by default because most people don't need it and xa needs to have different config. An xa transaction can have a single non-xa resource joining it though.

On 12 Feb 2018 6:17 pm, "Marek Posolda" wrote:
> I think you can change existing KeycloakDS to be "xa-datasource". Maybe some configuration properties will need to be changed.
>
> I am not 100% sure why the KeycloakDS is not "xa-datasource" by default. Maybe just because some databases (H2 ?) have issues with it.
>
> Marek
>
> On 12/02/18 13:25, Niels Bertram wrote:
> > Yes the 2nd datasource is an XA capable one. Is there any reason why we cannot also supply an XA datasource to Keycloak? We have a potential 3rd participant in the global transaction (JCA adapter) but need to make it last resource. As long as the JCA adapter is consumed (and lifecycle managed) within a Keycloak provider that should all work, no?
N > > > > On Mon, Feb 12, 2018 at 6:22 PM, Marek Posolda > > wrote: > > > > I recall that if your application is using different datasource > > then "KeycloakDS" (which probably is the case if you are using > > different database then Keycloak), then you need to configure > > second datasource as "xa-datasource" . > > > > I think it looks right from quickly looking at it. > > > > Marek > > > > > > On 10/02/18 13:38, Niels Bertram wrote: > >> Hi Marek, > >> > >> using an application managed EntityManagerFactory appear to be > >> working. I created a UserStorageProviderFactory that is managing > >> a entity manager factory and when I use the entity manager in the > >> UserStorageProvider the transaction is managed by the container > >> transaction manager that also manages the Keycloak transactions. > >> Why am I certain about that? Had a few errors in the beginning > >> about 2 datasources trying to enroll as last resort. > >> > >> The main ingredients in this gist. > >> > >> https://gist.github.com/bertramn/cbc4eec5e7b13e28099f4165a0c15b29 > >> > >> > >> > >> The trick is to tell hibernate > >> 29#file-customuserstorageproviderfactory-java-L117> > >> where to get the JTA platform transaction manager from. > >> > >> Does that look about right? I have a feeling it could be > >> simplified with some CDI magic ... > >> > >> Cheers Niels > >> > >> > >> On Sat, Feb 10, 2018 at 12:26 AM, Niels Bertram > >> > wrote: > >> > >> Yes studied that one before asking the question, its close > >> but not close enough. I think I will get away with creating > >> an application managed persistence context with container > >> managed transaction. Then in the provider factory I will read > >> the DataSource name from config and create the entity > >> transaction manager. Am just not too sure if it'll work with > >> the things you do in Keycloak to access these provider EJBs. 
> >> I kinda need 1 stateful session bean for each provider > >> instance added to the realm and that needs its on > >> EntityManagerFactory which enrolls the entity manager in the > >> JTA from Keycloak. Will report back if I can get something > >> working. Thanks Niels > >> > >> On Sat, Feb 10, 2018 at 12:18 AM, Marek Posolda > >> > wrote: > >> > >> I suggest to look at this example: > >> https://github.com/keycloak/keycloak/tree/master/examples/ > providers/user-storage-jpa > >> providers/user-storage-jpa> > >> > >> AFAIK It's probably closest thing to your usecase, which > >> we have. > >> > >> Marek > >> > >> Dne 8.2.2018 v 17:49 Niels Bertram napsal(a): > >> > >> Hi there, > >> > >> we have a requirement to set the jndi datasource name > >> on a UserFederation > >> provider when added to a realm to support connecting > >> different realms in > >> the same Keycloak server to different databases. Been > >> through the examples > >> and read a few emails from around 2016 in the > >> developer list but do not > >> find anyone who'd actually done this before. we could > >> create a user managed > >> EntityManagerFactory within the federation provider > >> factory but the > >> question is then how can we inject it into the > >> container context and enlist > >> our transactions in the JTA? > >> > >> Has anyone ever had to implement something like that? 
> >>
> >> Cheers,
> >> Niels

From sthorger at redhat.com Tue Feb 13 02:53:34 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 13 Feb 2018 08:53:34 +0100
Subject: [keycloak-user] How to logout a specific offline session
In-Reply-To:
References:
Message-ID:

An offline session is not linked to the normal session and there are two ways to log those out:
* A user can remove the offline session in the account management console
* The offline token can be logged out using the logout endpoint (see https://issues.jboss.org/browse/KEYCLOAK-3173)

On 12 February 2018 at 14:14, Scott Finlay wrote:
> Hi,
>
> We have the case that there can be multiple offline sessions for a particular user. Is there a way to logout or invalidate one particular offline session/token? Using the OAuth endpoints we can easily logout the normal session, but the offline tokens are still there. I can see that it is possible to invalidate ALL offline tokens for a particular user, but is there any way to invalidate just one particular one?
>
> I saw this issue which was discussed a bit and reopened and then closed, but it doesn't look like something was done: https://issues.jboss.org/browse/KEYCLOAK-3375
>
> Regards,
>
> Scott

From hmlnarik at redhat.com Tue Feb 13 02:57:07 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 13 Feb 2018 08:57:07 +0100
Subject: [keycloak-user] Support for X509Data as SAML Signature Key Name
In-Reply-To: <2488ABC8-5A05-42DE-994B-D73AC4FED584@ist.com>
References: <2488ABC8-5A05-42DE-994B-D73AC4FED584@ist.com>
Message-ID:

It may be considered for inclusion. Can you please file a feature request in JIRA? Community contributions are welcome.

--Hynek

On Fri, Feb 9, 2018 at 10:52 AM, Michael Liebe wrote:
> Hi,
>
> We got a requirement to include the X509 certificate (X509Data/X509Certificate element) within the KeyInfo element when sending SAML authentication requests to external identity providers. Keycloak currently supports KEY_ID and CERT_SUBJECT as SAML signature key names. Are there any plans to also support X509Certificate in future releases?
>
> Best regards,
> Michael

--
--Hynek

From subodhcjoshi82 at gmail.com Tue Feb 13 03:10:04 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Tue, 13 Feb 2018 13:40:04 +0530
Subject: [keycloak-user] How to create a realm through Admin CLI
Message-ID:

Hi All

I am trying to create a realm through the admin CLI and tried the below command

./kcadm.sh config credentials --server http://:8665/auth/ create realms -s realm=demorealmAdminCLI -s enabled=true

But I am getting

Required option not specified: --realm

What am I doing wrong?
When I tried the following command

[root at suredevbana1 bin]# ./kcadm.sh config credentials --server http://:8665/auth/ --realm master --user admin --password admin

Then I am getting the below message

Logging into http://:8665/auth/ as user admin of realm master
Feb 13, 2018 1:23:35 PM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.NoRouteToHostException) caught when processing request to {}->http:// :8665: No route to host
Feb 13, 2018 1:23:35 PM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->http:// :8665
Feb 13, 2018 1:23:35 PM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.NoRouteToHostException) caught when processing request to {}->http:// :8665: No route to host
Feb 13, 2018 1:23:35 PM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->http:// :8665
Feb 13, 2018 1:23:35 PM org.apache.http.impl.execchain.RetryExec execute
INFO: I/O exception (java.net.NoRouteToHostException) caught when processing request to {}->http:// :8665: No route to host
Feb 13, 2018 1:23:35 PM org.apache.http.impl.execchain.RetryExec execute
INFO: Retrying request to {}->http:// :8665
Failed to send request - No route to host

Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.questioninmind.com

From lkrzyzan at redhat.com Tue Feb 13 04:20:54 2018
From: lkrzyzan at redhat.com (Libor Krzyžanek)
Date: Tue, 13 Feb 2018 10:20:54 +0100
Subject: [keycloak-user] Keycloak 3.4.3 Failover with session replication
Message-ID: <198C8306-E699-47B9-9099-807187F261F3@redhat.com>

Hi,
we're upgrading keycloak from 1.9 to 3.4 and caches changed quite a lot.

The setup is simply two nodes in HA mode. I see that the nodes see each other, but it's not clear to me what is the easiest way to achieve failover with session replication. In KC 1.9 we just increased owners=2 and it was enough.
We tried the default setup with distributed-caches (most of them have owners="1") and when one node is killed (not shutdown.sh but a hard java kill) then the user loses the session and is asked to login again once the LB forwards traffic to the second node.

We tried to increase owners on these caches but with no luck.

I read this article: http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html but we don't have JDG because it's just a simple cluster with two nodes within the same datacenter.

What is the best and easiest approach to achieve failover with session replication?

Thanks,

Libor

Libor Krzyžanek
Principal Software Engineer
Middleware Engineering Services

From lkrzyzan at redhat.com Tue Feb 13 04:23:58 2018
From: lkrzyzan at redhat.com (Libor Krzyžanek)
Date: Tue, 13 Feb 2018 10:23:58 +0100
Subject: [keycloak-user] Keycloak 3.4.3 Failover with session replication
In-Reply-To: <198C8306-E699-47B9-9099-807187F261F3@redhat.com>
References: <198C8306-E699-47B9-9099-807187F261F3@redhat.com>
Message-ID: <7860F966-8A6F-411C-BE2A-2601E8D243FD@redhat.com>

And btw. this is the output in the log when one node is killed:

2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
2018-02-12 15:16:44,795 WARN [org.infinispan.CLUSTER] (transport-thread--p32-t6) [Context=client-mappings]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency.
Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
2018-02-12 15:16:44,801 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=authenticationSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
2018-02-12 15:16:44,803 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=sessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
2018-02-12 15:16:44,805 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=clientSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
2018-02-12 15:16:44,807 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=work]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
2018-02-12 15:16:44,810 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=offlineSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
2018-02-12 15:16:44,823 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=loginFailures]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
2018-02-12 15:16:44,825 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=actionTokens]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]

Thanks,

Libor Krzyžanek
Principal Software Engineer
Middleware Engineering Services

> On 13.02.2018, at 10:20, Libor Krzyžanek wrote:

From marian.rainer-harbach at apa.at Tue Feb 13 04:25:52 2018
From: marian.rainer-harbach at apa.at (Rainer-Harbach Marian)
Date: Tue, 13 Feb 2018 10:25:52 +0100
Subject: [keycloak-user] Keycloak 4.0 release date estimate?
Message-ID: <1cf2b54e-5711-f643-82be-b8ae3b0effba@apa.at>

Hi guys,

we are very interested in Keycloak 4.0 (in particular https://issues.jboss.org/browse/KEYCLOAK-3370). Is there an estimate on when 4.0 (or even a beta of 4.0) will be released?

Thanks,
Marian
From mstrukel at redhat.com Tue Feb 13 04:28:43 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 13 Feb 2018 10:28:43 +0100
Subject: [keycloak-user] How to create a realm through Admin CLI
In-Reply-To:
References:
Message-ID:

See documentation: http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli

No route to host means you have a networking issue or are using a wrong IP for the server.

On Feb 13, 2018 09:13, "Subodh Joshi" wrote:

From ionut.culda at lola.tech Tue Feb 13 04:38:35 2018
From: ionut.culda at lola.tech (Ionut Culda)
Date: Tue, 13 Feb 2018 11:38:35 +0200
Subject: [keycloak-user] sssd and otp
Message-ID: <6A177096-B284-4172-9D32-4840944F0E6A@lola.tech>

Hello,

Can anybody tell me if keycloak supports sssd user federation with otp? I configured this, but when I try to configure otp for the first time I get the following error:

ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-28) Uncaught server error: java.lang.IllegalStateException: You can't update your password as your account is read only.

Thank You

From valsarajpv at gmail.com Tue Feb 13 05:07:49 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Tue, 13 Feb 2018 15:37:49 +0530
Subject: [keycloak-user] Keycloak forum
Message-ID:

Hi,

Is there any Keycloak forum website?

Thanks!

From orivat at janua.fr Tue Feb 13 06:20:49 2018
From: orivat at janua.fr (Olivier Rivat)
Date: Tue, 13 Feb 2018 12:20:49 +0100
Subject: [keycloak-user] Modcluster integration with keycloak
Message-ID: <354db9e4-b67d-be14-9aff-a0ab0345dae8@janua.fr>

Configuring Keycloak with mod_cluster in standalone HA mode with WildFly

1) I am trying to set up a cluster in standalone mode with keycloak.

I have
-keycloak 3.4.3
-wildfly 11
-modcluster 1.3

1) mod_cluster
==============
I have configured mod_cluster on an Ubuntu distribution as follows:

MemManagerFile cache/mod_cluster

Listen 8180 http

# add ip of JBoss nodes to join this proxy here
Require ip 127.0.0.1
#Require all granted
Allow from all
ServerAdvertise on
EnableMCPMReceive

SetHandler mod_cluster-manager
# add ip of clients allowed to access mod_cluster-manager
Require ip 127.0.0.1
#Require all granted
Allow from all

I can access it at URL http://vps383894.ovh.net:8180/mod_cluster_manager to check that mod_cluster is operational

2) Keycloak server
==================
On my server I have installed keycloak

http://www.keycloak.org/docs/latest/server_installation/index.html#_example-setup-with-mod-cluster

route add -net 224.0.0.0 netmask 240.0.0.0 dev lo
ifconfig lo multicast

The difference I have introduced

I have started it as ./standalone.sh -c standalone-ha.xml -Djboss.socket.binding.port-offset=200 -Djboss.node.name=node1

I have updated the xml as follows:

[undertow subsystem XML not preserved by the archive; surviving attribute fragments: redirect-socket="https" enable-http2="true"/>, security-realm="ApplicationRealm" enable-http2="true"/>, path="${jboss.home.dir}/welcome-content"/>, class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" />]

changes:

2.1)

X-Forwarded-For AJP Config

[XML not preserved by the archive; surviving attribute fragments: redirect-socket="https"/>, class-name="io.undertow.server.handlers.ProxyPeerAddressHandler" module="io.undertow.core" />]

2.2)

servlet-container name="default">
...

3) Traces
=========

Now I try to access http://vps383894.ovh.net:8180/auth to reach the keycloak authent URL

I obtain the following errors from the apache module in the error log trace

Tue Feb 13 11:07:44.023463 2018] [core:notice] [pid 17183:tid 140195770410880] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 11:43:03.239246 2018] [mpm_event:notice] [pid 17183:tid 140195770410880] AH00491: caught SIGTERM, shutting down
[Tue Feb 13 11:43:04.383906 2018] [ssl:warn] [pid 23735:tid 139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:43:04.415962 2018] [ssl:warn] [pid 23736:tid 139634017527680] AH01906: vps383894.ovh.net:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:43:04.421178 2018] [:notice] [pid 23736:tid 139634017527680] Advertise initialized for process 23736
[Tue Feb 13 11:43:04.422642 2018] [mpm_event:notice] [pid 23736:tid 139634017527680] AH00489: Apache/2.4.18 (Ubuntu) mod_cluster/1.3.1.Final OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 13 11:43:04.422682 2018] [core:notice] [pid 23736:tid 139634017527680] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 11:55:14.852179 2018] [mpm_event:notice] [pid 23736:tid 139634017527680] AH00491: caught SIGTERM, shutting down
[Tue Feb 13 11:55:15.984187 2018] [ssl:warn] [pid 25890:tid 140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:55:16.005249 2018] [ssl:warn] [pid 25891:tid 140179862239104] AH01906: vps383894.ovh.net:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Tue Feb 13 11:55:16.009504 2018] [:notice] [pid 25891:tid 140179862239104] Advertise initialized for process 25891
[Tue Feb 13 11:55:16.010908 2018] [mpm_event:notice] [pid 25891:tid 140179862239104] AH00489: Apache/2.4.18 (Ubuntu) mod_cluster/1.3.1.Final OpenSSL/1.0.2g configured -- resuming normal operations
[Tue Feb 13 11:55:16.010932 2018] [core:notice] [pid 25891:tid 140179862239104] AH00094: Command line: '/usr/sbin/apache2'
[Tue Feb 13 12:13:35.051090 2018] [proxy:warn] [pid 25895:tid 140179444545280] [client 82.236.158.30:49992] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:57.552528 2018] [proxy:warn] [pid 25895:tid 140179452937984] [client 82.236.158.30:49996] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:58.508734 2018] [proxy:warn] [pid 25896:tid 140179461330688] [client 82.236.158.30:49998] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:58.670853 2018] [proxy:warn] [pid 25895:tid 140179427759872] [client 82.236.158.30:50000] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:58.819705 2018] [proxy:warn] [pid 25896:tid 140179452937984] [client 82.236.158.30:50002] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:13:58.980052 2018] [proxy:warn] [pid 25895:tid 140179419367168] [client 82.236.158.30:50004] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.
[Tue Feb 13 12:14:50.778001 2018] [proxy:warn] [pid 25895:tid 140179385796352] [client 82.236.158.30:50014] AH01144: No protocol handler was valid for the URL /auth. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

What's going wrong?
How is it possible to fix this?
Regards,
Olivier

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From orivat at janua.fr Tue Feb 13 06:34:39 2018
From: orivat at janua.fr (Olivier Rivat)
Date: Tue, 13 Feb 2018 12:34:39 +0100
Subject: [keycloak-user] Modcluster integration with keycloak
In-Reply-To: <354db9e4-b67d-be14-9aff-a0ab0345dae8@janua.fr>
References: <354db9e4-b67d-be14-9aff-a0ab0345dae8@janua.fr>
Message-ID: <9eb4ec52-466c-11cc-748d-46a5103191fe@janua.fr>

Found it! It required enabling all the modules. They are not enabled by default on Ubuntu!!!!

sudo a2enmod proxy proxy_http proxy_ajp
Module proxy already enabled
Considering dependency proxy for proxy_http:
Module proxy already enabled
Module proxy_http already enabled
Considering dependency proxy for proxy_ajp:
Module proxy already enabled
Enabling module proxy_ajp.
To activate the new configuration, you need to run:
  service apache2 restart

Regards,
Olivier

On 13/02/2018 at 12:20, Olivier Rivat wrote:

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From jcain at redhat.com Tue Feb 13 11:49:22 2018
From: jcain at redhat.com (Josh Cain)
Date: Tue, 13 Feb 2018 10:49:22 -0600
Subject: [keycloak-user] Keycloak forum
In-Reply-To:
References:
Message-ID: <73876f9c-171b-0cbd-e9dc-1839090b2def@redhat.com>

Nope. See http://www.keycloak.org/community.html

The IRC channel is mostly just lurkers. Your best bet is going to be the mailing list. I suppose you could think of the list archives as a type of forum log: http://lists.jboss.org/pipermail/keycloak-user/

I also try to keep an eye on the keycloak tag on S/O [0], but that's been kind of noisy with not-so-great questions lately.

[0] https://stackoverflow.com/questions/tagged/keycloak

Josh Cain
Senior Software Applications Engineer, RHCE
Red Hat North America
jcain at redhat.com IRC: jcain

On 02/13/2018 04:07 AM, valsaraj pv wrote:
> Hi,
>
> Is there any Keycloak forum website?
>
> Thanks!
From valsarajpv at gmail.com Tue Feb 13 13:03:36 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Tue, 13 Feb 2018 23:33:36 +0530
Subject: [keycloak-user] Keycloak forum
In-Reply-To: <73876f9c-171b-0cbd-e9dc-1839090b2def@redhat.com>
References: <73876f9c-171b-0cbd-e9dc-1839090b2def@redhat.com>
Message-ID:

Ok thanks! I was checking for one like the jboss developers forum.

On 13-Feb-2018 10:21 PM, "Josh Cain" wrote:

From trmadhu at tafe.com Tue Feb 13 13:39:22 2018
From: trmadhu at tafe.com (trmadhu at tafe.com)
Date: Tue, 13 Feb 2018 18:39:22 +0000
Subject: [keycloak-user] Customize login page
Message-ID:

Dear Support

We want to customize the login url for the end users; currently, to access the Keycloak IDP, the URL will be https://abc.def.com/auth/realms/abcd/account/applications

Can we have a redirect rule so that when a user types abc.def.com, it redirects to the application page / customised URL?

Regards
Madhu T R

Above email is subject to 'Disclaimer' as per http://tafe.co.in/email-disclaimer.htm

From trmadhu at tafe.com Tue Feb 13 13:42:02 2018
From: trmadhu at tafe.com (trmadhu at tafe.com)
Date: Tue, 13 Feb 2018 18:42:02 +0000
Subject: [keycloak-user] Customize login page
Message-ID: <4415e8c9115f41bc96db9239c72065ff@ex2k13mbx2.tafedc.com>

Dear Support

When we log in to the keycloak IDP page, we are able to see the list of application names with details. Can we customize this page? We need to show the applications as icons (instead of showing Application, available permissions, grant permissions etc.).

Kindly support.
T R Madhu
Associate Principal Consultant | Enterprise Application Admin
Mobile No : 99400 76612
www.tafe.com

From trmadhu at tafe.com Tue Feb 13 13:48:05 2018
From: trmadhu at tafe.com (trmadhu at tafe.com)
Date: Tue, 13 Feb 2018 18:48:05 +0000
Subject: [keycloak-user] Application icons based
Message-ID:

Dear Support

When we log in to the Keycloak IDP page, we are able to see the list of application names with details. Can we customize this page? We need to show the applications as icons (instead of showing Application, available permissions, grant permissions etc.). Kindly support.

T R Madhu
Associate Principal Consultant | Enterprise Application Admin
Mobile No : 99400 76612
www.tafe.com

From harary.or at gmail.com Tue Feb 13 13:50:02 2018
From: harary.or at gmail.com (Or Harary)
Date: Tue, 13 Feb 2018 20:50:02 +0200
Subject: [keycloak-user] Share resource by checking if some other user is in a certain group
Message-ID:

Hello,

After some time of using Keycloak, which works great for most of my demands, I wanted to know if it's possible to create a permission with a policy that will tell me if some user (not the one who is logged in) is within a certain group.

For example:

User 1 has a digital wallet.
This digital wallet has a resource:
name: /wallet/{wallet-id}
uri: /{user-1-id}/wallet/{wallet-id}
scopes: charge/read/...

User 2 has a company which is represented as a group.

User 2 wants to charge user 1's digital wallet, but I want him to only be able to do so when user 1 is inside user 2's company group.

How can I check this with a policy?
Or somehow share user 1's resource with user 2 by a policy?

Thanks!

From ba.andrzejczak at gmail.com Tue Feb 13 15:41:06 2018
From: ba.andrzejczak at gmail.com (bandrzejczak)
Date: Tue, 13 Feb 2018 13:41:06 -0700 (MST)
Subject: [keycloak-user] User impersonation - JWT
In-Reply-To:
References:
Message-ID: <1518554466621-0.post@n6.nabble.com>

There are two ways of doing that now: getting a token via the implicit flow (introduced in 1.9.2) or via Token Exchange (introduced in 3.4.0). I've described them both in https://blog.softwaremill.com/who-am-i-keycloak-impersonation-api-bfe7acaf051a

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From ryans at jlab.org Tue Feb 13 15:48:00 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 13 Feb 2018 15:48:00 -0500 (EST)
Subject: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?
In-Reply-To: <229318364.9919257.1518554871909.JavaMail.zimbra@jlab.org>
References: <1499329272.8253056.1517944592901.JavaMail.zimbra@jlab.org> <1165784646.8456228.1518017109049.JavaMail.zimbra@jlab.org>
Message-ID: <1198433338.9919270.1518554880666.JavaMail.zimbra@jlab.org>

Hi Keycloak Users,

I figured out that single quotes are sometimes required around CLI attributes and sometimes not (it doesn't seem to have anything to do with whitespace either).

I've created an issue ticket in Jira to update the documentation to reflect the new "create components" API instead of the old "create user-federation/instances" API.

Issue created: https://issues.jboss.org/browse/KEYCLOAK-6583

And made the fix in the documentation repository.
Pull request: https://github.com/keycloak/keycloak-documentation/pull/328

Ryan

----- Original Message -----
From: "Ryan Slominski"
To: "keycloak-user"
Sent: Wednesday, February 7, 2018 10:25:09 AM
Subject: Re: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?

I figured out why the kerberos component wasn't showing up in the web console. I now see that realm name and realm ID are not identical by default. It might make sense to update the CLI docs to suggest that when creating a realm you explicitly set the ID to be the same as the realm name, as the web console automatically does. That is why I was seeing the command line listing the component as part of the realm, but not visible when browsing from the web console.

The first part of my question still remains. It seems the kcadm tool cannot be used to create or modify a user storage provider with all of the fields. Some fields seem to cause parsing errors on the server. Including these fields in the initial create command doesn't work. Neither does including them in an update command:

kcadm.sh update components/my-kerberos-component-id -r demorealm -s config.kerberosRealm=["my-kerberos-realm-name"]

Also results in:

Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token

----- Original Message -----
From: "Ryan Slominski"
To: "keycloak-user"
Sent: Tuesday, February 6, 2018 2:16:32 PM
Subject: [keycloak-user] kcadm CLI for kerberos user storage API needs updating?

I'm following the latest CLI documentation (http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli), but the section about managing Kerberos user storage providers seems to be out-of-date.
The related REST API documentation (http://www.keycloak.org/docs/latest/server_development/index.html#rest-management-api) points out that major changes occurred after version 2.4.0. In particular the following command no longer works:

kcadm.sh create user-federation/instances -r demorealm ...

Instead it seems it should be something like the following:

kcadm.sh create components -r demorealm -s parentId=demorealm -s name="kerberos" -s providerId="kerberos" -s providerType="org.keycloak.storage.UserStorageProvider" \
  -s config.enabled=["true"] -s config.allowPasswordAuthentication=["true"] -s config.debug=["false"] -s config.priority=["0"] -s config.updateProfileFirstLogin=["false"]

However, this "create components" command only seems to work if I don't include the following otherwise desirable attributes:

-s config.keyTab=["path-to-keytab"]
-s config.kerberosRealm=["kerberos-realm-name"]
-s config.cachePolicy=["DEFAULT"]
-s config.editMode=["READ_ONLY"]
-s config.serverPrincipal=["http-principal-name"]

Including any one of them results in the server throwing the following exception:

Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token

Further, even if I leave these attributes out and attempt to finish the job using the web console, I noticed the new user storage provider doesn't show up in the list on the web. It DOES show up when queried from the command line with:

kcadm.sh get components -r demorealm

But oddly doesn't show up if you filter as the web does with:

kcadm.sh get components -r demorealm -q type=org.keycloak.storage.UserStorageProvider

Any help is appreciated.
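The deserialization error in the message above comes from shell quoting rather than from the API: bash removes the double quotes from `config.keyTab=["path-to-keytab"]` before kcadm ever sees it, so `[path-to-keytab]` is no longer valid JSON and travels as a plain string, while `[true]` and `[0]` still parse as JSON arrays. The Python below is an editor's added illustration (not code from the thread or from Keycloak) that replays both quoting styles; it assumes kcadm's rule that a `-s` value is used as JSON when it parses and as a string otherwise, and the helper names (`as_received`, `build_representation`, `bad_config_values`) are invented for it.

```python
import json
import shlex

# Constructed sample command lines (not from the thread). The first is typed the
# way the question shows it; the second wraps each -s value in single quotes so
# the inner double quotes survive the shell's quote removal.
UNQUOTED_CMD = (
    'kcadm.sh create components -r demorealm -s parentId=demorealm '
    '-s name=kerberos -s providerId=kerberos '
    '-s providerType=org.keycloak.storage.UserStorageProvider '
    '-s config.enabled=["true"] -s config.priority=["0"] '
    '-s config.kerberosRealm=["my-kerberos-realm-name"] '
    '-s config.editMode=["READ_ONLY"]'
)
QUOTED_CMD = (
    "kcadm.sh create components -r demorealm -s parentId=demorealm "
    "-s name=kerberos -s providerId=kerberos "
    "-s providerType=org.keycloak.storage.UserStorageProvider "
    "-s 'config.enabled=[\"true\"]' -s 'config.priority=[\"0\"]' "
    "-s 'config.kerberosRealm=[\"my-kerberos-realm-name\"]' "
    "-s 'config.editMode=[\"READ_ONLY\"]'"
)


def as_received(cmdline):
    """Words as kcadm gets them after POSIX quote removal (shlex applies the
    same rules). Assumes no file in the cwd happens to match the [..] glob
    that the unquoted form also exposes to pathname expansion."""
    return shlex.split(cmdline)


def set_values(words):
    """Yield (key, raw_value) for every '-s key=value' pair on the line."""
    for i, word in enumerate(words):
        if word == '-s' and i + 1 < len(words):
            key, _, raw = words[i + 1].partition('=')
            yield key, raw


def parse_value(raw):
    """Assumed kcadm rule: a value is used as JSON when it parses, otherwise
    it is sent as a plain string."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw


def build_representation(cmdline):
    """Build the component representation kcadm would POST to
    /admin/realms/{realm}/components; dotted keys nest (config.x -> config[x])."""
    rep = {}
    for key, raw in set_values(as_received(cmdline)):
        target = rep
        *parents, leaf = key.split('.')
        for p in parents:
            target = target.setdefault(p, {})
        target[leaf] = parse_value(raw)
    return rep


def bad_config_values(rep):
    """config maps String -> list of String on the server, so every config
    value that did not parse as a JSON array is one the server rejects with
    'Can not deserialize instance of java.util.ArrayList out of VALUE_STRING token'."""
    return sorted(k for k, v in rep.get('config', {}).items()
                  if not isinstance(v, list))


def body_json(rep):
    """JSON as it would go on the wire, rendering booleans/numbers that slipped
    into config arrays as the lowercase strings the server stores."""
    def as_str(x):
        if isinstance(x, bool):
            return 'true' if x else 'false'
        return str(x)
    out = dict(rep)
    out['config'] = {k: [as_str(x) for x in v] if isinstance(v, list) else v
                     for k, v in rep.get('config', {}).items()}
    return json.dumps(out, sort_keys=True)


if __name__ == '__main__':
    for label, cmd in (('double quotes only', UNQUOTED_CMD),
                       ('single-quoted values', QUOTED_CMD)):
        rep = build_representation(cmd)
        print(label, '-> config keys the server would reject:',
              bad_config_values(rep) or 'none')
```

Quoting each value as `-s 'config.keyTab=["path-to-keytab"]'` keeps the array intact, which is what the "single quotes are sometimes required" observation above is seeing: booleans and numbers survive quote removal as valid JSON, bare words do not.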
Thanks,

Ryan

From mposolda at redhat.com Tue Feb 13 15:52:04 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 13 Feb 2018 21:52:04 +0100
Subject: [keycloak-user] Keycloak 3.4.3 Failover with session replication
In-Reply-To: <7860F966-8A6F-411C-BE2A-2601E8D243FD@redhat.com>
References: <198C8306-E699-47B9-9099-807187F261F3@redhat.com> <7860F966-8A6F-411C-BE2A-2601E8D243FD@redhat.com>
Message-ID: <58ff0801-1935-a938-ef9b-775cf306f9d9@redhat.com>

Hi Libor,

you need to increase owners also for "clientSessions" and "offlineClientSessions".

Marek

On 13/02/18 10:23, Libor Krzyžanek wrote:
> And btw. this is the output in the log when one node is killed:
>
>
> 2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
> 2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
> 2018-02-12 15:16:44,795 WARN [org.infinispan.CLUSTER] (transport-thread--p32-t6) [Context=client-mappings]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
> 2018-02-12 15:16:44,801 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=authenticationSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
> 2018-02-12 15:16:44,803 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=sessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
> 2018-02-12 15:16:44,805 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=clientSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
> 2018-02-12 15:16:44,807 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=work]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
> 2018-02-12 15:16:44,810 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=offlineSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
> 2018-02-12 15:16:44,823 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=loginFailures]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
> 2018-02-12 15:16:44,825 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=actionTokens]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>
>
> Thanks,
>
> Libor Krzyžanek
> Principal Software Engineer
> Middleware Engineering Services
>
>> On 13.02.2018, at 10:20, Libor Krzyžanek wrote:
>>
>> Hi,
>> we're upgrading keycloak from 1.9. to 3.4 and caches changed quite a lot.
>>
>> The setup is simply two nodes in HA mode. I see that the nodes see each other, but it's not clear to me what the easiest way is to achieve failover with session replication. In KC 1.9 we just increased owners=2 and it was enough.
>>
>> We tried the default setup with distributed-caches (most of them have owners="1") and when one node is killed (not shutdown.sh but a hard java kill) then the user loses the session and is asked to log in again once the LB forwards traffic to the second node.
>>
>> We tried to increase owners on these caches
>>
>>
>> but with no luck.
>>
>> I read this article: http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html but we don't have JDG because it's just a simple cluster with two nodes within the same datacenter.
>>
>> What is the best and easiest approach to achieve failover with session replication?
>>
>> Thanks,
>>
>> Libor
>>
>> Libor Krzyžanek
>> Principal Software Engineer
>> Middleware Engineering Services
>>

From carlosthe19916 at gmail.com Tue Feb 13 17:16:09 2018
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Tue, 13 Feb 2018 17:16:09 -0500
Subject: [keycloak-user] Auto Refresh of external IDP tokens
Message-ID:

Hi All.

I'm facing a problem trying to retrieve an external IDP token from Google using the Broker configuration. This is the context:

I have a Keycloak offline_token for every user of my application, then I use these offline_tokens to retrieve the external IDP token (Google) by calling:

GET /auth/realms/{realm}/broker/{provider_alias}/token
Authorization: Bearer {keycloak_access_token}

The HTTP GET returns an access token and I use that access token to get information from Google. The problem is that the access token retrieved has an expiration of 1 hour and after that I'm not able to call Google any more.
After reading the documentation I found this part: http://www.keycloak.org/docs/latest/server_development/index.html#retrieving-external-idp-tokens

That part says: "These external tokens can be re-established by either logging in again through the provider, or using the client initiated account linking API."

Does it mean that I have to force the user to log in again and again every time I find the external token has expired? Is it possible to re-establish the external IDP token without the intervention of the user?

This doesn't seem to be a big problem, but because in my case I have Keycloak offline_tokens I can't re-establish the external IDP token. How would I face this problem?

--
Carlos E. Feria Vila

From bobwilson33 at gmail.com Tue Feb 13 20:58:24 2018
From: bobwilson33 at gmail.com (Christian Chive)
Date: Tue, 13 Feb 2018 17:58:24 -0800
Subject: [keycloak-user] Duplicate User showing in admin console after user import via federation
Message-ID:

Hi,

This is my first time using a mailing list, and my colleagues found it hysterical that I'd never heard of the concept before, so apologies if I'm doing something incorrectly.

I have based my code off of https://github.com/keycloak/keycloak/tree/master/examples/providers/user-storage-simple/src/main/java/org/keycloak/examples/userstorage/writeable

I've been reading Section 11.X to help troubleshoot: http://www.keycloak.org/docs/3.4/server_development/index.html#credentialinputvalidator-implementation

Here are (I think) all of the relevant methods I overrode. I excluded methods I figured were irrelevant.
https://pastebin.com/0CF1n4xy

My goal: Using Keycloak 3.4, write a provider that allows me to log in with credentials in a simple key/value properties file. Once a user logs in for the first time while Keycloak is up, Keycloak will create a new user and add it to the UserLocalStorage so the next time the user logs in, it will query the UserLocalStorage to retrieve the user and skip hitting the external store.
The end goal is to hook into our SQL DB and slowly migrate users on a per-login basis.

I've got all of this working, except whenever I go into the admin console and go to Users -> View All Users, I see duplicates of all of the users that have been migrated over - same ID, same username.

I had thrown debug statements all over my overridden methods and the getUsers method seemed to be returning the correct (non-duplicate) number of accounts, but the 'isConfiguredFor' coming from the CredentialInputValidator interface was being called twice for each account, and I couldn't figure out why.

An important note: once I unlink the users and remove the provider, the users that remain in the 'Users -> View All' display no duplicates.

Any help would be sincerely appreciated.

Thank you!

From subodhcjoshi82 at gmail.com Wed Feb 14 05:58:15 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Wed, 14 Feb 2018 16:28:15 +0530
Subject: [keycloak-user] Client secret not provided in request [unauthorized_client]
Message-ID:

Hi All

I am trying to run this command through the ADMIN CLI:

./kcadm.sh config credentials --server https://:8666/auth --realm master --user admin --password admin

But it ends with the issue:

Client secret not provided in request [unauthorized_client]

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From orivat at janua.fr Wed Feb 14 06:13:49 2018
From: orivat at janua.fr (Olivier Rivat)
Date: Wed, 14 Feb 2018 12:13:49 +0100
Subject: [keycloak-user] Modcluster does connect in SSL to keyclaok
Message-ID: <7a7f689a-0c58-ff00-0f38-f56a2f3f89f3@janua.fr>

Hi,

I am trying to set up a mod_cluster SSL connection to Keycloak.

The error I obtained is:

11:53:32,916 ERROR [org.jboss.modcluster] (UndertowEventHandlerAdapter - 1) MODCLUSTER000043: Failed to send INFO command to vps383894.ovh.net/79.137.82.56:8180: Unrecognized SSL message, plaintext connection?
My proxy_cluster.conf is:

MemManagerFile /var/cache/mod_cluster
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule advertise_module /usr/lib/apache2/modules/mod_advertise.so
LoadModule manager_module /usr/lib/apache2/modules/mod_manager.so
LoadModule proxy_cluster_module /usr/lib/apache2/modules/mod_proxy_cluster.so
LoadModule cluster_slotmem_module /usr/lib/apache2/modules/mod_cluster_slotmem.so

Listen 8180 http

SSLProxyEngine On
SSLProxyVerify require
SSLProxyVerifyDepth 1      # if not using self signed certificates set the verify depth appropriately
SSLProxyCACertificateFile /home/olivier/dev/MyRootCA.pem
SSLProxyMachineCertificateFile /home/olivier/dev/MyClient1.pem
SSLProxyProtocol ALL -SSLv2

    SSLEngine on
    SSLCertificateFile /home/olivier/dev/MyClient1.pem
    SSLCertificateKeyFile /home/olivier/dev/certs/MyClient1.key

    # add ip of JBoss nodes to join this proxy here
    #Require ip vps383894.ovh.net
    #Require all granted
    Allow from all
    Order deny,allow
    Allow from all

    ServerAdvertise on
    EnableMCPMReceive

    SetHandler mod_cluster-manager
    # add ip of clients allowed to access mod_cluster-manager
    #Require ip vps383894.ovh.net
    #Require all granted
    Allow from all
    Order deny,allow

LogLevel message

The standalone-ha.xml contains the following modifications:

[XML snippet not preserved in the list archive]

and

[XML snippet not preserved in the list archive]

Keycloak is launched as follows:

/standalone.sh -c standalone-ha.xml -Djboss.socket.binding.port-offset=300 -Djboss.node.name=node1 -Djboss.bind.address=vps383894.ovh.net

MyRootCA and MyClient1 are part of the keystores.jks

What could be wrong with my settings?
Regards,

Olivier

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From psilva at redhat.com Wed Feb 14 06:53:17 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 14 Feb 2018 09:53:17 -0200
Subject: [keycloak-user] Share resource by checking if some other user is in a certain group
In-Reply-To:
References:
Message-ID:

On Tue, Feb 13, 2018 at 4:50 PM, Or Harary wrote:

> Hello,
>
> After some time of using keycloak which works great for most of my demands,
> I wanted to know if it's possible to create a permission with a policy that
> will tell me if some user (not the one who is logged in) is within a
> certain group.
>
> For example:
>
> User 1 has a digital wallet.
> This digital wallet has a resource:
> name: /wallet/{wallet-id}
> uri: /{user-1-id}/wallet/{wallet-id}
> scopes: charge/read/...
>
> User 2 has a company which is represented as a group
>
> User 2 wants to charge user 1's digital wallet but I want him to only be able
> to do so when user 1 is inside user 2's company group
>
> How can I check this with a policy?
> Or somehow share user 1's resource with user 2 by a policy?
>

We are introducing some changes to authorization services in order to update the implementation to UMA 2.0.

One of the main features we are delivering is the user-managed access part we were missing in the current implementation, where users are allowed to share their resources.

We are also providing some RESTful endpoints which your applications (resource servers) can use to manage permission requests.

Right now, I think you can try a JS policy that checks for the group and the user allowed to access a resource. Let me know if you are able to do so; if not, we have space to improve what we expose via the Evaluation API (the objects exposed to policies with the permission being requested + context).

Regards.
Pedro Igor

>
> Thanks!
From harary.or at gmail.com Wed Feb 14 07:11:41 2018
From: harary.or at gmail.com (Or Harary)
Date: Wed, 14 Feb 2018 14:11:41 +0200
Subject: [keycloak-user] Share resource by checking if some other user is in a certain group
In-Reply-To:
References:
Message-ID:

Hi,

Thanks for the response.
I have a policy which checks if a user is in a certain group which is related to the resource, but my case is a bit different because I want to check if another user (not the one who calls the authorization API) is in a group.
I'll try to explain some more.

I have one case like this:

some resource with the following path:
/company/{company id}/resource_name/{resource_id}

a group representing the company with the name:
/company/{company id}

Users who are managers in the company are in this group.
I have a group mapper which puts the groups with their full path inside the token.
This way it's easy for me to check if a user has access to a company's resources by a JS policy (match the groups' company ids with the resource URI).

My different case with the wallet is that the resource is not held by the company; it's the user's resource and this resource should be "visible" to multiple companies under the right conditions.
This resource URI is:
/{user-1-id}/wallet/{wallet-id}
as I mentioned before.

So when a "manager" (a user in a company's group) tries to access a different user's resource like this, I don't have the option to check groups, because I need the resource owner's groups and not the groups of the user who requests the permissions.
Hope it clears the question a little more.

With the improvements you mentioned about the user managed access, will it be possible to control it by a policy or will it be implicit by specifying specific users which will be able to access this resource? Because I need a dynamic solution (managers can always change).
From psilva at redhat.com Wed Feb 14 07:52:08 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 14 Feb 2018 10:52:08 -0200
Subject: [keycloak-user] Share resource by checking if some other user is in a certain group
In-Reply-To:
References:
Message-ID:

On Wed, Feb 14, 2018 at 10:11 AM, Or Harary wrote:

> Hi,
>
> Thanks for the response.
> I have a policy which checks if a user is in a certain group which is
> related to the resource, but my case is a bit different because I want to
> check if another user (not the one who calls the authorization API) is in a
> group.
> I'll try to explain some more.
>
> I have one case like this:
>
> some resource with the following path:
> /company/{company id}/resource_name/{resource_id}
>
> a group representing the company with the name:
> /company/{company id}
>
> Users who are managers in the company are in this group.
> I have a group mapper which puts the groups with their full path inside
> the token.
> This way it's easy for me to check if a user has access to a company's
> resources by a JS policy (match the groups' company ids with the resource
> URI).
>
> My different case with the wallet is that the resource is not held by the
> company; it's the user's resource and this resource should be "visible" to
> multiple companies under the right conditions.
> This resource URI is:
> /{user-1-id}/wallet/{wallet-id}
> as I mentioned before.
>
> So when a "manager" (a user in a company's group) tries to access a
> different user's resource like this, I don't have the option to check groups,
> because I need the resource owner's groups and not the groups of the user who
> requests the permissions.
> Hope it clears the question a little more.
>

Yeah, it is clear now. Thanks.
I think we can improve the Evaluation API and expose the owner as an object. Or even provide additional methods to check roles/groups that accept a username/id (such as the owner as it stands today).

Another improvement we are planning is to allow pushing additional claims when obtaining a RPT (token with permissions) from the server. Not sure if this is going to help you in this case, but you will be able to push these claims to your policies and use them to determine a decision.

Lastly, there is also an issue to introduce attributes to resources ....

>
> With the improvements you mentioned about the user managed access will it
> be possible to control it by a policy or will it be implicit by specifying
> specific users which will be able to access this resource? because I need a
> dynamic solution (managers can always change)
>

By specifying specific users which will be able to access a resource. This is not controlled by a policy, but by a direct approval from the resource owner to access some of his resources.

The main idea behind this feature is privacy. Users should be able to grant, revoke and review access to their resources anytime (such as using the Keycloak User Account Service). But you can also manage these permissions using the RESTful endpoints I mentioned before.

These permissions override any result produced by the evaluation engine. If this user-defined permission exists (and is granted), access is granted even though your policies voted for a DENY.

From subodhcjoshi82 at gmail.com Wed Feb 14 09:48:24 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Wed, 14 Feb 2018 20:18:24 +0530
Subject: [keycloak-user] Client secret not provided in request [unauthorized_client]
In-Reply-To:
References:
Message-ID:

After many hits and tries I found this:

./kcadm.sh config credentials --server https://:8666/auth --realm master --user admin --password admin --client admin-cli

But can someone please confirm whether, by default after Keycloak installation, *Access-Type* is *public* or *Confidential*?
On Wed, Feb 14, 2018 at 4:28 PM, Subodh Joshi wrote:

> Hi All
>
> I am trying to run this command through ADMIN CLI
> ./kcadm.sh config credentials --server https://:8666/auth
> --realm master --user admin --password admin
>
> But end with the issue
> Client secret not provided in request [unauthorized_client]

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From lkrzyzan at redhat.com Wed Feb 14 10:24:39 2018
From: lkrzyzan at redhat.com (Libor Krzyžanek)
Date: Wed, 14 Feb 2018 16:24:39 +0100
Subject: [keycloak-user] Keycloak 3.4.3 Failover with session replication
In-Reply-To: <58ff0801-1935-a938-ef9b-775cf306f9d9@redhat.com>
References: <198C8306-E699-47B9-9099-807187F261F3@redhat.com> <7860F966-8A6F-411C-BE2A-2601E8D243FD@redhat.com> <58ff0801-1935-a938-ef9b-775cf306f9d9@redhat.com>
Message-ID:

Hi,
thanks for the advice. It looks to be working.

Any reason why we should rather use a "replicated cache" instead of distributed with 2 owners? Is there any tricky implication? What would be your advice: stay with a distributed cache with 2 owners or switch to a replicated cache?

Thank you very much,

Libor Krzyžanek
Principal Software Engineer
Middleware Engineering Services

> On 13.02.2018, at 21:52, Marek Posolda wrote:
>
> Hi Libor,
>
> you need to increase owners also for "clientSessions" and "offlineClientSessions".
>
> Marek
>> this is output in log when one node is killed:
>>
>>
>> 2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
>> 2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
>> 2018-02-12 15:16:44,795 WARN [org.infinispan.CLUSTER] (transport-thread--p32-t6) [Context=client-mappings]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>> 2018-02-12 15:16:44,801 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=authenticationSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>> 2018-02-12 15:16:44,803 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=sessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>> 2018-02-12 15:16:44,805 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=clientSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>> 2018-02-12 15:16:44,807 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=work]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency.
>> Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>> 2018-02-12 15:16:44,810 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=offlineSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>> 2018-02-12 15:16:44,823 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=loginFailures]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>> 2018-02-12 15:16:44,825 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=actionTokens]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>>
>>
>> Thanks,
>>
>> Libor Krzyžanek
>> Principal Software Engineer
>> Middleware Engineering Services
>>
>>> On 13.02.2018, at 10:20, Libor Krzyžanek wrote:
>>>
>>> Hi,
>>> we're upgrading keycloak from 1.9. to 3.4 and caches changed quite a lot.
>>>
>>> The setup is simply two nodes in HA mode. I see that nodes see each other but it's not clear to me what is the easiest way how to achieve failover with session replication. In KC 1.9 we just increased owners=2 and it was enough.
>>>
>>> We tried the default setup with distributed-caches (most of them have owners="1") and when one node is killed (not shutdown.sh but hard java kill) then user lost session and is asked to login again once LB forward traffic to second node.
>>>
>>> We tried to increase owners on these caches
>>>
>>>
>>> but with no luck.
>>>
>>> I read this article: http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html
>>> but we don't have JDG because it's just simple cluster with two nodes within same datacenter.
>>>
>>> What is the best and easiest approach to achieve failover with session replication?
>>>
>>> Thanks,
>>>
>>> Libor
>>>
>>> Libor Krzyžanek
>>> Principal Software Engineer
>>> Middleware Engineering Services
>>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From adr_gonzalez at yahoo.fr Wed Feb 14 11:03:24 2018
From: adr_gonzalez at yahoo.fr (Adrian Gonzalez)
Date: Wed, 14 Feb 2018 16:03:24 +0000 (UTC)
Subject: [keycloak-user] User REST API: n+1 selects
In-Reply-To: <2108019504.98519.1518480241144@mail.yahoo.com>
References: <1467066654.5013.1518471428961.ref@mail.yahoo.com> <1467066654.5013.1518471428961@mail.yahoo.com> <2014615029.56093.1518472582245@mail.yahoo.com> <609721624.45055.1518477981314@mail.yahoo.com> <2108019504.98519.1518480241144@mail.yahoo.com>
Message-ID: <1011459388.1577856.1518624204852@mail.yahoo.com>

Hello,

I created the following JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-6589
And I sent a PR to fix the issue on the User search API: https://github.com/keycloak/keycloak/pull/4999

Could a KC committer please consider it?

Thanks,
Adrian

On Tuesday 13 February 2018 at 01:04:01 UTC+1, Adrian Gonzalez wrote:

On Group API, I think it's less critical, first loading is resource consuming, but afterwards, the groups are in cache.

With a db with 1000 groups (no hierarchy)
1. The first call to /groups with first=0, max=100 issues 3076 SQL statements. If I add @Fetch(Subselect), the number of statements is reduced to 2077 (2 times n+1 select, n being 1000). Then the rest is done in https://github.com/keycloak/keycloak/blob/a743600b344763ce2e7f70a625f590a8425fc5f3/model/infinispan/src/main/java/org/keycloak/models/cache/infinispan/entities/CachedGroup.java#L47-L55
2. later calls are cached, so no more db access (until a group is updated/removed I assume)

On Tuesday 13 February 2018 at 00:26:21 UTC+1, Adrian Gonzalez wrote:

Here are some test results:

Laptop: Intel Core i7-6820HQ CPU 2.70GHz
8 16 o RAM
settings as per https://github.com/keycloak/keycloak/blob/3.4.1.CR1/testsuite/performance/README.provisioning-parameters.md
Injector, KC and postgres are on the same laptop.

Scenario: /users call with username criteria returning a 100 users page. 1000 total users in db.

Before optimization:

1 thread, no wait
tx/s: 9
avg response time (ms): 110
CPU: java=80%, postgres=20%
mem

5 thread, no wait
tx/s: 31
avg response time (ms): 149
CPU: java=628%, postgres=135% (19 processes with 7.6%)
mem: 1g used

10 thread, no wait
tx/s: 41.5
avg response time (ms): 219
CPU: java=613%, postgres=135% (9 processes with 15%)
mem: 400m used

wrote:

As a workaround for issue 2, we can activate Permissions in realm-management Client (I've created a custom realm to avoid working on master realm). This way, we ensure root.realmResourceServer() is not null. But that's a bit convoluted :(

On Monday 12 February 2018 at 22:37:08 UTC+1, Adrian Gonzalez wrote:

Hello,

I'm testing KC 3.4.3 REST API and I get n+1 selects (aka 701 selects when asking for a page of 100 users).

Issue 1:
Looking at the code, there's n+1 select on the following fields of UserEntity:
- attributes
- requiredActions
- credentials
The n+1 select is triggered by https://github.com/keycloak/keycloak/blob/8e53ccf5abb4d7cc3ab8d5abc9d078a7f8725e8a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L215
This can be solved by annotating these attributes with @Fetch(FetchMode.SUBSELECT). I also tried using EntityGraph, but it doesn't work since we're using Collection types (instead of Set) and because we're doing pagination while fetching ToMany associations.

Issue 2: n+1 select because we don't cache null values
We have this select executed n times:

select
    resourcese0_.ID as ID1_60_0_,
    resourcese0_.ALLOW_RS_REMOTE_MGMT as ALLOW_RS2_60_0_,
    resourcese0_.POLICY_ENFORCE_MODE as POLICY_E3_60_0_
from
    RESOURCE_SERVER resourcese0_
where
    resourcese0_.ID=?
This one is done here: https://github.com/keycloak/keycloak/blob/8e53ccf5abb4d7cc3ab8d5abc9d078a7f8725e8a/services/src/main/java/org/keycloak/services/resources/admin/UsersResource.java#L216
In default setup, root.realmResourceServer() is null. Since StoreFactoryCacheSession doesn't cache null values, the return value never gets cached.
I don't know how to easily solve that one. Should I create an issue?

Thanks

From gustav.lundin at itello.se Wed Feb 14 12:13:16 2018
From: gustav.lundin at itello.se (Gustav Lundin)
Date: Wed, 14 Feb 2018 17:13:16 +0000
Subject: [keycloak-user] Using the adapters, without the server
Message-ID: <2e3e7d4c46a74e118e2f38c4fa66295a@itello.se>

Hi,

Is it possible to use the Keycloak adapters to secure an application against a different authorization server (like ADFS)? I know that the Keycloak server can integrate against ADFS and many other services but for this use case I would like to avoid installing the server altogether. After some quick tests it seems like the adapters (at least the Java OpenID adapters) have hardcoded relative endpoint addresses which prevent them from working with different servers. Maybe I've missed if there is a way to configure this though?

Many thanks,
Gustav

From mposolda at redhat.com Wed Feb 14 12:19:57 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 14 Feb 2018 18:19:57 +0100
Subject: [keycloak-user] Keycloak 3.4.3 Failover with session replication
In-Reply-To:
References: <198C8306-E699-47B9-9099-807187F261F3@redhat.com> <7860F966-8A6F-411C-BE2A-2601E8D243FD@redhat.com> <58ff0801-1935-a938-ef9b-775cf306f9d9@redhat.com>
Message-ID: <8789abb5-a2a8-d115-f68b-11e42c5aa709@redhat.com>

We didn't try to test with replicated cache. I think the replicated cache is same thing like distributed cache where number-of-owners is same like number of nodes in cluster. For cluster with 2 nodes, I think there is no difference between replicated cache and distributed cache with 2 owners.
For setup with more nodes, replicated cache has the disadvantage that memory footprint is bigger (every item is saved on all cluster nodes) and writes are more expensive. Reads are less expensive with replicated cache as every item is available locally, but with sticky sessions (which we have some support in latest Keycloak), the advantage of cheaper reads is not so important as read items are usually available on the "local" nodes anyway.

Marek

On 14/02/18 16:24, Libor Krzyžanek wrote:
> Hi,
> thanks for advice. It looks to be working.
>
> Any reason why we should rather use "replicated cache" instead of
> distributed with 2 owners? Is there any tricky implication?
> What would be your advice - stay with distributed cache with 2 owners
> or switch to replicated cache?
>
> Thank you very much,
>
> Libor Krzyžanek
> Principal Software Engineer
> Middleware Engineering Services
>
>> On 13.02.2018, at 21:52, Marek Posolda wrote:
>>
>> Hi Libor,
>>
>> you need to increase owners also for "clientSessions" and
>> "offlineClientSessions" .
>>
>> Marek
>>
>> On 13/02/18 10:23, Libor Krzyžanek wrote:
>>> And btw. this is output in log when one node is killed:
>>>
>>>
>>> 2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
>>> 2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
>>> 2018-02-12 15:16:44,795 WARN [org.infinispan.CLUSTER] (transport-thread--p32-t6) [Context=client-mappings]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency.
>>> Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>>> 2018-02-12 15:16:44,801 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=authenticationSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>> 2018-02-12 15:16:44,803 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=sessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>> 2018-02-12 15:16:44,805 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=clientSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>> 2018-02-12 15:16:44,807 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=work]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>>> 2018-02-12 15:16:44,810 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=offlineSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>> 2018-02-12 15:16:44,823 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=loginFailures]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>> 2018-02-12 15:16:44,825 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=actionTokens]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency.
>>> Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>>>
>>>
>>> Thanks,
>>>
>>> Libor Krzyžanek
>>> Principal Software Engineer
>>> Middleware Engineering Services
>>>
>>>> On 13.02.2018, at 10:20, Libor Krzyžanek wrote:
>>>>
>>>> Hi,
>>>> we're upgrading keycloak from 1.9. to 3.4 and caches changed quite
>>>> a lot.
>>>>
>>>> The setup is simply two nodes in HA mode. I see that nodes see each
>>>> other but it's not clear to me what is the easiest way how to
>>>> achieve failover with session replication. In KC 1.9 we just
>>>> increased owners=2 and it was enough.
>>>>
>>>> We tried the default setup with distributed-caches (most of them
>>>> have owners="1") and when one node is killed (not shutdown.sh but
>>>> hard java kill) then user lost session and is asked to login again
>>>> once LB forward traffic to second node.
>>>>
>>>> We tried to increase owners on these caches
>>>>
>>>> owners="2"/>
>>>> but with no luck.
>>>>
>>>> I read this
>>>> article: http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html
>>>> but we don't have JDG because it's just simple cluster with two
>>>> nodes within same datacenter.
>>>>
>>>> What is the best and easiest approach to achieve failover with
>>>> session replication?
>>>>
>>>> Thanks,
>>>>
>>>> Libor
>>>>
>>>> Libor Krzyžanek
>>>> Principal Software Engineer
>>>> Middleware Engineering Services
>>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From betalb at gmail.com Wed Feb 14 14:14:52 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Wed, 14 Feb 2018 19:14:52 +0000
Subject: [keycloak-user] Token exchange without configured policy
Message-ID:

Hi

I've been experimenting with internal to internal token exchange [1] and managed to exchange token without configured policy

My original token belongs to public client (token_owner_klient_id) and I'm trying to exchange it with audience set to a confidential client that allows only client credentials grant (confidential_client). If I execute request as provided in documentation access is denied, but if I'll provide confidential_client+confidential_client_secret exchange operation succeeds. The only difference in tokens issued with and without policy is that with policy azp claim is set correctly to token_owner_klient_id.

The question is -- is it correct behaviour from the perspective of token exchange?
curl -v -X POST --user confidential_client:confidential_client_secret \
    -d "client_id=token_owner_klient_id" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
    -d "subject_token=${TOKEN}" \
    --data-urlencode "requested_token_type=urn:ietf:params:oauth:token-type:refresh_token" \
    -d "audience=confidential_client" \
    http://keycloak/auth/realms/configured-realm/protocol/openid-connect/token

[1] http://www.keycloak.org/docs/latest/securing_apps/index.html#internal-token-to-internal-token-exchange

From mposolda at redhat.com Wed Feb 14 17:04:29 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 14 Feb 2018 23:04:29 +0100
Subject: [keycloak-user] Using the adapters, without the server
In-Reply-To: <2e3e7d4c46a74e118e2f38c4fa66295a@itello.se>
References: <2e3e7d4c46a74e118e2f38c4fa66295a@itello.se>
Message-ID:

Hi,

I think that Keycloak SAML adapter is able to work with any 3rd party SAML IDP Server. However Keycloak OIDC adapter won't work with other server than Keycloak.

Marek

On 14/02/18 18:13, Gustav Lundin wrote:
> Hi,
>
> Is it possible to use the Keycloak adapters to secure an application against a different authorization server (like ADFS)? I know that the Keycloak server can integrate against ADFS and many other services but for this use case I would like to avoid installing the server altogether. After some quick tests it seems like the adapters (at least the Java OpenID adapters) have hardcoded relative endpoint addresses which prevent them from working with different servers. Maybe I've missed if there is a way to configure this though?
>
> Many thanks,
> Gustav
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Feb 14 17:10:54 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 14 Feb 2018 23:10:54 +0100
Subject: [keycloak-user] How to add custom information (a session note) in UserSession
In-Reply-To:
References:
Message-ID:

If you want to add the information during authentication, then you may implement custom Authenticator (See docs and examples for Authentication SPI) and call AuthenticationSessionModel.setUserSessionNote.

If you want after authentication, then maybe invoke REST endpoint for that (See docs and examples for REST SPI) with the token, which will need to be verified in your REST endpoint and then can be used to load the proper userSession (tokens have the info in the session_state claim).

Marek

On 12/02/18 15:03, Logan HAUSPIE wrote:
> Hi there,
>
> I would like to know what I have to do (server-development) to add custom
> data in the user session.
>
> My purpose is to call an External Web Service to retrieve some data and add
> it to the User Session.
> This returned data will be different from one call to another. So it's
> important for me to 'store' it in the session and not in the user.
>
> Which Provider do I need to implement to do that ?
>
> Thanks in advance.
>
> *Logan HAUSPIE*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Wed Feb 14 17:11:55 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 14 Feb 2018 23:11:55 +0100
Subject: [keycloak-user] Custom JAAS login module for Keyclock auth
In-Reply-To:
References:
Message-ID: <6a587b96-7d13-2171-c6c6-8111732e2223@redhat.com>

We have some JAAS login modules. See [1].
You can either re-use them or create something similar based on your needs.

[1] http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/jaas.html

Marek

On 12/02/18 15:04, valsaraj pv wrote:
> Hi,
>
> I would like to know how to write custom JAAS login module for Keycloak
> auth.
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From carlosthe19916 at gmail.com Wed Feb 14 22:17:11 2018
From: carlosthe19916 at gmail.com (Carlos Feria)
Date: Wed, 14 Feb 2018 22:17:11 -0500
Subject: [keycloak-user] Offline tokens with external IDP
In-Reply-To:
References:
Message-ID:

I'm facing a similar problem like Haim Vana. I need offline access to External IDP (Google). I meant, I need to read user's inbox in offline mode (using external token), but the problem is that the token stored on Keycloak is just access_token and there is no refresh_token and because of that is not possible to get a new access_token from google without login again.

I was searching a title about this and I found this message http://lists.jboss.org/pipermail/keycloak-dev/2015-April/004350.html where "Stian Thorgersen" explains a title about the problem.

In general, is there a way to have offline access to external IDP? How would I face this problem? please help me.

On Mon, Sep 19, 2016 at 5:27 AM, Haim Vana wrote:

> Hi,
>
> I have combined the offline-access and the saml-broker-authentication
> examples in order to create demo for generating offline tokens.
>
> It works as expected with External IDP however when the user is already
> logged in the offline token is not generated - a regular token is generated
> instead.
>
> Any idea if it is as designed or am I doing something wrong ? if it is by
> design is there any work around to generate the External IDP offline token
> without user logout ?
>
> Thanks,
> Haim.
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, August 16, 2016 12:09 PM
> *To:* Haim Vana
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Offline tokens with external IDP
>
> On 16 August 2016 at 10:11, Haim Vana wrote:
>
> Hi Stian,
>
> Thanks for your answer.
>
> What I meant to ask is how to create offline token for external IDP, I
> wasn't able to it with REST API (I am able to it if it's not external IDP).
>
> The only way I managed to do it was when adding offline_access to the UI
> login page, so for external IDP ? is it the only way ? REST API is not
> supported ?
>
> Login page is the only way for external IdPs.
>
> Assuming it's the only way I thought to create external UI service for the
> user to log in and get his offline token.
>
> What do you think about such solution ? also if the user will be already
> logged in ? do you know if the offline token will be created ? or the will
> have to logout and login again?
>
> Depends on what your script is implemented in it can also start a web
> server on localhost, then popup the browser window to do the login and
> finally it'll get the code and can get the offline token directly itself.
> Take a look at our customer-app-cli example. It doesn't do offline token,
> but would be trivial to change it to do that instead.
>
> Thanks,
> Haim.
>
> *From:* Stian Thorgersen [mailto:sthorger at redhat.com]
> *Sent:* Tuesday, August 16, 2016 10:52 AM
> *To:* Haim Vana
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Offline tokens with external IDP
>
> On 25 July 2016 at 09:01, Haim Vana wrote:
>
> Hi,
>
> We are using KeyCloak for a several weeks now, one of the flows is user
> script authentication with offline token:
>
> 1. The user log in to the UI
> 2. Generates offline token by entering his password again
> 3. Put the offline token in his script
> 4.
> Executes the script
>
> Now we want to add external IDP support, first is it possible to generate
> offline tokens for external IDP in KeyCloak ? if so how ?
>
> Assuming you're using the Keycloak login screen it's just a matter of
> configuring the external IdP as an identity broker provider and it will be
> displayed as an option on the login screen.
>
> Second in section #2 above the user enters his password to generate the
> offline token, with external IDP we can't use his password, one alternative
> is to always generate the offline token in the login (add offline_access),
> however does it make sense to create offline token for every login ?
>
> You shouldn't create offline token for every login, just once for a new
> user or once offline token is no longer valid.
>
> Thanks,
> Haim.
>
> The information contained in this message is proprietary to the sender,
> protected from disclosure, and may be privileged. The information is
> intended to be conveyed only to the designated recipient(s) of the message.
> If the reader of this message is not the intended recipient, you are hereby
> notified that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please notify us immediately by
> replying to the message and deleting it from your computer. Thank you.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> The information contained in this message is proprietary to the sender,
> protected from disclosure, and may be privileged. The information is
> intended to be conveyed only to the designated recipient(s) of the message.
> If the reader of this message is not the intended recipient, you are hereby
> notified that any dissemination, use, distribution or copying of this
> communication is strictly prohibited and may be unlawful. If you have
> received this communication in error, please notify us immediately by
> replying to the message and deleting it from your computer. Thank you.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

--
Carlos E. Feria Vila

From valsarajpv at gmail.com Wed Feb 14 22:59:39 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 15 Feb 2018 09:29:39 +0530
Subject: [keycloak-user] Custom JAAS login module for Keyclock auth
In-Reply-To: <6a587b96-7d13-2171-c6c6-8111732e2223@redhat.com>
References: <6a587b96-7d13-2171-c6c6-8111732e2223@redhat.com>
Message-ID:

Hi Marek,

Yes, I see this but I want to include custom logic in my existing login module as well. So how to create a custom keycloak login module? Currently I have integrated keycloak using wildfly adapter. Should I rebuild adapter with my custom module? If I add custom adapter with my ear, I want dependency jars of Keycloak to build the custom login module. What is recommended to get the Keycloak jars (not using maven)?

Thanks!
On Thu, Feb 15, 2018 at 3:41 AM, Marek Posolda wrote:

> We have some JAAS login modules. See [1]. You can either re-use them or
> create something similar based on your needs.
>
> [1] http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/jaas.html
>
> Marek
>
>
> On 12/02/18 15:04, valsaraj pv wrote:
>
>> Hi,
>>
>> I would like to know how to write custom JAAS login module for Keycloak
>> auth.
>>
>> Thanks!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

--
Life is like this: "Just when we get all the answers of life.... God changes the question paper....
Valsaraj Viswanathan

From haimv at perfectomobile.com Thu Feb 15 01:21:56 2018
From: haimv at perfectomobile.com (Haim Vana)
Date: Thu, 15 Feb 2018 06:21:56 +0000
Subject: [keycloak-user] Offline tokens with external IDP
In-Reply-To:
References: ,
Message-ID:

Hi,

We generated the offline token using the UI flow, e.g. added offline_access to the URL.

-------- Original message --------
From: Carlos Feria
Date: 2/15/18 05:17 (GMT+02:00)
To: Haim Vana
Cc: stian at redhat.com, keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Offline tokens with external IDP

I'm facing a similar problem like Haim Vana. I need offline access to External IDP (Google). I meant, I need to read user's inbox in offline mode (using external token), but the problem is that the token stored on Keycloak is just access_token and there is no refresh_token and because of that is not possible to get a new access_token from google without login again.

I was searching a title about this and I found this message http://lists.jboss.org/pipermail/keycloak-dev/2015-April/004350.html where "Stian Thorgersen" explains a title about the problem.

In general, is there a way to have offline access to external IDP? How would I face this problem? please help me.
On Mon, Sep 19, 2016 at 5:27 AM, Haim Vana wrote:

Hi,

I have combined the offline-access and the saml-broker-authentication examples in order to create demo for generating offline tokens.

It works as expected with External IDP however when the user is already logged in the offline token is not generated - a regular token is generated instead.

Any idea if it as designed or am I doing something wrong ? if it is by design is there any work around to generate the External IDP offline token without user logout ?

Thanks,
Haim.

From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, August 16, 2016 12:09 PM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Offline tokens with external IDP

On 16 August 2016 at 10:11, Haim Vana wrote:

Hi Stian,

Thanks for your answer.

What I meant to ask is how to create offline token for external IDP, I wasn't able to it with REST API (I am able to it if it's not external IDP).

The only way I managed to do it was when adding offline_access to the UI login page, so for external IDP ? is it the only way ? REST API is not supported ?

Login page is the only way for external IdPs.

Assuming it's the only way I thought to create external UI service for the user to log in and get his offline token.

What do you think about such solution ? also if the user will be already logged in ? do you know if the offline token will be created ? or the will have to logout and login again?

Depends on what your script is implemented in it can also start a web server on localhost, then popup the browser window to do the login and finally it'll get the code and can get the offline token directly itself. Take a look at our customer-app-cli example. It doesn't do offline token, but would be trivial to change it to do that instead.

Thanks,
Haim.
From: Stian Thorgersen [mailto:sthorger at redhat.com]
Sent: Tuesday, August 16, 2016 10:52 AM
To: Haim Vana
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Offline tokens with external IDP

On 25 July 2016 at 09:01, Haim Vana wrote:

Hi,

We are using KeyCloak for a several weeks now, one of the flows is user script authentication with offline token:

1. The user log in to the UI
2. Generates offline token by entering his password again
3. Put the offline token in his script
4. Executes the script

Now we want to add external IDP support, first is it possible to generate offline tokens for external IDP in KeyCloak ? if so how ?

Assuming you're using the Keycloak login screen it's just a matter of configuring the external IdP as an identity broker provider and it will be displayed as an option on the login screen.

Second in section #2 above the user enters his password to generate the offline token, with external IDP we can't use his password, one alternative is to always generate the offline token in the login (add offline_access), however does it make sense to create offline token for every login ?

You shouldn't create offline token for every login, just once for a new user or once offline token is no longer valid.

Thanks,
Haim.
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Carlos E. Feria Vila

From mposolda at redhat.com Thu Feb 15 03:55:48 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Thu, 15 Feb 2018 09:55:48 +0100
Subject: [keycloak-user] Custom JAAS login module for Keyclock auth
In-Reply-To:
References: <6a587b96-7d13-2171-c6c6-8111732e2223@redhat.com>
Message-ID: <33947ea2-b58a-0a18-6ebd-320e5003f82a@redhat.com>

Hi,

instead of adding something to the Keycloak modules directly and rebuilding them etc., it's usually much better to have your Java classes in a separate module and have a dependency on the Keycloak adapter modules if needed.

For inspiration, you can maybe take a look at another example for an EJB client I wrote some time ago. It uses a JAAS login module on the server side: https://github.com/mposolda/keycloak-remote-ejb

Marek

On 15/02/18 04:59, valsaraj pv wrote:
> Hi Marek,
>
> Yes, I see this but I want to include custom logic in my existing
> login module as well. So how to create a custom keycloak login module?
> Currently I have integrated keycloak using wildfly adapter. Should I
> rebuild adapter with my custom module? If I add custom adapter with my
> ear, I want dependency jars of Keycloak to build the custom login
> module. What is recommended to get the Keycloak jars (not using maven)?
>
> Thanks!
>
> On Thu, Feb 15, 2018 at 3:41 AM, Marek Posolda wrote:
>
> We have some JAAS login modules. See [1]. You can either re-use
> them or create something similar based on your needs.
>
> [1] http://www.keycloak.org/docs/3.2/securing_apps/topics/oidc/java/jaas.html
>
> Marek
>
> On 12/02/18 15:04, valsaraj pv wrote:
>
> Hi,
>
> I would like to know how to write custom JAAS login module for
> Keyclock auth.
>
> Thanks!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Life is like this: "Just when we get all the answers of life.... God
> changes the question paper....
>
> Valsaraj Viswanathan

From harary.or at gmail.com Thu Feb 15 05:00:03 2018
From: harary.or at gmail.com (Or Harary)
Date: Thu, 15 Feb 2018 12:00:03 +0200
Subject: [keycloak-user] Share resource by checking if some other user is in a certain group
In-Reply-To:
References:
Message-ID:

On Wed, Feb 14, 2018 at 2:52 PM, Pedro Igor Silva wrote:

> On Wed, Feb 14, 2018 at 10:11 AM, Or Harary wrote:
>
>> Hi,
>>
>> Thanks for the response.
>> I have a policy which checks if a user is in a certain group which is
>> related to the resource, but my case is a bit different because I want to
>> check if another user (not the one who calls the authorization api) is in a
>> group.
>> I'll try to explain some more-
>>
>> I have one case like this:
>>
>> some resource with the following path:
>> /company/{company id}/resource_name/{resource_id}
>>
>> a group representing the company with the name:
>> /company/{company id}
>>
>> Users who are managers in the company are in this group.
>> I have a group mapper which puts the groups with their full path inside
>> the token.
>> This way it's easy for me to check if a user has access to a company's
>> resources by a JS policy (match the groups' company ids with the resource
>> uri).
>>
>> My different case with the wallet is that the resource is not held by the
>> company, it's the user's resource and this resource should be "visible" by
>> multiple companies in the right conditions.
>> This resource URI is:
>> /{user-1-id}/wallet/{wallet-id}
>> as I mentioned before
>>
>> So when a "manager" (a user in a company's group) tries to access a
>> different user's resource like this, I don't have the option to check groups,
>> because I need the resource owner's groups and not the groups of the user who
>> requests the permissions.
>> Hope it clears the question a little more.
>>
>
> Yeah, it is clear now. Thanks.
>
> I think we can improve the Evaluation API and expose the owner as an
> object. Or even provide additional methods to check roles/groups that
> accept a username/id (such as the owner as it stands today).
>

That would be awesome! Querying the resource owner's groups/roles would work great for me here!

> Other improvement we are planning is to allow pushing additional claims when
> obtaining a RPT (token with permissions) from the server. Not sure if this
> is going to help you in this case, but you will be able to push these
> claims to your policies and use them to determine a decision.
>
> For last, there is also an issue to introduce attributes to resources ....
>

Pushing claims could also help in some stuff but resource attributes will be more efficient.

>
>> With the improvements you mentioned about the user managed access, will it
>> be possible to control it by a policy or will it be implicit by specifying
>> specific users which will be able to access this resource? Because I need a
>> dynamic solution (managers can always change)
>>
>
> By specifying specific users which will be able to access a resource. This
> is not controlled by a policy, but a direct approval by the resource owner
> to access some of his resources. The main idea behind this feature is
> privacy. Users should be able to grant access, revoke and review access to
> their resources anytime (such as using Keycloak User Account Service). But
> you can also manage these permissions using the RESTful endpoints I
> mentioned before.
>
> These permissions override any result produced by the evaluation engine.
> If this user-defined permission exists (and is granted), access is granted
> even though your policies voted for a DENY.
>

Sharing like this is also very useful and will also be a great improvement, and will let users control access to their resources better.

Thanks a lot for the help, would love to see these improvements when they arrive! =]

From subodhcjoshi82 at gmail.com Thu Feb 15 06:55:03 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 15 Feb 2018 17:25:03 +0530
Subject: [keycloak-user] How to use Keycloak Admin-CLI to enable certain properties
Message-ID:

Hi All,

How can I enable these properties of a client from admin-cli only?

- Enable Direct Access Grants
- Direct Access Grants Enabled
- Service Accounts Enabled
- Authorization Enabled

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.questioninmind.com

From ba.andrzejczak at gmail.com Thu Feb 15 07:15:02 2018
From: ba.andrzejczak at gmail.com (Bartosz Andrzejczak)
Date: Thu, 15 Feb 2018 13:15:02 +0100
Subject: [keycloak-user] How to use Keycloak Admin-CLI to enable certain properties
In-Reply-To:
References:
Message-ID: <338DBBB5-A9B5-4495-AF73-EF1A04C11ACF@gmail.com>

Hi,

These are all described in ClientRepresentation in the docs:
http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_clientrepresentation

They're in order:
* For the first, do you mean the template? The property is named the same as for the client (listed below), just the endpoint is different.
* directAccessGrantsEnabled
* serviceAccountsEnabled
* authorizationServicesEnabled

The URL for updating the client is listed here:
http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_update_the_client

Cheers,
Bartek

> On 15 Feb 2018, at 12:55 PM, Subodh Joshi wrote:
>
> Hi All,
>
> How can I enable these properties of a client from admin-cli only?
>
> - Enable Direct Access Grants
> - Direct Access Grants Enabled
> - Service Accounts Enabled
> - Authorization Enabled
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.questioninmind.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From subodhcjoshi82 at gmail.com Thu Feb 15 07:29:07 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Thu, 15 Feb 2018 17:59:07 +0530
Subject: [keycloak-user] How to use Keycloak Admin-CLI to enable certain properties
In-Reply-To: <338DBBB5-A9B5-4495-AF73-EF1A04C11ACF@gmail.com>
References: <338DBBB5-A9B5-4495-AF73-EF1A04C11ACF@gmail.com>
Message-ID:

Thanks Bartosz for your quick response. It worked.

On Thu, Feb 15, 2018 at 5:45 PM, Bartosz Andrzejczak <ba.andrzejczak at gmail.com> wrote:

> Hi,
>
> These are all described in ClientRepresentation in the docs:
> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_clientrepresentation
>
> They're in order:
> * For the first, do you mean the template? The property is named the same
> as for the client (listed below), just the endpoint is different.
> * directAccessGrantsEnabled
> * serviceAccountsEnabled
> * authorizationServicesEnabled
>
> The URL for updating the client is listed here:
> http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_update_the_client
>
> Cheers,
> Bartek
>
> On 15 Feb 2018, at 12:55 PM, Subodh Joshi wrote:
>
> Hi All,
>
> How can I enable these properties of a client from admin-cli only?
>
> - Enable Direct Access Grants
> - Direct Access Grants Enabled
> - Service Accounts Enabled
> - Authorization Enabled
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.questioninmind.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From lkrzyzan at redhat.com Thu Feb 15 09:18:47 2018
From: lkrzyzan at redhat.com (Libor Krzyžanek)
Date: Thu, 15 Feb 2018 15:18:47 +0100
Subject: [keycloak-user] Keycloak 3.4.3 Failover with session replication
In-Reply-To: <8789abb5-a2a8-d115-f68b-11e42c5aa709@redhat.com>
References: <198C8306-E699-47B9-9099-807187F261F3@redhat.com> <7860F966-8A6F-411C-BE2A-2601E8D243FD@redhat.com> <58ff0801-1935-a938-ef9b-775cf306f9d9@redhat.com> <8789abb5-a2a8-d115-f68b-11e42c5aa709@redhat.com>
Message-ID:

Thanks for the clarification. We'll stay with owners=2 then.

Thanks,

Libor Krzyžanek
Principal Software Engineer
Middleware Engineering Services

> On 14.02.2018, at 18:19, Marek Posolda wrote:
>
> We didn't try to test with a replicated cache. I think the replicated cache is the same thing as a distributed cache where number-of-owners is the same as the number of nodes in the cluster. For a cluster with 2 nodes, I think there is no difference between a replicated cache and a distributed cache with 2 owners.
>
> For a setup with more nodes, a replicated cache has the disadvantage that the memory footprint is bigger (every item is saved on all cluster nodes) and writes are more expensive. Reads are less expensive with a replicated cache as every item is available locally, but with sticky sessions (for which we have some support in the latest Keycloak), the advantage of cheaper reads is not so important as read items are usually available on the "local" nodes anyway.
>
> Marek
>
> On 14/02/18 16:24, Libor Krzyžanek wrote:
>> Hi,
>> thanks for the advice. It looks to be working.
>>
>> Any reason why we should rather use a "replicated cache" instead of distributed with 2 owners? Is there any tricky implication?
>> What would be your advice - stay with a distributed cache with 2 owners or switch to a replicated cache?
>>
>> Thank you very much,
>>
>> Libor Krzyžanek
>> Principal Software Engineer
>> Middleware Engineering Services
>>
>>> On 13.02.2018, at 21:52, Marek Posolda wrote:
>>>
>>> Hi Libor,
>>>
>>> you need to increase owners also for "clientSessions" and "offlineClientSessions".
>>>
>>> Marek
>>>
>>> On 13/02/18 10:23, Libor Krzyžanek wrote:
>>>> And btw. this is the output in the log when one node is killed:
>>>>
>>>> 2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
>>>> 2018-02-12 15:16:44,794 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (thread-2) ISPN000094: Received new cluster view for channel ejb: [developer-keycloak04|26] (1) [developer-keycloak04]
>>>> 2018-02-12 15:16:44,795 WARN [org.infinispan.CLUSTER] (transport-thread--p32-t6) [Context=client-mappings]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>>>> 2018-02-12 15:16:44,801 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=authenticationSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>>> 2018-02-12 15:16:44,803 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=sessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>>> 2018-02-12 15:16:44,805 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=clientSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>>> 2018-02-12 15:16:44,807 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=work]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>>>> 2018-02-12 15:16:44,810 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=offlineSessions]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>>> 2018-02-12 15:16:44,823 FATAL [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=loginFailures]ISPN000313: Lost data because of abrupt leavers [developer-keycloak03]
>>>> 2018-02-12 15:16:44,825 WARN [org.infinispan.CLUSTER] (transport-thread--p36-t10) [Context=actionTokens]ISPN000314: Lost at least half of the stable members, possible split brain causing data inconsistency. Current members are [developer-keycloak04], lost members are [developer-keycloak03], stable members are [developer-keycloak04, developer-keycloak03]
>>>>
>>>> Thanks,
>>>>
>>>> Libor Krzyžanek
>>>> Principal Software Engineer
>>>> Middleware Engineering Services
>>>>
>>>>> On 13.02.2018, at 10:20, Libor Krzyžanek wrote:
>>>>>
>>>>> Hi,
>>>>> we're upgrading Keycloak from 1.9 to 3.4 and the caches changed quite a lot.
>>>>>
>>>>> The setup is simply two nodes in HA mode. I see that the nodes see each other but it's not clear to me what is the easiest way to achieve failover with session replication. In KC 1.9 we just increased owners=2 and it was enough.
>>>>>
>>>>> We tried the default setup with distributed-caches (most of them have owners="1") and when one node is killed (not shutdown.sh but a hard java kill) then the user loses the session and is asked to login again once the LB forwards traffic to the second node.
>>>>>
>>>>> We tried to increase owners on these caches
>>>>>
>>>>> but with no luck.
>>>>>
>>>>> I read this article: http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html but we don't have JDG because it's just a simple cluster with two nodes within the same datacenter.
>>>>>
>>>>> What is the best and easiest approach to achieve failover with session replication?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Libor
>>>>>
>>>>> Libor Krzyžanek
>>>>> Principal Software Engineer
>>>>> Middleware Engineering Services
>>>>>
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jonas.schoenenberger at gmail.com Thu Feb 15 10:37:51 2018
From: jonas.schoenenberger at gmail.com (Jonas Schönenberger)
Date: Thu, 15 Feb 2018 16:37:51 +0100
Subject: [keycloak-user] Set Client Roles for Users with Admin Rest Api
Message-ID:

Hi everyone

We try to set client roles while creating users through the Admin Rest Api.
The users get created successfully, however no roles are mapped.

We use the following payload:

{"enabled":true,"username":"Jonas","credentials":[{"value":"zz","type":"password"}],"clientRoles":{"realm-management":["manage-users"]}}

Is something wrong with the payload, or do you have to set the roles in a different way?

Thank you and Best Regards
Jonas

From mmihaylovich at outlook.com Thu Feb 15 10:54:22 2018
From: mmihaylovich at outlook.com (Д Михаил)
Date: Thu, 15 Feb 2018 15:54:22 +0000
Subject: [keycloak-user] Spring Security adapter
Message-ID:

Hello,

I'm going to use Spring Session to substitute the container-specific session management and for session clustering purposes. KeycloakSecurityContext will also be stored in the HTTP session. It means that KeycloakPrincipal with KeycloakSecurityContext will be serialized and deserialized between requests. In this case I faced the following situation:

- After successful authentication

2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] f.KeycloakAuthenticationProcessingFilter : Auth outcome: AUTHENTICATED
2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] o.s.s.authentication.ProviderManager     : Authentication attempt using org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider
2018-02-14 01:02:52.672 DEBUG 14424 --- [nio-8080-exec-6] f.KeycloakAuthenticationProcessingFilter : Authentication success. Updating SecurityContextHolder to contain: org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken@b78d8e87: Principal: user1; Credentials: [PROTECTED]; Authenticated: true; Details: org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount@1906910f; Granted Authorities: ROLE_user, ROLE_uma_authorization

- KeycloakSecurityContextRequestFilter clears SecurityContextHolder.

2018-02-14 01:02:52.715 DEBUG 14424 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /customers at position 11 of 15 in additional filter chain; firing Filter: 'KeycloakSecurityContextRequestFilter'
2018-02-14 01:02:52.715 DEBUG 14424 --- [nio-8080-exec-7] o.s.security.web.FilterChainProxy        : /customers at position 12 of 15 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2018-02-14 01:02:52.716 DEBUG 14424 --- [nio-8080-exec-7] o.s.s.w.a.AnonymousAuthenticationFilter  : Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@6fabe8e0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 06690a32-ab3f-48d6-8776-de16f5d1ad05; Granted Authorities: ROLE_ANONYMOUS'

As a result I had an infinite loop of redirection between my webapp and the Keycloak server.

After some investigation I have found why it happened. When KeycloakSecurityContextRequestFilter checks refreshableSecurityContext.isActive(), refreshableSecurityContext does not contain a KeycloakDeployment (= null). Thus refreshableSecurityContext.isActive() is always false.

    public boolean isActive() {
        // deployment is null after deserialization, so this is always false
        return token != null && this.token.isActive() && deployment != null && this.token.getIssuedAt() > deployment.getNotBefore();
    }

The cause of this situation is that RefreshableKeycloakSecurityContext is created via deserialization and the deployment is not reassigned.

If you agree with that issue I can suggest the solution to set the deployment in the doFilter method of the KeycloakSecurityContextRequestFilter.

    ...
    if (keycloakSecurityContext instanceof RefreshableKeycloakSecurityContext) {
        RefreshableKeycloakSecurityContext refreshableSecurityContext = (RefreshableKeycloakSecurityContext) keycloakSecurityContext;
        KeycloakDeployment deployment = resolveDeployment(request, response);
        // The deserialized context has lost its deployment; re-attach it before isActive() is evaluated.
        if (refreshableSecurityContext.getDeployment() == null) {
            AdapterTokenStore adapterTokenStore = adapterTokenStoreFactory.createAdapterTokenStore(deployment, (HttpServletRequest) request);
            refreshableSecurityContext.setCurrentRequestInfo(deployment, adapterTokenStore);
        }
    ...

From t.chambard at bee-buzziness.com Thu Feb 15 12:01:22 2018
From: t.chambard at bee-buzziness.com (Teddy CHAMBARD)
Date: Thu, 15 Feb 2018 17:01:22 +0000
Subject: [keycloak-user] Performance problem with high number of resources with same type in resource server
In-Reply-To:
References:
Message-ID: <318e6db66e974d3e88e6d11aed127aa9@BBUZ-EXCH01.bbuzg.net>

Hello,

I got an issue while using a high number of resources with the same type in resource server authorizations (Keycloak version 3.4.3.Final).

I entered a JIRA issue: https://issues.jboss.org/browse/KEYCLOAK-6621

But hopefully some of you could testify to the same behaviour.

Best regards

From yuriy.yunikov at verygood.systems Thu Feb 15 14:12:36 2018
From: yuriy.yunikov at verygood.systems (Yuriy Yunikov)
Date: Thu, 15 Feb 2018 19:12:36 +0000
Subject: [keycloak-user] KeyCloak CVE's
Message-ID:

There's been an issue before about Keycloak CVEs, however no more information was found about it.
http://lists.jboss.org/pipermail/keycloak-user/2017-December/012541.html

I would like to get a clear understanding about
https://nvd.nist.gov/vuln/detail/CVE-2017-12160
https://www.saucs.com/cve/CVE-2017-12159
https://www.saucs.com/cve/CVE-2017-12158

Why they're the case and if there are patches for them. There is no information on the CVE websites. It's critical for us to make sure Keycloak has known vulnerabilities fixed.
Can anyone please point me in the right direction or post more information about them?

Regards,
Yuriy Yunikov

From kurrent93 at gmail.com Fri Feb 16 00:55:31 2018
From: kurrent93 at gmail.com (Anton)
Date: Fri, 16 Feb 2018 18:55:31 +1300
Subject: [keycloak-user] Social login - not getting user info
Message-ID:

Hello

I'm working with Keycloak in a mobile app, and am getting familiar with the features and capabilities of Keycloak using https://github.com/TommyJ1994/keyonic-v2. This project is proving to be very helpful!

The issue that I am running into is, when I log in as a user using username/password, then I can see the user's details in the app. However when I log in using a social identity provider, such as Facebook, then I do not get the user info in the app. But, in Keycloak, for both cases the user info is present.

Does anyone know what I am doing wrong?

Thanks

From subodhcjoshi82 at gmail.com Fri Feb 16 01:25:22 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 16 Feb 2018 11:55:22 +0530
Subject: [keycloak-user] Is this possible to hard code the client id through Admin-CLI?
Message-ID:

Hi

I want to create a hard-coded client id at the time of client creation through admin-cli. Is this possible? At the time of client creation, can we give the client-id like we can give the secret?

./kcadm.sh create clients -r MyRealm -s clientId=TEST_1 id=590c3a24-gf46-4ce2-9536-6d2d166d1a8d -s enabled=true -s clientAuthenticatorType=client-secret -s secret=d0b8122f-8dfb-46h7-b69a-f5cc4e25d000

From valsarajpv at gmail.com Fri Feb 16 03:37:08 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Fri, 16 Feb 2018 14:07:08 +0530
Subject: [keycloak-user] Keycloak user federation issue with email constraint
Message-ID:

Hi,

I am checking Keycloak user federation with an openldap source. It worked fine & synced users, but some users are not synced as they have the same email id as already synced users.
I see this constraint in the Keycloak postgresql user_entity table:

CONSTRAINT uk_dykn684sl8up1crfei6eckhd7 UNIQUE (realm_id, email_constraint)

But we need only uid (userName in Keycloak) to be unique. Is there any way to configure that email can be duplicated?

From thomas.isaksen at sysco.no Fri Feb 16 04:00:15 2018
From: thomas.isaksen at sysco.no (Thomas Isaksen)
Date: Fri, 16 Feb 2018 09:00:15 +0000
Subject: [keycloak-user] WebLogic and KeycloakOIDCFilter
In-Reply-To:
References:
Message-ID:

Hi Michal,

Is there any progress on this?

./t

From: Michal Hajas [mailto:mhajas at redhat.com]
Sent: Tuesday, 30 January 2018 10.01
To: Thomas Isaksen
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] WebLogic and KeycloakOIDCFilter

Hi Thomas,

I plan to work on a PR for those tests at the end of this week or the beginning of next week.

Anyway, I had the same problem and I fixed it by setting this value in the admin console (it is only for SAML clients):

Assertion Consumer Service POST Binding URL to http://my-application/saml

Michal

On Fri, Jan 26, 2018 at 10:32 AM Thomas Isaksen wrote:

Does anyone have a working example of this setup on WebLogic? I am still having problems with the infinite loop after authentication. I don't know if my Client config might be wrong.

./t

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From mhajas at redhat.com Fri Feb 16 04:19:09 2018
From: mhajas at redhat.com (Michal Hajas)
Date: Fri, 16 Feb 2018 09:19:09 +0000
Subject: [keycloak-user] WebLogic and KeycloakOIDCFilter
In-Reply-To:
References:
Message-ID:

Hi,

there is a PR in the keycloak repo: https://github.com/keycloak/keycloak/pull/4987. However, I realized there are no OIDC tests, only SAML. On the other hand, these tests are easily expandable to run also with the OIDC filter. One can just extend this class [1] by something similar to this: [2].
There [3] is also a readme on how to run the tests with WebLogic.

Michal

[1] https://github.com/mhajas/keycloak/blob/757e94f66535f775a07ca9b7ff4c9656f60ed709/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractDemoFilterServletAdapterTest.java
[2] https://github.com/mhajas/keycloak/blob/757e94f66535f775a07ca9b7ff4c9656f60ed709/testsuite/integration-arquillian/tests/other/adapters/wls/wls12/src/test/java/org/keycloak/testsuite/adapter/WLSSAMLFilterAdapterTest.java
[3] https://github.com/mhajas/keycloak/tree/757e94f66535f775a07ca9b7ff4c9656f60ed709/testsuite/integration-arquillian/tests/other/adapters/wls/wls12

On Fri, Feb 16, 2018 at 10:00 AM Thomas Isaksen wrote:

> Hi Michal,
>
> Is there any progress on this?
>
> ./t
>
> *From:* Michal Hajas [mailto:mhajas at redhat.com]
> *Sent:* Tuesday, 30 January 2018 10.01
> *To:* Thomas Isaksen
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] WebLogic and KeycloakOIDCFilter
>
> Hi Thomas,
>
> I plan to work on a PR for those tests at the end of this week or the beginning
> of next week.
>
> Anyway, I had the same problem and I fixed it by setting this value in the
> admin console (it is only for SAML clients):
>
> *Assertion Consumer Service POST Binding URL* to
> http://my-application/saml
>
> Michal
>
> On Fri, Jan 26, 2018 at 10:32 AM Thomas Isaksen wrote:
>
> Does anyone have a working example of this setup on WebLogic? I am still
> having problems with the infinite loop after authentication. I don't know
> if my Client config might be wrong.
>
> ./t
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From neza.djukic at gmail.com Fri Feb 16 04:52:30 2018
From: neza.djukic at gmail.com (neza-dj)
Date: Fri, 16 Feb 2018 02:52:30 -0700 (MST)
Subject: [keycloak-user] iOS app with Keycloak for authentication
Message-ID: <1518774750470-0.post@n6.nabble.com>

Hi everyone!

I'm new to the list as I just started to use Keycloak on a project of mine. It's an iOS app where I want to enable login via Keycloak Server, but I need it in the native flow of my app (no WebViews, Safari, SFSafariViewControllers etc.). Therefore I'm trying to make it work with the Resource Owner Password Credentials Grant (or Direct Access Grant in Keycloak). I know this is not the best practice for OAuth2 but this is how I'm required to do it.

Right now I'm working with this library https://github.com/p2/OAuth2 that has the functionality of login, but I also need a registration option for new users, so I'm wondering if anyone has done that and how I should go about doing it - do I write my own HTTPS requests to Keycloak, or how should I do it?

Thank you in advance for any help, I am a newbie to all this so any advice would be appreciated.

Neza

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From subodhcjoshi82 at gmail.com Fri Feb 16 05:41:15 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 16 Feb 2018 16:11:15 +0530
Subject: [keycloak-user] Admin-Cli Automate the realm/client creation
Message-ID:

Hi

Is it possible to login through admin-cli without passing the client and client-secret?
Right now I am trying like this

./kcadm.sh config credentials --server https://:8666/auth --realm master --user admin --password admin --client admin-cli --secret 8260c084-dd0a-4ed3-8a56-33186eab5d9d

But after installation of Keycloak I want to run the admin-cli to create a new realm/usergroup/client, so I don't want to go to the UI, check the secret and then fire the above command to login through admin-cli.

Is there any way to get the default client admin-cli secret without going to the UI?

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From subodhcjoshi82 at gmail.com Fri Feb 16 06:33:55 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Fri, 16 Feb 2018 17:03:55 +0530
Subject: [keycloak-user] Admin-Cli Automate the realm/client creation
In-Reply-To:
References:
Message-ID:

Sorry for my mail, I just got to know that the client (admin-cli) access-type is by default *public*, so there is no need to give the secret. So the below command will work perfectly fine

./kcadm.sh config credentials --server https://:8666/auth --realm master --user admin --password admin --client admin-cli

On Fri, Feb 16, 2018 at 4:11 PM, Subodh Joshi wrote:

> Hi
>
> Is it possible to login through admin-cli without passing the client and
> client-secret?
> Right now I am trying like this
>
> ./kcadm.sh config credentials --server https://:8666/auth
> --realm master --user admin --password admin --client admin-cli --secret
> 8260c084-dd0a-4ed3-8a56-33186eab5d9d
>
> But after installation of Keycloak I want to run the admin-cli to create a
> new realm/usergroup/client, so I don't want to go to the UI, check the secret and
> then fire the above command to login through admin-cli.
>
> Is there any way to get the default client admin-cli secret without going
> to the UI?
> -- > Subodh Chandra Joshi > subodh1_joshi82 at yahoo.co.in > http://www.trendsinnews.com > -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From psilva at redhat.com Fri Feb 16 06:48:29 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 16 Feb 2018 09:48:29 -0200 Subject: [keycloak-user] Share resource by checking if some other user is in a certain group In-Reply-To: References: Message-ID: Btw, created https://issues.jboss.org/browse/KEYCLOAK-6628. Fell free to review description and provide any information you find relevant. Thanks. On Thu, Feb 15, 2018 at 8:00 AM, Or Harary wrote: > On Wed, Feb 14, 2018 at 2:52 PM, Pedro Igor Silva wrot > e: > >> >> >> On Wed, Feb 14, 2018 at 10:11 AM, Or Harary wrote: >> >>> Hi, >>> >>> Thanks for the response. >>> I have a policy which checks if a user is in a certain group which is >>> related to the resource, but my case is a bit different because I want to >>> check if another user (not the one who calls the authorization api) is in a >>> group. >>> I'll try to explain some more- >>> >>> I have one case like this: >>> >>> some resource with the following path: >>> /company/{company id}/resource_name/{resource_id} >>> >>> a group representing the company with the name: >>> /company/{company id} >>> >>> Users who are managers in the company are in this group. >>> I have a group mapper which puts the groups with their full path inside >>> the token. >>> This way it's easy for me to check if a user has access to a company's >>> resources by a JS policy (match the groups companies ids with the resource >>> uri). >>> >>> My different case with the wallet is that the resource is not held by >>> the company, it's the user's resource and this resource should be "visible" >>> by multiple company's in the right conditions. 
>>> This resource URI is: >>> /{user-1-id}/wallet/{wallet-id} >>> as I mentioned before >>> >>> So when a "manager" (a user in a company's group) try to access a >>> different user resource like this, I don't have the option to check groups, >>> because I need the resource owner groups and not the groups of the user who >>> requests the permissions. >>> Hope it clears the question a little more. >>> >> >> Yeah, it is clear now. Thanks. >> >> I think we can improve the Evaluation API and expose the owner as an >> object. Or even provide additional methods to check roles/groups that >> accept an username/id (such as the owner as it stands today). >> >> > > That would be awesome! querying the resource owner groups/roles would work > great for me here! > > > >> Other improvement we are planning is allow pushing additional claims when >> obtaining a RPT (token with permissions) from the server. Not sure if this >> is going to help you in this case, but you will be able to push these >> claims to your policies and use them to determine a decision. >> >> For last, there is also an issue to introduce attributes to resources .... >> > > > Pushing claims could also help in some stuff but resource attributes will > be more efficient. > > > >> >> >>> >>> With the improvements you mentioned about the user managed access will >>> it be possible to control it by a policy or will it be implicit by >>> specifying specific users which will be able to access this resource? >>> because I need a dynamic solution (managers can always change) >>> >> >> By specifying specific users which will be able to access a resource. >> This is not controlled by a policy, but a direct approval by the resource >> owner to access some of his resources. The main idea behind this feature is >> privacy. Users should be able to grant access, revoke and review access to >> his resources anytime (such as using Keycloak User Account Service). 
But >> you can also manage these permissions using the RESTful endpoints I >> mentioned before. >> >> These permissions override any result produced by the evaluation engine. >> If this user-defined permission exists (and are granted), access is granted >> even though your policies voted for a DENY. >> > > > Sharing like this is also very useful and will also be a great improvement > and let users control their resources access better. > > Thanks a lot for the help, > Would love to see these improvements when they'll arrive! =] > > From valsarajpv at gmail.com Fri Feb 16 07:06:37 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Fri, 16 Feb 2018 17:36:37 +0530 Subject: [keycloak-user] Keycloak role mapper & group mapper Message-ID: Hi, What is difference between role mapper & group mapper. I have source LDAP with subtrees groups & people. Application specific roles are under groups and users under people subtree is member of these groups. So which mapper can I use to sync with Keycloak? Thanks! From hartror at gmail.com Fri Feb 16 16:06:29 2018 From: hartror at gmail.com (Rory Hart) Date: Sat, 17 Feb 2018 08:06:29 +1100 Subject: [keycloak-user] Keycloak Proxy Request Logging? Message-ID: Is there any way to get the proxy to log requests? Neither the configuration nor the launcher appear to accept log level settings. Thanks From xiaoning.sunx at gmail.com Sat Feb 17 16:42:13 2018 From: xiaoning.sunx at gmail.com (lucie lucas) Date: Sat, 17 Feb 2018 22:42:13 +0100 Subject: [keycloak-user] keycloak authorization code flow id_token missing Message-ID: Hi, I'm a new dev for the field of OpenID Connect. I want to do a test about the authorization code flow with keycloak. So, I just clarify what I did 1. installation the standalone version (keycloak) with configuration admin console 2. create a client app as client (protocole openid-connect), select standard flow enabled, 3. 
from browser: I use url like : http://localhost:8080/auth/ realms/master/protocol/openid-connect/auth?client_id={ client_id}&response_type=code 4. the request redirect to{redirect_uri} with *code* and *sessionstate* 5. with postman, I filled the information as below: POST http://localhost:8080/auth/realms/master/protocol/openid-connect/token body : client_id, client_secret,grant_type(authorization_code), scope(openid), response_type(id_token%20token), redirect_uri, state (copy from 5th step url), code (copy from 5th step url) *BUT* there are only access token, refresh token in the response, there is no id_token which I waited for. Could you tell me what's wrong ? or keycloak support only access token? (I don't think so, because when I test about Grant Access Flow, there's id_token) I looked for this information 2 weeks ago, until now, I've no solution. Thank you for your feedbacks Xiaoning From valsarajpv at gmail.com Sun Feb 18 00:49:56 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Sun, 18 Feb 2018 11:19:56 +0530 Subject: [keycloak-user] keycloak authorization code flow id_token missing In-Reply-To: References: Message-ID: Hi, Can you check implicit ir hybrid flow instead of cide flow? Thanks! On 18-Feb-2018 3:15 AM, "lucie lucas" wrote: Hi, I'm a new dev for the field of OpenID Connect. I want to do a test about the authorization code flow with keycloak. So, I just clarify what I did 1. installation the standalone version (keycloak) with configuration admin console 2. create a client app as client (protocole openid-connect), select standard flow enabled, 3. from browser: I use url like : http://localhost:8080/auth/ realms/master/protocol/openid-connect/auth?client_id={ client_id}&response_type=code 4. the request redirect to{redirect_uri} with *code* and *sessionstate* 5. 
with postman, I filled the information as below: POST http://localhost:8080/auth/realms/master/protocol/openid-connect/token body : client_id, client_secret,grant_type(authorization_code), scope(openid), response_type(id_token%20token), redirect_uri, state (copy from 5th step url), code (copy from 5th step url) *BUT* there are only access token, refresh token in the response, there is no id_token which I waited for. Could you tell me what's wrong ? or keycloak support only access token? (I don't think so, because when I test about Grant Access Flow, there's id_token) I looked for this information 2 weeks ago, until now, I've no solution. Thank you for your feedbacks Xiaoning _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From adrien.desbiaux at gmail.com Sun Feb 18 10:34:46 2018 From: adrien.desbiaux at gmail.com (Adrien Desbiaux) Date: Sun, 18 Feb 2018 15:34:46 +0000 Subject: [keycloak-user] Custom user storage (external user DB) + Social Login Message-ID: Hi there! I am currently implementing a custom `UserStorageProvider`. The Module does NOT store the user into Keycloak but rather in-memory. This is the, let's say, opposite of the Import method for a `UserStorageProvider`. For reference: http://www.keycloak.org/docs/latest/server_development/index.html#_user-storage-spi So, the user is properly Authenticated against the external User database/service and is into the `loadedUsers` in-memory Keycloak store. What about with a Facebook login then? How can the FB login be intercepted in the same way than for a usual username/password login so that the user is not stored into the Keycloak database but rather into the external user database/service? Thanks in advance for any hints! 
Cheers, From xiaoning.sunx at gmail.com Sun Feb 18 13:33:54 2018 From: xiaoning.sunx at gmail.com (lucie lucas) Date: Sun, 18 Feb 2018 19:33:54 +0100 Subject: [keycloak-user] Fwd: keycloak authorization code flow id_token missing In-Reply-To: References: Message-ID: Sorry, I didn't forward for everyone And another thing: do you think it's a bug of keycloak (version 3.4.3), if yes, how could I report this bug ? Thanks a lot ---------- Forwarded message ---------- From: lucie lucas Date: 2018-02-18 12:15 GMT+01:00 Subject: Re: [keycloak-user] keycloak authorization code flow id_token missing To: valsaraj pv And another thing: do you think it's a bug of keycloak (version 3.4.3), if yes, how could I report this bug ? Thanks a lot Xiaoning 2018-02-18 12:09 GMT+01:00 lucie lucas : > Hi, > Thank you for your response, but in my case, I can't use implicit or > hybrid flow because of security problem. And for information, I want use > keycloak just as Identify provider, and I've an authorization server. I > don't know if it works, so I want to do tests with postman to be sure. > > Have you had the similar situation? > > Thanks in advance > Have a nice day > Xiaoning > > 2018-02-18 6:49 GMT+01:00 valsaraj pv : > >> Hi, >> >> Can you check implicit ir hybrid flow instead of cide flow? >> >> Thanks! >> >> >> On 18-Feb-2018 3:15 AM, "lucie lucas" wrote: >> >> Hi, >> >> I'm a new dev for the field of OpenID Connect. I want to do a test about >> the authorization code flow with keycloak. >> >> So, I just clarify what I did >> >> 1. installation the standalone version (keycloak) with configuration >> admin console >> 2. create a client app as client (protocole openid-connect), select >> standard flow enabled, >> 3. from browser: I use url like : http://localhost:8080/auth/ >> realms/master/protocol/openid-connect/auth?client_id={ >> client_id}&response_type=code >> > onnect/auth?client_id=%7Bclient_id%7D&response_type=code> >> 4. 
the request redirect to{redirect_uri} with *code* and *sessionstate* >> 5. with postman, I filled the information as below: >> >> POST http://localhost:8080/auth/realms/master/protocol/openid-con >> nect/token >> body : >> client_id, client_secret,grant_type(authorization_code), scope(openid), >> response_type(id_token%20token), redirect_uri, state (copy from 5th step >> url), code (copy from 5th step url) >> >> *BUT* there are only access token, refresh token in the response, there is >> no id_token which I waited for. >> >> Could you tell me what's wrong ? or keycloak support only access token? (I >> don't think so, because when I test about Grant Access Flow, there's >> id_token) >> >> I looked for this information 2 weeks ago, until now, I've no solution. >> >> Thank you for your feedbacks >> >> Xiaoning >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> >> > From subodhcjoshi82 at gmail.com Sun Feb 18 13:44:48 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Mon, 19 Feb 2018 00:14:48 +0530 Subject: [keycloak-user] Admin-Cli create user with user define userid? Message-ID: Hi I am trying to create a user with user define userid but below command throwing 400 error * ./kcadm.sh create users -s username=admin123 -s userid=f544f379-5dc4-49e5-8a8d-5cxb71f46f53 -s type=password -s value=admin at 123 -s enabled=true -srealm=master* Can some one please help me what is wrong with the above command? -- Subodh Chandra Joshi http://www.questioninmind.com From subodhcjoshi82 at gmail.com Sun Feb 18 14:02:30 2018 From: subodhcjoshi82 at gmail.com (Subodh Joshi) Date: Mon, 19 Feb 2018 00:32:30 +0530 Subject: [keycloak-user] Admin-Cli create user with user define userid? 
In-Reply-To: References: Message-ID: After that i tried below command * ./kcadm.sh create users -s username=admin123 -s id=f544f379-5dc4-49e5-8a8d-5cxb71f46f53 -s enabled=true -r master* but output of above command *Created new user with id '839ba113-c6dd-4004-83f6-4171aa638bd6'* Can someone please let me know what wrong with the above command as well? On Mon, Feb 19, 2018 at 12:14 AM, Subodh Joshi wrote: > Hi > > I am trying to create a user with user define userid but below command > throwing 400 error > > > > * ./kcadm.sh create users -s username=admin123 -s > userid=f544f379-5dc4-49e5-8a8d-5cxb71f46f53 -s type=password -s > value=admin at 123 -s enabled=true -srealm=master* > Can some one please help me what is wrong with the above command? > > -- > Subodh Chandra Joshi > > http://www.questioninmind.com > -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com From valsarajpv at gmail.com Mon Feb 19 03:43:22 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Mon, 19 Feb 2018 14:13:22 +0530 Subject: [keycloak-user] Auth with Kaycloak Message-ID: Hi, I would like to know how to implement auth using Keyclock for an existing model using JAAS & LDAP. Currently a user is aithenticated with LDAP directly from login module. If the user is in LDAP group, those roles will be set. If there is no group for a user in LDAP, some hard coded roles will be set from login module. When Keyclock is used, what kind of role mapping required for this scenario? How to do this conditional role mapping? Thanks! From alessandro.meyer at gmail.com Mon Feb 19 04:23:41 2018 From: alessandro.meyer at gmail.com (Alessandro Meyer) Date: Mon, 19 Feb 2018 10:23:41 +0100 Subject: [keycloak-user] Set Client Roles for Users with Admin Rest Api Message-ID: Hey there We run into the same Problem, is this actually supposed to work? The UI seems to do it differently (not in an Atomic Operation, but in separate steps) Thanks a lot. 
Alessandro From larsmak at gmail.com Mon Feb 19 05:28:36 2018 From: larsmak at gmail.com (Lars Martin Kristensen) Date: Mon, 19 Feb 2018 11:28:36 +0100 Subject: [keycloak-user] Keycloak, OutOfMemoryError Message-ID: Hi, We're seeing occasional starvation of our keycloak instance in one of our environment. The instance becomes unresponsive and the logs reveals that it's running out of heap space: 19:54:22,305 ERROR [io.undertow.request] (default task-22) UT005023: Exception handling request to /auth/realms/MyRealm/protocol/openid-connect/certs: java.lang.OutOfMemoryError: Java heap space We're running in standalone mode (single instasnce), and this is the only environment we're using the paypal identity provider. Could this be the problem? In the log, around the time of the OutOfMemoryErrors we have seen: 19:39:08,036 INFO [org.apache.http.impl.execchain.RetryExec] (default task-21) Retrying request to {s}->https://api.paypal.com:443 19:40:36,330 INFO [org.apache.http.impl.execchain.RetryExec] (default task-21) I/O exception (java.net.SocketException) caught when processing request to {s}->https://api.paypal.com:443: Connection reset 19:40:40,362 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff6468b804:-2ac1cab1:5a1ee0de:5cda0d in state RUN 19:40:37,591 INFO [org.apache.http.impl.execchain.RetryExec] (default task-21) Retrying request to {s}->https://api.paypal.com:443 19:41:51,957 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffff6468b804:-2ac1cab1:5a1ee0de:5cda0d in state CANCEL ..but whether this is the cause or a consequence of the OutOfMemoryError I'm a little bit uncertain about. Are there perhaps any way to tune the paypal connection configuration so that connection errors consumes less resources? 
Users: Around 50k Keycloak-version: 3.4.0.Final Java-version: 3.4.0.Final Memory-settings: -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m Any pointers would be greatly appreciated. Best Reagards, Lars Martin From pinguwien at gmail.com Mon Feb 19 08:05:26 2018 From: pinguwien at gmail.com (Dominik Guhr) Date: Mon, 19 Feb 2018 14:05:26 +0100 Subject: [keycloak-user] Keycloak issue 6115 workaround Message-ID: <2e10f98a-142d-31be-1972-cf3730ab725d@gmail.com> Hi everyone, so I made a comment here: https://issues.jboss.org/browse/KEYCLOAK-6115?_sscc=t explaining my problem, which is, in short terms, the bug issued in 6115 (localization with readonly ldap). Would be very nice to get some help here for a workaround, for this stops me to change the whole landscape to kc as authprovider. In short points: - I don't want to build kc sources myself, for the root cause is issued and will hopefully be worked on in near future - I want to create a custom provider spi module which does exactly the same than the "built-in", but want to apply the workaround(!) - catching the readonlyexception when its thrown. - This SPI seems not to have the same structure than the custom SPIs which are described in the docs for extending server Any help would be highly appreciated! Best regards, Dominik From betalb at gmail.com Mon Feb 19 08:21:32 2018 From: betalb at gmail.com (=?UTF-8?B?0JLQuNGC0LDQu9C40Lkg0JjRidC10L3QutC+?=) Date: Mon, 19 Feb 2018 13:21:32 +0000 Subject: [keycloak-user] Fine grain admin permissions are not exposed through admin-client Message-ID: Hi Is it intentional that admin-client doesn't have interfaces to control fine grain permissions? i.e. 
/auth/admin/realms/{realm}/roles/{role-name}/management/permissions From mposolda at redhat.com Mon Feb 19 09:16:52 2018 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 19 Feb 2018 15:16:52 +0100 Subject: [keycloak-user] Keycloak issue 6115 workaround In-Reply-To: <2e10f98a-142d-31be-1972-cf3730ab725d@gmail.com> References: <2e10f98a-142d-31be-1972-cf3730ab725d@gmail.com> Message-ID: Workaround can be to edit LDAP provider with edit mode UNSYNCED instead of READ_ONLY. That way, you can change the locale (+ some other properties), but those changes are written to DB, not to LDAP. Also not sure if you use "import" mode or "no-import" mode. From quickly looking at the code, it seems to me that with import mode, you can change the locale and exception won't be thrown. Marek On 19/02/18 14:05, Dominik Guhr wrote: > Hi everyone, > > so I made a comment here: > https://issues.jboss.org/browse/KEYCLOAK-6115?_sscc=t explaining my > problem, which is, in short terms, the bug issued in 6115 (localization > with readonly ldap). > Would be very nice to get some help here for a workaround, for this > stops me to change the whole landscape to kc as authprovider. > > In short points: > - I don't want to build kc sources myself, for the root cause is issued > and will hopefully be worked on in near future > - I want to create a custom provider spi module which does exactly the > same than the "built-in", but want to apply the workaround(!) - catching > the readonlyexception when its thrown. > - This SPI seems not to have the same structure than the custom SPIs > which are described in the docs for extending server > > Any help would be highly appreciated! 
> > Best regards, > Dominik > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Mon Feb 19 09:19:24 2018 From: mposolda at redhat.com (Marek Posolda) Date: Mon, 19 Feb 2018 15:19:24 +0100 Subject: [keycloak-user] Auth with Kaycloak In-Reply-To: References: Message-ID: <2fb486e8-f5f9-df8d-7dd5-53959158627a@redhat.com> You need to create LDAP UserStorage provider in admin console and then configure some mappers (Role mappers or Group mappers) for LDAP provider. See docs, admin console tooltips and our example "ldap" from keycloak-examples distribution for more details. Marek On 19/02/18 09:43, valsaraj pv wrote: > Hi, > > I would like to know how to implement auth using Keyclock for an existing > model using JAAS & LDAP. Currently a user is aithenticated with LDAP > directly from login module. If the user is in LDAP group, those roles will > be set. If there is no group for a user in LDAP, some hard coded roles will > be set from login module. When Keyclock is used, what kind of role mapping > required for this scenario? How to do this conditional role mapping? > > Thanks! > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From valsarajpv at gmail.com Mon Feb 19 09:48:43 2018 From: valsarajpv at gmail.com (valsaraj pv) Date: Mon, 19 Feb 2018 20:18:43 +0530 Subject: [keycloak-user] Auth with Kaycloak In-Reply-To: <2fb486e8-f5f9-df8d-7dd5-53959158627a@redhat.com> References: <2fb486e8-f5f9-df8d-7dd5-53959158627a@redhat.com> Message-ID: Hi, Yes, I did these steps and created role mapper. But what is the difference between role mapper and group mapper? I checked roles and tooltips, need to check ldap sample. How to set default roles if a user don't have any role mapped in LDAP? Thanks! 
On 19-Feb-2018 7:49 PM, "Marek Posolda" wrote: You need to create LDAP UserStorage provider in admin console and then configure some mappers (Role mappers or Group mappers) for LDAP provider. See docs, admin console tooltips and our example "ldap" from keycloak-examples distribution for more details. Marek On 19/02/18 09:43, valsaraj pv wrote: > Hi, > > I would like to know how to implement auth using Keyclock for an existing > model using JAAS & LDAP. Currently a user is aithenticated with LDAP > directly from login module. If the user is in LDAP group, those roles will > be set. If there is no group for a user in LDAP, some hard coded roles will > be set from login module. When Keyclock is used, what kind of role mapping > required for this scenario? How to do this conditional role mapping? > > Thanks! > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From jblashka at redhat.com Mon Feb 19 10:43:04 2018 From: jblashka at redhat.com (Jared Blashka) Date: Mon, 19 Feb 2018 10:43:04 -0500 Subject: [keycloak-user] Fwd: keycloak authorization code flow id_token missing In-Reply-To: References: Message-ID: It's in the documentation, see http://www.keycloak.org/docs/latest/upgrading/index.html#id-token-requires-scope-openid . You need to include scope=openid in your request if you want the ID token. Jared On Sun, Feb 18, 2018 at 1:33 PM, lucie lucas wrote: > Sorry, I didn't forward for everyone > > And another thing: do you think it's a bug of keycloak (version 3.4.3), if > yes, how could I report this bug ? > Thanks a lot > > > ---------- Forwarded message ---------- > From: lucie lucas > Date: 2018-02-18 12:15 GMT+01:00 > Subject: Re: [keycloak-user] keycloak authorization code flow id_token > missing > To: valsaraj pv > > > And another thing: do you think it's a bug of keycloak (version 3.4.3), if > yes, how could I report this bug ? 
> Thanks a lot > Xiaoning > > 2018-02-18 12:09 GMT+01:00 lucie lucas : > > > Hi, > > Thank you for your response, but in my case, I can't use implicit or > > hybrid flow because of security problem. And for information, I want use > > keycloak just as Identify provider, and I've an authorization server. I > > don't know if it works, so I want to do tests with postman to be sure. > > > > Have you had the similar situation? > > > > Thanks in advance > > Have a nice day > > Xiaoning > > > > 2018-02-18 6:49 GMT+01:00 valsaraj pv : > > > >> Hi, > >> > >> Can you check implicit ir hybrid flow instead of cide flow? > >> > >> Thanks! > >> > >> > >> On 18-Feb-2018 3:15 AM, "lucie lucas" wrote: > >> > >> Hi, > >> > >> I'm a new dev for the field of OpenID Connect. I want to do a test about > >> the authorization code flow with keycloak. > >> > >> So, I just clarify what I did > >> > >> 1. installation the standalone version (keycloak) with configuration > >> admin console > >> 2. create a client app as client (protocole openid-connect), select > >> standard flow enabled, > >> 3. from browser: I use url like : http://localhost:8080/auth/ > >> realms/master/protocol/openid-connect/auth?client_id={ > >> client_id}&response_type=code > >> >> onnect/auth?client_id=%7Bclient_id%7D&response_type=code> > >> 4. the request redirect to{redirect_uri} with *code* and > *sessionstate* > >> 5. with postman, I filled the information as below: > >> > >> POST http://localhost:8080/auth/realms/master/protocol/openid-con > >> nect/token > >> body : > >> client_id, client_secret,grant_type(authorization_code), scope(openid), > >> response_type(id_token%20token), redirect_uri, state (copy from 5th > step > >> url), code (copy from 5th step url) > >> > >> *BUT* there are only access token, refresh token in the response, there > is > >> no id_token which I waited for. > >> > >> Could you tell me what's wrong ? or keycloak support only access token? 
> (I > >> don't think so, because when I test about Grant Access Flow, there's > >> id_token) > >> > >> I looked for this information 2 weeks ago, until now, I've no solution. > >> > >> Thank you for your feedbacks > >> > >> Xiaoning > >> _______________________________________________ > >> keycloak-user mailing list > >> keycloak-user at lists.jboss.org > >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >> > >> > >> > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mstrukel at redhat.com Mon Feb 19 11:00:50 2018 From: mstrukel at redhat.com (Marko Strukelj) Date: Mon, 19 Feb 2018 17:00:50 +0100 Subject: [keycloak-user] Set Client Roles for Users with Admin Rest Api In-Reply-To: References: Message-ID: Right, you need to do it like UI does it. In separate steps. On Mon, Feb 19, 2018 at 10:23 AM, Alessandro Meyer < alessandro.meyer at gmail.com> wrote: > Hey there > > We run into the same Problem, is this actually supposed to work? The UI > seems to do it differently (not in an Atomic Operation, but in separate > steps) > > Thanks a lot. > Alessandro > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From carreraariel at gmail.com Mon Feb 19 17:02:39 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Mon, 19 Feb 2018 22:02:39 +0000 Subject: [keycloak-user] Keycloak, OutOfMemoryError In-Reply-To: References: Message-ID: Hi Lars maybe this a problem with provider but I believe that you need first to try with a higher max memory value. 512Mb with 50k users sounds not enough to keep data in cache and all programa data available... what happens if you increase value to 768mb or 1024mb? Have you got changed default infinispan values too? More data cached... more memory required.. El El lun, 19 feb. 
2018 a las 07:29, Lars Martin Kristensen < larsmak at gmail.com> escribi?: > Hi, > > We're seeing occasional starvation of our keycloak instance in one of our > environment. The instance becomes unresponsive and the logs reveals that > it's running out of heap space: > > 19:54:22,305 ERROR [io.undertow.request] (default task-22) UT005023: > Exception handling request to > /auth/realms/MyRealm/protocol/openid-connect/certs: > java.lang.OutOfMemoryError: Java heap space > > We're running in standalone mode (single instasnce), and this is the only > environment we're using the paypal identity provider. Could this be the > problem? In the log, around the time of the OutOfMemoryErrors we have seen: > > 19:39:08,036 INFO [org.apache.http.impl.execchain.RetryExec] (default > task-21) Retrying request to {s}->https://api.paypal.com:443 > 19:40:36,330 INFO [org.apache.http.impl.execchain.RetryExec] (default > task-21) I/O exception (java.net.SocketException) caught when processing > request to {s}->https://api.paypal.com:443: Connection reset > 19:40:40,362 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) > ARJUNA012117: TransactionReaper::check timeout for TX > 0:ffff6468b804:-2ac1cab1:5a1ee0de:5cda0d in state RUN > 19:40:37,591 INFO [org.apache.http.impl.execchain.RetryExec] (default > task-21) Retrying request to {s}->https://api.paypal.com:443 > 19:41:51,957 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) > ARJUNA012117: TransactionReaper::check timeout for TX > 0:ffff6468b804:-2ac1cab1:5a1ee0de:5cda0d in state CANCEL > > ..but whether this is the cause or a consequence of the OutOfMemoryError > I'm a little bit uncertain about. > Are there perhaps any way to tune the paypal connection configuration so > that connection errors consumes less resources? > > Users: Around 50k > Keycloak-version: 3.4.0.Final > Java-version: 3.4.0.Final > Memory-settings: -Xms64m -Xmx512m -XX:MetaspaceSize=96M > -XX:MaxMetaspaceSize=256m > > Any pointers would be greatly appreciated. 
> > Best Reagards, > Lars Martin > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Ariel Carrera From kurrent93 at gmail.com Mon Feb 19 20:46:43 2018 From: kurrent93 at gmail.com (Anton) Date: Tue, 20 Feb 2018 14:46:43 +1300 Subject: [keycloak-user] How to generate jwt? Message-ID: Hello We are trying to integrate Keycloak into both a mobile app and also a web app. We need to be able to generate jwt tokens, specifically for development and research. Is there an api we can call that will return a jwt token? We cannot find anything in the docs about how to do this - which seems odd, I assumed this would be a very commonly used feature. Any help is appreciated. Regards Anton From kurrent93 at gmail.com Mon Feb 19 20:54:42 2018 From: kurrent93 at gmail.com (Anton) Date: Tue, 20 Feb 2018 14:54:42 +1300 Subject: [keycloak-user] Keycloak REST API In-Reply-To: References: <32a90b9a-1cc2-9aa1-acc7-c0d3e569288d@epardaud.fr> Message-ID: Yes there is already a jira request for this - https://issues.jboss.org/browse/KEYCLOAK-4474 On 8 November 2017 at 22:58, Marko Strukelj wrote: > We are aware of the issue. See > http://lists.jboss.org/pipermail/keycloak-user/2017-November/012181.html > for some suggestions. > > REST API Docs are autogenerated from code and javadoc and we prefer it this > way to minimise inconsistencies that would otherwise arise over time. > > The choice of documentation generation pipeline is a factor. We're not > using Swagger ATM, and OpenAPI seems to be the best option to move to in > the future. I don't think there's a JIRA for it yet. Feel free to open it. 
> > Any contributions welcome :) > > > On Wed, Nov 8, 2017 at 9:35 AM, Stephane Epardaud > wrote: > > > Hi, > > > > I'm trying to use the REST API of keycloak to seed an initial config for > > tests that depend on keycloak, but I only found this doc: > > http://www.keycloak.org/docs-api/3.3/rest-api/index.html > > > > Are there better docs somewhere else? > > > > If not: they barely explain what the entities are, and don't tell me > > which parts are settable, required, or server-generated. They also > > contain some links to types that are not documented (like Map), and > > don't explain how to get a token to play along (found that somewhere > > completely different). A set of examples with each endpoint and entity > > type would be _greatly_ appreciated too. Otherwise there's a lot of > > guesswork involved :( > > > > Otherwise, pretty impressed with the rest of KeyCloak, so don't take > > that issue harshly :) > > > > Cheers. > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From kurrent93 at gmail.com Mon Feb 19 21:06:20 2018 From: kurrent93 at gmail.com (Anton) Date: Tue, 20 Feb 2018 15:06:20 +1300 Subject: [keycloak-user] Curl Commands to create Realm/User/AdminUsergroup In-Reply-To: References: Message-ID: > > Rather than curl which would be quite tricky, > Why is it tricky? This is a concern if such simple tasks cannot be performed easily using the rest api. On 9 February 2018 at 00:46, Hynek Mlnarik wrote: > Rather than curl which would be quite tricky, have you looked at kcadm [1]? 
> > [1] > http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli > > On Thu, Feb 8, 2018 at 11:44 AM, Subodh Joshi > wrote: > > > Hi, > > > > Rather than using the UI of Keycloak, there are some basic things I want to create > > dynamically, so I am thinking of creating a shell script file for a Linux > > server which will be able to do the following > > > > 1. Create realm > > 2. Create admin user group > > 3. Create Admin Role > > > > How to automate these features through CURL? Can someone please guide me? > > > > -- > > Subodh Chandra Joshi > > subodh1_joshi82 at yahoo.co.in > > http://www.trendsinnews.com > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > > --Hynek > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From kurrent93 at gmail.com Mon Feb 19 21:41:50 2018
From: kurrent93 at gmail.com (Anton)
Date: Tue, 20 Feb 2018 15:41:50 +1300
Subject: [keycloak-user] Keycloak REST API
In-Reply-To:
References: <32a90b9a-1cc2-9aa1-acc7-c0d3e569288d@epardaud.fr>
Message-ID:

I have created another Jira on this topic - https://issues.jboss.org/browse/KEYCLOAK-6662 - as the keycloak rest docs are really poor quality in comparison to what many other products provide. If you also feel this way, please vote on this jira.

On 20 February 2018 at 14:54, Anton wrote: > Yes, there is already a jira request for this - https://issues.jboss.org/browse/KEYCLOAK-4474 > > > > On 8 November 2017 at 22:58, Marko Strukelj wrote: > >> We are aware of the issue. See >> http://lists.jboss.org/pipermail/keycloak-user/2017-November/012181.html >> for some suggestions. >> >> REST API Docs are autogenerated from code and javadoc and we prefer it >> this >> way to minimise inconsistencies that would otherwise arise over time.
>> >> The choice of documentation generation pipeline is a factor. We're not >> using Swagger ATM, and OpenAPI seems to be the best option to move to in >> the future. I don't think there's a JIRA for it yet. Feel free to open it. >> >> Any contributions welcome :) >> >> >> On Wed, Nov 8, 2017 at 9:35 AM, Stephane Epardaud >> wrote: >> >> > Hi, >> > >> > I'm trying to use the REST API of keycloak to seed an initial config for >> > tests that depend on keycloak, but I only found this doc: >> > http://www.keycloak.org/docs-api/3.3/rest-api/index.html >> > >> > Are there better docs somewhere else? >> > >> > If not: they barely explain what the entities are, and don't tell me >> > which parts are settable, required, or server-generated. They also >> > contain some links to types that are not documented (like Map), and >> > don't explain how to get a token to play along (found that somewhere >> > completely different). A set of examples with each endpoint and entity >> > type would be _greatly_ appreciated too. Otherwise there's a lot of >> > guesswork involved :( >> > >> > Otherwise, pretty impressed with the rest of KeyCloak, so don't take >> > that issue harshly :) >> > >> > Cheers. >> > >> > >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > >

From d.weirshousky at xsb.com Mon Feb 19 22:39:16 2018
From: d.weirshousky at xsb.com (Drew Weirshousky)
Date: Mon, 19 Feb 2018 21:39:16 -0600 (CST)
Subject: [keycloak-user] Possible IDP configuration bug keycloak 3.4.3
Message-ID: <283402125.32980069.1519097956487.JavaMail.zimbra@xsb.com>

Hi, I was wondering if anybody has seen this issue. I had an OIDC IDP configured and working using Okta as the IDP.
This was set up with a trial account of Okta. When I modified the config to use the URL of the production server Keycloak had issues. The first login worked. The next user and all following logins received a 500 error using the IDP. I then deleted the entire config for the IDP and created a new configuration for it. Every time I tried logging in using the IDP Keycloak just generated stack traces. Finally I had to delete the config, restart Keycloak, and clear all caches. Then when I recreated the config everything finally started working fine. I don't have logs from this at this time. I was wondering if there is some sort of bug I came across here or should I create a bug report for it. If a bug doesn't exist I will try to recreate the issue and get logs for it. Thanks Drew

From betalb at gmail.com Tue Feb 20 01:07:28 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Tue, 20 Feb 2018 06:07:28 +0000
Subject: [keycloak-user] Curl Commands to create Realm/User/AdminUsergroup
In-Reply-To:
References:
Message-ID:

I think it's tricky, because with curl you have to do authentication yourself. In other aspects kcadm seems to be a 1-to-1 mapping of the REST API. Joshi, kcadm is not a GUI app, it is a shell app.

Tue, 20 Feb 2018 at 5:08, Anton: > > > > Rather than curl which would be quite tricky, > > > > Why is it tricky? > > This is a concern if such simple tasks cannot be performed easily using the > REST API. > > On 9 February 2018 at 00:46, Hynek Mlnarik wrote: > > > Rather than curl which would be quite tricky, have you looked at kcadm > [1]? > > > > [1] > > > http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli > > > > On Thu, Feb 8, 2018 at 11:44 AM, Subodh Joshi > > wrote: > > > > > Hi, > > > > > > Rather than using the UI of Keycloak, there are some basic things I want to create > > > dynamically, so I am thinking of creating a shell script file for a Linux > > > server which will be able to do the following > > > > > > 1.
Create realm > > > 2. Create admin user group > > > 3. Create Admin Role > > > > > > How to automate these features through CURL? Can someone please guide > me? > > > > > > -- > > > Subodh Chandra Joshi > > > subodh1_joshi82 at yahoo.co.in > > > http://www.trendsinnews.com > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > > -- > > > > --Hynek > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From subodhcjoshi82 at gmail.com Tue Feb 20 01:13:25 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Tue, 20 Feb 2018 11:43:25 +0530
Subject: [keycloak-user] Admin-Cli create user with user define userid?
In-Reply-To:
References:
Message-ID:

Any idea about this?

On Mon, Feb 19, 2018 at 12:32 AM, Subodh Joshi wrote: > After that I tried the below command: > ./kcadm.sh create users -s username=admin123 -s id=f544f379-5dc4-49e5-8a8d-5cxb71f46f53 -s enabled=true -r master > > but the output of the above command was: > > Created new user with id '839ba113-c6dd-4004-83f6-4171aa638bd6' > Can someone please let me know what is wrong with the above command as well? > > On Mon, Feb 19, 2018 at 12:14 AM, Subodh Joshi > wrote: > >> Hi >> >> I am trying to create a user with a user-defined userid but the below command >> is throwing a 400 error >> >> >> >> ./kcadm.sh create users -s username=admin123 -s userid=f544f379-5dc4-49e5-8a8d-5cxb71f46f53 -s type=password -s value=admin at 123 -s enabled=true -srealm=master >> Can someone please help me with what is wrong with the above command?
>> >> -- >> Subodh Chandra Joshi >> >> http://www.questioninmind.com >> > > > > -- > Subodh Chandra Joshi > subodh1_joshi82 at yahoo.co.in > http://www.trendsinnews.com > -- Subodh Chandra Joshi subodh1_joshi82 at yahoo.co.in http://www.trendsinnews.com

From upananda313 at gmail.com Tue Feb 20 01:44:02 2018
From: upananda313 at gmail.com (Upananda Singha)
Date: Tue, 20 Feb 2018 12:14:02 +0530
Subject: [keycloak-user] Connection pool configurations in Keycloak 3.4
Message-ID:

Hi All, Can anyone give some pointers on how to change the connection pooling configurations in Keycloak. I am using Keycloak (3.4 latest version) standalone-ha cluster deployment. I want to use c3p0 connection pooling instead of the default connection pooling. Thanks & Regds, Upananda

From pinguwien at gmail.com Tue Feb 20 02:01:22 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Tue, 20 Feb 2018 08:01:22 +0100
Subject: [keycloak-user] Keycloak issue 6115 workaround
In-Reply-To:
References: <2e10f98a-142d-31be-1972-cf3730ab725d@gmail.com>
Message-ID: <63514db8-b201-981d-0d07-56b1e0842eeb@gmail.com>

Hey Marek, thank you very much for the answer! I'll try them out and will post the (hopefully) working workaround here and on the issue itself, too, to prevent other people from searching. Best regards, Dominik

On 19.02.18 at 15:16, Marek Posolda wrote: > Workaround can be to edit LDAP provider with edit mode UNSYNCED instead > of READ_ONLY. That way, you can change the locale (+ some other > properties), but those changes are written to DB, not to LDAP. > > Also not sure if you use "import" mode or "no-import" mode. From quickly > looking at the code, it seems to me that with import mode, you can > change the locale and exception won't be thrown.
> > Marek > > On 19/02/18 14:05, Dominik Guhr wrote: >> Hi everyone, >> >> so I made a comment here: >> https://issues.jboss.org/browse/KEYCLOAK-6115?_sscc=t explaining my >> problem, which is, in short terms, the bug issued in 6115 (localization >> with readonly ldap). >> Would be very nice to get some help here for a workaround, for this >> stops me from changing the whole landscape to kc as authprovider. >> >> In short points: >> - I don't want to build kc sources myself, for the root cause is issued >> and will hopefully be worked on in near future >> - I want to create a custom provider spi module which does exactly the >> same as the "built-in", but want to apply the workaround(!) - catching >> the readonlyexception when it's thrown. >> - This SPI seems not to have the same structure as the custom SPIs >> which are described in the docs for extending server >> >> Any help would be highly appreciated! >> >> Best regards, >> Dominik >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > >

From mposolda at redhat.com Tue Feb 20 02:29:27 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Feb 2018 08:29:27 +0100
Subject: [keycloak-user] Auth with Kaycloak
In-Reply-To:
References: <2fb486e8-f5f9-df8d-7dd5-53959158627a@redhat.com>
Message-ID:

On 19/02/18 15:48, valsaraj pv wrote: > Hi, > > Yes, I did these steps and created role mapper. > But what is the difference between role mapper and group mapper?

Role mapper maps LDAP groups to Keycloak roles. Group mapper maps LDAP groups to Keycloak groups.

> I checked roles and tooltips, need to check ldap sample. > How to set default roles if a user doesn't have any role mapped in LDAP?

There is also Hardcoded-Role-LDAP-Mapper, which allows to automatically set specified role to all Keycloak users, which are saved in LDAP.
But if you want to add specified role to the Keycloak user just in case that he doesn't have any other role, that is functionality, which is not available OOTB. You will need to code your own LDAP mapper if you want to achieve this. Marek

> > Thanks! > > On 19-Feb-2018 7:49 PM, "Marek Posolda" > wrote: > > You need to create LDAP UserStorage provider in admin console and > then configure some mappers (Role mappers or Group mappers) for > LDAP provider. See docs, admin console tooltips and our example > "ldap" from keycloak-examples distribution for more details. > > Marek > > > On 19/02/18 09:43, valsaraj pv wrote: > > Hi, > > I would like to know how to implement auth using Keycloak for > an existing > model using JAAS & LDAP. Currently a user is authenticated > with LDAP > directly from login module. If the user is in LDAP group, > those roles will > be set. If there is no group for a user in LDAP, some hard > coded roles will > be set from login module. When Keycloak is used, what kind of > role mapping > required for this scenario? How to do this conditional role > mapping? > > Thanks! > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > >

From hmlnarik at redhat.com Tue Feb 20 02:34:24 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 20 Feb 2018 08:34:24 +0100
Subject: [keycloak-user] KeyCloak CVE's
In-Reply-To:
References:
Message-ID:

For critical production environments consider using Red Hat Single Sign On [1]. --Hynek

[1] http://www.keycloak.org/support.html

On Thu, Feb 15, 2018 at 8:12 PM, Yuriy Yunikov < yuriy.yunikov at verygood.systems> wrote: > There's been an issue before about KeyCloak CVEs; however, no more > information was found about it.
> http://lists.jboss.org/pipermail/keycloak-user/2017-December/012541.html > > I would like to get a clear understanding about > https://nvd.nist.gov/vuln/detail/CVE-2017-12160 > https://www.saucs.com/cve/CVE-2017-12159 > https://www.saucs.com/cve/CVE-2017-12158 > > Why they're the case and if there are patches for them. There is no > information on CVE websites. It's critical for us to make sure KeyCloak has > known vulnerabilities fixed. Can anyone point me please in the right > direction or post more information about them? > > Regards, > Yuriy Yunikov > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek

From hmlnarik at redhat.com Tue Feb 20 02:35:11 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 20 Feb 2018 08:35:11 +0100
Subject: [keycloak-user] Possible IDP configuration bug keycloak 3.4.3
In-Reply-To: <283402125.32980069.1519097956487.JavaMail.zimbra@xsb.com>
References: <283402125.32980069.1519097956487.JavaMail.zimbra@xsb.com>
Message-ID:

Hi Drew, could you please try to recreate the issue and log the issue with all available stacktraces? Thanks --Hynek

On Tue, Feb 20, 2018 at 4:39 AM, Drew Weirshousky wrote: > Hi, > I was wondering if anybody has seen this issue. I had an OIDC IDP > configured and working using Okta as the IDP. This was set up with a trial > account of Okta. When I modified the config to use the URL of the > production server Keycloak had issues. The first login worked. The next > user and all following logins received a 500 error using the IDP. I then > deleted the entire config for the IDP and created a new configuration for > it. Every time I tried logging in using the IDP Keycloak just generated > stack traces. Finally I had to delete the config, restart Keycloak, and > clear all caches. Then when I recreated the config everything finally > started working fine.
> > I don't have logs from this at this time. I was wondering if there is > some sort of bug I came across here or should I create a bug report for > it. If a bug doesn't exist I will try to recreate the issue and get logs > for it. > > Thanks > Drew > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek

From hmlnarik at redhat.com Tue Feb 20 02:49:36 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 20 Feb 2018 08:49:36 +0100
Subject: [keycloak-user] How to generate jwt?
In-Reply-To:
References:
Message-ID:

Depends a lot on what JWT you want to issue. For samples of generating access token, see [1], for action token, see [2], custom, see [3].

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/TokenManager.java#L698
[2] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/actiontoken/DefaultActionToken.java#L140
[3] https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/keycloak/jose/jws/JWSBuilder.java

On Tue, Feb 20, 2018 at 2:46 AM, Anton wrote: > Hello > > We are trying to integrate Keycloak into both a mobile app and also a web > app. > > We need to be able to generate jwt tokens, specifically for development and > research. > > Is there an api we can call that will return a jwt token? We cannot find > anything in the docs about how to do this - which seems odd, I assumed this > would be a very commonly used feature. > > Any help is appreciated.
> > Regards > Anton > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek

From betalb at gmail.com Tue Feb 20 02:50:44 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Tue, 20 Feb 2018 07:50:44 +0000
Subject: [keycloak-user] How to generate jwt?
In-Reply-To:
References:
Message-ID:

Keycloak follows the OIDC spec, and you can use any of the flows defined in OAuth2 [1] as well as some additional flows added in OIDC. OIDC dictates usage of JWT, so access tokens (as well as refresh_token, id_token and others) will be returned in JWT format. To find out the token and authentication addresses, Keycloak provides an OIDC discovery URL, i.e. http://keycloakhost:keycloakport/auth/realms/{realm}/.well-known/openid-configuration There are a bunch of libs written for the OIDC spec that will simplify token request procedures. But Keycloak has a set of adapters written that can fit nicely into your existing technology stack [2]. I think all of them allow access to raw JWT tokens.

[1] https://aaronparecki.com/oauth-2-simplified/
[2] http://www.keycloak.org/docs/latest/securing_apps/index.html#openid-connect-3

Tue, 20 Feb 2018 at 4:49, Anton: > Hello > > We are trying to integrate Keycloak into both a mobile app and also a web > app. > > We need to be able to generate jwt tokens, specifically for development and > research. > > Is there an api we can call that will return a jwt token? We cannot find > anything in the docs about how to do this - which seems odd, I assumed this > would be a very commonly used feature. > > Any help is appreciated.
> > Regards > Anton > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From valsarajpv at gmail.com Tue Feb 20 02:54:25 2018
From: valsarajpv at gmail.com (valsaraj pv)
Date: Tue, 20 Feb 2018 13:24:25 +0530
Subject: [keycloak-user] Auth with Kaycloak
In-Reply-To:
References: <2fb486e8-f5f9-df8d-7dd5-53959158627a@redhat.com>
Message-ID:

Hi Marek, Thanks for the clarification. Please see comments inline.

On Tue, Feb 20, 2018 at 12:59 PM, Marek Posolda wrote: > On 19/02/18 15:48, valsaraj pv wrote: > > Hi, > > Yes, I did these steps and created role mapper. > But what is the difference between role mapper and group mapper? > > Role mapper maps LDAP groups to Keycloak roles. Group mapper maps LDAP > groups to Keycloak groups. > >

So both are the same.

> I checked roles and tooltips, need to check ldap sample. > How to set default roles if a user doesn't have any role mapped in LDAP? > > There is also Hardcoded-Role-LDAP-Mapper, which allows to automatically > set specified role to all Keycloak users, which are saved in LDAP. But if > you want to add specified role to the Keycloak user just in case that he > doesn't have any other role, that is functionality, which is not available > OOTB. You will need to code your own LDAP mapper if you want to achieve > this. > >

Isn't it possible to set default roles from application filter class if the logged-in user doesn't have any role? If so, we don't need to implement own LDAP mapper. Is there any documentation regarding how to create custom mapper in Keycloak? Thanks!

Marek > > > Thanks! > > On 19-Feb-2018 7:49 PM, "Marek Posolda" wrote: > > You need to create LDAP UserStorage provider in admin console and then > configure some mappers (Role mappers or Group mappers) for LDAP provider. > See docs, admin console tooltips and our example "ldap" from > keycloak-examples distribution for more details.
> > Marek > > > On 19/02/18 09:43, valsaraj pv wrote: > >> Hi, >> >> I would like to know how to implement auth using Keycloak for an existing >> model using JAAS & LDAP. Currently a user is authenticated with LDAP >> directly from login module. If the user is in LDAP group, those roles will >> be set. If there is no group for a user in LDAP, some hard coded roles >> will >> be set from login module. When Keycloak is used, what kind of role mapping >> required for this scenario? How to do this conditional role mapping? >> >> Thanks! >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > > > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper.... Valsaraj Viswanathan

From sthorger at redhat.com Tue Feb 20 02:54:44 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 20 Feb 2018 08:54:44 +0100
Subject: [keycloak-user] KeyCloak CVE's
In-Reply-To:
References:
Message-ID:

The 3 CVEs you listed were all fixed in 3.3.0.Final, but for some reason the CVEs still haven't been updated. Will chase that (again).

On 20 February 2018 at 08:34, Hynek Mlnarik wrote: > For critical production environments consider using Red Hat Single Sign On > [1]. > > --Hynek > > [1] http://www.keycloak.org/support.html > > On Thu, Feb 15, 2018 at 8:12 PM, Yuriy Yunikov < > yuriy.yunikov at verygood.systems> wrote: > > > There's been an issue before about KeyCloak CVEs; however, no more > > information was found about it. > > http://lists.jboss.org/pipermail/keycloak-user/2017-December/012541.html > > > > I would like to get a clear understanding about > > https://nvd.nist.gov/vuln/detail/CVE-2017-12160 > > https://www.saucs.com/cve/CVE-2017-12159 > > https://www.saucs.com/cve/CVE-2017-12158 > > > > Why they're the case and if there are patches for them. There is no > > information on CVE websites.
It's critical for us to make sure KeyCloak > has > > known vulnerabilities fixed. Can anyone point me please in the right > > direction or post more information about them? > > > > Regards, > > Yuriy Yunikov > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > -- > > --Hynek > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From hadhemi.jebnoun at kyalis.com Tue Feb 20 04:05:31 2018
From: hadhemi.jebnoun at kyalis.com (Hadhemi Jebnoun)
Date: Tue, 20 Feb 2018 10:05:31 +0100
Subject: [keycloak-user] Migrate from Sql Server users authentication to keycloak
Message-ID: <7552e56b-3a8f-378a-bda6-0f07949053c9@kyalis.com>

Hello, I have to migrate my user's table in SQL SERVER to Keycloak. We migrate from .NET application to microservices architecture running in minikube. We use postgres to store keycloak data. I would load all my users into the keycloak database. How can I do that? Should I write an implementation of user federation? Is there an option to load data from Sql script into Keycloak database? Environment : minikube (kubernetes) User table using SHA512cng -- Hadhemi JEBNOUN

From pinguwien at gmail.com Tue Feb 20 04:55:02 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Tue, 20 Feb 2018 10:55:02 +0100
Subject: [keycloak-user] Keycloak: Get Locale used at loginpages localeswitch in application via Wildfly adapter
Message-ID: <3faafe19-e9c3-5410-a627-f7340fbdc6dc@gmail.com>

Hi everyone, another day, another question: So I am using Keycloak w/ the wildfly adapter and internationalization enabled for my application. What I want to achieve: 1. User gets to kc loginpage 2. user switches the locale (using keycloaks ftl locale dropdown here on a custom theme) 3. user logs in 4.
a phaselistener (jsf used) is set up and checks the kc login. Here I have access to idToken and securityContext etc. via clientadapter. My Problem: In the app itself, there's a locale switch, too. I want to use the locale provided at login in my app, therefore I need to sync these two locales (keycloak is leading system). What I've tried: 1. Setting up a mapper for the builtin locale and check it in my phaselistener. Problem: this locale doesn't change, even when I switch languages before login. e.g.: - I switch language to "en" in loginpage - I login with my credentials - getIdToken().getLocale() says "de" 2. looking in the context for another localefield, but didn't find one Could anyone tell me how to achieve this? I really don't like to add a cookie to the request myself via js or something, for this should work with the adapter I think. Thanks and best regards, Dominik

From scott.finlay at sixt.com Tue Feb 20 05:08:13 2018
From: scott.finlay at sixt.com (Scott Finlay)
Date: Tue, 20 Feb 2018 10:08:13 +0000
Subject: [keycloak-user] How to differentiate between invalid credentials and a blocked user?
Message-ID:

Hi, When using the Brute Force Detection it seems if a user is blocked the error message returned by the Keycloak API is "invalid_grant: Invalid user credentials" which is the same error message returned if the password was wrong. I understand the idea here is to prevent an attacker from knowing the difference but from a usability perspective it would be much nicer if we could somehow inform the user if his account is currently locked. Is there any reasonable way to do this? I'd rather not have to make an additional API call after every failed login attempt to see if the user is blocked. Regards, Scott

From Michael.Poettgen at oeconnection.com Tue Feb 20 07:07:27 2018
From: Michael.Poettgen at oeconnection.com (Michael Poettgen)
Date: Tue, 20 Feb 2018 12:07:27 +0000
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
Message-ID:

All, I've got Keycloak 3.4.3 configured to return client roles in a "role" Claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work. Am I doing something stupid or is there something that does not work as (I) expected? Thanks for your help! Michael

This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system. Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission. OEConnection LLC, (888) 776-5792, www.oeconnection.com

From tappe at transdata.net Tue Feb 20 08:01:54 2018
From: tappe at transdata.net (tdtappe)
Date: Tue, 20 Feb 2018 06:01:54 -0700 (MST)
Subject: [keycloak-user] SAML quickstart example
Message-ID: <1519131714843-0.post@n6.nabble.com>

Doing my first steps with keycloak I successfully set up a keycloak (3.4.3.Final) instance and explored the vanilla sample app. Now I want to try the SAML sample app (app-profile-saml-jee-jsp).
After modifying the web.xml to use KEYCLOAK instead of KEYCLOAK-SAML as the auth-method (I was getting an error: "Unknown authentication mechanism KEYCLOAK-SAML") I was able to build and deploy the app to my Wildfly 10.1 instance. Question: Was it correct to change the auth-method to KEYCLOAK? If I now access the sample app and click on "Login" (or trying to access profile.jsp) I get a "Forbidden" error. AFAICT, I set up keycloak for the sample app as described in the documentation/readme. Any ideas? --Heiko -- Sent from: http://keycloak-user.88327.x6.nabble.com/

From mposolda at redhat.com Tue Feb 20 08:12:39 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Feb 2018 14:12:39 +0100
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To:
References:
Message-ID:

Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much the same place where you turned "Full Scope Allowed" to off. I think we have also some docs around this somewhere (not 100% sure). Marek

On 20/02/18 13:07, Michael Poettgen wrote: > All, > > I've got Keycloak 3.4.3 configured to return client roles in a "role" Claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work. > > Am I doing something stupid or is there something that does not work as (I) expected? > > Thanks for your help! > > Michael > > > This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments.
Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system. Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission. > > OEConnection LLC, (888) 776-5792, www.oeconnection.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Feb 20 08:15:57 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Feb 2018 14:15:57 +0100
Subject: [keycloak-user] SAML quickstart example
In-Reply-To: <1519131714843-0.post@n6.nabble.com>
References: <1519131714843-0.post@n6.nabble.com>
Message-ID: <16946429-2310-1c89-57f0-ce062688f84f@redhat.com>

On 20/02/18 14:01, tdtappe wrote: > Doing my first steps with keycloak I successfully set up a keycloak > (3.4.3.Final) instance and explored the vanilla sample app. Now I want to > try the SAML sample app (app-profile-saml-jee-jsp). > After modifying the web.xml to use KEYCLOAK instead of KEYCLOAK-SAML as the > auth-method (I was getting an error: "Unknown authentication mechanism > KEYCLOAK-SAML") I was able to build and deploy the app to my Wildfly 10.1 > instance. > Question: Was it correct to change the auth-method to KEYCLOAK?

No, it's not correct AFAIK. Method KEYCLOAK can be used just if you installed the OpenID Connect keycloak adapter subsystem into your Wildfly and it's useful just for OpenID Connect clients. SAML clients need KEYCLOAK-SAML authentication mechanism. Why did you change that?
Is it stated in some documentation or README that SAML clients are supposed to use the KEYCLOAK method? If yes, it's not correct and we should likely fix it.

Marek

> If I now access the sample app and click on "Login" (or try to access profile.jsp) I get a "Forbidden" error.
> AFAICT, I set up keycloak for the sample app as described in the documentation/readme.
>
> Any ideas?
>
> --Heiko
>
> --
> Sent from: http://keycloak-user.88327.x6.nabble.com/


From mposolda at redhat.com Tue Feb 20 08:17:36 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 20 Feb 2018 14:17:36 +0100
Subject: [keycloak-user] Migrate from Sql Server users authentication to keycloak
In-Reply-To: <7552e56b-3a8f-378a-bda6-0f07949053c9@kyalis.com>
References: <7552e56b-3a8f-378a-bda6-0f07949053c9@kyalis.com>
Message-ID: <7b8e912f-d39f-355b-96ff-7fcd2a22ab0f@redhat.com>

I suggest using export / import. You can export the old environment into JSON files, which can then be imported into the new environment. See the Keycloak docs for export/import for more details.

Marek

On 20/02/18 10:05, Hadhemi Jebnoun wrote:
> Hello,
>
> I have to migrate my user's table in SQL SERVER to Keycloak.
>
> We migrate from a .NET application to a microservices architecture running in minikube.
>
> We use postgres to store keycloak data. I would load all my users into the keycloak database.
>
> How can I do that? Should I write an implementation of user federation? Is there an option to load data from an SQL script into the Keycloak database?
>
> Environment: minikube (kubernetes)
>
> User table using SHA512cng


From Michael.Poettgen at oeconnection.com Tue Feb 20 08:28:22 2018
From: Michael.Poettgen at oeconnection.com (Michael Poettgen)
Date: Tue, 20 Feb 2018 13:28:22 +0000
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To:
References:
Message-ID:

You said that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.

Michael

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, February 20, 2018 2:13 PM
To: Michael Poettgen; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?

Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much the same place where you turned "Full Scope Allowed" to off. I think we also have some docs around this somewhere (not 100% sure).

Marek

On 20/02/18 13:07, Michael Poettgen wrote:
> All,
>
> I've got Keycloak 3.4.3 configured to return client roles in a "role" claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
>
> Am I doing something stupid or is there something that does not work as (I) expected?
>
> Thanks for your help!
>
> Michael


From mstrukel at redhat.com Tue Feb 20 08:31:12 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 20 Feb 2018 14:31:12 +0100
Subject: [keycloak-user] Admin-Cli create user with user define userid?
In-Reply-To:
References:
Message-ID:

You cannot set the id - it is automatically generated by the storage provider. You can have different storage providers - it's a pluggable mechanism via the Storage Provider SPI.

Also, there is no 'userid' attribute on the UserRepresentation json object (http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_userrepresentation).

On Tue, Feb 20, 2018 at 7:13 AM, Subodh Joshi wrote:
> Any idea about this?
>
> On Mon, Feb 19, 2018 at 12:32 AM, Subodh Joshi wrote:
>
> > After that I tried the below command
> >
> > ./kcadm.sh create users -s username=admin123 -s id=f544f379-5dc4-49e5-8a8d-5cxb71f46f53 -s enabled=true -r master
> >
> > but the output of the above command was
> >
> > Created new user with id '839ba113-c6dd-4004-83f6-4171aa638bd6'
> >
> > Can someone please let me know what is wrong with the above command as well?
> >
> > On Mon, Feb 19, 2018 at 12:14 AM, Subodh Joshi wrote:
> >
> >> Hi
> >>
> >> I am trying to create a user with a user-defined userid but the below command is throwing a 400 error
> >>
> >> ./kcadm.sh create users -s username=admin123 -s userid=f544f379-5dc4-49e5-8a8d-5cxb71f46f53 -s type=password -s value=admin at 123 -s enabled=true -srealm=master
> >>
> >> Can someone please help me with what is wrong with the above command?
> >>
> >> --
> >> Subodh Chandra Joshi
> >> http://www.questioninmind.com
> >
> > --
> > Subodh Chandra Joshi
> > subodh1_joshi82 at yahoo.co.in
> > http://www.trendsinnews.com
>
> --
> Subodh Chandra Joshi
> subodh1_joshi82 at yahoo.co.in
> http://www.trendsinnews.com


From pinguwien at gmail.com Tue Feb 20 08:34:21 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Tue, 20 Feb 2018 14:34:21 +0100
Subject: [keycloak-user] Keycloak issue 6115 workaround
In-Reply-To:
References: <2e10f98a-142d-31be-1972-cf3730ab725d@gmail.com>
Message-ID:

So, I tried it with unsynced and it seems to work (around ;) )

Thanks for the hint!

On 19.02.18 at 15:16, Marek Posolda wrote:
> A workaround can be to edit the LDAP provider with edit mode UNSYNCED instead of READ_ONLY. That way, you can change the locale (+ some other properties), but those changes are written to the DB, not to LDAP.
>
> Also not sure if you use "import" mode or "no-import" mode. From quickly looking at the code, it seems to me that with import mode, you can change the locale and the exception won't be thrown.
>
> Marek
>
> On 19/02/18 14:05, Dominik Guhr wrote:
>> Hi everyone,
>>
>> so I made a comment here: https://issues.jboss.org/browse/KEYCLOAK-6115?_sscc=t explaining my problem, which is, in short terms, the bug issued in 6115 (localization with readonly ldap).
>> Would be very nice to get some help here for a workaround, for this stops me from changing the whole landscape to kc as authprovider.
>>
>> In short points:
>> - I don't want to build kc sources myself, for the root cause is issued and will hopefully be worked on in the near future
>> - I want to create a custom provider spi module which does exactly the same as the "built-in", but want to apply the workaround(!) - catching the readonlyexception when it's thrown.
>> - This SPI seems not to have the same structure as the custom SPIs which are described in the docs for extending the server
>>
>> Any help would be highly appreciated!
>>
>> Best regards,
>> Dominik


From mstrukel at redhat.com Tue Feb 20 08:34:35 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Tue, 20 Feb 2018 14:34:35 +0100
Subject: [keycloak-user] Curl Commands to create Realm/User/AdminUsergroup
In-Reply-To:
References:
Message-ID:

Correct, kcadm allows you to perform any kind of REST API request against the Admin REST API. There are some documented recipes on what you can do with it: http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli

On Tue, Feb 20, 2018 at 7:07 AM, Виталий Ищенко wrote:
> I think it's tricky, because with curl you have to do authentication yourself.
>
> In other aspects kcadm seems to be a 1-to-1 mapping of the REST API.
>
> Joshi, kcadm is not a GUI app, it is a shell app.
>
> Tue, 20 Feb 2018 at 5:08, Anton:
> >
> > > Rather than curl which would be quite tricky,
> >
> > Why is it tricky?
> >
> > This is a concern if such simple tasks cannot be performed easily using the rest api.
> >
> > On 9 February 2018 at 00:46, Hynek Mlnarik wrote:
> >
> > > Rather than curl which would be quite tricky, have you looked at kcadm [1]?
> > >
> > > [1] http://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli
> > >
> > > On Thu, Feb 8, 2018 at 11:44 AM, Subodh Joshi <subodhcjoshi82 at gmail.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Rather than using the UI of keycloak, some basic things I will want to create dynamically, so I am thinking of creating a shell script file for a linux server which will be able to do the following
> > > >
> > > > 1. Create realm
> > > > 2. Create admin user group
> > > > 3. Create Admin Role
> > > >
> > > > How to automate these features through CURL? Can someone please guide me?
> > > >
> > > > --
> > > > Subodh Chandra Joshi
> > > > subodh1_joshi82 at yahoo.co.in
> > > > http://www.trendsinnews.com
> > >
> > > --
> > > --Hynek


From tappe at transdata.net Tue Feb 20 09:09:12 2018
From: tappe at transdata.net (Tappe, Heiko)
Date: Tue, 20 Feb 2018 14:09:12 +0000
Subject: [keycloak-user] Re-2: SAML quickstart example
In-Reply-To: <16946429-2310-1c89-57f0-ce062688f84f@redhat.com>
References: <1519131714843-0.post@n6.nabble.com> <16946429-2310-1c89-57f0-ce062688f84f@redhat.com>
Message-ID: <0004182D.5A8C3A14@mail.transdata.net>

> No, it's not correct AFAIK. Method KEYCLOAK can be used only if you installed the OpenID Connect keycloak adapter subsystem into your Wildfly, and it's useful only for OpenID Connect clients. SAML clients need the KEYCLOAK-SAML authentication mechanism.
>
> Why did you change that? Is it stated in some documentation or README that SAML clients are supposed to use the KEYCLOAK method? If yes, it's not correct and we should likely fix it.

No. I changed it because of the error I mentioned, and I wanted to give it a try after some research on the internet where I found some stuff with "KEYCLOAK" instead of "KEYCLOAK-SAML".

But by mentioning my mistake with KEYCLOAK / KEYCLOAK-SAML you helped me to get on the right track. I started from scratch and now it works as expected. I think something went wrong when I tried to install the Wildfly SAML adapter.

Thanks a lot for your help!

--Heiko

Original Message processed by david
Re: [keycloak-user] SAML quickstart example
20 February 2018, 14:15
From: Marek Posolda
To (2): tdtappe|keycloak-user at lists.jboss.org

On 20/02/18 14:01, tdtappe wrote:
> Doing my first steps with keycloak I successfully set up a keycloak (3.4.3.Final) instance and explored the vanilla sample app. Now I want to try the SAML sample app (app-profile-saml-jee-jsp).
> After modifying the web.xml to use KEYCLOAK instead of KEYCLOAK-SAML as the auth-method (I was getting an error: "Unknown authentication mechanism KEYCLOAK-SAML") I was able to build and deploy the app to my Wildfly 10.1 instance.
> Question: Was it correct to change the auth-method to KEYCLOAK?

No, it's not correct AFAIK. Method KEYCLOAK can be used only if you installed the OpenID Connect keycloak adapter subsystem into your Wildfly, and it's useful only for OpenID Connect clients. SAML clients need the KEYCLOAK-SAML authentication mechanism.

Why did you change that? Is it stated in some documentation or README that SAML clients are supposed to use the KEYCLOAK method?
If yes, it's not correct and we should likely fix it.

Marek

> If I now access the sample app and click on "Login" (or try to access profile.jsp) I get a "Forbidden" error.
> AFAICT, I set up keycloak for the sample app as described in the documentation/readme.
>
> Any ideas?
>
> --Heiko
>
> --
> Sent from: http://keycloak-user.88327.x6.nabble.com/

To: keycloak-user at lists.jboss.org
mposolda at redhat.com


From subodhcjoshi82 at gmail.com Tue Feb 20 09:19:29 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Tue, 20 Feb 2018 19:49:29 +0530
Subject: [keycloak-user] Admin-Cli create user with user define userid?
In-Reply-To:
References:
Message-ID:

Thanks for your reply. Anyhow, I am using

USER_ID=`/opt/keycloak/bin/kcadm.sh create users -s username=admin -s enabled=true -s realm=myrealm`

On 20 Feb 2018 7:01 pm, "Marko Strukelj" wrote:
> You cannot set the id - it is automatically generated by the storage provider. You can have different storage providers - it's a pluggable mechanism via the Storage Provider SPI.
>
> Also, there is no 'userid' attribute on the UserRepresentation json object (http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_userrepresentation).
>
> On Tue, Feb 20, 2018 at 7:13 AM, Subodh Joshi wrote:
>
>> Any idea about this?
>>
>> On Mon, Feb 19, 2018 at 12:32 AM, Subodh Joshi wrote:
>>
>> > After that I tried the below command
>> >
>> > ./kcadm.sh create users -s username=admin123 -s id=f544f379-5dc4-49e5-8a8d-5cxb71f46f53 -s enabled=true -r master
>> >
>> > but the output of the above command was
>> >
>> > Created new user with id '839ba113-c6dd-4004-83f6-4171aa638bd6'
>> >
>> > Can someone please let me know what is wrong with the above command as well?
>> >
>> > On Mon, Feb 19, 2018 at 12:14 AM, Subodh Joshi <subodhcjoshi82 at gmail.com> wrote:
>> >
>> >> Hi
>> >>
>> >> I am trying to create a user with a user-defined userid but the below command is throwing a 400 error
>> >>
>> >> ./kcadm.sh create users -s username=admin123 -s userid=f544f379-5dc4-49e5-8a8d-5cxb71f46f53 -s type=password -s value=admin at 123 -s enabled=true -srealm=master
>> >>
>> >> Can someone please help me with what is wrong with the above command?
>> >>
>> >> --
>> >> Subodh Chandra Joshi
>> >> http://www.questioninmind.com
>> >
>> > --
>> > Subodh Chandra Joshi
>> > subodh1_joshi82 at yahoo.co.in
>> > http://www.trendsinnews.com
>>
>> --
>> Subodh Chandra Joshi
>> subodh1_joshi82 at yahoo.co.in
>> http://www.trendsinnews.com


From moritz.becker at gmx.at Tue Feb 20 09:38:21 2018
From: moritz.becker at gmx.at (moritz.becker at gmx.at)
Date: Tue, 20 Feb 2018 15:38:21 +0100
Subject: [keycloak-user] Keycloak AJAX authentication flow
Message-ID: <065401d3aa58$755bc9b0$60135d10$@gmx.at>

Hi,

I am trying to implement a Keycloak registration theme using the Aurelia JS Framework.

The problem is that there is currently no possibility to submit the registration form via AJAX and get back a reduced response that just contains validation errors etc. instead of reloading the whole page. Page reload is problematic in this scenario since it causes a reload of the Aurelia-App, which takes too long.

As far as I can see, I would need to customize the org.keycloak.authentication.FormAuthenticationFlow, but there is no SPI to do so at the moment.

Do you have any recommendations for me?

Thanks,
Moritz


From viliam.rockai at gmail.com Tue Feb 20 11:27:46 2018
From: viliam.rockai at gmail.com (Viliam Rockai)
Date: Tue, 20 Feb 2018 17:27:46 +0100
Subject: [keycloak-user] E-mail verification required action issues
Message-ID:

Hey all,

I got a couple of problems with the e-mail verification required action.

1. If it's turned on in the realm settings ("login tab") and I change the account e-mail (in "manage account"), I can't get back to the app.
2. While the (?) tooltip text in the realm settings clearly says "Require the user to verify their email address the first time they login.", the feature includes verification with each e-mail change (not only the first login). If that's expected behavior, it would be nice to have it more clear in the (?) tooltip text.

For 1., the steps to reproduce are:

1. Download the latest KC, unzip it, start it.
2. Configure the logged-in user's (admin) e-mail (in "manage account") and the Email realm settings. Make sure e-mail sending works.
3. Go to "manage account" and change your email.
4. Click "Back to Security Admin Console".
5. You should see the "EMAIL VERIFICATION" page.
6. Click on the verification link in the e-mail.
7. You should see the "YOU ARE ALREADY LOGGED IN" page; click on the "« Back to Application" link. This brings you back to step 5. instead of the admin console.

And this is the error itself: you will find yourself in an endless loop defined by steps 5 - 7.

I can create a JIRA for that, just wanted to make sure this is a bug, not a feature.

Thanks!
Viliam


From betalb at gmail.com Tue Feb 20 12:40:41 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Tue, 20 Feb 2018 17:40:41 +0000
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To:
References:
Message-ID:

This is mentioned in the docs: http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope

If full scope is disabled, the access token issued to a specific client will have the intersection of the user's own roles with the client scope defined in the scope section of the client configuration.

Tue, 20 Feb 2018 at 16:34, Michael Poettgen <Michael.Poettgen at oeconnection.com>:
> You said that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.
>
> Michael
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, February 20, 2018 2:13 PM
> To: Michael Poettgen; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much the same place where you turned "Full Scope Allowed" to off. I think we also have some docs around this somewhere (not 100% sure).
>
> Marek
>
> On 20/02/18 13:07, Michael Poettgen wrote:
> > All,
> >
> > I've got Keycloak 3.4.3 configured to return client roles in a "role" claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
> >
> > Am I doing something stupid or is there something that does not work as (I) expected?
> >
> > Thanks for your help!
> >
> > Michael


From Michael.Poettgen at oeconnection.com Tue Feb 20 13:39:40 2018
From: Michael.Poettgen at oeconnection.com (Michael Poettgen)
Date: Tue, 20 Feb 2018 18:39:40 +0000
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To:
References:
Message-ID:

Betalb,

That's what I thought as well, but if I turn off "Full Scope Allowed" and look at the "Client Roles" of my client then all client roles appear under "Effective Roles". I cannot assign or un-assign any of these roles. So my assumption was that, since these are all roles of my client anyway, they would always be available (at least for my client). Also the user does have the proper roles (I get them with "Full Scope Allowed" enabled), but nevertheless I don't get any.

Thanks,
Michael

From: Виталий Ищенко [mailto:betalb at gmail.com]
Sent: Tuesday, February 20, 2018 6:41 PM
To: Michael Poettgen
Cc: Marek Posolda; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?

This is mentioned in the docs: http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope

If full scope is disabled, the access token issued to a specific client will have the intersection of the user's own roles with the client scope defined in the scope section of the client configuration.

Tue, 20 Feb 2018 at 16:34, Michael Poettgen:

You said that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.

Michael

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, February 20, 2018 2:13 PM
To: Michael Poettgen; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?

Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much the same place where you turned "Full Scope Allowed" to off. I think we also have some docs around this somewhere (not 100% sure).

Marek

On 20/02/18 13:07, Michael Poettgen wrote:
> All,
>
> I've got Keycloak 3.4.3 configured to return client roles in a "role" claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
>
> Am I doing something stupid or is there something that does not work as (I) expected?
>
> Thanks for your help!
>
> Michael


From betalb at gmail.com Tue Feb 20 14:51:25 2018
From: betalb at gmail.com (Виталий Ищенко)
Date: Tue, 20 Feb 2018 19:51:25 +0000
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To:
References:
Message-ID:

I was able to reproduce this issue. It only happens for a claim produced by the mapper. But I can see the correct list of roles in a different claim: resource_access[clientId].roles.

It seems like a bug, you can raise it with the team. As a workaround, you can use the existing claim.

On Tue, Feb 20, 2018 at 9:39 PM Michael Poettgen <Michael.Poettgen at oeconnection.com> wrote:
> Betalb,
>
> That's what I thought as well, but if I turn off "Full Scope Allowed" and look at the "Client Roles" of my client then all client roles appear under "Effective Roles".
> I cannot assign or un-assign any of these roles. So my assumption was that, since these are all roles of my client anyway, they would always be available (at least for my client). Also the user does have the proper roles (I get them with "Full Scope Allowed" enabled), but nevertheless I don't get any.
>
> Thanks,
> Michael
>
> From: Виталий Ищенко [mailto:betalb at gmail.com]
> Sent: Tuesday, February 20, 2018 6:41 PM
> To: Michael Poettgen
> Cc: Marek Posolda; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> This is mentioned in the docs: http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope
>
> If full scope is disabled, the access token issued to a specific client will have the intersection of the user's own roles with the client scope defined in the scope section of the client configuration.
>
> Tue, 20 Feb 2018 at 16:34, Michael Poettgen <Michael.Poettgen at oeconnection.com>:
>
> You said that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.
>
> Michael
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, February 20, 2018 2:13 PM
> To: Michael Poettgen; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much the same place where you turned "Full Scope Allowed" to off. I think we also have some docs around this somewhere (not 100% sure).
>
> Marek
>
> On 20/02/18 13:07, Michael Poettgen wrote:
> > All,
> >
> > I've got Keycloak 3.4.3 configured to return client roles in a "role" claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
> >
> > Am I doing something stupid or is there something that does not work as (I) expected?
> >
> > Thanks for your help!
> >
> > Michael


From ba.andrzejczak at gmail.com Tue Feb 20 15:43:17 2018
From: ba.andrzejczak at gmail.com (Bartosz Andrzejczak)
Date: Tue, 20 Feb 2018 21:43:17 +0100
Subject: [keycloak-user] Keycloak AJAX authentication flow
In-Reply-To: <065401d3aa58$755bc9b0$60135d10$@gmx.at>
References: <065401d3aa58$755bc9b0$60135d10$@gmx.at>
Message-ID:

Hi Moritz,

The usual path with an SPA would be to just redirect the user to the Keycloak authentication page, which, if the user's logged in, would just redirect them back with the authentication code in the query parameter, and if not - would require the user to log in. I've described that for Angular here: https://medium.com/andrzejczak/sso-for-your-single-page-application-part-1-2-angularjs-1d79edb7d9c8

But if your app load time is quite long there might be something else you can do. There's a token endpoint that would return you a JSON containing an authentication token and a refresh token, both with expiration times. All you need to provide is login and password (and additionally grant_type (`password`) and your client_id). So if you decide to implement the authentication form on your side you could just use that to get a token for a user and treat this user as logged into the application. You're losing the SSO capabilities of Keycloak, but it might still be enough for you. You can see an example of this token request in step 1 of this blogpost: https://blog.softwaremill.com/who-am-i-keycloak-impersonation-api-bfe7acaf051a . Be sure to enable Direct Flow in the Keycloak Client, though.
Cheers,
Bartek

> On 20 Feb 2018, at 3:38 PM, wrote:
>
> Hi,
>
> I am trying to implement a Keycloak registration theme using the Aurelia JS Framework.
>
> The problem is that there is currently no possibility to submit the registration form via AJAX and get back a reduced response that just contains validation errors etc. instead of reloading the whole page. Page reload is problematic in this scenario since it causes a reload of the Aurelia-App which takes too long.
>
> As far as I can see, I would need to customize the org.keycloak.authentication.FormAuthenticationFlow but there is no SPI to do so at the moment.
>
> Do you have any recommendations for me?
>
> Thanks,
> Moritz
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From myoder at cloudera.com Tue Feb 20 18:58:27 2018
From: myoder at cloudera.com (Michael Yoder)
Date: Tue, 20 Feb 2018 15:58:27 -0800
Subject: [keycloak-user] How to create a realm using the admin client
Message-ID:

I've got the json from a realm export. Now I'd like to re-create that realm using the keycloak-admin-client library. Is there any sample code out there? Hints?

I've found http://www.keycloak.org/docs/3.4/server_development/#admin-rest-api and http://www.keycloak.org/docs-api/3.4/javadocs/ and even https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RealmResource.java

I feel like I've got parts of it, but I don't know how to put the pieces together. Any help would be appreciated.

Thanks,
-Mike Yoder

From philenz at gmail.com Tue Feb 20 21:42:59 2018
From: philenz at gmail.com (Phil Evans)
Date: Wed, 21 Feb 2018 02:42:59 +0000
Subject: [keycloak-user] Unable to log in to admin console Keycloak 3.4.1
Message-ID:

Hi all,

I've recently upgraded the version of Keycloak we're running from 2.5.5 to 3.4.1.
In a single instance environment everything works fine.

In a clustered environment, when I try logging in to the admin console, I'm logged out again as soon as I've logged in. It seems like I'm logging in to one cluster instance successfully, but then I'm sent to a page on another instance and my session information hasn't been shared with that instance so it kicks me out. This worked fine with 2.5.5.

I've attached the standalone-ha.xml I'm using.

Kind regards,
Phil Evans

-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone-ha.xml
Type: text/xml
Size: 36156 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180221/0be7aec7/attachment-0001.xml

From upananda313 at gmail.com Wed Feb 21 01:52:18 2018
From: upananda313 at gmail.com (Upananda Singha)
Date: Wed, 21 Feb 2018 12:22:18 +0530
Subject: [keycloak-user] Fine tuning KC for performance
Message-ID:

Hi All,

I am trying to test a KC cluster (with 2 KC nodes) using standalone-ha mode. I have configured a shared database of PostgreSQL (2ndQuadrant with BDR - having 2 database nodes, with the KC nodes pointing to a single node).

Each of the KC nodes is configured with JAVA_OPTS="-Xms256m -Xmx1024m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true" and the default connection pool size set to 40 each.

But when I run traffic I don't see combined throughput going beyond 80/90 per sec when traffic hits both the KC nodes in a round robin fashion. Can anybody give some idea what kind of tuning I can try to increase the throughput? With 2 nodes of KC we are looking for throughput of at least 200-300.

Thanks & Regds,
Upananda

From mposolda at redhat.com Wed Feb 21 02:35:28 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 21 Feb 2018 08:35:28 +0100
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To:
References:
Message-ID: <422608bd-c0cf-ea9b-38f0-c600f160dcbb@redhat.com>

Please create a JIRA if you think that it's a bug. Please add the detailed steps to reproduce. TBH from this email, I don't know what exactly is broken, or if it's just misconfiguration.

BTW. A client always automatically has scope to its own roles. And it's not possible to remove them from the scope. It's just possible to add/remove scopes for realm roles or client roles of different clients. So the behaviour described by Michael is expected.

Marek

On 20/02/18 20:51, Виталий Ищенко wrote:
> I was able to reproduce this issue
>
> It only happens for a claim, produced by the mapper.
> But I can see correct list of roles in a different claim: resource_access[clientId].roles.
>
> It seems like a bug, you can raise it with the team.
> As a workaround, you can use existing claim
>
> On Tue, Feb 20, 2018 at 9:39 PM Michael Poettgen wrote:
>
> Betalb,
>
> That's what I thought as well, but if I turn off "Full Scope Allowed" and look at the "Client Roles" of my client then all client roles appear under "Effective Roles". I cannot assign or un-assign any of these roles. So my assumption was that, since these are all roles of my client anyways, that they would always be available (at least for my client). Also the user does have the proper roles (I get them with "Full Scope Allowed" enabled), but nevertheless I don't get any.
>
> Thanks,
>
> Michael
>
> *From:* Виталий Ищенко [mailto:betalb at gmail.com]
> *Sent:* Tuesday, February 20, 2018 6:41 PM
> *To:* Michael Poettgen
> *Cc:* Marek Posolda; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> This is mentioned in docs:
> http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope
>
> If full scope is disabled: access token, issued to specific client will have intersection of user own roles with client scope, defined in scope section of client configuration
>
> Tue, 20 Feb 2018 at 16:34, Michael Poettgen:
>
> You said, that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.
>
> Michael
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, February 20, 2018 2:13 PM
> To: Michael Poettgen; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much same place where you turned "Full Scope Allowed" to off. I think we have also some docs around this somewhere (not 100% sure).
>
> Marek
>
> On 20/02/18 13:07, Michael Poettgen wrote:
> > All,
> >
> > I've got Keycloak 3.4.3 configured to return client roles in a "role" Claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
> >
> > Am I doing something stupid or is there something that does not work as (I) expected?
> >
> > Thanks for your help!
> >
> > Michael
> >
> >
> > This message may contain confidential information.
> > If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system. Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission.
> >
> > OEConnection LLC, (888) 776-5792, www.oeconnection.com
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From moritz.becker at gmx.at Wed Feb 21 02:53:50 2018
From: moritz.becker at gmx.at (moritz.becker at gmx.at)
Date: Wed, 21 Feb 2018 08:53:50 +0100
Subject: [keycloak-user] Keycloak AJAX authentication flow
In-Reply-To:
References: <065401d3aa58$755bc9b0$60135d10$@gmx.at>
Message-ID: <06a601d3aae9$1cad07c0$56071740$@gmx.at>

Hi Bartek,

thank you for your answer.

The login using the Keycloak redirect you described is not the problem - this actually works fine already.

I am talking about the user registration form that uses a custom Keycloak theme. I need some more advanced UI elements in the registration theme and thus I am trying to use Aurelia in the theme. However, when the user clicks the "Register"
button and the registration form contains validation errors, Keycloak responds with reloading the whole page (which now has the validation error messages baked in). In my case, this causes an unwanted reload of the SPA that takes too long. So what I want to do is to submit the registration form via AJAX and just receive a JSON response containing the validation errors which I can then render on the client without reloading the whole app.

From: Bartosz Andrzejczak [mailto:ba.andrzejczak at gmail.com]
Sent: Tuesday, 20 February 2018 21:43
To: moritz.becker at gmx.at
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak AJAX authentication flow

Hi Moritz,

The usual path with SPA would be to just redirect user to the Keycloak authentication page, that if user's logged in would just redirect them back with authentication code in the query parameter, and if not - would require user to log in. I've described that for Angular here: https://medium.com/andrzejczak/sso-for-your-single-page-application-part-1-2-angularjs-1d79edb7d9c8

But if your app load time is quite long there might be something else you can do. There's a token endpoint that would return you a JSON containing authentication token and refresh token, both with expiration times. All you need to provide is login and password (and additionally grant_type (`password`) and your client_id). So if you decide to implement authentication form on your side you could just use that to get a token for a user and treat this user as logged into the application. You're losing the SSO capabilities of Keycloak, but it might still be enough for you. You can see example of this token request in step 1 of this blogpost https://blog.softwaremill.com/who-am-i-keycloak-impersonation-api-bfe7acaf051a. Be sure to enable Direct Flow in the Keycloak Client, though.

Cheers,
Bartek

On 20 Feb 2018, at 3:38 PM, wrote:

Hi,

I am trying to implement a Keycloak registration theme using the Aurelia JS Framework.
The problem is that there is currently no possibility to submit the registration form via AJAX and get back a reduced response that just contains validation errors etc. instead of reloading the whole page. Page reload is problematic in this scenario since it causes a reload of the Aurelia-App which takes too long.

As far as I can see, I would need to customize the org.keycloak.authentication.FormAuthenticationFlow but there is no SPI to do so at the moment.

Do you have any recommendations for me?

Thanks,
Moritz

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From postmaster at lists.jboss.org Wed Feb 21 06:50:21 2018
From: postmaster at lists.jboss.org (Automatic Email Delivery Software)
Date: Wed, 21 Feb 2018 17:20:21 +0530
Subject: [keycloak-user] Mail System Error - Returned Mail
Message-ID: <201802211150.w1LBoRf4012059@lists01.dmz-a.mwc.hst.phx2.redhat.com>

This message was not delivered due to the following reason(s):

Your message could not be delivered because the destination computer was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message was not delivered within 7 days:
Mail server 39.68.177.219 is not responding.

The following recipients could not receive this message:

Please reply to postmaster at lists.jboss.org if you feel this message to be in error.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: transcript.zip
Type: application/octet-stream
Size: 29358 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180221/06bdd364/attachment-0001.obj

From subodhcjoshi82 at gmail.com Wed Feb 21 07:07:34 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Wed, 21 Feb 2018 17:37:34 +0530
Subject: [keycloak-user] Group Id not available in storage provider
Message-ID:

[root@server tmp]# GROUP_ID=`/opt/keycloak/bin/kcadm.sh create groups -r master -s name=Admin_UserGroup`

But when I am checking

echo $GROUP_ID

Nothing displaying

What is wrong with the approach?

While when I tried

USER_ID=`/opt/keycloak/bin/kcadm.sh create users -s username=admin -s enabled=true -s realm=myrealm`

and then

echo $USER_ID

It is displaying generated userid.

--
Subodh Chandra Joshi
http://www.questioninmind.com

From psilva at redhat.com Wed Feb 21 07:14:58 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 21 Feb 2018 09:14:58 -0300
Subject: [keycloak-user] Fine grain admin permissions are not exposed through admin-client
In-Reply-To:
References:
Message-ID:

I don't think so, can you create an issue so we can check this out?

Thanks.

On Mon, Feb 19, 2018 at 10:21 AM, Виталий Ищенко wrote:
> Hi
>
> Is it intentional that admin-client doesn't have interfaces to control fine grain permissions?
>
> i.e.
> /auth/admin/realms/{realm}/roles/{role-name}/management/permissions
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From betalb at gmail.com Wed Feb 21 10:32:18 2018
From: betalb at gmail.com (=?UTF-8?B?0JLQuNGC0LDQu9C40Lkg0JjRidC10L3QutC+?=)
Date: Wed, 21 Feb 2018 15:32:18 +0000
Subject: [keycloak-user] Fine grain admin permissions are not exposed through admin-client
In-Reply-To:
References:
Message-ID:

Thank you, created ticket https://issues.jboss.org/browse/KEYCLOAK-6658 some time ago

On Wed, Feb 21, 2018 at 3:14 PM Pedro Igor Silva wrote:
> I don't think so, can you create an issue so we can check this out ?
>
> Thanks.
>
> On Mon, Feb 19, 2018 at 10:21 AM, Виталий Ищенко wrote:
>
>> Hi
>>
>> Is it intentional that admin-client doesn't have interfaces to control fine grain permissions?
>>
>> i.e. /auth/admin/realms/{realm}/roles/{role-name}/management/permissions
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From betalb at gmail.com Wed Feb 21 12:02:44 2018
From: betalb at gmail.com (=?UTF-8?B?0JLQuNGC0LDQu9C40Lkg0JjRidC10L3QutC+?=)
Date: Wed, 21 Feb 2018 17:02:44 +0000
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To: <422608bd-c0cf-ea9b-38f0-c600f160dcbb@redhat.com>
References: <422608bd-c0cf-ea9b-38f0-c600f160dcbb@redhat.com>
Message-ID:

Hi Marek

The behaviour for automatically adding client own roles to scope seems fine, the issue is with client mappers (or lack of documentation, hence misunderstanding), their logic is not clear when full scope is not enabled. Also at the bottom, I've mentioned two other quirks that can be observed even with full scope enabled.
Suppose we have the following setup

== Clients ==

client-with-roles
  Roles:
    * role
    * role-composite-child

test-client
  Roles:
    * role
    * role-composite-child
  Mappers:
    #1 type: User Client Type, client id: client-with-roles, claim: rolesOtherClient
    #2 type: User Client Type, client id: test-client, claim: rolesCurrentClient
    #3 type: User Realm Role, claim: rolesRealm

== REALM Roles ==
* ROLE
* ROLE_COMPOSITE_CHILD
* ROLE_COMPOSITE (contains ROLE_COMPOSITE_CHILD, client-with-roles/role-composite-child, test-client/role-composite-child)

== Users ==
name: "a"
mapped roles
* ROLE
* ROLE_COMPOSITE
* test-client/role
* client-with-roles/role

Now if I issue a token using test-client and user "a" credentials (direct grant), the token will have the following claims (they have the same set of roles as the realm_access and resource_access claims)

"rolesRealm": [
  "ROLE",
  "ROLE_COMPOSITE",
  "ROLE_COMPOSITE_CHILD"
],
"rolesOtherClient": [
  "role-composite-child",
  "role"
],
"rolesCurrentClient": [
  "role-composite-child",
  "role"
]

But if I disable full scope and add all user "a" roles to scope, the token will look like this (realm_access and resource_access haven't changed)

"rolesRealm": [
  "ROLE",
  "ROLE_COMPOSITE"
],
"rolesOtherClient": [
  "role"
]

rolesCurrentClient claim is absent

Also found a few other strange behaviours with mappers
* realm-management roles are not mapped at all
* scoped roles are included into claims produced by mappers, even if the scope parameter was not provided during the token request (this one may be useful to get the potential list of roles)

On Wed, Feb 21, 2018 at 10:35 AM Marek Posolda wrote:
> Please create a JIRA if you think that it's a bug. Please add the detailed steps to reproduce. TBH from this email, I don't know what exactly is broken, or if it's just misconfiguration.
>
> BTW. A client always automatically has scope to its own roles. And it's not possible to remove them from the scope. It's just possible to add/remove scopes for realm roles or client roles of different clients.
> So the behaviour described by Michael is expected.
>
> Marek
>
> On 20/02/18 20:51, Виталий Ищенко wrote:
>
> I was able to reproduce this issue
>
> It only happens for a claim, produced by the mapper.
> But I can see correct list of roles in a different claim: resource_access[clientId].roles.
>
> It seems like a bug, you can raise it with the team.
> As a workaround, you can use existing claim
>
> On Tue, Feb 20, 2018 at 9:39 PM Michael Poettgen <Michael.Poettgen at oeconnection.com> wrote:
>
>> Betalb,
>>
>> That's what I thought as well, but if I turn off "Full Scope Allowed" and look at the "Client Roles" of my client then all client roles appear under "Effective Roles". I cannot assign or un-assign any of these roles. So my assumption was that, since these are all roles of my client anyways, that they would always be available (at least for my client). Also the user does have the proper roles (I get them with "Full Scope Allowed" enabled), but nevertheless I don't get any.
>>
>> Thanks,
>>
>> Michael
>>
>> *From:* Виталий Ищенко [mailto:betalb at gmail.com]
>> *Sent:* Tuesday, February 20, 2018 6:41 PM
>> *To:* Michael Poettgen
>> *Cc:* Marek Posolda; keycloak-user at lists.jboss.org
>> *Subject:* Re: [keycloak-user] Roles without "Full Scope Allowed"?
>>
>> This is mentioned in docs:
>> http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope
>>
>> If full scope is disabled: access token, issued to specific client will have intersection of user own roles with client scope, defined in scope section of client configuration
>>
>> Tue, 20 Feb 2018 at
>> 16:34, Michael Poettgen <Michael.Poettgen at oeconnection.com>:
>>
>> You said, that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.
>>
>> Michael
>>
>> From: Marek Posolda [mailto:mposolda at redhat.com]
>> Sent: Tuesday, February 20, 2018 2:13 PM
>> To: Michael Poettgen; keycloak-user at lists.jboss.org
>> Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
>>
>> Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much same place where you turned "Full Scope Allowed" to off. I think we have also some docs around this somewhere (not 100% sure).
>>
>> Marek
>>
>> On 20/02/18 13:07, Michael Poettgen wrote:
>> > All,
>> >
>> > I've got Keycloak 3.4.3 configured to return client roles in a "role" Claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
>> >
>> > Am I doing something stupid or is there something that does not work as (I) expected?
>> >
>> > Thanks for your help!
>> >
>> > Michael
>> >
>> >
>> > This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system.
>> > Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission.
>> >
>> > OEConnection LLC, (888) 776-5792, www.oeconnection.com
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Michael.Poettgen at oeconnection.com Wed Feb 21 13:44:53 2018
From: Michael.Poettgen at oeconnection.com (Michael Poettgen)
Date: Wed, 21 Feb 2018 18:44:53 +0000
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To:
References: <422608bd-c0cf-ea9b-38f0-c600f160dcbb@redhat.com>
Message-ID:

This describes pretty well what I'm getting as well. The only thing I don't see is the realm_access and resource_access claims. Are they only enabled when activating Authorization?

Regards,

Michael

From: Виталий Ищенко [mailto:betalb at gmail.com]
Sent: Wednesday, February 21, 2018 6:03 PM
To: Marek Posolda
Cc: Michael Poettgen; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?

Hi Marek

The behaviour for automatically adding client own roles to scope seems fine, the issue is with client mappers (or lack of documentation, hence misunderstanding), their logic is not clear when full scope is not enabled. Also at the bottom, I've mentioned two other quirks that can be observed even with full scope enabled.
Suppose we have the following setup

== Clients ==

client-with-roles
  Roles:
    * role
    * role-composite-child

test-client
  Roles:
    * role
    * role-composite-child
  Mappers:
    #1 type: User Client Type, client id: client-with-roles, claim: rolesOtherClient
    #2 type: User Client Type, client id: test-client, claim: rolesCurrentClient
    #3 type: User Realm Role, claim: rolesRealm

== REALM Roles ==
* ROLE
* ROLE_COMPOSITE_CHILD
* ROLE_COMPOSITE (contains ROLE_COMPOSITE_CHILD, client-with-roles/role-composite-child, test-client/role-composite-child)

== Users ==
name: "a"
mapped roles
* ROLE
* ROLE_COMPOSITE
* test-client/role
* client-with-roles/role

Now if I issue a token using test-client and user "a" credentials (direct grant), the token will have the following claims (they have the same set of roles as the realm_access and resource_access claims)

"rolesRealm": [
  "ROLE",
  "ROLE_COMPOSITE",
  "ROLE_COMPOSITE_CHILD"
],
"rolesOtherClient": [
  "role-composite-child",
  "role"
],
"rolesCurrentClient": [
  "role-composite-child",
  "role"
]

But if I disable full scope and add all user "a" roles to scope, the token will look like this (realm_access and resource_access haven't changed)

"rolesRealm": [
  "ROLE",
  "ROLE_COMPOSITE"
],
"rolesOtherClient": [
  "role"
]

rolesCurrentClient claim is absent

Also found a few other strange behaviours with mappers
* realm-management roles are not mapped at all
* scoped roles are included into claims produced by mappers, even if the scope parameter was not provided during the token request (this one may be useful to get the potential list of roles)

On Wed, Feb 21, 2018 at 10:35 AM Marek Posolda wrote:

Please create a JIRA if you think that it's a bug. Please add the detailed steps to reproduce. TBH from this email, I don't know what exactly is broken, or if it's just misconfiguration.

BTW. A client always automatically has scope to its own roles. And it's not possible to remove them from the scope. It's just possible to add/remove scopes for realm roles or client roles of different clients.
So the behaviour described by Michael is expected.

Marek

On 20/02/18 20:51, Виталий Ищенко wrote:

I was able to reproduce this issue

It only happens for a claim, produced by the mapper.
But I can see correct list of roles in a different claim: resource_access[clientId].roles.

It seems like a bug, you can raise it with the team.
As a workaround, you can use existing claim

On Tue, Feb 20, 2018 at 9:39 PM Michael Poettgen wrote:

Betalb,

That's what I thought as well, but if I turn off "Full Scope Allowed" and look at the "Client Roles" of my client then all client roles appear under "Effective Roles". I cannot assign or un-assign any of these roles. So my assumption was that, since these are all roles of my client anyways, that they would always be available (at least for my client). Also the user does have the proper roles (I get them with "Full Scope Allowed" enabled), but nevertheless I don't get any.

Thanks,

Michael

From: Виталий Ищенко [mailto:betalb at gmail.com]
Sent: Tuesday, February 20, 2018 6:41 PM
To: Michael Poettgen
Cc: Marek Posolda; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?

This is mentioned in docs:
http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope

If full scope is disabled: access token, issued to specific client will have intersection of user own roles with client scope, defined in scope section of client configuration

Tue, 20 Feb 2018 at 16:34, Michael Poettgen:

You said, that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.

Michael

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, February 20, 2018 2:13 PM
To: Michael Poettgen; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much same place where you turned "Full Scope Allowed" to off. I think we have also some docs around this somewhere (not 100% sure).

Marek

On 20/02/18 13:07, Michael Poettgen wrote:
> All,
>
> I've got Keycloak 3.4.3 configured to return client roles in a "role" Claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
>
> Am I doing something stupid or is there something that does not work as (I) expected?
>
> Thanks for your help!
>
> Michael
>
>
> This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system. Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission.
>
> OEConnection LLC, (888) 776-5792, www.oeconnection.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ba.andrzejczak at gmail.com Wed Feb 21 14:42:35 2018
From: ba.andrzejczak at gmail.com (Bartosz Andrzejczak)
Date: Wed, 21 Feb 2018 20:42:35 +0100
Subject: [keycloak-user] Keycloak AJAX authentication flow
In-Reply-To: <06a601d3aae9$1cad07c0$56071740$@gmx.at>
References: <065401d3aa58$755bc9b0$60135d10$@gmx.at> <06a601d3aae9$1cad07c0$56071740$@gmx.at>
Message-ID: <9787121E-54E8-4403-BFE3-11477BFE1538@gmail.com>

Hi Moritz,

Thanks for clarification. I don't know why I thought you meant just the log in process.

If you're creating this registration as a part of keycloak (an SPI), I'm afraid I can't help you. I don't really know if that can be done like that.

On the other hand if you want to implement a registration form as a part of your application, I'd simply send a registration request to your backend, where you would use admin offline token or login and password to get admin's token, and then create a user using this API - http://www.keycloak.org/docs-api/2.5/rest-api/index.html#_create_a_new_user .

Why wouldn't I do it from the front end using AJAX? For starters you would need to store admin user offline token or credentials in a way accessible to all visitors of your registration page. Doing that in your backend application you can conceal this information and make it safe, validate the data etc.

Cheers,
Bartek

> On 21 Feb 2018, at 8:53 AM, moritz.becker at gmx.at wrote:
>
> Hi Bartek,
>
> thank you for your answer.
>
> The login using the Keycloak redirect you described is not the problem - this actually works fine already.
>
> I am talking about the user registration form that uses a custom Keycloak theme. I need some more advanced UI elements in the registration theme and thus I am trying to use Aurelia in the theme. However, when the user clicks the "Register" button and the registration form contains validation errors, Keycloak responds with reloading the whole page (which now has the validation error messages baked in). In my case, this causes an unwanted reload of the SPA that takes too long. So what I want to do is to submit the registration form via AJAX and just receive a JSON response containing the validation errors which I can then render on the client without reloading the whole app.
>
> From: Bartosz Andrzejczak [mailto:ba.andrzejczak at gmail.com]
> Sent: Tuesday, 20 February 2018 21:43
> To: moritz.becker at gmx.at
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Keycloak AJAX authentication flow
>
> Hi Moritz,
>
> The usual path with SPA would be to just redirect user to the Keycloak authentication page, that if user's logged in would just redirect them back with authentication code in the query parameter, and if not - would require user to log in. I've described that for Angular here: https://medium.com/andrzejczak/sso-for-your-single-page-application-part-1-2-angularjs-1d79edb7d9c8
>
> But if your app load time is quite long there might be something else you can do. There's a token endpoint that would return you a JSON containing authentication token and refresh token, both with expiration times. All you need to provide is login and password (and additionally grant_type (`password`) and your client_id). So if you decide to implement authentication form on your side you could just use that to get a token for a user and treat this user as logged into the application. You're losing the SSO capabilities of Keycloak, but it might still be enough for you.
> You can see an example of this token request in step 1 of this blog post: https://blog.softwaremill.com/who-am-i-keycloak-impersonation-api-bfe7acaf051a . Be sure to enable Direct Flow in the Keycloak Client, though.
>
> Cheers,
> Bartek
>
>
>> On 20 Feb 2018, at 3:38 PM, wrote:
>>
>> Hi,
>>
>> I am trying to implement a Keycloak registration theme using the Aurelia JS Framework.
>>
>> The problem is that there is currently no possibility to submit the registration form via AJAX and get back a reduced response that just contains validation errors etc. instead of reloading the whole page. Page reload is problematic in this scenario since it causes a reload of the Aurelia-App which takes too long.
>>
>> As far as I can see, I would need to customize the org.keycloak.authentication.FormAuthenticationFlow but there is no SPI to do so at the moment.
>>
>> Do you have any recommendations for me?
>>
>> Thanks,
>> Moritz
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From betalb at gmail.com Wed Feb 21 16:47:57 2018
From: betalb at gmail.com (=?UTF-8?B?0JLQuNGC0LDQu9C40Lkg0JjRidC10L3QutC+?=)
Date: Wed, 21 Feb 2018 21:47:57 +0000
Subject: [keycloak-user] Group Id not available in storage provider
In-Reply-To:
References:
Message-ID:

Try to add the -i flag to the create command.

Execute the following command to get more flags:

./kcadm.sh create --help

On Wed, Feb 21, 2018 at 3:09 PM Subodh Joshi wrote:

> [root at server tmp]# GROUP_ID=`/opt/keycloak/bin/kcadm.sh create groups -r master -s name=Admin_UserGroup`
>
> But when I am checking
>
> echo $GROUP_ID
>
> Nothing displaying
>
> What is wrong with the approach?
>
> While when I tried
> USER_ID=`/opt/keycloak/bin/kcadm.sh create users -s username=admin -s enabled=true -s realm=myrealm`
>
> and then
> echo $USER_ID
>
> It is displaying the generated userid.
> --
> Subodh Chandra Joshi
>
> http://www.questioninmind.com
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From postmaster at lists.jboss.org Wed Feb 21 22:59:49 2018
From: postmaster at lists.jboss.org (Mail Delivery Subsystem)
Date: Thu, 22 Feb 2018 09:29:49 +0530
Subject: [keycloak-user] status
Message-ID: <201802220359.w1M3xsVF016950@lists01.dmz-a.mwc.hst.phx2.redhat.com>

This message was not delivered due to the following reason:

Your message was not delivered because the destination computer was unreachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.

Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now.

Your message could not be delivered within 6 days:
Host 66.110.37.223 is not responding.

The following recipients could not receive this message:

Please reply to postmaster at lists.jboss.org if you feel this message to be in error.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mail.zip
Type: application/octet-stream
Size: 29104 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180222/a4c76e4c/attachment-0001.obj

From sthorger at redhat.com Thu Feb 22 02:34:58 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 22 Feb 2018 08:34:58 +0100
Subject: [keycloak-user] Review updates to German translations
Message-ID:

Can someone fluent in German review the following PR please:
https://github.com/keycloak/keycloak/pull/5002

From Michael.Poettgen at oeconnection.com Thu Feb 22 09:56:09 2018
From: Michael.Poettgen at oeconnection.com (Michael Poettgen)
Date: Thu, 22 Feb 2018 14:56:09 +0000
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
References: <422608bd-c0cf-ea9b-38f0-c600f160dcbb@redhat.com>
Message-ID:

Vitaliy,

Forget the remark on realm_access and resource_access. I found them on the access_token and refresh_token (but not on the id_token, which may be why I couldn't find them easily on the .NET Core OpenIdConnect authentication provider).

I found https://issues.jboss.org/browse/KEYCLOAK-5259 by Luiz Carlos Viana Melo, with a comment by Manfred Duchrow which I found interesting. I left a comment there and voted for the issue instead of raising another one.

Regards,
Michael

From: Michael Poettgen
Sent: Wednesday, February 21, 2018 7:45 PM
To: 'Виталий Ищенко'; Marek Posolda
Cc: keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Roles without "Full Scope Allowed"?

This describes pretty well what I'm getting as well. The only thing I don't see is the realm_access and resource_access claims. Are they only enabled when activating Authorization?

Regards,
Michael

From: Виталий Ищенко [mailto:betalb at gmail.com]
Sent: Wednesday, February 21, 2018 6:03 PM
To: Marek Posolda
Cc: Michael Poettgen; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
Hi Marek

The behaviour of automatically adding a client's own roles to the scope seems fine; the issue is with client mappers (or lack of documentation, hence misunderstanding): their logic is not clear when full scope is not enabled. Also at the bottom, I've mentioned two other quirks that can be observed even with full scope enabled.

Suppose we have the following setup

== Clients ==
client-with-roles
  Roles:
    * role
    * role-composite-child

test-client
  Roles:
    * role
    * role-composite-child
  Mappers:
    #1
      type: User Client Type
      client id: client-with-roles
      claim: rolesOtherClient
    #2
      type: User Client Type
      client id: test-client
      claim: rolesCurrentClient
    #3
      type: User Realm Role
      claim: rolesRealm

== REALM Roles ==
* ROLE
* ROLE_COMPOSITE_CHILD
* ROLE_COMPOSITE (contains ROLE_COMPOSITE_CHILD, client-with-roles/role-composite-child, test-client/role-composite-child)

== Users ==
name: "a"
mapped roles
  * ROLE
  * ROLE_COMPOSITE
  * test-client/role
  * client-with-roles/role

Now if I issue a token using test-client and user "a" credentials (direct grant), the token will have the following claims (they have the same set of roles as the realm_access and resource_access claims)

"rolesRealm": [
  "ROLE",
  "ROLE_COMPOSITE",
  "ROLE_COMPOSITE_CHILD"
],
"rolesOtherClient": [
  "role-composite-child",
  "role"
],
"rolesCurrentClient": [
  "role-composite-child",
  "role"
]

But if I disable full scope and add all user "a" roles to the scope, the token will look like this (realm_access and resource_access haven't changed)

"rolesRealm": [
  "ROLE",
  "ROLE_COMPOSITE"
],
"rolesOtherClient": [
  "role"
]

rolesCurrentClient claim is absent

Also found a few other strange behaviours with mappers
* realm-management roles are not mapped at all
* scoped roles are included in claims produced by mappers, even if the scope parameter was not provided during the token request (This one may be useful to get a potential list of roles)

On Wed, Feb 21, 2018 at 10:35 AM Marek Posolda wrote:

Please create a JIRA if you think that it's a bug.
Please add the detailed steps to reproduce. TBH from this email, I don't know what exactly is broken, or if it's just misconfiguration.

BTW. A client always automatically has scope to its own roles. And it's not possible to remove them from the scope. It's just possible to add/remove scopes for realm roles or client roles of different clients. So the behaviour described by Michael is expected.

Marek

On 20/02/18 20:51, Виталий Ищенко wrote:
I was able to reproduce this issue

It only happens for a claim produced by the mapper.
But I can see the correct list of roles in a different claim: resource_access[clientId].roles.

It seems like a bug, you can raise it with the team.
As a workaround, you can use the existing claim

On Tue, Feb 20, 2018 at 9:39 PM Michael Poettgen wrote:
Betalb,

That's what I thought as well, but if I turn off "Full Scope Allowed" and look at the "Client Roles" of my client then all client roles appear under "Effective Roles". I cannot assign or un-assign any of these roles. So my assumption was that, since these are all roles of my client anyway, they would always be available (at least for my client). Also the user does have the proper roles (I get them with "Full Scope Allowed" enabled), but nevertheless I don't get any.

Thanks,
Michael

From: Виталий Ищенко [mailto:betalb at gmail.com]
Sent: Tuesday, February 20, 2018 6:41 PM
To: Michael Poettgen
Cc: Marek Posolda; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?

This is mentioned in the docs: http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope

If full scope is disabled: the access token issued to a specific client will have the intersection of the user's own roles with the client scope, defined in the scope section of the client configuration

Tue, 20 Feb 2018 at
16:34, Michael Poettgen wrote:

You said that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.

Michael

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, February 20, 2018 2:13 PM
To: Michael Poettgen; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?

Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much the same place where you turned "Full Scope Allowed" to off. I think we also have some docs around this somewhere (not 100% sure).

Marek

On 20/02/18 13:07, Michael Poettgen wrote:
> All,
>
> I've got Keycloak 3.4.3 configured to return client roles in a "role" claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
>
> Am I doing something stupid or is there something that does not work as (I) expected?
>
> Thanks for your help!
>
> Michael
>
>
> This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system. Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights.
> E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission.
>
> OEConnection LLC, (888) 776-5792, www.oeconnection.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From betalb at gmail.com Thu Feb 22 09:59:17 2018
From: betalb at gmail.com (=?UTF-8?B?0JLQuNGC0LDQu9C40Lkg0JjRidC10L3QutC+?=)
Date: Thu, 22 Feb 2018 14:59:17 +0000
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To:
References: <422608bd-c0cf-ea9b-38f0-c600f160dcbb@redhat.com>
Message-ID:

Hi Michael

Looks like this issue is exactly about this case.

realm_access && resource_access claims are indeed only for access tokens. There is not much sense in adding them to the id_token.

On Thu, Feb 22, 2018 at 5:56 PM Michael Poettgen <Michael.Poettgen at oeconnection.com> wrote:

> Vitaliy,
>
> Forget the remark on realm_access and resource_access. I found them on the access_token and refresh_token (but not on the id_token, which may be why I couldn't find them easily on the .NET Core OpenIdConnect authentication provider).
>
> I found https://issues.jboss.org/browse/KEYCLOAK-5259 by Luiz Carlos Viana Melo, with a comment by Manfred Duchrow which I found interesting. I left a comment there and voted for the issue instead of raising another one.
>
> Regards,
>
> Michael
>
> *From:* Michael Poettgen
> *Sent:* Wednesday, February 21, 2018 7:45 PM
> *To:* 'Виталий
> Ищенко'; Marek Posolda
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* RE: [keycloak-user] Roles without "Full Scope Allowed"?
>
> This describes pretty well what I'm getting as well. The only thing I don't see is the realm_access and resource_access claims. Are they only enabled when activating Authorization?
>
> Regards,
>
> Michael
>
> *From:* Виталий Ищенко [mailto:betalb at gmail.com]
> *Sent:* Wednesday, February 21, 2018 6:03 PM
> *To:* Marek Posolda
> *Cc:* Michael Poettgen; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> Hi Marek
>
> The behaviour of automatically adding a client's own roles to the scope seems fine; the issue is with client mappers (or lack of documentation, hence misunderstanding): their logic is not clear when full scope is not enabled. Also at the bottom, I've mentioned two other quirks that can be observed even with full scope enabled.
>
> Suppose we have the following setup
>
> == Clients ==
> client-with-roles
>   Roles:
>     * role
>     * role-composite-child
>
> test-client
>   Roles:
>     * role
>     * role-composite-child
>   Mappers:
>     #1
>       type: User Client Type
>       client id: client-with-roles
>       claim: rolesOtherClient
>     #2
>       type: User Client Type
>       client id: test-client
>       claim: rolesCurrentClient
>     #3
>       type: User Realm Role
>       claim: rolesRealm
>
> == REALM Roles ==
> * ROLE
> * ROLE_COMPOSITE_CHILD
> * ROLE_COMPOSITE (contains ROLE_COMPOSITE_CHILD, client-with-roles/role-composite-child, test-client/role-composite-child)
>
> == Users ==
> name: "a"
> mapped roles
>   * ROLE
>   * ROLE_COMPOSITE
>   * test-client/role
>   * client-with-roles/role
>
> Now if I issue a token using test-client and user "a" credentials (direct grant), the token will have the following claims (they have the same set of roles as the realm_access and resource_access claims)
>
> "rolesRealm": [
>   "ROLE",
>   "ROLE_COMPOSITE",
>   "ROLE_COMPOSITE_CHILD"
> ],
> "rolesOtherClient": [
>   "role-composite-child",
>   "role"
> ],
> "rolesCurrentClient": [
>   "role-composite-child",
>   "role"
> ]
>
> But if I disable full scope and add all user "a" roles to the scope, the token will look like this (realm_access and resource_access haven't changed)
>
> "rolesRealm": [
>   "ROLE",
>   "ROLE_COMPOSITE"
> ],
> "rolesOtherClient": [
>   "role"
> ]
>
> rolesCurrentClient claim is absent
>
> Also found a few other strange behaviours with mappers
> * realm-management roles are not mapped at all
> * scoped roles are included in claims produced by mappers, even if the scope parameter was not provided during the token request (This one may be useful to get a potential list of roles)
>
> On Wed, Feb 21, 2018 at 10:35 AM Marek Posolda wrote:
>
> Please create a JIRA if you think that it's a bug. Please add the detailed steps to reproduce. TBH from this email, I don't know what exactly is broken, or if it's just misconfiguration.
>
> BTW. A client always automatically has scope to its own roles. And it's not possible to remove them from the scope. It's just possible to add/remove scopes for realm roles or client roles of different clients. So the behaviour described by Michael is expected.
>
> Marek
>
> On 20/02/18 20:51, Виталий Ищенко wrote:
>
> I was able to reproduce this issue
>
> It only happens for a claim produced by the mapper.
> But I can see the correct list of roles in a different claim: resource_access[clientId].roles.
>
> It seems like a bug, you can raise it with the team.
> As a workaround, you can use the existing claim
>
> On Tue, Feb 20, 2018 at 9:39 PM Michael Poettgen <Michael.Poettgen at oeconnection.com> wrote:
>
> Betalb,
>
> That's what I thought as well, but if I turn off "Full Scope Allowed" and look at the "Client Roles"
> of my client then all client roles appear under "Effective Roles". I cannot assign or un-assign any of these roles. So my assumption was that, since these are all roles of my client anyway, they would always be available (at least for my client). Also the user does have the proper roles (I get them with "Full Scope Allowed" enabled), but nevertheless I don't get any.
>
> Thanks,
>
> Michael
>
> *From:* Виталий Ищенко [mailto:betalb at gmail.com]
> *Sent:* Tuesday, February 20, 2018 6:41 PM
> *To:* Michael Poettgen
> *Cc:* Marek Posolda; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> This is mentioned in the docs: http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope
>
> If full scope is disabled: the access token issued to a specific client will have the intersection of the user's own roles with the client scope, defined in the scope section of the client configuration
>
> Tue, 20 Feb 2018 at 16:34, Michael Poettgen <Michael.Poettgen at oeconnection.com> wrote:
>
> You said that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.
>
> Michael
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, February 20, 2018 2:13 PM
> To: Michael Poettgen; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much the same place where you turned "Full Scope Allowed" to off. I think we also have some docs around this somewhere (not 100% sure).
>
> Marek
>
> On 20/02/18 13:07, Michael Poettgen wrote:
>
> All,
>
> I've got Keycloak 3.4.3 configured to return client roles in a "role" claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
>
> Am I doing something stupid or is there something that does not work as (I) expected?
>
> Thanks for your help!
>
> Michael
>
> This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system. Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission.
>
> OEConnection LLC, (888) 776-5792, www.oeconnection.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mstrukel at redhat.com Thu Feb 22 10:12:56 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 22 Feb 2018 16:12:56 +0100
Subject: [keycloak-user] How to create a realm using the admin client
In-Reply-To:
References:
Message-ID:

You can achieve that by using the Admin CLI (for example, if you have exported a demorealm.json using boot time export, you can import it into a live server as follows):

$ kcadm.sh create -r demorealm partialImport -s ifResourceExists=FAIL -o -f - < demorealm.json

Basically you POST the demorealm.json as a body to http://localhost:8080/auth/admin/realms/demorealm/partialImport

And you add an additional attribute into the realm JSON body ("ifResourceExists": "FAIL").

If you only want to add extra things into an existing realm, you can use "SKIP". And there is also "OVERWRITE" which you probably want to avoid.

On Wed, Feb 21, 2018 at 12:58 AM, Michael Yoder wrote:

> I've got the json from a realm export. Now I'd like to re-create that realm using the keycloak-admin-client library. Is there any sample code out there? Hints?
> I've found
>
> http://www.keycloak.org/docs/3.4/server_development/#admin-rest-api
>
> and
>
> http://www.keycloak.org/docs-api/3.4/javadocs/
>
> and even
>
> https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RealmResource.java
>
> I feel like I've got parts of it, but I don't know how to put the pieces together. Any help would be appreciated.
>
> Thanks,
> -Mike Yoder
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mstrukel at redhat.com Thu Feb 22 10:19:59 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 22 Feb 2018 16:19:59 +0100
Subject: [keycloak-user] How to create a realm using the admin client
In-Reply-To:
References:
Message-ID:

And of course if the realm does not yet exist in the target server you have to create it first:

$ kcadm.sh create realms -s realm=demorealm -s enabled=true

On Thu, Feb 22, 2018 at 4:12 PM, Marko Strukelj wrote:

> You can achieve that by using the Admin CLI (for example, if you have exported a demorealm.json using boot time export, you can import it into a live server as follows):
>
> $ kcadm.sh create -r demorealm partialImport -s ifResourceExists=FAIL -o -f - < demorealm.json
>
> Basically you POST the demorealm.json as a body to http://localhost:8080/auth/admin/realms/demorealm/partialImport
>
> And you add an additional attribute into the realm JSON body ("ifResourceExists": "FAIL").
>
> If you only want to add extra things into an existing realm, you can use "SKIP". And there is also "OVERWRITE" which you probably want to avoid.
>
> On Wed, Feb 21, 2018 at 12:58 AM, Michael Yoder wrote:
>
>> I've got the json from a realm export. Now I'd like to re-create that realm using the keycloak-admin-client library. Is there any sample code out there? Hints?
>> I've found
>>
>> http://www.keycloak.org/docs/3.4/server_development/#admin-rest-api
>>
>> and
>>
>> http://www.keycloak.org/docs-api/3.4/javadocs/
>>
>> and even
>>
>> https://github.com/keycloak/keycloak/blob/master/integration/admin-client/src/main/java/org/keycloak/admin/client/resource/RealmResource.java
>>
>> I feel like I've got parts of it, but I don't know how to put the pieces together. Any help would be appreciated.
>>
>> Thanks,
>> -Mike Yoder
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From luke at code-house.org Thu Feb 22 10:32:52 2018
From: luke at code-house.org (luke at code-house.org)
Date: Thu, 22 Feb 2018 16:32:52 +0100
Subject: [keycloak-user] Authorization returning less scopes than requested
Message-ID: <6D661B25-8912-466C-A6CB-9D65B0F6B7AB@code-house.org>

Hey,

At the beginning, I would like to say thank you for delivering such great software, and also to the people who read this message for handling community support. :-)

I came to Keycloak because I need two functionalities of it: OIDC provider and also identity broker. I integrate with services which have a predefined set of scopes. My application can request multiple scopes such as "patient/*.write" (write data related to patient); however, the user or the system where authentication takes place may decide to grant lower access than requested. For example, the above patient write scope request might be constrained to "patient/*.read" or even a subset of that, "patient/Patient.read" (patient demographics). The reason why it might happen depends on a few things: because the user decides to unmark these on the consent page, or it might not be allowed by the system. In the second case the user will not even be asked about giving such permission to his data.

From a logical point of view, as long as the authorisation request ends up with a token grant, these are still proper tokens which the application must handle. The question is: is such a use case supported by Keycloak? Also, how should I map such wildcard scopes in Keycloak?

The second use case which I have is similar to the first one. The main difference is that it must be implemented on the Keycloak authorisation part: when the user application requests an access token, it sends two scopes, let's call them "user" and "patient".
Because the application doesn't know the actual permissions of the user, it cannot decide which scopes should be used. We theoretically could work around that with two login pages resulting in different scope requests. However, our intention is to implement this on the Keycloak side: based on our own logic we will know what the role of a given user is and which scope is permitted. Biggest question: which extension point, if any is available, could we use for that?

Kind regards,
Łukasz

From mstrukel at redhat.com Thu Feb 22 12:28:18 2018
From: mstrukel at redhat.com (Marko Strukelj)
Date: Thu, 22 Feb 2018 18:28:18 +0100
Subject: [keycloak-user] Downloading docker compose certs using cli
In-Reply-To: <1518162097617.82948@mentor.com>
References: <1518162097617.82948@mentor.com>
Message-ID:

Try the following (replace ID_OF_CLIENT with the UUID of the client, and REALM with the target realm, e.g. 'master'):

$ kcadm.sh get http://localhost:8080/auth/admin/realms/demorealm/clients/ID_OF_CLIENT/installation/providers/docker-v2-compose-yaml -r REALM > keycloak-docker-compose-yaml.zip

On Fri, Feb 9, 2018 at 8:41 AM, Rehman, Abdur wrote:

> Hi
>
> I am able to download the docker compose bundle by navigating the web UI as follows:
>
> Clients -> {client id} -> Installation -> Format Option -> Docker Compose YAML -> Download
>
> Is there a programmatic way to do the same? I am able to authenticate by calling the auth/admin rest api from curl. But I am not sure how to proceed with downloading the yaml archive. I am only interested in the certs directory inside the archive. Can I get these certificates/key from some other method?
>
> I do not have graphical access to the machine I am running keycloak on, so I am limited to using the command line.
>
> Best Regards
> Abdur
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Thu Feb 22 15:14:15 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Thu, 22 Feb 2018 21:14:15 +0100
Subject: [keycloak-user] Authorization Services and UMA 2.0 changes
In-Reply-To:
References:
Message-ID:

Hi Pedro and all,
how is it going with those changes? Any landing date in view?
It looks very promising.

On Mon, Jan 29, 2018 at 3:09 PM, Corentin Dupont wrote:

> That sounds great, thanks a lot!
>
> On Mon, Jan 22, 2018 at 2:07 PM, Pedro Igor Silva wrote:
>
>> Hi All,
>>
>> We are about to finish the initial round of changes to make Keycloak Authorization Services compliant with UMA 2.0.
>>
>> One of the main changes is related to a new OAuth2 Grant Type introduced by UMA 2.0 [1] and how it will be used as a replacement for both the Entitlement and Authorization API. In UMA 2.0, there is no Authorization API anymore, thus it will be removed in future versions of Keycloak. Regarding the Entitlement API, it will also be removed in favor of the new grant type, but in this case we are using some extensions to the UMA grant type to provide the same functionality. One of the objectives of this change in particular is to have a single endpoint from where permissions can be obtained.
>>
>> Another important change is also related to UMA, where end-users should now be able to manage their own resources and permissions via the Account Management Console. Users would be able to access a "Resource" page from where they can:
>>
>> * See the resources they own
>> * Check for pending permission requests (waiting for the owner's approval), as well as options to grant/deny the request.
>> * Check for all "shared resources" / granted permissions,
>> as well as options to revoke permissions
>> * Select a user they want to grant access to a resource and/or scope
>>
>> Other changes are related to the Policy Enforcer, Authorization Client Java API and configuration. For these areas in particular changes are minimal, especially regarding policy enforcer configuration.
>>
>> These changes are targeted to Keycloak v4 and we'll be updating docs accordingly, especially on how to migrate to the new version.
>>
>> Regards.
>> Pedro Igor
>>
>> [1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From viggo.navarsete at gmail.com Thu Feb 22 16:14:47 2018
From: viggo.navarsete at gmail.com (Viggo Navarsete)
Date: Thu, 22 Feb 2018 21:14:47 +0000
Subject: [keycloak-user] Response for preflight is invalid (redirect)
Message-ID:

Hi,

I need some pointers on how to debug the issue with "Response for preflight is invalid (redirect)". I have made a client running on localhost:3000, and a REST service running on localhost:8080. I've followed the tutorial at https://github.com/keycloak/keycloak-quickstarts/blob/latest/service-jee-jaxrs/README.md to make my service.

In Keycloak I've made a client for the client and a client for the service. I've read somewhere that webOrigin could be an issue, but not sure. I've set enable-cors=true for the service.

access type: public
Root URL: http://localhost:3000
Valid Redirect URIs: http://localhost:3000/*
Base URL is empty
Admin URL: http://localhost:3000
Web Origins: http://localhost:3000

I've also read that I need to install undertow-cors-filter in WildFly (running WildFly 11.0.0.Final and Keycloak 3.4.3.Final), but I haven't done this yet.

Where should I look to dig into this?
Best regards,
Viggo Navarsete

From psilva at redhat.com Thu Feb 22 17:45:42 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 22 Feb 2018 19:45:42 -0300
Subject: [keycloak-user] Authorization Services and UMA 2.0 changes
In-Reply-To:
References:
Message-ID:

PR is being reviewed. It should be merged very soon.

On Thu, Feb 22, 2018 at 5:14 PM, Corentin Dupont wrote:

> Hi Pedro and all,
> how is it going with those changes? Any landing date in view?
> It looks very promising.
>
> On Mon, Jan 29, 2018 at 3:09 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> That sounds great, thanks a lot!
>>
>> On Mon, Jan 22, 2018 at 2:07 PM, Pedro Igor Silva wrote:
>>
>>> Hi All,
>>>
>>> We are about to finish the initial round of changes to make Keycloak Authorization Services compliant with UMA 2.0.
>>>
>>> One of the main changes is related to a new OAuth2 Grant Type introduced by UMA 2.0 [1] and how it will be used as a replacement for both the Entitlement and Authorization API. In UMA 2.0, there is no Authorization API anymore, thus it will be removed in future versions of Keycloak. Regarding the Entitlement API, it will also be removed in favor of the new grant type, but in this case we are using some extensions to the UMA grant type to provide the same functionality. One of the objectives of this change in particular is to have a single endpoint from where permissions can be obtained.
>>>
>>> Another important change is also related to UMA, where end-users should now be able to manage their own resources and permissions via the Account Management Console. Users would be able to access a "Resource" page from where they can:
>>>
>>> * See the resources they own
>>> * Check for pending permission requests (waiting for the owner's approval), as well as options to grant/deny the request.
>>> * Check for all "shared resources" / granted permissions,
>>> As well options to revoke permissions
>>> * Select a user they want to grant access to a resource and/or scope
>>>
>>> Other changes are related with the Policy Enforcer, Authorization Client Java API and configuration. For these areas in particular changes are minimal, especially regarding policy enforcer configuration.
>>>
>>> These changes are targeted to Keycloak v4 and we'll be updating docs accordingly, especially on how to migrate to the new version.
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> [1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jonathan.j.carrasco at jpl.nasa.gov Thu Feb 22 18:02:29 2018
From: jonathan.j.carrasco at jpl.nasa.gov (Carrasco, Jonathan J (173F))
Date: Thu, 22 Feb 2018 23:02:29 +0000
Subject: [keycloak-user] Testing Keycloak DynamicOP using openid.net
Message-ID:

Hello. I'm reaching out to ask about the Conformance Testing Suite, available at http://openid.net/certification/testing/. At this time, we are evaluating Keycloak and some of the available OpenID Connect Libraries and Products, and would like to perform certification testing locally. So, the question is... do you have a breakdown of Keycloak configuration to allow for Conformance Testing in a local dev environment, i.e. localhost? I have tried to test and keep getting a connection refused error when I try the Dynamic Discovery and Registration test.

To give some insight:
- I am using the oidctest repo locally
- I have Keycloak running, no problem
- I've set the realm to not require SSL
- I deleted all anonymous client registration policies

But when I run the test, using the issuer as http://localhost:8080/auth/realms/master or https://localhost:8443/auth/realms/master, I get:

Discovery:OP-Response-Missing: status=ERROR, message=HTTPSConnectionPool(host='localhost', port=8443): Max retries exceeded with url: /auth/realms/master/.well-known/openid-configuration (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused',))

I also tried setting up a reverse proxy to handle SSL traffic, to no avail. I don't have a problem working with Keycloak, since I can curl most of the commands or use python requests, etc. And really, the point of this is to test (out-of-the-box) without having to alter any source code from GitHub. Hence, I'm reaching out to the source and I want to ask if you have a setup to allow Keycloak to be tested on a local machine.

--
Jonathan Carrasco (173F)
Jet Propulsion Laboratory, California Institute of Technology

From mposolda at redhat.com Fri Feb 23 02:46:21 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 23 Feb 2018 08:46:21 +0100
Subject: [keycloak-user] Roles without "Full Scope Allowed"?
In-Reply-To:
References: <422608bd-c0cf-ea9b-38f0-c600f160dcbb@redhat.com>
Message-ID:

Thanks for the detailed report.

I am currently working on ClientScope support, which involves some refactoring and better support for the OAuth2 scope parameter. I will try to double-check the behaviour of the User Client Role Mapper as well during this work. I will try to ensure that this is fixed in the next weeks.

Thanks,
Marek

On 22/02/18 15:59, ??????? ?????? wrote:
> Hi Michael
>
> Looks like this issue is exactly about this case
>
> realm_access && resource_access claims are indeed only for access tokens.
> There is not much sense in adding them to id_token
>
> On Thu, Feb 22, 2018 at 5:56 PM Michael Poettgen wrote:
>
> Vitaliy,
>
> Forget the remark on realm_access and resource_access. I found them on the access_token and refresh_token (but not on the id_token, which may be why I couldn't find them easily on the .NET Core OpenIdConnect authentication provider).
>
> I found https://issues.jboss.org/browse/KEYCLOAK-5259 by Luiz Carlos Viana Melo, with a comment by Manfred Duchrow which I found interesting. I left a comment there and voted for the issue instead of raising another one.
>
> Regards,
> Michael
>
> *From:* Michael Poettgen
> *Sent:* Wednesday, February 21, 2018 7:45 PM
> *To:* '??????? ??????'; Marek Posolda
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* RE: [keycloak-user] Roles without "Full Scope Allowed"?
>
> This describes pretty well what I'm getting as well. The only thing I don't see is the realm_access and resource_access claims. Are they only enabled when activating Authorization?
>
> Regards,
> Michael
>
> *From:* ??????? ?????? [mailto:betalb at gmail.com]
> *Sent:* Wednesday, February 21, 2018 6:03 PM
> *To:* Marek Posolda
> *Cc:* Michael Poettgen; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> Hi Marek
>
> The behaviour for automatically adding the client's own roles to scope seems fine; the issue is with client mappers (or lack of documentation, hence misunderstanding): their logic is not clear when full scope is not enabled. Also at the bottom I've mentioned two other quirks that can be observed even with full scope enabled.
>
> Suppose we have the following setup
>
> == Clients ==
>
> client-with-roles
>   Roles:
>     * role
>     * role-composite-child
>
> test-client
>   Roles:
>     * role
>     * role-composite-child
>   Mappers:
>     #1
>       type: User Client Type
>       client id: client-with-roles
>       claim: rolesOtherClient
>     #2
>       type: User Client Type
>       client id: test-client
>       claim: rolesCurrentClient
>     #3
>       type: User Realm Role
>       claim: rolesRealm
>
> == REALM Roles ==
>
>   * ROLE
>   * ROLE_COMPOSITE_CHILD
>   * ROLE_COMPOSITE (contains ROLE_COMPOSITE_CHILD, client-with-roles/role-composite-child, test-client/role-composite-child)
>
> == Users ==
>
> name: "a"
> mapped roles
>   * ROLE
>   * ROLE_COMPOSITE
>   * test-client/role
>   * client-with-roles/role
>
> Now if I issue a token using test-client and user "a" credentials (direct grant), the token will have the following claims (they have the same set of roles as the realm_access and resource_access claims)
>
> "rolesRealm": [
>   "ROLE",
>   "ROLE_COMPOSITE",
>   "ROLE_COMPOSITE_CHILD"
> ],
> "rolesOtherClient": [
>   "role-composite-child",
>   "role"
> ],
> "rolesCurrentClient": [
>   "role-composite-child",
>   "role"
> ]
>
> But if I disable full scope and add all user "a" roles to scope, the token will look like this (realm_access and resource_access haven't changed)
>
> "rolesRealm": [
>   "ROLE",
>   "ROLE_COMPOSITE"
> ],
> "rolesOtherClient": [
>   "role"
> ]
>
> rolesCurrentClient claim is absent
>
> Also found a few other strange behaviours with mappers
>
>   * realm-management roles are not mapped at all
>   * scoped roles are included into claims produced by mappers, even if the scope parameter was not provided during the token request (this one may be useful to get a potential list of roles)
>
> On Wed, Feb 21, 2018 at 10:35 AM Marek Posolda wrote:
>
> Please create a JIRA if you think that it's a bug. Please add the detailed steps to reproduce. TBH from this email, I don't know what exactly is broken, or if it's just misconfiguration.
>
> BTW. A client always automatically has scope to its own roles.
> And it's not possible to remove them from the scope. It's just possible to add/remove scopes for realm roles or client roles of different clients. So the behaviour described by Michael is expected.
>
> Marek
>
> On 20/02/18 20:51, ??????? ?????? wrote:
>
> I was able to reproduce this issue
>
> It only happens for a claim produced by the mapper.
>
> But I can see the correct list of roles in a different claim: resource_access[clientId].roles.
>
> It seems like a bug, you can raise it with the team.
>
> As a workaround, you can use the existing claim
>
> On Tue, Feb 20, 2018 at 9:39 PM Michael Poettgen wrote:
>
> Betalb,
>
> That's what I thought as well, but if I turn off "Full Scope Allowed" and look at the "Client Roles" of my client then all client roles appear under "Effective Roles". I cannot assign or un-assign any of these roles. So my assumption was that, since these are all roles of my client anyway, they would always be available (at least for my client). Also the user does have the proper roles (I get them with "Full Scope Allowed" enabled), but nevertheless I don't get any.
>
> Thanks,
> Michael
>
> *From:* ??????? ?????? [mailto:betalb at gmail.com]
> *Sent:* Tuesday, February 20, 2018 6:41 PM
> *To:* Michael Poettgen
> *Cc:* Marek Posolda; keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> This is mentioned in the docs: http://www.keycloak.org/docs/latest/server_admin/index.html#_client_scope
>
> If full scope is disabled: the access token issued to a specific client will have the intersection of the user's own roles with the client scope, defined in the scope section of the client configuration
>
> On Tue, 20 Feb 2018 at
> 16:34, Michael Poettgen:
>
> You said that I need to "add scopes for the *realm roles* and client roles of *other clients*", but I don't even get the roles for this client anymore, no matter whether "Scope Param Required" is set for the role or not and no matter whether I add the role names to the "scope" or not.
>
> Michael
>
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, February 20, 2018 2:13 PM
> To: Michael Poettgen; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] Roles without "Full Scope Allowed"?
>
> Once you changed "Full Scope Allowed" to off, you need to add scopes for the realm roles and client roles of other clients. This can be done in the "Scope" tab, pretty much the same place where you turned "Full Scope Allowed" to off. I think we also have some docs around this somewhere (not 100% sure).
>
> Marek
>
> On 20/02/18 13:07, Michael Poettgen wrote:
>
> All,
>
> I've got Keycloak 3.4.3 configured to return client roles in a "role" Claim to an OpenID Connect client. (The client has got a list of roles, these are assigned to the user and I've got a User Client Role Token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear and trying to request the roles via the "scope" (with or without client ID prefix) doesn't seem to work.
>
> Am I doing something stupid or is there something that does not work as (I) expected?
>
> Thanks for your help!
>
> Michael
>
> This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system.
> Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission.
>
> OEConnection LLC, (888) 776-5792, www.oeconnection.com
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Feb 23 05:10:11 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 23 Feb 2018 11:10:11 +0100
Subject: [keycloak-user] E-mail verification required action issues
In-Reply-To:
References:
Message-ID: <9d6b922a-dce3-dcdc-0ce9-550c2e3f2f2b@redhat.com>

Hi Viliam!

Nice to see you back on Keycloak mailing lists :)

On 20/02/18 17:27, Viliam Rockai wrote:
> Hey all,
>
> I got a couple of problems with the e-mail verification required action.
> 1. If it's turned on in the realm settings ("login tab") and I change the account e-mail (in "manage account"), I can't get back to the app.
> 2. While the (?) tooltip text in the realm settings clearly says "Require the user to verify their email address the first time they login.", the feature includes verification with each e-mail change (not only the first login). If that's expected behavior, it would be nice to have it more clear in the (?) tooltip text.

Yes, agree. We can probably improve the tooltip.

I don't think we should change the logic.
If the email was changed, it shouldn't be treated as verified anymore and should be re-verified IMO.

> For 1., the steps to reproduce are:
> 1. Download the latest KC, unzip it, start it.
> 2. Configure the logged-in user's (admin) e-mail (in "manage account") and the Email realm settings. Make sure e-mail sending works.
> 3. Go to "manage account" and change your email.
> 4. Click "Back to Security Admin Console"
> 5. You should see the "EMAIL VERIFICATION" page
> 6. Click on the verification link in the e-mail
> 7. You should see the "YOU ARE ALREADY LOGGED IN" page, click on the "Back to Application" link. This brings you back to step 5. instead of the admin console.
>
> And this is the error itself, you will find yourself in an endless loop defined by steps 5 - 7.
>
> I can create a JIRA for that, just wanted to make sure this is a bug, not a feature.

We did some fixes in 3.4.3, but it's possible not for everything. Feel free to create a JIRA.

Marek

> Thanks!
>
> Viliam
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From scott.finlay at sixt.com Fri Feb 23 05:33:03 2018
From: scott.finlay at sixt.com (Scott Finlay)
Date: Fri, 23 Feb 2018 10:33:03 +0000
Subject: [keycloak-user] Keycloak Unable to Handle Heavy Load
Message-ID:

Hi,

We've been doing some load tests of our services, and we've found that when we raise the traffic rate to about 50 logins per second (with a roughly similar rate of logouts) we kill our Keycloak instances after just a few minutes. What are the normal recommended specs for a Keycloak instance to be able to handle such a load?

We're running three instances of Keycloak in AWS (c4.large instances) with a db.t2.medium database. The CPU is an Intel Xeon E5-2666 v3 dual core and the instances have 4GB memory with 2GB allocated to Keycloak.
Regards,
Scott

From viliam.rockai at gmail.com Fri Feb 23 05:51:30 2018
From: viliam.rockai at gmail.com (Viliam Rockai)
Date: Fri, 23 Feb 2018 11:51:30 +0100
Subject: [keycloak-user] E-mail verification required action issues
In-Reply-To: <9d6b922a-dce3-dcdc-0ce9-550c2e3f2f2b@redhat.com>
References: <9d6b922a-dce3-dcdc-0ce9-550c2e3f2f2b@redhat.com>
Message-ID:

Thanks a lot! I'm going to create JIRA issues.

On Fri, Feb 23, 2018 at 11:10 AM, Marek Posolda wrote:
> Hi Viliam!
>
> Nice to see you back on Keycloak mailing lists :)
>
> On 20/02/18 17:27, Viliam Rockai wrote:
>>
>> Hey all,
>>
>> I got a couple of problems with the e-mail verification required action.
>> 1. If it's turned on in the realm settings ("login tab") and I change the account e-mail (in "manage account"), I can't get back to the app.
>> 2. While the (?) tooltip text in the realm settings clearly says "Require the user to verify their email address the first time they login.", the feature includes verification with each e-mail change (not only the first login). If that's expected behavior, it would be nice to have it more clear in the (?) tooltip text.
>
> Yes, agree. We can probably improve the tooltip.
>
> I don't think we should change the logic. If the email was changed, it shouldn't be treated as verified anymore and should be re-verified IMO.
>>
>> For 1., the steps to reproduce are:
>> 1. Download the latest KC, unzip it, start it.
>> 2. Configure the logged-in user's (admin) e-mail (in "manage account") and the Email realm settings. Make sure e-mail sending works.
>> 3. Go to "manage account" and change your email.
>> 4. Click "Back to Security Admin Console"
>> 5. You should see the "EMAIL VERIFICATION" page
>> 6. Click on the verification link in the e-mail
>> 7. You should see the "YOU ARE ALREADY LOGGED IN" page, click on the "Back to Application" link. This brings you back to step 5. instead of the admin console.
>>
>> And this is the error itself, you will find yourself in an endless loop defined by steps 5 - 7.
>>
>> I can create a JIRA for that, just wanted to make sure this is a bug, not a feature.
>
> We did some fixes in 3.4.3, but it's possible not for everything. Feel free to create a JIRA.
>
> Marek
>>
>> Thanks!
>>
>> Viliam
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jpperata at gmail.com Fri Feb 23 08:08:28 2018
From: jpperata at gmail.com (Juan Pablo Perata)
Date: Fri, 23 Feb 2018 13:08:28 +0000
Subject: [keycloak-user] User session logout in Keycloak Console seems not to work if using User Federation Provider
In-Reply-To:
References:
Message-ID:

I found that I needed to configure the Admin URL for the client for logout through the admin console to properly work. An answer from Stian Thorgersen on another thread about logout on bearer and non-bearer clients was really useful.

Regards,
Juan

On Thu, Feb 1, 2018 at 10:29 AM Juan Pablo Perata wrote:
> To add something else:
>
> I discovered I was changing JSESSIONID after successful login in a callback servlet. I removed that because Keycloak itself is invalidating the old session and assigning a new id.
>
> Otherwise, to my surprise, after logging out the session from the Keycloak admin console, the session remains active and I am still logged in to the application.
>
> Any tip is appreciated.
> Regards,
> Juan
>
> On Wed, Jan 31, 2018 at 12:20 PM Juan Pablo Perata wrote:
>
>> Hello,
>>
>> This issue seems application specific, but I could not reach the root yet.
>>
>> I would like to know if someone faced this in Keycloak Admin Console or some tips you could give me to see what is going on.
>>
>> *Environment*
>> Web application running on Wildfly 10.1.0.Final and secured with Keycloak.
>> Keycloak 3.4.3.Final server running in :
>> Wildfly 10.1.0.Final server running in :
>>
>> *Description*
>> Found that session logout from Keycloak admin does not have effect for federated users in my web application.
>> Steps:
>> - develop your own user federation provider to connect to an internal database (implements interfaces _UserStorageProvider, CredentialInputValidator, UserLookupProvider, OnUserCache_)
>> - properly configure the user federation provider in the Keycloak realm
>> - configure and deploy a JSF based web OIDC client application in Wildfly secured by Keycloak
>> - Go to: _:/_ and authenticate using the federation provider. Authentication succeeded
>> - Go to Keycloak Console -> Realm -> Sessions -> (select web application client) -> Show sessions. Then select from displayed table -> "Sessions" tab
>> - Click "Logout all sessions" or "Logout" the specific session. A success message is displayed and the session disappears from the table.
>> - Go to _:/_ and check that the session is still alive and the user is authenticated.
>> - Checked in a Filter in the web application that the "org.keycloak.KeycloakSecurityContext" security context is present with information from the logged in user.
>>
>> *To note:*
>> - (correct behaviour) If logout is performed from the web application, the single sign on session is logged out properly (HttpRequest.logout()).
>> - (correct behaviour) Tested behaviour with the [product-portal sample | https://github.com/keycloak/keycloak/tree/master/examples/demo-template/product-app] application and *it works ok as expected*. Tested with users loaded in "demo" json and also using my own user federation provider and it works well.
>>
>> Thanks in advance,
>> Juan

From ulrich.merckx at vlaanderen.be Fri Feb 23 08:20:35 2018
From: ulrich.merckx at vlaanderen.be (Merckx, Ulrich)
Date: Fri, 23 Feb 2018 13:20:35 +0000
Subject: [keycloak-user] Missing Basic Authentication functionality for connecting to an OpenId Identity Provider
Message-ID:

Hi,

We are having an issue while connecting from Keycloak to a certain OpenID Identity Provider. The OpenID Provider only supports logging in with Basic Authentication (client_id and client_secret), as specified in

"token_endpoint_auth_methods_supported": [ "client_secret_basic" ]

Currently Keycloak only supports 'posting' the client_id and client_secret. This will not work with the OpenID Identity Provider. Or maybe I don't see how to configure it.

Code: https://github.com/keycloak/keycloak/blob/63efee6e158c4a06d4948819cb36ccf88bcf5e0f/services/src/main/java/org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.java#L423

Can you confirm that connecting to an OpenID Identity Provider with Basic Authentication is not implemented in Keycloak? If this is not implemented I will make a JIRA issue.

The OAuth RFC also states that it is recommended to use Basic Authentication over posting (see: https://tools.ietf.org/html/rfc6749#section-2.3.1).

Kind regards,
Ulrich Merckx
Developer
DEPARTEMENT OMGEVING
Afdeling Data- en informatiebeheer en Digitale Maatschappij
T 02 553 00 00, M 0478 69 59 18
Koning Albert II-laan 20 bus 8, 1000 Brussel
www.omgevingvlaanderen.be
www.milieuinfo.be
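The two client-authentication methods Ulrich contrasts, as an added example that is not part of this thread or of Keycloak's code: a token request built with either client_secret_basic (RFC 6749 section 2.3.1, which form-urlencodes the id and secret before the Basic encoding) or client_secret_post, and the token-endpoint side that recovers the credentials and rejects a request carrying both methods. The endpoint URL, client id and secret are constructed placeholders.

```python
import base64
from urllib.parse import parse_qs, quote_plus, unquote_plus, urlencode

# Constructed placeholder; a real provider advertises its endpoint in
# the discovery document alongside token_endpoint_auth_methods_supported.
TOKEN_ENDPOINT = "https://idp.example/auth/realms/demo/protocol/openid-connect/token"


def build_token_request(client_id, client_secret, code, redirect_uri,
                        method="client_secret_basic"):
    """Build the headers and form body of an authorization-code token
    request, authenticating the client with the method the provider
    lists in token_endpoint_auth_methods_supported."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: id and secret are each form-urlencoded
        # *before* being joined with ':' and base64-encoded for HTTP Basic.
        userpass = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        token = base64.b64encode(userpass.encode("utf-8")).decode("ascii")
        headers["Authorization"] = "Basic " + token
    elif method == "client_secret_post":
        # Credentials travel in the body; RFC 6749 allows this but
        # recommends the Basic form above.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported client authentication method: {method}")
    return {"url": TOKEN_ENDPOINT, "headers": headers, "body": urlencode(form)}


def parse_client_auth(headers, body):
    """Token-endpoint side: return (client_id, client_secret, method).
    A request that uses more than one authentication method is rejected,
    as RFC 6749 section 2.3 requires."""
    form = parse_qs(body, keep_blank_values=True)
    has_post = "client_id" in form and "client_secret" in form
    auth = headers.get("Authorization", "")
    has_basic = auth.startswith("Basic ")
    if has_basic and has_post:
        raise ValueError("client used more than one authentication method")
    if has_basic:
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True)
            decoded = decoded.decode("utf-8")
        except (ValueError, UnicodeDecodeError) as exc:
            raise ValueError("malformed Basic credentials") from exc
        user, sep, password = decoded.partition(":")
        if not sep:
            raise ValueError("Basic credentials lack the ':' separator")
        # Undo the form-urlencoding applied on the client side.
        return unquote_plus(user), unquote_plus(password), "client_secret_basic"
    if has_post:
        return form["client_id"][0], form["client_secret"][0], "client_secret_post"
    raise ValueError("no client authentication present")


def uses_single_method(headers, body):
    """True when the request authenticates with exactly one method."""
    try:
        parse_client_auth(headers, body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    req = build_token_request("acme:app", "s3cr3t/+", "c0de-sample",
                              "https://app.example/cb")
    print(req["headers"]["Authorization"])
    print(parse_client_auth(req["headers"], req["body"]))
```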
From j.muis at copas.nl Fri Feb 23 09:56:58 2018
From: j.muis at copas.nl (Jeroen Muis)
Date: Fri, 23 Feb 2018 14:56:58 +0000
Subject: [keycloak-user] Resource owner credential grant & required actions
Message-ID:

Hi,

Due to some legacy we have to use (JAAS) direct access grants and that's actually working really well until the account gets a required action, such as update password, verify email, ...

Before Keycloak 3.4.1, if the credentials are ok we get a 400 response with "Account is not fully setup", but without any details on what actually is the required action.

As per "KEYCLOAK-5284: Information disclosure when brute force detection is on using the token endpoint" (1) this behavior has changed and apparently there is no feedback anymore even though the credentials themselves are ok.

How should we now detect "required actions" to be performed if we can't even tell the difference anymore between invalid credentials and required actions to be completed?

Why is brute force detection done like this when there actually is a brute force detection setting in the realm which by default is switched off?

1. https://issues.jboss.org/browse/KEYCLOAK-5284

Thanks very much.
Jeroen Muis

From viggo.navarsete at gmail.com Sat Feb 24 05:27:36 2018
From: viggo.navarsete at gmail.com (Viggo Navarsete)
Date: Sat, 24 Feb 2018 10:27:36 +0000
Subject: [keycloak-user] Quickstart tutorials (app-angular2 and app-jee-html5) not working
Message-ID:

Hi,

I've deployed the JAX-RS service tutorial https://github.com/keycloak/keycloak-quickstarts/tree/latest/service-jee-jaxrs, and then tried to run the various quickstart tutorial clients towards it: app-angular2, app-jee-html5. I get the following in the console:

errors.ts:42 ERROR SyntaxError: Unexpected end of JSON input

The WildFly access log shows me this:

11:13:29,795 INFO [io.undertow.accesslog] (default task-27) 127.0.0.1 [24/Feb/2018:11:13:29 +0100] "OPTIONS /service/secured HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36"
11:13:29,831 INFO [io.undertow.accesslog] (default task-25) 127.0.0.1 [24/Feb/2018:11:13:29 +0100] "GET /service/secured HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36"

But when I run app-jee-jsp it works as expected; I can see this in the WildFly access log:

public gives
11:18:35,840 INFO [stdout] (default task-22) Service url: http://localhost:8080/service
11:18:35,865 INFO [stdout] (default task-30) Public endpoint called
11:18:35,865 INFO [io.undertow.accesslog] (default task-30) 127.0.0.1 [24/Feb/2018:11:18:35 +0100] "GET /service/public HTTP/1.1" 200 "Apache-HttpClient/4.5 (Java/1.8.0_151)"
11:18:35,867 INFO [io.undertow.accesslog] (default task-22) 127.0.0.1 [24/Feb/2018:11:18:35 +0100] "GET /app-jsp/index.jsp?action=public HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36"

secured gives
11:19:00,781 INFO [stdout] (default task-21) Service url: http://localhost:8080/service
11:19:00,806 INFO [stdout] (default task-29) Secured endpoint called
11:19:00,807
INFO [io.undertow.accesslog] (default task-29) 127.0.0.1 [24/Feb/2018:11:19:00 +0100] "GET /service/secured HTTP/1.1" 200 "Apache-HttpClient/4.5 (Java/1.8.0_151)"
11:19:00,808 INFO [io.undertow.accesslog] (default task-21) 127.0.0.1 [24/Feb/2018:11:19:00 +0100] "GET /app-jsp/index.jsp?action=secured HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36"

admin gives
11:19:21,979 INFO [stdout] (default task-26) Service url: http://localhost:8080/service
11:19:22,003 INFO [stdout] (default task-24) Admin endpoint called
11:19:22,003 INFO [io.undertow.accesslog] (default task-24) 127.0.0.1 [24/Feb/2018:11:19:22 +0100] "GET /service/admin HTTP/1.1" 200 "Apache-HttpClient/4.5 (Java/1.8.0_151)"
11:19:22,005 INFO [io.undertow.accesslog] (default task-26) 127.0.0.1 [24/Feb/2018:11:19:22 +0100] "GET /app-jsp/index.jsp?action=admin HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.75 Safari/537.36"

So, to me it seems like the request doesn't reach the REST endpoint at all for the app-angular2 and app-jee-html5 clients!

This is confusing me a lot, and I get into similar issues with my own projects, hence I want to make sure the tutorials at least work properly. I run this on WildFly 11.0.0.Final and Keycloak 3.4.3.Final. Could there be some issues with WildFly 11.0.0.Final vs WildFly 10.0.0.Final, or the Keycloak versions? Could someone please confirm that they're able to run these tutorials themselves?

Best regards,
Viggo Navarsete

From moritz.becker at gmx.at Sat Feb 24 10:24:35 2018
From: moritz.becker at gmx.at (moritz.becker at gmx.at)
Date: Sat, 24 Feb 2018 16:24:35 +0100
Subject: [keycloak-user] Register custom JAX-RS Providers
Message-ID: <019d01d3ad83$93ff9d00$bbfed700$@gmx.at>

How can I register custom JAX-RS providers or filters?

And why was this never picked up: http://lists.jboss.org/pipermail/keycloak-dev/2016-September/008164.html ?
From jason.lei.wang at gmail.com Mon Feb 26 00:26:50 2018
From: jason.lei.wang at gmail.com (Jason Wang)
Date: Mon, 26 Feb 2018 18:26:50 +1300
Subject: [keycloak-user] A couple of questions on TOTP registration and two stage resource owner auth
Message-ID:

Hi all,

The resource owner auth flow with TOTP enabled works by providing username, password and TOTP code in one go. For example, to authenticate user 'test3' on realm 'test' with TOTP code 123456, the following HTTP POST works well (the scope parameter needs its own -d flag, otherwise curl treats it as a URL):

curl -v \
  -d scope=openid -d grant_type=password \
  --data-urlencode client_id=public \
  --data-urlencode username=test3 \
  --data-urlencode password=test3 \
  --data-urlencode totp=123456 \
  127.0.0.1:8080/auth/realms/test/protocol/openid-connect/token

It returns two tokens as expected.

In my use case, I would like to do this in 2 stages, similar to how this user would log in to Keycloak: he needs to enter username and password first. Only valid credentials will lead him to the TOTP page. Does Keycloak provide APIs to support such a way? Interestingly, after TOTP is set, providing only username and password when calling the API would only result in a generic 401. I have seen quite a few references to an API endpoint that looks like:

$BASE_URL/realms/$REALM/credential-validation

which does not seem to exist (https://gist.github.com/sts/4c6f8fa759cec88197ca6dfcf306c391).

The second question is whether there is an API to set the authenticator for the given user. For example, return the long binding code (can be displayed by this link http://127.0.0.1:8080/auth/realms/test/account/totp?mode=manual), which is what the QR code links to. With this API, I can do the registration process outside of Keycloak.

The last question is that the Keycloak UI does not seem to be using OIDC APIs with the server? I tried to find out which APIs those pages are invoking by debugging in the browser, which did not give me JSON resources.
This is a lazy question to save me looking into the source code, which I know I will need to do later ;-).

Many thanks,
Jason

From dz at scoutsengidsenvlaanderen.be Mon Feb 26 08:56:37 2018
From: dz at scoutsengidsenvlaanderen.be (Daan Zwaenepoel)
Date: Mon, 26 Feb 2018 14:56:37 +0100
Subject: [keycloak-user] You cannot set autocommit during a managed transaction
Message-ID:

Hello Everyone

In our Keycloak project we are using an external database in combination with the Keycloak database. In our Registration FormAction I need to get some data from the external database and also write some data back. For this I create an entity manager in my Registration factory, and I know that my connection works because I successfully get data from the database, but every time I try to write data back to the database with

entityManager.getTransaction().begin();
entityManager.merge(lid);
entityManager.getTransaction().commit();

I get the error "You cannot set autocommit during a managed transaction". When I use

entityManager.merge(lid);
entityManager.flush();

to write data back I get the error "javax.persistence.TransactionRequiredException: no transaction is in progress".

What is the problem here, or what is the best way to write data to the database?

Daan

From subodhcjoshi82 at gmail.com Tue Feb 27 01:07:30 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Tue, 27 Feb 2018 11:37:30 +0530
Subject: [keycloak-user] Missing id_token with Keycloak3.2.1
Message-ID:

Hi All

I am using the below curl command:

curl -k https://135.250.139.249:8443/auth/realms/Test123/protocol/openid-connect/token -d "grant_type=client_credentials" -d "client_id=SURE_APP" -d "client_secret=ca3c4212-f3e8-43a4-aa14-1011c7601c67"

In the above command's response *id_token* is missing, which is required for Kong to tell who I am.
In my Keycloak realm -> client -> Full Scope Allowed -> True

--
Subodh Chandra Joshi
http://www.questioninmind.com

From subodhcjoshi82 at gmail.com Tue Feb 27 01:24:43 2018
From: subodhcjoshi82 at gmail.com (Subodh Joshi)
Date: Tue, 27 Feb 2018 11:54:43 +0530
Subject: [keycloak-user] Missing id_token with Keycloak3.2.1
In-Reply-To:
References:
Message-ID:

Ok, I found it: we have to add *scope=openid*, only then will it work.

On Tue, Feb 27, 2018 at 11:37 AM, Subodh Joshi wrote:
> Hi All
>
> I am using the below curl command:
>
> curl -k https://135.250.139.249:8443/auth/realms/Test123/protocol/openid-connect/token -d "grant_type=client_credentials" -d "client_id=SURE_APP" -d "client_secret=ca3c4212-f3e8-43a4-aa14-1011c7601c67"
>
> In the above command's response *id_token* is missing, which is required for Kong to tell who I am.
>
> In my Keycloak realm -> client -> Full Scope Allowed -> True
>
> --
> Subodh Chandra Joshi
> http://www.questioninmind.com

--
Subodh Chandra Joshi
subodh1_joshi82 at yahoo.co.in
http://www.trendsinnews.com

From upananda313 at gmail.com Tue Feb 27 01:42:17 2018
From: upananda313 at gmail.com (Upananda Singha)
Date: Tue, 27 Feb 2018 12:12:17 +0530
Subject: [keycloak-user] Fine tuning KC for performance
In-Reply-To:
References:
Message-ID:

Hi All,

Could anybody please point out what Keycloak's load-bearing capacity is in terms of TPS (transactions per sec)? As I already indicated, I have been using 2 instances of Keycloak connected to a shared PostgreSQL database (the Keycloak instances being clustered using the standalone-ha configuration). I have been trying the Reset Pwd API call on a 500 user base. I am running a JMeter test suite to reset pwd and trying to post at a rate of around 100 msg per sec. But as per the JMeter throughput results I can see a max throughput of around 80, which seems really low when I have 2 instances of KC. My load balancer is doing round robin scheduling for forwarding the requests to the KC instances.
Can anybody share his/her experience regarding the load test results for Keycloak? Any information will be highly appreciated. Any KC optimization configuration would be great...

Thanks & Regds
Upananda Singha

On Wed, Feb 21, 2018 at 12:22 PM, Upananda Singha wrote:
> Hi All,
>
> I am trying to test a KC cluster (with 2 KC nodes) using standalone-ha mode.
> I have configured a shared database of PostgreSQL (2ndQuadrant with BDR - having 2 Database nodes and KC nodes pointing to a single node).
>
> Each of the KC nodes is configured with
> JAVA_OPTS="-*Xms256m* -*Xmx1024m* -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true"
>
> And default connection pool size set to 40 each.
>
> But when I run traffic I don't see combined throughput going beyond 80/90 per sec when traffic hits both the KC nodes in a round robin fashion.
>
> Can anybody give some idea what kind of tuning I can try to increase the throughput. With 2 nodes of KC we are looking for throughput of at least 200-300.
>
> Thanks & Regds,
> Upananda
>
>

From mkanis at redhat.com Tue Feb 27 03:35:33 2018
From: mkanis at redhat.com (Martin Kanis)
Date: Tue, 27 Feb 2018 09:35:33 +0100
Subject: [keycloak-user] Register custom JAX-RS Providers
In-Reply-To: <019d01d3ad83$93ff9d00$bbfed700$@gmx.at>
References: <019d01d3ad83$93ff9d00$bbfed700$@gmx.at>
Message-ID: 

Hi,

try to have a look at https://github.com/keycloak/keycloak/tree/master/examples/providers/rest.
Alternatively you can do a hot deployment of a provider by copying the provider's jar to the /standalone/deployment folder.

Regards,
Martin

On Sat, Feb 24, 2018 at 4:24 PM, wrote:
> How can I register custom JAX-RS providers or filters?
>
> And why was this never picked up:
> http://lists.jboss.org/pipermail/keycloak-dev/2016-September/008164.html ?
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From rudreshsj at gmail.com Tue Feb 27 04:09:06 2018
From: rudreshsj at gmail.com (Rudresh Shashikant)
Date: Tue, 27 Feb 2018 16:09:06 +0700
Subject: [keycloak-user] Multiple 'standalone' in k8s setup
Message-ID: 

Hello hivemind,

I have deployed keycloak at the moment with the following setup:
- kubernetes in openshift
- 1 pod
- RDS (postgres) for database
- standalone mode
- not across data centre

I was exploring the possibility of avoiding a single point of failure by simply increasing the number of pods in openshift to 2 or 3 (note, each instance is still in standalone mode). I tested this by increasing the number of pods and ensuring the logs of all the keycloak pods are registering access when I hit the service endpoint with my web browser. Since they are identical replicas of one another, they will all communicate with the same RDS (postgres) endpoint on AWS.

The above setup works for me as a proof of concept, i.e., I'm able to login and refresh multiple times to ensure load balancing etc. is working across keycloak pods. yay!

But I wanted to do due diligence and RTFM [http://www.keycloak.org/docs/latest/server_installation/index.html#_operating-mode], upon which I found there was information on how to run in standalone-ha mode and many others as well. This is where the confusion sets in. Isn't Keycloak stateless? Won't the above setup work for me? Are there any known issues I will run into with the above setup (all standalone)? What is the need to run in standalone-ha mode given the context of my above deployment environment?

I'd appreciate it if someone can point me in the right direction or help provide some answers. Thanks!

Regards,
Rudy.
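What separates Rudy's all-standalone pods from standalone-ha is how the Infinispan caches that hold user and authentication sessions are configured, and it is the same point Marek makes further down this digest in his reply to Shankar (use standalone-ha.xml and raise owners to 2 for failover). The fragments below are an added illustration, not quoted from the thread or copied verbatim from a Keycloak distribution; the cache names follow the keycloak cache-container of a Keycloak 3.x server, and only the session-related caches are shown.

```xml
<!-- Added illustration (not verbatim Keycloak distribution content).
     standalone.xml, which each of Rudy's pods runs: the session caches
     are local, so a pod only ever sees the sessions it created itself.
     A login that lands on pod A cannot be refreshed through pod B. -->
<cache-container name="keycloak">
    <local-cache name="sessions"/>
    <local-cache name="authenticationSessions"/>
    <local-cache name="offlineSessions"/>
    <local-cache name="loginFailures"/>
    <!-- realms, users, keys, work, actionTokens ... omitted -->
</cache-container>

<!-- standalone-ha.xml: the same caches are distributed across the cluster.
     The stock file ships owners="1" (one copy of every entry, so a pod that
     dies still takes its sessions with it); owners="2", as Marek recommends,
     keeps a second copy on another node so one pod can be lost without
     invalidating logins. -->
<cache-container name="keycloak">
    <transport lock-timeout="60000"/>
    <distributed-cache name="sessions" mode="SYNC" owners="2"/>
    <distributed-cache name="authenticationSessions" mode="SYNC" owners="2"/>
    <distributed-cache name="offlineSessions" mode="SYNC" owners="2"/>
    <distributed-cache name="loginFailures" mode="SYNC" owners="2"/>
    <replicated-cache name="work" mode="SYNC"/>
    <!-- realms, users, keys, authorization, actionTokens ... omitted -->
</cache-container>
```

The HA profile also needs a JGroups node-discovery mechanism that works on the platform: the default stack relies on UDP multicast, which is normally unavailable in OpenShift/Kubernetes, so discovery has to be configured separately there.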
From mposolda at redhat.com Tue Feb 27 10:44:25 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 27 Feb 2018 16:44:25 +0100
Subject: [keycloak-user] Testing Keycloak DynamicOP using openid.net
In-Reply-To: 
References: 
Message-ID: <403c7ec2-e634-dd08-5f89-892daa035078@redhat.com>

Hi,

it won't work on localhost, as the openid.net server needs to be able to connect to your Keycloak server over the network, which is not possible when using localhost. You need to be able to bind Keycloak on a real host and have the possibility to access it over the network.

When I was working on Keycloak certification, I was mainly using Keycloak deployed on an openshift cartridge. See the instructions here: https://github.com/keycloak/keycloak/blob/master/misc/OIDCConformanceTestsuite.md . But the Keycloak OpenShift cartridge is not supported anymore in the latest versions, so you would need something different if you want to try the latest version.

BTW: Keycloak is OpenID Connect certified with all 5 profiles: http://openid.net/developers/certified/

Marek

On 23/02/18 00:02, Carrasco, Jonathan J (173F) wrote:
> Hello.
>
> I'm reaching out to ask about the Conformance Testing Suite, available at http://openid.net/certification/testing/. At this time, we are evaluating Keycloak and some of the available OpenID Connect Libraries and Products, and would like to perform certification testing locally.
>
> So, the question is: do you have a breakdown of Keycloak configuration to allow for Conformance Testing in a local dev environment, i.e. localhost? I have tried to test and keep getting a connection refused error when I try the Dynamic Discovery and Registration test.
>
> To give some insight:
> I am using the oidctest repo locally
> I have keycloak running, no problem
> I've set realm to not require ssl
> I deleted all anonymous client registration policies
> But when I run the test, using the issuer as http://localhost:8080/auth/realms/master or https://localhost:8443/auth/realms/master, I get
>
> Discovery:OP-Response-Missing: status=ERROR, message=HTTPSConnectionPool(host='localhost', port=8443): Max retries exceeded with url: /auth/realms/master/.well-known/openid-configuration (Caused by NewConnectionError(': Failed to establish a new connection: [Errno 111] Connection refused',))
> I also tried setting up a reverse proxy to handle ssl traffic, to no avail.
>
> I don't have a problem working with keycloak, since I can curl most of the commands or use python requests, etc. And really, the point of this is to test (out-of-the-box) without having to alter any source code from Github. Hence, I'm reaching out to the source and I want to ask if you have a setup to allow keycloak to be tested on a local machine.
>
>
> --
> Jonathan Carrasco (173F)
> Jet Propulsion Laboratory - California Institute of Technology
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Tue Feb 27 11:00:56 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 27 Feb 2018 17:00:56 +0100
Subject: [keycloak-user] Authorization returning less scopes than requested
In-Reply-To: <6D661B25-8912-466C-A6CB-9D65B0F6B7AB@code-house.org>
References: <6D661B25-8912-466C-A6CB-9D65B0F6B7AB@code-house.org>
Message-ID: <00de6c6f-99c7-7662-83b8-85c767422aba@redhat.com>

On 22/02/18 16:32, luke at code-house.org wrote:
> Hey,
> At the beginning, I would like to say thank you for delivering such great software, and also to the people who read this message for handling community support.
:-)

>
> I came to keycloak because I need two functionalities of it - oidc provider and also identity broker. I integrate with services which have a predefined set of scopes. My application can request multiple scopes such as "patient/*.write" (write data related to patient), however the user or the system where authentication takes place may decide to grant lower access than requested.
> For example the above patient write scope request might be constrained to "patient/*.read" or even a subset of that, "patient/Patient.read" (patient demographics). The reason why it might happen depends on a few things - because the user decides to unmark these on the consent page, or it might not be allowed by the system. In the second case the user will not even be asked about giving such permission to his data.
>
> From a logical point of view, as long as the authorisation request ends up with a token grant, these are still proper tokens which the application must handle. The question is - is such a use case supported by Keycloak?
> Also, how should I map such wildcard scopes in keycloak?

Those are interesting usecases. At this moment, we don't have support for "unmarking" specific consents on the consent screen. Maybe it's something which would be good to support. I know Facebook has some support for it (some consents are mandatory and can't be unchecked on the consent screen; some are optional and can be unchecked). This may be nice to have. Feel free to create a JIRA.

For the second part, I am working on a refactoring of scope parameter support. This will allow some more flexibility - especially, you will be able to map more roles into a single client scope (which de facto means a single value of the scope parameter and a single item on the consent screen for a whole group of roles). Maybe it's something which would help you with the usecase? In other words, there won't likely be support for regexes (at least in the first stage, which should be finished in a few weeks), but maybe your usecase can still be addressed with it.
>
> The second use case which I have is similar to the first one. The main difference is that it must be implemented on the keycloak authorisation part - when the user application requests an access token, it sends two scopes, let's call them "user" and "patient". Because the application doesn't know the actual permissions of the user, it can not decide which scopes should be used. We theoretically could work around that with two login pages resulting in different scope requests. However, our intention is to implement this on the keycloak side - based on our own logic we will know what the role of a given user is and which scope is permitted. Biggest question - which extension point, if any is available, could we use for that?

That's also an interesting usecase. We don't have it OOTB, but I think that there is a way to "plug" your own logic in for it. I think you can do a custom requiredAction implementation, which will remove some values from the scope parameter based on the actual permissions which the authenticated user has, and hence the roles won't be shown on the consent screen at all then. But note that I am working on refactoring this part, so if you do some "extension" of your own on current Keycloak, you might need to refactor it later. Anyway, feel free to create a JIRA for better support of this usecase OOTB.

I suggest keeping an eye on our MLs; hope there will be something about better support of client scopes (scope parameter) very soon. I would be curious for feedback.

Thanks,
Marek

>
> Kind regards,
> Łukasz
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hmidi.slim2 at gmail.com Tue Feb 27 12:58:33 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Tue, 27 Feb 2018 18:58:33 +0100
Subject: [keycloak-user] Authorization Services (2.4. Build, Deploy, and Test Your Application)
Message-ID: 

Hi,

I'm trying to test the tutorial concerning the Authorization Services (2.4. Build, Deploy, and Test Your Application). I followed all the instructions mentioned: I ran this command

.../bin/standalone.sh -Djboss.socket.binding.port-offset=100

then I created a realm and a user as mentioned in section *2.2 Creating a Realm and a User*. After that I enabled the authorization services as mentioned in *2.3 Enabling Authorization Services*. Then I installed maven v3.5.0 and jdk 8, and I installed the repo keycloak-quickstarts and followed the instructions.

First of all, in the doc in the section *2.4.2 Building and Deploying the Application* it's mentioned

cd redhat-sso-quickstarts/app-authz-jee-vanilla

I didn't find redhat-sso-quickstarts; maybe it is a mistake. I ran:

cd keycloak-quickstarts/app-authz-jee-vanilla
mvn clean package wildfly:deploy

I got this error:

-------------------------------------------------------
 T E S T S
-------------------------------------------------------
Running org.keycloak.quickstart.ArquillianJeeAuthzVanillaTest
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.436 sec <<< FAILURE!
org.keycloak.quickstart.ArquillianJeeAuthzVanillaTest  Time elapsed: 0.435 sec  <<< ERROR!
java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166) at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103) at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52) at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114) at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252) at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141) at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189) at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165) at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85) at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115) at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75) Caused by: java.lang.reflect.InvocationTargetException at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162) ... 
15 more Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: Could not create Container jboss at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85) at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96) at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265) at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74) at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96) at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) at 
org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290)
    at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.<init>(EventTestRunnerAdaptor.java:63)
    ... 20 more
Caused by: java.lang.IllegalArgumentException: DeployableContainer must be specified
    at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44)
    at org.jboss.arquillian.container.impl.ContainerImpl.<init>(ContainerImpl.java:71)
    at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80)
    ... 44 more

Results :

Tests in error:
  org.keycloak.quickstart.ArquillianJeeAuthzVanillaTest: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor

Tests run: 1, Failures: 0, Errors: 1, Skipped: 0

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.144 s
[INFO] Finished at: 2018-02-27T18:57:34+01:00
[INFO] Final Memory: 37M/389M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.12.4:test (default-test) on project keycloak-app-authz-jee-vanilla: There are test failures.
[ERROR]
[ERROR] Please refer to /home/user1/Downloads/keycloak-quickstarts-latest/app-authz-jee-vanilla/target/surefire-reports for the individual test results.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

I don't know what the problem is or how I can fix it.
From hmidi.slim2 at gmail.com Tue Feb 27 13:48:50 2018
From: hmidi.slim2 at gmail.com (hmidi slim)
Date: Tue, 27 Feb 2018 19:48:50 +0100
Subject: [keycloak-user] Authorization Services (2.4. Build, Deploy, and Test Your Application)
In-Reply-To: 
References: 
Message-ID: 

Thank you for your answer Jonathan. Now when I run the command

mvn -DskipTests clean wildfly:deploy

I got this error:

[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 2.793 s
[INFO] Finished at: 2018-02-27T19:46:09+01:00
[INFO] Final Memory: 46M/382M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli) on project keycloak-app-authz-jee-vanilla: Failed to execute goal deploy.: java.net.ConnectException: WFLYPRT0053: Could not connect to http-remoting://localhost:9990. The connection failed: Connection refused -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException

And the server is running.

From psilva at redhat.com Tue Feb 27 14:01:16 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 27 Feb 2018 16:01:16 -0300
Subject: [keycloak-user] Authorization Services (2.4. Build, Deploy, and Test Your Application)
In-Reply-To: 
References: 
Message-ID: 

We need to fix the documentation. Thanks for the feedback.

Could you try following the steps in README.md [1]? It should be better to follow ...
[1] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-jee-vanilla

On Tue, Feb 27, 2018 at 3:48 PM, hmidi slim wrote:
> Thank you for your answer Jonathan. Now when I run the command mvn
> -DskipTests clean wildfly:deploy I got this error :
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD FAILURE
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 2.793 s
> [INFO] Finished at: 2018-02-27T19:46:09+01:00
> [INFO] Final Memory: 46M/382M
> [INFO] ------------------------------------------------------------------------
> [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli) on project keycloak-app-authz-jee-vanilla: Failed to execute goal deploy.: java.net.ConnectException: WFLYPRT0053: Could not connect to http-remoting://localhost:9990. The connection failed: Connection refused -> [Help 1]
> [ERROR]
> [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
> [ERROR] Re-run Maven using the -X switch to enable full debug logging.
> [ERROR]
> [ERROR] For more information about the errors and possible solutions, please read the following articles:
> [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
>
> And the server is running.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From gregory.ruch at elca.ch Tue Feb 27 15:55:19 2018
From: gregory.ruch at elca.ch (Ruch Grégory)
Date: Tue, 27 Feb 2018 20:55:19 +0000
Subject: [keycloak-user] Verify email unwanted when users authenticate via Kerberos
Message-ID: <3BD7D142-9172-4666-A1CE-06EA6D09C4E5@elca.ch>

Hi all,

I have configured a realm in which I have allowed user registration and Kerberos authentication.
For user registration I have activated email address verification. Now my issue is that when I do the first login through Kerberos I also need to validate the email address. I configured it in the same realm because I configured a SAML client application which both self-registered and Kerberos authenticated users need to access.

What I want is having self-registered users validate their email address, authenticate themselves with username/password and access all trusted applications with SSO. I want to have "corporate" users authenticate with Kerberos and access all trusted applications (the same applications as self-registered users).

Is there another / a right way to configure keycloak to do what I would like to do? Or should it be implemented as an option in the ldap/Kerberos User federation provider, such as "Trust email address", which would bypass the required action "verify email"?

Thank you in advance for your help,

Regards,
Greg

From sthorger at redhat.com Tue Feb 27 23:06:52 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Feb 2018 05:06:52 +0100
Subject: [keycloak-user] Review French translation update
Message-ID: 

Can someone fluent in French review the following PR please:
https://github.com/keycloak/keycloak/pull/5036

From sthorger at redhat.com Tue Feb 27 23:08:14 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 28 Feb 2018 05:08:14 +0100
Subject: [keycloak-user] Review French translation update
In-Reply-To: 
References: 
Message-ID: 

and the following PR as well: https://github.com/keycloak/keycloak/pull/5013

On 28 February 2018 at 05:06, Stian Thorgersen wrote:
> Can someone fluent in French review the following PR please:
> https://github.com/keycloak/keycloak/pull/5036
>

From soundrachan at gmail.com Wed Feb 28 00:53:45 2018
From: soundrachan at gmail.com (Chandran Soundrapandian)
Date: Wed, 28 Feb 2018 11:23:45 +0530
Subject: [keycloak-user] Getting SSLPeerUnverifiedException
Message-ID: 

Hi,

When we moved the working QA Setup to Production, we are getting the following error when a user uses the Google identity provider. I do see the CN name doesn't match the name in the certificate. But I am not sure if that is the problem. We are using Keycloak version keycloak-3.2.0.Final.

2018-02-27 03:16:50,531 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-63) Failed to make identity provider oauth callback: javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (*CN=gateway.***.***.org*, OU=PositiveSSL, OU=Domain Control Validated)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:142)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:90)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)

Please let me know when we get this error. I really appreciate your help.

Thanks,
-Chandran

From luke at code-house.org Wed Feb 28 04:54:54 2018
From: luke at code-house.org (Łukasz Dywicki)
Date: Wed, 28 Feb 2018 10:54:54 +0100
Subject: [keycloak-user] Identity broker and token refresh
Message-ID: <852F26F6-9776-4322-B7C2-0F1F506B7935@code-house.org>

Hi all,

During my tests I've run into a situation where the keycloak identity broker returned me an expired access token.
Is there a way to let keycloak refresh tokens automatically?

Kind regards,
Łukasz Dywicki

From mposolda at redhat.com Wed Feb 28 06:53:45 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 28 Feb 2018 12:53:45 +0100
Subject: [keycloak-user] [keycloak-dev] Running Keycloak in a clustered mode
In-Reply-To: 
References: 
Message-ID: 

On 28/02/18 11:15, Shankar_Bhaskaran wrote:
> Hi ,
>
> We are running 2 standalone instances of keycloak with a shared database (later on a clustered database) in active passive mode using haproxy as the loadbalancer. I had tested some rest services by running the request again with the same bearer token with the active keycloak server down, and the passive server now becomes the active one and it still works.
> Can we run 2 instances of keycloak in the standalone mode behind a proxy with a shared database? Or should we cluster it first using the standalone-ha.xml configuration?
> What features will be disabled if we use the former way of loadbalancing keycloak?

I suggest always using clustered keycloak with standalone-ha.xml instead, and since you want failover support, increase the number of owners to 2 for the distributed caches.
One of the things which won't work for the former setup (with standalone instances) is the replication of user sessions. In other words, a userSession created on node1 won't be visible on node2. The scenario you mentioned may work (e.g. the REST endpoint triggered on node2 will be able to successfully verify an accessToken created on node1). However, access tokens are usually short lived and it is assumed that you periodically "refresh" them (our adapters do refresh automatically). And refreshing the token requires the userSession to be present, so with the former setup it will fail, as the userSession created on node1 won't be available on node2.

User session is one example. There are some other things which won't work. We never tried to test such a setup and I wouldn't do it.

Marek

>
> Regards.
> Shankar
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

From mposolda at redhat.com Wed Feb 28 06:56:23 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 28 Feb 2018 12:56:23 +0100
Subject: [keycloak-user] Identity broker and token refresh
In-Reply-To: <852F26F6-9776-4322-B7C2-0F1F506B7935@code-house.org>
References: <852F26F6-9776-4322-B7C2-0F1F506B7935@code-house.org>
Message-ID: <4fdbbec4-b40c-251c-93b6-469d3d9a2c19@redhat.com>

From the 3.4.3 (or maybe even earlier) release, there is the TokenExchange service. I am not 100% sure, but maybe it supports the mentioned scenario and it will allow you to always return a "fresh" token from the 3rd party identity provider. I don't think we support any other way to do it OOTB, but not 100% sure.

Marek

On 28/02/18 10:54, Łukasz Dywicki wrote:
> Hi all,
> During my tests I've run into a situation where the keycloak identity broker returned me an expired access token.
> Is there a way to let keycloak refresh tokens automatically?
>
> Kind regards,
> Łukasz Dywicki
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pinguwien at gmail.com Wed Feb 28 08:30:45 2018
From: pinguwien at gmail.com (Dominik Guhr)
Date: Wed, 28 Feb 2018 14:30:45 +0100
Subject: [keycloak-user] Kerberos & login, multiple environments with multiple users
Message-ID: 

Hi everyone,

so I've built a custom kerberos authenticator which should, depending on a querystring, not automatically login. So, when I add &login=manual to the url, the kerberos authenticator starts, checks, and stops.

Now everything is fine when I use this authenticator under normal conditions, in one tab, but:

- As a dev, I sometimes have different tabs with different environments open, e.g. http://myapp-local, http://myapp-dev
- these apps are different clients in keycloak as well, e.g. my-webapp-local, my-webapp-dev

Now I get logged in via kerberos in myapp-local, log out in myapp-test and try to login with different credentials manually in myapp-test.
Then, the AuthenticationProcessor raises the following exception when doing this with kerberos login-enabled browsers (chrome, ie):

=====================
2018-02-28 09:57:12,236 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null, ipAddress=10.242.50.137, error=different_user_authenticated, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://myurl/my-webapp-dev/, consent=no_consent_required, previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997, code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query
2018-02-28 09:57:12,236 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
    at org.keycloak.authentication.AuthenticationProcessor.attachSession(AuthenticationProcessor.java:898)
    at org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:796)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:951)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:724)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)
    at sun.reflect.GeneratedMethodAccessor513.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
=================
and in the browser I get an "unexpected error when handling request to identity provider" errormsg.
When doing the same thing in firefox (no kerberos, manual login, open 2 tabs in 2 different environments and login with different users), I get at least the errormsg "You are already authenticated as different user [name] in this session. Please logout first."

So, my questions are:
- Why is this not possible?
- Is there anything I can do (having a custom authenticator for kerberos/AD and a custom userstorageprovider for applicationdb) to make it possible to have different users logged in in different tabs for different kc-clients in the same realm?
- More specifically: Is there a possibility to use the AuthenticationProcessor in an SPI without having to make a custom keycloakbuild and remove the check in line 246/setAuthenticatedUser, or does this mess up the whole authentication session?

Would be great to get a hint here.

Thanks!

Best regards,
Dominik


From akoserwa at redhat.com  Wed Feb 28 10:34:11 2018
From: akoserwa at redhat.com (Abhishek Koserwal)
Date: Wed, 28 Feb 2018 21:04:11 +0530
Subject: [keycloak-user] Is keycloak also affect with this: https://www.kb.cert.org/vuls/id/475445
Message-ID:

Hi,

I don't see keycloak (SAML 2.0) list here: https://www.kb.cert.org/vuls/id/475445
Is it also affected?

-- 
Regards,
Abhishek Koserwal


From cedric.vidaillac at gmail.com  Wed Feb 28 12:22:36 2018
From: cedric.vidaillac at gmail.com (Cedric Vidaillac)
Date: Wed, 28 Feb 2018 18:22:36 +0100
Subject: [keycloak-user] Poor response time for User REST API
Message-ID:

Hi all,

I have ~4k users imported in my (postgres) database, when I go for

GET /{realm}/users/

For max=100 (default) it takes about 20-22s to respond (60kb document).
For max=20, I still get 4s response time, which is kinda... not ideal.

I'm not sure if those response time are normal, and if not why is this so slow ?

I'm guessing this overhead is caused by the JSON response, I tried on the database (>20ms). -> is there a way to reduce the JSON data response produced by Keycloak ? I only need usernames.
I didn't find anything on the docs, I tried ?fields=username in query param, sadly it doesn't work.

In case you're wondering why I do that, I want to use an auto-complete on my app, with usernames.

Thanks for reading.

Cédric.


From asaran at redhat.com  Wed Feb 28 14:41:23 2018
From: asaran at redhat.com (Anurag Saran)
Date: Wed, 28 Feb 2018 14:41:23 -0500
Subject: [keycloak-user] Linkedin Login Issue
Message-ID:

Hello all

I am trying to login with linked in and I get the below error:

invalid redirect_uri. This value must match a URL registered with the API Key.
invalid redirect_uri. This value must match a URL registered with the API Key.
URL: http://localhost:8080/auth/realms/designer-springboot/broker/linkedin/endpoint

Thanks,
-------------------------------------
Anurag Saran
Middleware Solutions Architect
Email: asaran at redhat.com
Mobile: (732) 662-8053
Schedule A Meeting With Me: https://calendly.com/asaran/


From mposolda at redhat.com  Wed Feb 28 15:01:16 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 28 Feb 2018 21:01:16 +0100
Subject: [keycloak-user] Poor response time for User REST API
In-Reply-To:
References:
Message-ID: <1cc656ba-d11c-b4a5-6db3-dc311fa55bfa@redhat.com>

I think there is some fix in latest Keycloak master related to that. Could you try to build latest master and check if you see better performance?

Marek

On 28/02/18 18:22, Cedric Vidaillac wrote:
> Hi all,
>
> I have ~4k users imported in my (postgres) database, when I go for
>
> GET /{realm}/users/
>
> For max=100 (default) it takes about 20-22s to respond (60kb document).
> For max=20, I still get 4s response time, which is kinda... not ideal.
>
> I'm not sure if those response time are normal, and if not why is this so slow ?
>
> I'm guessing this overhead is caused by the JSON response, I tried on the database (>20ms). -> is there a way to reduce the JSON data response produced by Keycloak ? I only need usernames.
>
> I didn't find anything on the docs, I tried ?fields=username in query param, sadly it doesn't work.
>
> In case you're wondering why I do that, I want to use an auto-complete on my app, with usernames.
>
> Thanks for reading.
>
> Cédric.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From mposolda at redhat.com  Wed Feb 28 15:04:44 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 28 Feb 2018 21:04:44 +0100
Subject: [keycloak-user] Is keycloak also affect with this: https://www.kb.cert.org/vuls/id/475445
In-Reply-To:
References:
Message-ID: <4b56e4a3-10e9-9921-4ff1-00f4b4be271a@redhat.com>

No, it's not. Keycloak is safe of course :)

Marek

On 28/02/18 16:34, Abhishek Koserwal wrote:
> Hi,
>
> I don't see keycloak (SAML 2.0) list here:
> https://www.kb.cert.org/vuls/id/475445
> Is it also affected?
>


From mposolda at redhat.com  Wed Feb 28 15:06:02 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 28 Feb 2018 21:06:02 +0100
Subject: [keycloak-user] Linkedin Login Issue
In-Reply-To:
References:
Message-ID: <7ce70a00-f582-db06-09cd-3ef48070868e@redhat.com>

It seems you need to configure correct redirect URI on LinkedIn side. I suggest to look at the documentation for additional details and also maybe to LinkedIn documentation about how to setup redirect uri.

Marek

On 28/02/18 20:41, Anurag Saran wrote:
> Hello all
>
> I am trying to login with linked in and I get the below error:
>
> invalid redirect_uri. This value must match a URL registered with the API Key.
> invalid redirect_uri. This value must match a URL registered with the API Key.
> URL: http://localhost:8080/auth/realms/designer-springboot/broker/linkedin/endpoint
>
> Thanks,
> -------------------------------------
> Anurag Saran
> Middleware Solutions Architect
> Email: asaran at redhat.com
> Mobile: (732) 662-8053
> Schedule A Meeting With Me: https://calendly.com/asaran/
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From mposolda at redhat.com  Wed Feb 28 15:11:04 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 28 Feb 2018 21:11:04 +0100
Subject: [keycloak-user] Verify email unwanted when users authenticate via Kerberos
In-Reply-To: <3BD7D142-9172-4666-A1CE-06EA6D09C4E5@elca.ch>
References: <3BD7D142-9172-4666-A1CE-06EA6D09C4E5@elca.ch>
Message-ID: <06367a1c-3d9c-3a03-b47c-0e3a9751805c@redhat.com>

It's not available OOTB. There are a few extension points, which you can use to achieve that. For example:

- Create requiredAction (maybe subclass of existing VerifyEmail requiredAction), which will automatically "Approve" in case that user was imported from LDAP (or Kerberos) provider
- Create registration form action, which will add the requiredAction to the user in case they were registered through the registration form. This assumes that "Verify Email" option on realm level is off
- Create LDAP mapper, which will automatically set emailVerified to users imported from LDAP (assuming that you use LDAP provider with Kerberos support. Not plain Kerberos provider)

Marek

On 27/02/18 21:55, Ruch Grégory wrote:
> Hi all,
>
> I have configured a realm in which I have allowed user registration and Kerberos authentication. For user registration I have activated email address verification. Now my issue is that when I do the first login through Kerberos I also need to validate the email address.
>
> I configured it in the same realm because I configured a SAML client application which both self-registered and Kerberos authenticated users need to access.
>
> What I want is having self-registered users validating their email address and authenticating themselves with username/password and accessing all trusted applications with SSO. I want to have "corporate" users authenticate with Kerberos and access all trusted applications (same applications as self-registered users).
>
> Is there another/ a right way to configure keycloak to do what I would like to do? Or should it be implemented as an option in ldap/Kerberos User federation provider such as "Trust email address" which will bypass the required action "verify email"?
>
> Thank you in advance for your help,
> Regards,
> Greg
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From mposolda at redhat.com  Wed Feb 28 15:21:06 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 28 Feb 2018 21:21:06 +0100
Subject: [keycloak-user] Kerberos & login, multiple environments with multiple users
In-Reply-To:
References:
Message-ID:

I am not sure I understand correctly, but generally, Keycloak is browser SSO and being logged in 2 browser tabs in 2 clients as different user is something generally unsupported and can cause various kind of issues.

If you want something like this just for development, you can maybe use different realms?

Marek

On 28/02/18 14:30, Dominik Guhr wrote:
> Hi everyone,
>
> so I've built a custom kerberos authenticator which should, depending on a querystring, not automatically login. So, when I add &login=manual to the url, kerberos authenticator starts, checks, and stops.
> Now everything is fine when I use this authenticator under normal conditions, in one tab, but:
>
> - As a dev, I sometimes have different tabs with different environments open. e.g.
> http://myapp-local, http://myapp-dev - these apps are different clients in keycloak as well, e.g. my-webapp-local, my-webapp-dev
>
> Now I get logged in via kerberos in myapp-local, logout in myapp-test and try to login with different credentials manually in myapp-test.
> Then, the AuthenticationProcessor raises the following exception when doing this with kerberos login-enabled browsers (chrome, ie):
>
> =====================
> 2018-02-28 09:57:12,236 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null, ipAddress=10.242.50.137, error=different_user_authenticated, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://myurl/my-webapp-dev/, consent=no_consent_required, previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997, code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query
> 2018-02-28 09:57:12,236 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
> =================
> and in the browser I get an "unexpected error when handling request to identity provider" errormsg.
>
> When doing the same thing in firefox (no kerberos, manual login, open 2 tabs in 2 different environments and login with different users), I get at least the errormsg "You are already authenticated as different user [name] in this session. Please logout first."
>
> So, my questions are:
> - Why is this not possible?
> - Is there anything I can do (having a custom authenticator for kerberos/AD and a custom userstorageprovider for applicationdb) to make it possible to have different users logged in in different tabs for different kc-clients in the same realm?
> - More specifically: Is there a possibility to use the AuthenticationProcessor in an SPI without having to make a custom keycloakbuild and remove the check in line 246/setAuthenticatedUser, or does this mess up the whole authentication session?
>
> Would be great to get a hint here.
>
> Thanks!
>
> Best regards,
> Dominik
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user


From j.keith at xsb.com  Wed Feb 28 15:46:52 2018
From: j.keith at xsb.com (Jordan Keith)
Date: Wed, 28 Feb 2018 14:46:52 -0600 (CST)
Subject: [keycloak-user] SSO Session Idle timeout - strange behavior
Message-ID: <1524069822.36295132.1519850812113.JavaMail.zimbra@xsb.com>

We have an angular application which is using keycloak js and keycloak 3.4.3.
We set a token timeout of 15 minutes, but if the user closes the application and comes back after 15 minutes, they are not forced to log back in because Chrome does not delete session cookies if it is set to restore the browser session.

When the application is loaded, we issue a call to keycloak similar to the following:

keycloakAuth.init({onLoad: 'login-required', checkLoginIframe: false}).success(...)

This is the only call made to keycloak on startup. After that, periodic updateToken calls are made.

We are trying to work around the persistent session cookie problem by setting the SSO Session Idle timeout to 15 minutes so that it matches our token timeout. I tested the behavior by issuing a refresh request 15 minutes after login. I received a 400 response as expected, but I'm encountering 2 issues:

1). If I close the browser tab and reopen it immediately after the idle timeout occurs, I will be logged right back in via keycloak as if nothing happened. If I close the tab and wait approximately 2 minutes (really about 1:45), only then will I be redirected to the login screen. If the session is invalid, why am I not redirected to the login page immediately after reopening the application? I've tried this with different SSO Session Idle timeout values, and the time I need to wait is always the same.

2). After the idle timeout occurs and I reopen the tab (after waiting 2 minutes), when I attempt to log in, I receive a message that I took too long to login and am forced to log in a second time. This occurs even if I try to log back in immediately after opening the tab.

If it matters, these are my login-related timeouts:

Client login timeout = 1 minute
Login timeout = 30 minutes
Login action timeout = 30 minutes

Any help would be appreciated.
Thanks,
Jordan Keith


From ryans at jlab.org  Wed Feb 28 16:05:58 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 28 Feb 2018 16:05:58 -0500 (EST)
Subject: [keycloak-user] Kerberos & login, multiple environments with multiple users
In-Reply-To: <626985191.1101971.1519851914062.JavaMail.zimbra@jlab.org>
References:
Message-ID: <189223019.1102224.1519851958233.JavaMail.zimbra@jlab.org>

I think whether or not session cookies are shared between browser tabs is browser specific, but in Firefox I believe they are shared. You can create separate Firefox "profiles" to get around it:

https://bugzilla.mozilla.org/show_bug.cgi?id=117222

----- Original Message -----
From: "Marek Posolda"
To: "Dominik Guhr" , "keycloak-user"
Sent: Wednesday, February 28, 2018 3:21:06 PM
Subject: Re: [keycloak-user] Kerberos & login, multiple environments with multiple users

I am not sure I understand correctly, but generally, Keycloak is browser SSO and being logged in 2 browser tabs in 2 clients as different user is something generally unsupported and can cause various kind of issues.

If you want something like this just for development, you can maybe use different realms?

Marek

On 28/02/18 14:30, Dominik Guhr wrote:
> Hi everyone,
>
> so I've built a custom kerberos authenticator which should, depending on a querystring, not automatically login. So, when I add &login=manual to the url, kerberos authenticator starts, checks, and stops.
> Now everything is fine when I use this authenticator under normal conditions, in one tab, but:
>
> - As a dev, I sometimes have different tabs with different environments open. e.g.
> http://myapp-local, http://myapp-dev - these apps are different clients in keycloak as well, e.g. my-webapp-local, my-webapp-dev
>
> Now I get logged in via kerberos in myapp-local, logout in myapp-test and try to login with different credentials manually in myapp-test.
> Then, the AuthenticationProcessor raises the following exception when doing this with kerberos login-enabled browsers (chrome, ie):
>
> =====================
> 2018-02-28 09:57:12,236 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null, ipAddress=10.242.50.137, error=different_user_authenticated, auth_method=openid-connect, auth_type=code, response_type=code, redirect_uri=https://myurl/my-webapp-dev/, consent=no_consent_required, previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997, code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query
> 2018-02-28 09:57:12,236 WARN [org.keycloak.services] (default task-2) KC-SERVICES0013: Failed authentication: org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) > at java.lang.Thread.run(Thread.java:745) > > > ================= > and in the browser I get an "unexpected error when handling request to > identity provider" errormsg. > > When doing the same thing in firefox (no kerberos, manual login, open 2 > tabs in 2 different environments and login with different users), I get > at least the errormsg "You are already authenticated as different user > [name] in this session. Please logout first." > > So, my questions are: > - Why is this not possible? > - Is there anything I can do (having a custom authenticator for > kerberos/AD and a custom userstorageprovider for applicationdb) to make > it possible to have different users logged in in different tabs for > different kc-clients in the same realm? 
> - More specifically: Is there a possibility to use the > AuthenticationProcessor in an SPI without having to make a custom > Keycloak build and remove the check in line 246/setAuthenticatedUser, or > does this mess up the whole authentication session? > > Would be great to get a hint here. > > Thanks! > > Best regards, > Dominik > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From gregory.ruch at elca.ch Wed Feb 28 16:44:04 2018 From: gregory.ruch at elca.ch (Ruch Grégory) Date: Wed, 28 Feb 2018 21:44:04 +0000 Subject: [keycloak-user] Verify email unwanted when users authenticate via Kerberos In-Reply-To: <06367a1c-3d9c-3a03-b47c-0e3a9751805c@redhat.com> References: <3BD7D142-9172-4666-A1CE-06EA6D09C4E5@elca.ch> <06367a1c-3d9c-3a03-b47c-0e3a9751805c@redhat.com> Message-ID: Thank you for your answers! I used your second idea. It works fine. Greg On 28.02.18, 21:11, "Marek Posolda" wrote: It's not available OOTB. There are a few extension points which you can use to achieve that. 
For example:
- Create a requiredAction (maybe a subclass of the existing VerifyEmail requiredAction), which will automatically "Approve" in case the user was imported from an LDAP (or Kerberos) provider
- Create a registration form action, which will add the requiredAction to the user in case they were registered through the registration form. This assumes that the "Verify Email" option on realm level is off
- Create an LDAP mapper, which will automatically set emailVerified on users imported from LDAP (assuming that you use the LDAP provider with Kerberos support, not the plain Kerberos provider)
Marek On 27/02/18 21:55, Ruch Grégory wrote: > Hi all, > > I have configured a realm in which I have allowed user registration and Kerberos authentication. For user registration I have activated email address verification. Now my issue is that when I do the first login through Kerberos I also need to validate the email address. > > I configured it in the same realm because I configured a SAML client application which both self-registered and Kerberos authenticated users need to access. > > What I want is having self-registered users validating their email address and authenticating themselves with username/password and accessing all trusted applications with SSO. I want to have "corporate" users authenticate with Kerberos and access all trusted applications (same applications as self-registered users). > > Is there another/a right way to configure Keycloak to do what I would like to do? Or should it be implemented as an option in the LDAP/Kerberos user federation provider such as "Trust email address" which will bypass the required action "verify email"? 
> > Thank you in advance for your help, > Regards, > Greg > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From chris.savory at edlogics.com Wed Feb 28 17:13:03 2018 From: chris.savory at edlogics.com (Chris Savory) Date: Wed, 28 Feb 2018 22:13:03 +0000 Subject: [keycloak-user] Poor response time for User REST API In-Reply-To: <1cc656ba-d11c-b4a5-6db3-dc311fa55bfa@redhat.com> References: <1cc656ba-d11c-b4a5-6db3-dc311fa55bfa@redhat.com> Message-ID: <8633603B-8574-4B06-9979-494DD4CD01EB@edlogics.com> Has that performance fix been released yet? If so, do you know which version it is in? -- Christopher Savory On 2/28/18, 2:01 PM, "keycloak-user-bounces at lists.jboss.org on behalf of Marek Posolda" wrote: I think there is some fix in latest Keycloak master related to that. Could you try to build latest master and check if you see better performance? Marek On 28/02/18 18:22, Cedric Vidaillac wrote: > Hi all, > > > > I have ~4k users imported in my (postgres) database, when I go for > > > > GET /{realm}/users/ > > > > For max=100 (default) it takes about 20-22s to respond (60kb document). > > For max=20, I still get 4s response time, which is kinda... not ideal. > > > > I'm not sure if those response times are normal, and if not why is this so > slow? > > > > I'm guessing this overhead is caused by the JSON response, I tried on the > database (>20ms). -> is there a way to reduce the JSON data response > produced by Keycloak? I only need usernames. > > > > I didn't find anything on the docs, I tried ?fields=username in query param, > sadly it doesn't work. > > > > > > In case you're wondering why I do that, I want to use an auto-complete on > my app, with usernames.) > > > Thanks for reading. > > > > Cédric. 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From jerry.saravia at virginpulse.com Wed Feb 28 18:52:15 2018 From: jerry.saravia at virginpulse.com (Jerry Saravia) Date: Wed, 28 Feb 2018 23:52:15 +0000 Subject: [keycloak-user] Reset credentials flow loses context if browser cookie not present Message-ID: Hey all, I ran into an issue. Suppose I go to my keycloak instance with this url ` auth/realms/myrealm /login-actions/reset-credentials?client_id=my_client_id`. The reset email gets sent after entering my email. However, if I copy that link and open it in a separate browser session it fails to maintain the client_id used in the original request. Instead it switches to client_id = account. I know why this happens. 
In LoginActionsService there is this:

    @Path(RESET_CREDENTIALS_PATH)
    @GET
    public Response resetCredentialsGET(@QueryParam("code") String code,
                                        @QueryParam("execution") String execution,
                                        @QueryParam("client_id") String clientId) {
        // looked up from the auth-session cookie; null in a fresh browser session
        AuthenticationSessionModel authSession =
                new AuthenticationSessionManager(session).getCurrentAuthenticationSession(realm);

        // we allow applications to link to reset credentials without going through OAuth or SAML handshakes
        if (authSession == null && code == null) {
            if (!realm.isResetPasswordAllowed()) {
                event.event(EventType.RESET_PASSWORD);
                event.error(Errors.NOT_ALLOWED);
                return ErrorPage.error(session, authSession, Messages.RESET_CREDENTIAL_NOT_ALLOWED);
            }
            // note: the clientId query parameter is not passed down on this path
            authSession = createAuthenticationSessionForClient();
            return processResetCredentials(false, null, authSession, null);
        }

        event.event(EventType.RESET_PASSWORD);
        return resetCredentials(code, execution, clientId);
    }

The getCurrentAuthenticationSession method checks a cookie to get the session, which isn't present in a fresh browser session. Afterward, the `createAuthenticationSessionForClient` doesn't use the clientId query parameter and defaults to the account client. Is this a bug? A security issue? I couldn't find a bug for it. Should I create a bug and fix it? It's not easy to overwrite this but if you have any workarounds let me know. My current approach is going to be to attempt to create a realm resource that exhibits the right behavior. Jerry S Jerry Saravia Senior Software Engineer P (516) 603-6914 virginpulse.com globalchallenge.virginpulse.com 75 Fountain Street, Suite 310, Providence, RI 02902 Australia | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA Confidentiality Notice: The information contained in this e-mail, including any attachment(s), is intended solely for use by the designated recipient(s). 
Unauthorized use, dissemination, distribution, or reproduction of this message by anyone other than the intended recipient(s), or a person designated as responsible for delivering such messages to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may contain proprietary, confidential or privileged information. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Virgin Pulse, Inc. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message.
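One way the cookie-less path above could honour the client_id parameter, added here as an example and not Keycloak's own code nor a fix that was merged: a client-aware replacement for createAuthenticationSessionForClient() that validates the requested client against the realm and sends the user back to that client's registered base URL instead of to anything the link itself supplies. The surrounding fields (session, realm, uriInfo) are the ones LoginActionsService already has; the AuthenticationSessionManager.createAuthenticationSession(realm, client, true) signature, Urls.accountBase and ResolveRelative.resolveRelativeUri are taken from the Keycloak 3.4 code base the snippet above comes from and are assumptions that differ in later versions (4.x moved to root authentication sessions).

```java
// Added example for org.keycloak.services.resources.LoginActionsService (Keycloak 3.4-era API,
// assumed). Call site: authSession = createAuthenticationSessionForClient(clientId);
import java.net.URI;

import org.keycloak.OAuth2Constants;
import org.keycloak.models.ClientModel;
import org.keycloak.models.Constants;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.OIDCResponseMode;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.util.ResolveRelative;
import org.keycloak.sessions.AuthenticationSessionModel;

protected AuthenticationSessionModel createAuthenticationSessionForClient(String requestedClientId) {
    // Default target is the account console, exactly as the original method does.
    ClientModel client = realm.getClientByClientId(Constants.ACCOUNT_MANAGEMENT_CLIENT_ID);
    String redirectUri = Urls.accountBase(uriInfo.getBaseUri()).path("/").build(realm.getName()).toString();

    // client_id arrives in the query string of a link anyone can craft, so it is only
    // used to select a client that is registered and enabled in THIS realm, and the
    // redirect goes to the base URL the administrator registered for that client.
    // A caller-controlled redirect_uri is deliberately never accepted here.
    if (requestedClientId != null && !requestedClientId.isEmpty()) {
        ClientModel candidate = realm.getClientByClientId(requestedClientId);
        if (candidate != null && candidate.isEnabled()
                && candidate.getBaseUrl() != null && !candidate.getBaseUrl().isEmpty()) {
            client = candidate;
            // ResolveRelative (assumed helper) turns a relative base URL such as "/myapp"
            // into an absolute one using the client's root URL or the request URI.
            redirectUri = ResolveRelative.resolveRelativeUri(
                    uriInfo.getBaseUri(), candidate.getRootUrl(), candidate.getBaseUrl());
        }
        // Unknown, disabled or URL-less client: fall back to the account console
        // silently, so the response does not reveal which client ids exist.
    }

    AuthenticationSessionModel authSession =
            new AuthenticationSessionManager(session).createAuthenticationSession(realm, client, true);
    authSession.setAction(AuthenticationSessionModel.Action.AUTHENTICATE.name());
    authSession.setProtocol(OIDCLoginProtocol.LOGIN_PROTOCOL);
    authSession.setRedirectUri(redirectUri);
    authSession.setClientNote(OIDCLoginProtocol.RESPONSE_TYPE_PARAM, OAuth2Constants.CODE);
    authSession.setClientNote(OIDCLoginProtocol.REDIRECT_URI_PARAM, redirectUri);
    authSession.setClientNote(OIDCLoginProtocol.RESPONSE_MODE_PARAM, OIDCResponseMode.QUERY.value());
    authSession.setClientNote(OIDCLoginProtocol.ISSUER, Urls.realmIssuer(uriInfo.getBaseUri(), realm.getName()));
    return authSession;
}
```

The check worth keeping whatever the version is the middle block: the parameter picks a client, the client's registered configuration picks the redirect. Accepting a redirect target from the link itself would turn a password-reset link into an open redirect, which is the security issue to rule out before asking whether losing client_id is merely a usability bug.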