From tahonen at redhat.com Tue Jan 2 04:27:42 2018 From: tahonen at redhat.com (Tero Ahonen) Date: Tue, 2 Jan 2018 11:27:42 +0200 Subject: [keycloak-user] Correct Maven dependencies in 3.4.2 Keycloak and admin client Message-ID: Hi, What are correct Maven settings to get keycloak-admin-client working on Wildfly 10 From command line client it works with following below. When using same code in Wildfly with most recent keycloak module execution fails with following Caused by: javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access_token" (class org.keycloak.representations.AccessTokenResponse), not marked as ignorable (9 known properties: "notBeforePolicy", "otherClaims", "tokenType", "token", "expiresIn", "sessionState", "refreshExpiresIn", "idToken", "refreshToken"]) at [Source: org.apache.http.conn.EofSensorInputStream at 9d6aba2; line: 1, column: 18] (through reference chain: org.keycloak.representations.AccessTokenResponse["access_token"]) I got that fixed in command line example by changing jackson provider to resteasy-jackson2-provider org.keycloak keycloak-core 3.4.2.Final provided org.keycloak keycloak-adapter-core 3.4.2.Final provided org.keycloak keycloak-common 3.4.2.Final org.keycloak keycloak-admin-client 3.4.2.Final org.jboss.resteasy resteasy-client 3.0.24.Final provided org.jboss.resteasy resteasy-jackson2-provider 3.0.24.Final provided .t From K.Buler at adbglobal.com Tue Jan 2 04:27:48 2018 From: K.Buler at adbglobal.com (Karol Buler) Date: Tue, 2 Jan 2018 10:27:48 +0100 Subject: [keycloak-user] Problem with Keys Message-ID: <293eba41-0a7f-a1db-58de-0cd7d5d85e94@adbglobal.com> Hi Keycloak community! At the beginning I would wish you a Happy New Year! :) About the problem... If we run Keycloak as a docker, every time Keycloak is rebooted the Keys (Realm Setting -> Keys) are generated again. Result is that each application which use Keycloak's adapter throws "Didn't find publicKey for specified kid" error. This error occurs because the Keys are not rotated in right way, and application does not know about the rotation. Have you met this problem? What is your workaround? Is it an issue? Best regards, Karol [https://www.adbglobal.com/wp-content/uploads/adb.png] adbglobal.com From hmlnarik at redhat.com Tue Jan 2 04:52:20 2018 From: hmlnarik at redhat.com (Hynek Mlnarik) Date: Tue, 2 Jan 2018 10:52:20 +0100 Subject: [keycloak-user] Deadlock Encountered while Trying Keycloak with Azure SQL In-Reply-To: References: Message-ID: There are issues with SQL server, tracked in https://issues.jboss.org/browse/KEYCLOAK-4966 On Tue, Dec 19, 2017 at 11:35 AM, Buddhi Iroshana wrote: > HI Team, > > I am running the community version of Keycloak (version - 2.3.0.Final). I > am using Azure SQL : https://azure.microsoft.com/ > en-us/services/sql-database > as the database server for this keycloak instance. > Keycloak instance is deployed in Azure VM in this scenario. > > Keycloak started successfully without any issues with Azure SQL database. > > I have a JMeter script which is invoking following two Keycloak's RESTFul > endpoints with 10 parallel threads (can consider it as 10 different > clients). > > 1. POST auth/admin/realms/iotpdev/users - User creation > 2. PUT auth/admin/realms/iotpdev/users//groups/ - Adding > users > to a group > > Behaviour: > > During the first few invocations, above two endpoints got executed > successfully without any issue. > But, after sometime, keycloak was logging some database deadlock exceptions > in the log file. Stacktrace for this exception is as follows, > > --------------------------------- > > 2017-12-19T07:13:34.084336783Z [0m [33m07:13:34,079 WARN > [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-15) SQL > Error: 1205, SQLState: 40001 > 2017-12-19T07:13:34.084377183Z [0m [31m07:13:34,080 ERROR > [org.hibernate.engine.jdbc.spi.SqlExceptionHelper] (default task-15) > Transaction (Process ID 123) was deadlocked on lock resources with another > process and has been chosen as the deadlock victim. Rerun the transaction. > 2017-12-19T07:13:34.116059274Z [0m [31m07:13:34,097 ERROR > [io.undertow.request] (default task-15) UT005023: Exception handling > request to /auth/admin/realms/iotpdev/users: > org.jboss.resteasy.spi.UnhandledException: > javax.persistence.PersistenceException: > org.hibernate.exception.LockAcquisitionException: could not execute > statement > 2017-12-19T07:13:34.116097074Z at > org.jboss.resteasy.core.ExceptionHandler.handleApplicationException( > ExceptionHandler.java:76) > 2017-12-19T07:13:34.116104774Z at > org.jboss.resteasy.core.ExceptionHandler.handleException( > ExceptionHandler.java:212) > 2017-12-19T07:13:34.116111874Z at > org.jboss.resteasy.core.SynchronousDispatcher.writeException( > SynchronousDispatcher.java:168) > 2017-12-19T07:13:34.116118574Z at > org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:411) > 2017-12-19T07:13:34.116124973Z at > org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:202) > 2017-12-19T07:13:34.116131373Z at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher. > service(ServletContainerDispatcher.java:221) > 2017-12-19T07:13:34.116137873Z at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( > HttpServletDispatcher.java:56) > 2017-12-19T07:13:34.116144673Z at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service( > HttpServletDispatcher.java:51) > 2017-12-19T07:13:34.116151173Z at > javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > 2017-12-19T07:13:34.116157473Z at > io.undertow.servlet.handlers.ServletHandler.handleRequest( > ServletHandler.java:85) > 2017-12-19T07:13:34.116163773Z at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:129) > 2017-12-19T07:13:34.116170273Z at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter( > KeycloakSessionServletFilter.java:90) > 2017-12-19T07:13:34.116176673Z at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) > 2017-12-19T07:13:34.116183072Z at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl. > doFilter(FilterHandler.java:131) > 2017-12-19T07:13:34.116189472Z at > io.undertow.servlet.handlers.FilterHandler.handleRequest( > FilterHandler.java:84) > 2017-12-19T07:13:34.116195872Z at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler. > handleRequest(ServletSecurityRoleHandler.java:62) > 2017-12-19T07:13:34.116202272Z at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest( > ServletDispatchingHandler.java:36) > 2017-12-19T07:13:34.116210672Z at > org.wildfly.extension.undertow.security.SecurityContextAssociationHand > ler.handleRequest(SecurityContextAssociationHandler.java:78) > 2017-12-19T07:13:34.116233672Z at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > 2017-12-19T07:13:34.116240472Z at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandl > er.handleRequest(SSLInformationAssociationHandler.java:131) > 2017-12-19T07:13:34.116246771Z at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandl > er.handleRequest(ServletAuthenticationCallHandler.java:57) > 2017-12-19T07:13:34.116253171Z at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > 2017-12-19T07:13:34.116259271Z at > io.undertow.security.handlers.AbstractConfidentialityHandler > .handleRequest(AbstractConfidentialityHandler.java:46) > 2017-12-19T07:13:34.116265471Z at > io.undertow.servlet.handlers.security.ServletConfidentialityConstrai > ntHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > 2017-12-19T07:13:34.116271871Z at > io.undertow.security.handlers.AuthenticationMechanismsHandle > r.handleRequest(AuthenticationMechanismsHandler.java:60) > 2017-12-19T07:13:34.116278071Z at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHand > ler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > 2017-12-19T07:13:34.116284371Z at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest( > NotificationReceiverHandler.java:50) > 2017-12-19T07:13:34.116290571Z at > io.undertow.security.handlers.AbstractSecurityContextAssocia > tionHandler.handleRequest(AbstractSecurityContextAssocia > tionHandler.java:43) > 2017-12-19T07:13:34.116296771Z at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > 2017-12-19T07:13:34.116302871Z at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler. > handleRequest(JACCContextIdHandler.java:61) > 2017-12-19T07:13:34.116308970Z at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > 2017-12-19T07:13:34.116315270Z at > io.undertow.server.handlers.PredicateHandler.handleRequest( > PredicateHandler.java:43) > 2017-12-19T07:13:34.116321470Z at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest( > ServletInitialHandler.java:284) > 2017-12-19T07:13:34.116327670Z at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest( > ServletInitialHandler.java:263) > 2017-12-19T07:13:34.116333770Z at > io.undertow.servlet.handlers.ServletInitialHandler.access$ > 000(ServletInitialHandler.java:81) > 2017-12-19T07:13:34.116339770Z at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest( > ServletInitialHandler.java:174) > 2017-12-19T07:13:34.116346770Z at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:202) > 2017-12-19T07:13:34.116352770Z at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793) > 2017-12-19T07:13:34.116358770Z at > java.util.concurrent.ThreadPoolExecutor.runWorker( > ThreadPoolExecutor.java:1142) > 2017-12-19T07:13:34.116364770Z at > java.util.concurrent.ThreadPoolExecutor$Worker.run( > ThreadPoolExecutor.java:617) > 2017-12-19T07:13:34.116375069Z at java.lang.Thread.run(Thread.java:745) > 2017-12-19T07:13:34.116384569Z Caused by: > javax.persistence.PersistenceException: > org.hibernate.exception.LockAcquisitionException: could not execute > statement > 2017-12-19T07:13:34.116390969Z at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert( > AbstractEntityManagerImpl.java:1692) > 2017-12-19T07:13:34.116397269Z at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert( > AbstractEntityManagerImpl.java:1602) > 2017-12-19T07:13:34.116403369Z at > org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException( > AbstractEntityManagerImpl.java:1700) > 2017-12-19T07:13:34.116409469Z at > org.hibernate.jpa.spi.AbstractQueryImpl.executeUpdate( > AbstractQueryImpl.java:70) > 2017-12-19T07:13:34.116415469Z at > org.keycloak.models.jpa.UserAdapter.removeAttribute(UserAdapter.java:161) > 2017-12-19T07:13:34.116421469Z at > org.keycloak.models.jpa.UserAdapter.setAttribute(UserAdapter.java:137) > 2017-12-19T07:13:34.116427469Z at > org.keycloak.services.resources.admin.UsersResource.updateUserFromRep( > UsersResource.java:267) > 2017-12-19T07:13:34.116433468Z at > org.keycloak.services.resources.admin.UsersResource. > createUser(UsersResource.java:216) > 2017-12-19T07:13:34.116439568Z at > sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > 2017-12-19T07:13:34.116445468Z at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java: > 62) > 2017-12-19T07:13:34.116451368Z at > sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > 2017-12-19T07:13:34.116457368Z at > java.lang.reflect.Method.invoke(Method.java:498) > 2017-12-19T07:13:34.116463168Z at > org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:139) > 2017-12-19T07:13:34.116469168Z at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > ResourceMethodInvoker.java:295) > 2017-12-19T07:13:34.116475168Z at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke( > ResourceMethodInvoker.java:249) > 2017-12-19T07:13:34.116481268Z at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:138) > 2017-12-19T07:13:34.116487268Z at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > 2017-12-19T07:13:34.116494767Z at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:133) > 2017-12-19T07:13:34.116500967Z at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:107) > 2017-12-19T07:13:34.116506967Z at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject( > ResourceLocatorInvoker.java:133) > 2017-12-19T07:13:34.116513067Z at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke( > ResourceLocatorInvoker.java:101) > 2017-12-19T07:13:34.116519067Z at > org.jboss.resteasy.core.SynchronousDispatcher.invoke( > SynchronousDispatcher.java:395) > 2017-12-19T07:13:34.116525067Z ... 37 more > 2017-12-19T07:13:34.116530767Z Caused by: > org.hibernate.exception.LockAcquisitionException: could not execute > statement > 2017-12-19T07:13:34.116541467Z at > org.hibernate.exception.internal.SQLStateConversionDelegate.convert( > SQLStateConversionDelegate.java:123) > 2017-12-19T07:13:34.116547967Z at > org.hibernate.exception.internal.StandardSQLExceptionConverter.convert( > StandardSQLExceptionConverter.java:42) > 2017-12-19T07:13:34.116554067Z at > org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert( > SqlExceptionHelper.java:109) > 2017-12-19T07:13:34.116560166Z at > org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert( > SqlExceptionHelper.java:95) > 2017-12-19T07:13:34.116566166Z at > org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate( > ResultSetReturnImpl.java:207) > 2017-12-19T07:13:34.116572366Z at > org.hibernate.hql.internal.ast.exec.BasicExecutor. > doExecute(BasicExecutor.java:91) > 2017-12-19T07:13:34.116578366Z at > org.hibernate.hql.internal.ast.exec.BasicExecutor. > execute(BasicExecutor.java:60) > 2017-12-19T07:13:34.116584366Z at > org.hibernate.hql.internal.ast.exec.DeleteExecutor. > execute(DeleteExecutor.java:111) > 2017-12-19T07:13:34.116590566Z at > org.hibernate.hql.internal.ast.QueryTranslatorImpl.executeUpdate( > QueryTranslatorImpl.java:429) > 2017-12-19T07:13:34.116596666Z at > org.hibernate.engine.query.spi.HQLQueryPlan.performExecuteUpdate( > HQLQueryPlan.java:374) > 2017-12-19T07:13:34.116602666Z at > org.hibernate.internal.SessionImpl.executeUpdate(SessionImpl.java:1348) > 2017-12-19T07:13:34.116608666Z at > org.hibernate.internal.QueryImpl.executeUpdate(QueryImpl.java:102) > 2017-12-19T07:13:34.116614666Z at > org.hibernate.jpa.internal.QueryImpl.internalExecuteUpdate( > QueryImpl.java:405) > 2017-12-19T07:13:34.116620665Z at > org.hibernate.jpa.spi.AbstractQueryImpl.executeUpdate( > AbstractQueryImpl.java:61) > 2017-12-19T07:13:34.116626665Z ... 55 more > 2017-12-19T07:13:34.116632465Z Caused by: > com.microsoft.sqlserver.jdbc.SQLServerException: Transaction (Process ID > 123) was deadlocked on lock resources with another process and has been > chosen as the deadlock victim. Rerun the transaction. > 2017-12-19T07:13:34.124029047Z at > com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError( > SQLServerException.java:216) > 2017-12-19T07:13:34.124058646Z at > com.microsoft.sqlserver.jdbc.SQLServerStatement.getNextResult( > SQLServerStatement.java:1515) > 2017-12-19T07:13:34.124066146Z at > com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement. > doExecutePreparedStatement(SQLServerPreparedStatement.java:404) > 2017-12-19T07:13:34.124082446Z at > com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement$ > PrepStmtExecCmd.doExecute(SQLServerPreparedStatement.java:350) > 2017-12-19T07:13:34.124089946Z at > com.microsoft.sqlserver.jdbc.TDSCommand.execute(IOBuffer.java:5696) > 2017-12-19T07:13:34.124095946Z at > com.microsoft.sqlserver.jdbc.SQLServerConnection.executeCommand( > SQLServerConnection.java:1715) > 2017-12-19T07:13:34.124102145Z at > com.microsoft.sqlserver.jdbc.SQLServerStatement.executeCommand( > SQLServerStatement.java:180) > 2017-12-19T07:13:34.124108245Z at > com.microsoft.sqlserver.jdbc.SQLServerStatement.executeStatement( > SQLServerStatement.java:155) > 2017-12-19T07:13:34.124126445Z at > com.microsoft.sqlserver.jdbc.SQLServerPreparedStatement.executeUpdate( > SQLServerPreparedStatement.java:314) > 2017-12-19T07:13:34.124133245Z at > org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeUpdate( > WrappedPreparedStatement.java:537) > 2017-12-19T07:13:34.124139545Z at > org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.executeUpdate( > ResultSetReturnImpl.java:204) > 2017-12-19T07:13:34.124145745Z ... 64 more > 2017-12-19T07:13:34.124151645Z > > ------------------------- > > This JMeter script will create 1000 users in 10 threads. So, above user > creation and adding to group endpoints will be invoked 1000 times each with > typical TPS of 1 - 2 requests per second. > When we run JMeter script several times, we can create 1000 users - means, > when we run JMeter in first round, it will create 300 users approximately > and other 700 requests will fail due to above deadlock issue, and once we > run it for the second time it will create another 200 of users and so on... > (at some point, we will get all 1000 users). > > The dialect which I am using for this instance is > : org.hibernate.dialect.SQLServer2012Dialect > > Is there any specific configurations to be done if we are using Azure SQL > as the database ? > I am attaching the complete log file herewith. > > Appreciate your help on this. > > > Regards, > Buddhi Iroshana De Silva > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek From orivat at janua.fr Tue Jan 2 09:13:50 2018 From: orivat at janua.fr (Olivier Rivat) Date: Tue, 2 Jan 2018 15:13:50 +0100 Subject: [keycloak-user] admin user in clustered domain In-Reply-To: <83245872-feaa-b376-80ea-07eb25d8feb3@janua.fr> References: <83245872-feaa-b376-80ea-07eb25d8feb3@janua.fr> Message-ID: <17500e49-e240-d987-51de-71a0ea16eb7b@janua.fr> Hi, I am re-sending my email question submitted last week with further precisions. other precision: -standalone cluster works: both solutions works fine (GUI, CLI) =============== a) GUI : I get a boot login screen asking to enter name of administrator we want to use, and password b) Using CLI script: file keycloak-add-user.json correctly uploaded Domain cluster: ========== a) GUI mode: I never get boot login screen asking to specify the administrator. I get immediately a normal login screen where I am already supposed to know teh admin username b) CLI Mode: file keycloak-add-user.json is not uploaded How is it possible to overcome this ? Regards, Olivier Le 29/12/2017 ? 15:03, Olivier Rivat a ?crit?: > > Hi, > > I am trying to setup a clustered domain. > I have been to boot the master and the slave as described in keycloak > > But when tring to login, I cannot with user admin. > > Troubleshooting I have done so far: > > 1) With standalone mode (or standalone cluster mode), first login > screen is welcome screen to define teh admini user and password. > > With clustered domain, I never obtain this, but a usual login screen, > asking for username/password. > Of course, I cannot answer to this, as the admin as not yet been defined. > > > 2) I have also tried teh script add-user-keycloak.sh > > > bin/add-user-keycloak.sh -r master -u admin6 -p admin6? --domain > Added 'admin6' to > '/home/orivat/rh_test/rh-sso-7.1/domain/configuration/keycloak-add-user.json', > restart server to load user > It creates a file domain/configuration/keycloak-add-user.json, but > this file is never upon restart of RH-SSO domain cluster instance > (master or slave). > > (I have seen equivalent file being loaded, when doing standalone > clsueter tests). > > > So my question is very simple: > Ho is it possibel to get hold of an admin user allowing to connect to > the keycloak admin master login screen ? > > > Regards, > > Olivier Rivat > > > -- > > > > > > > Olivier Rivat > CTO > orivat at janua.fr > Gsm: +33(0)682 801 609 > T?l: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr > > > -- Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 T?l: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr From psilva at redhat.com Tue Jan 2 09:33:58 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 2 Jan 2018 12:33:58 -0200 Subject: [keycloak-user] SSO on non-protected / public urls In-Reply-To: <0c18e3d8-a2e6-e5de-8898-46e4f0945791@gmail.com> References: <0c18e3d8-a2e6-e5de-8898-46e4f0945791@gmail.com> Message-ID: Why do you need to create session when accessing a public resource ? On Thu, Dec 28, 2017 at 6:01 PM, Michalis Siochos wrote: > Hi All, > > I'm evaluating keycloak and identifying the possibility to provide SSO > services on non protected (public) pages. > > Assume the following environment: > > Portal 1 > - https://site1.example.com/public > - https://site1.example.com/protected > > Portal 2 > - https://site2.example.com/public > - https://site2.example.com/protected > > /protected is the restricted area of the portal, that only logged in > users may access > /public is the public area where both logged in and anonymous users may > navigate > > I'm trying to achieve the following > - User logs in @ https://site1.example.com > - SSO session and site1 session are created > - User goes to public area of site2, https://site2.example.com/public > - User is automatically logged in (site2 session is created) > > It seems that the above is not possible with OIDC / SAML since the user > has to land on a protected page to initiate federation, or perform an > action (e.g. click a button). > > Any other thoughts, feedback? > > Thanks in advance, > Michalis > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mposolda at redhat.com Tue Jan 2 11:21:41 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 2 Jan 2018 17:21:41 +0100 Subject: [keycloak-user] Problem with Keys In-Reply-To: <293eba41-0a7f-a1db-58de-0cd7d5d85e94@adbglobal.com> References: <293eba41-0a7f-a1db-58de-0cd7d5d85e94@adbglobal.com> Message-ID: <450d7ece-871a-5fbe-ae36-a16000e81365@redhat.com> Hi, isn't the problem that your whole database is always "restarted" during each keycloak reboot? Or that you always force reimport things? If you use docker image pointed to shared database, you won't see this problem though. We have docker images for databases like PostgreSQL, MySQL AFAIR. Marek On 02/01/18 10:27, Karol Buler wrote: > Hi Keycloak community! > > At the beginning I would wish you a Happy New Year! :) > > About the problem... If we run Keycloak as a docker, every time Keycloak > is rebooted the Keys (Realm Setting -> Keys) are generated again. Result > is that each application which use Keycloak's adapter throws "Didn't > find publicKey for specified kid" error. This error occurs because the > Keys are not rotated in right way, and application does not know about > the rotation. > > Have you met this problem? What is your workaround? Is it an issue? > > Best regards, > Karol > > [https://www.adbglobal.com/wp-content/uploads/adb.png] > adbglobal.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Tue Jan 2 11:25:42 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 2 Jan 2018 14:25:42 -0200 Subject: [keycloak-user] admin user in clustered domain In-Reply-To: <17500e49-e240-d987-51de-71a0ea16eb7b@janua.fr> References: <83245872-feaa-b376-80ea-07eb25d8feb3@janua.fr> <17500e49-e240-d987-51de-71a0ea16eb7b@janua.fr> Message-ID: Try creating a "configuration" directory for master server like this: mkdir ${KEYCLOAK_HOME}/domain/servers/${server_name}/configuration Then copy "keycloak-add-user.json" to the directory above. Restart the server. On Tue, Jan 2, 2018 at 12:13 PM, Olivier Rivat wrote: > Hi, > > I am re-sending my email question submitted last week with further > precisions. > > other precision: > > -standalone cluster works: both solutions works fine (GUI, CLI) > =============== > a) GUI : > I get a boot login screen asking to enter name of administrator we want > to use, and password > > b) Using CLI script: > file keycloak-add-user.json correctly uploaded > > Domain cluster: > ========== > a) GUI mode: > I never get boot login screen asking to specify the administrator. I get > immediately a normal login screen > where I am already supposed to know teh admin username > > b) CLI Mode: > file keycloak-add-user.json is not uploaded > > How is it possible to overcome this ? > > Regards, > Olivier > > > Le 29/12/2017 ? 15:03, Olivier Rivat a ?crit : > > > > Hi, > > > > I am trying to setup a clustered domain. > > I have been to boot the master and the slave as described in keycloak > > > > But when tring to login, I cannot with user admin. > > > > Troubleshooting I have done so far: > > > > 1) With standalone mode (or standalone cluster mode), first login > > screen is welcome screen to define teh admini user and password. > > > > With clustered domain, I never obtain this, but a usual login screen, > > asking for username/password. > > Of course, I cannot answer to this, as the admin as not yet been defined. > > > > > > 2) I have also tried teh script add-user-keycloak.sh > > > > > > bin/add-user-keycloak.sh -r master -u admin6 -p admin6 --domain > > Added 'admin6' to > > '/home/orivat/rh_test/rh-sso-7.1/domain/configuration/ > keycloak-add-user.json', > > restart server to load user > > It creates a file domain/configuration/keycloak-add-user.json, but > > this file is never upon restart of RH-SSO domain cluster instance > > (master or slave). > > > > (I have seen equivalent file being loaded, when doing standalone > > clsueter tests). > > > > > > So my question is very simple: > > Ho is it possibel to get hold of an admin user allowing to connect to > > the keycloak admin master login screen ? > > > > > > Regards, > > > > Olivier Rivat > > > > > > -- > > > > > > janua.fr/images/LogoSignature.gif> > > > > > > > > Olivier Rivat > > CTO > > orivat at janua.fr > > Gsm: +33(0)682 801 609 > > T?l: +33(0)489 829 238 > > Fax: +33(0)955 260 370 > > http://www.janua.fr > > > > > > > > -- > > > janua.fr/images/LogoSignature.gif> > > > > Olivier Rivat > CTO > orivat at janua.fr > Gsm: +33(0)682 801 609 > T?l: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From orivat at janua.fr Tue Jan 2 11:41:39 2018 From: orivat at janua.fr (Olivier Rivat) Date: Tue, 2 Jan 2018 17:41:39 +0100 Subject: [keycloak-user] admin user in clustered domain In-Reply-To: References: <83245872-feaa-b376-80ea-07eb25d8feb3@janua.fr> <17500e49-e240-d987-51de-71a0ea16eb7b@janua.fr> Message-ID: Hi Pedro, It works fine. Tkx for your help. I guess such a hint should be added to RH-SSO and keycloak documentation as well. Regards, Olivier Le 02/01/2018 ? 17:25, Pedro Igor Silva a ?crit?: > Try creating a "configuration" directory for master server like this: > > ? ? ?mkdir ${KEYCLOAK_HOME}/domain/servers/${server_name}/configuration > > Then copy "keycloak-add-user.json" to the directory above. Restart the > server. > > > On Tue, Jan 2, 2018 at 12:13 PM, Olivier Rivat > wrote: > > Hi, > > I am re-sending my email question submitted last week with further > precisions. > > other precision: > > -standalone cluster works: both solutions works fine (GUI, CLI) > =============== > a) GUI : > I get a boot login screen asking to enter name of administrator we > want > to use, and password > > b) Using CLI script: > file keycloak-add-user.json correctly uploaded > > Domain cluster: > ========== > a) GUI mode: > I never get boot login screen asking to specify the administrator. > I get > immediately a normal login screen > where I am already supposed to know teh admin username > > b) CLI Mode: > file keycloak-add-user.json is not uploaded > > How is it possible to overcome this ? > > Regards, > Olivier > > > Le 29/12/2017 ? 15:03, Olivier Rivat a ?crit?: > > > > Hi, > > > > I am trying to setup a clustered domain. > > I have been to boot the master and the slave as described in > keycloak > > > > But when tring to login, I cannot with user admin. > > > > Troubleshooting I have done so far: > > > > 1) With standalone mode (or standalone cluster mode), first login > > screen is welcome screen to define teh admini user and password. > > > > With clustered domain, I never obtain this, but a usual login > screen, > > asking for username/password. > > Of course, I cannot answer to this, as the admin as not yet been > defined. > > > > > > 2) I have also tried teh script add-user-keycloak.sh > > > > > > bin/add-user-keycloak.sh -r master -u admin6 -p admin6? --domain > > Added 'admin6' to > > > '/home/orivat/rh_test/rh-sso-7.1/domain/configuration/keycloak-add-user.json', > > restart server to load user > > It creates a file domain/configuration/keycloak-add-user.json, but > > this file is never upon restart of RH-SSO domain cluster instance > > (master or slave). > > > > (I have seen equivalent file being loaded, when doing standalone > > clsueter tests). > > > > > > So my question is very simple: > > Ho is it possibel to get hold of an admin user allowing to > connect to > > the keycloak admin master login screen ? > > > > > > Regards, > > > > Olivier Rivat > > > > > > -- > > > > > > > > > > > >? ? ? ? > > > > > Olivier Rivat > > CTO > > orivat at janua.fr > > > > Gsm: +33(0)682 801 609 > > T?l: +33(0)489 829 238 > > Fax: +33(0)955 260 370 > > http://www.janua.fr > >? ? ? ? > > > > > > > -- > > > > > > > ? ? ? ? > > > Olivier Rivat > CTO > orivat at janua.fr > > > Gsm: +33(0)682 801 609 > T?l: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr > ? ? ? ? > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 T?l: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr From K.Buler at adbglobal.com Tue Jan 2 11:47:00 2018 From: K.Buler at adbglobal.com (Karol Buler) Date: Tue, 2 Jan 2018 17:47:00 +0100 Subject: [keycloak-user] Problem with Keys In-Reply-To: <450d7ece-871a-5fbe-ae36-a16000e81365@redhat.com> References: <293eba41-0a7f-a1db-58de-0cd7d5d85e94@adbglobal.com> <450d7ece-871a-5fbe-ae36-a16000e81365@redhat.com> Message-ID: <35aa8c1c-768c-3797-6e45-d0e675aa71ea@adbglobal.com> Hi Marek, thanks for the response! Of course we use specific docker image (at this moment jboss/keycloak-postgres:3.2.1.Final), so database is persistent, but (checked twice) RSA and also HMAC from "Realm settings -> Keys" are different after rebooting the Keycloak's docker. The only additional thing we do in dockerfile is adding our User Federation's provider. Do you see any mistake that we could do? Karol On 02.01.2018 17:21, Marek Posolda wrote: > Hi, > > isn't the problem that your whole database is always "restarted" > during each keycloak reboot? Or that you always force reimport things? > If you use docker image pointed to shared database, you won't see this > problem though. We have docker images for databases like PostgreSQL, > MySQL AFAIR. > > Marek > > On 02/01/18 10:27, Karol Buler wrote: >> Hi Keycloak community! >> >> At the beginning I would wish you a Happy New Year! :) >> >> About the problem... If we run Keycloak as a docker, every time Keycloak >> is rebooted the Keys (Realm Setting -> Keys) are generated again. Result >> is that each application which use Keycloak's adapter throws "Didn't >> find publicKey for specified kid" error. This error occurs because the >> Keys are not rotated in right way, and application does not know about >> the rotation. >> >> Have you met this problem? What is your workaround? Is it an issue? >> >> Best regards, >> Karol >> >> [https://www.adbglobal.com/wp-content/uploads/adb.png] >> adbglobal.com >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From sthorger at redhat.com Tue Jan 2 13:47:14 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 2 Jan 2018 19:47:14 +0100 Subject: [keycloak-user] admin user in clustered domain In-Reply-To: References: <83245872-feaa-b376-80ea-07eb25d8feb3@janua.fr> <17500e49-e240-d987-51de-71a0ea16eb7b@janua.fr>

Message-ID: In clustered mode you can access one of the nodes directly over an SSH tunnel and it should show you the add user form. Alternative is the add-user script, but I believe the docs there are incorrect so you can create a JIRA for it and we'll fix the instructions in the docs. On 2 January 2018 at 17:41, Olivier Rivat wrote: > Hi Pedro, > > It works fine. Tkx for your help. > I guess such a hint should be added to RH-SSO and keycloak documentation > as well. > > Regards, > Olivier > > > Le 02/01/2018 ? 17:25, Pedro Igor Silva a ?crit : > > Try creating a "configuration" directory for master server like this: > > > > mkdir ${KEYCLOAK_HOME}/domain/servers/${server_name}/configuration > > > > Then copy "keycloak-add-user.json" to the directory above. Restart the > > server. > > > > > > On Tue, Jan 2, 2018 at 12:13 PM, Olivier Rivat > > wrote: > > > > Hi, > > > > I am re-sending my email question submitted last week with further > > precisions. > > > > other precision: > > > > -standalone cluster works: both solutions works fine (GUI, CLI) > > =============== > > a) GUI : > > I get a boot login screen asking to enter name of administrator we > > want > > to use, and password > > > > b) Using CLI script: > > file keycloak-add-user.json correctly uploaded > > > > Domain cluster: > > ========== > > a) GUI mode: > > I never get boot login screen asking to specify the administrator. > > I get > > immediately a normal login screen > > where I am already supposed to know teh admin username > > > > b) CLI Mode: > > file keycloak-add-user.json is not uploaded > > > > How is it possible to overcome this ? > > > > Regards, > > Olivier > > > > > > Le 29/12/2017 ? 15:03, Olivier Rivat a ?crit : > > > > > > Hi, > > > > > > I am trying to setup a clustered domain. > > > I have been to boot the master and the slave as described in > > keycloak > > > > > > But when tring to login, I cannot with user admin. > > > > > > Troubleshooting I have done so far: > > > > > > 1) With standalone mode (or standalone cluster mode), first login > > > screen is welcome screen to define teh admini user and password. > > > > > > With clustered domain, I never obtain this, but a usual login > > screen, > > > asking for username/password. > > > Of course, I cannot answer to this, as the admin as not yet been > > defined. > > > > > > > > > 2) I have also tried teh script add-user-keycloak.sh > > > > > > > > > bin/add-user-keycloak.sh -r master -u admin6 -p admin6 --domain > > > Added 'admin6' to > > > > > '/home/orivat/rh_test/rh-sso-7.1/domain/configuration/ > keycloak-add-user.json', > > > restart server to load user > > > It creates a file domain/configuration/keycloak-add-user.json, but > > > this file is never upon restart of RH-SSO domain cluster instance > > > (master or slave). > > > > > > (I have seen equivalent file being loaded, when doing standalone > > > clsueter tests). > > > > > > > > > So my question is very simple: > > > Ho is it possibel to get hold of an admin user allowing to > > connect to > > > the keycloak admin master login screen ? > > > > > > > > > Regards, > > > > > > Olivier Rivat > > > > > > > > > -- > > > > > > > > > > > www.janua.fr/images/LogoSignature.gif > > > > > > > > > > > > > > > > > Olivier Rivat > > > CTO > > > orivat at janua.fr > > > > > > Gsm: +33(0)682 801 609 > > > T?l: +33(0)489 829 238 > > > Fax: +33(0)955 260 370 > > > http://www.janua.fr > > > > > > > > > > > > > > > -- > > > > > > > > www.janua.fr/images/LogoSignature.gif > > > > > > > > > > > > > Olivier Rivat > > CTO > > orivat at janua.fr > > > > > Gsm: +33(0)682 801 609 > > T?l: +33(0)489 829 238 > > Fax: +33(0)955 260 370 > > http://www.janua.fr > > > > > > > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > -- > > > janua.fr/images/LogoSignature.gif> > > > > Olivier Rivat > CTO > orivat at janua.fr > Gsm: +33(0)682 801 609 > T?l: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mposolda at redhat.com Wed Jan 3 03:08:58 2018 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 3 Jan 2018 09:08:58 +0100 Subject: [keycloak-user] Problem with Keys In-Reply-To: <35aa8c1c-768c-3797-6e45-d0e675aa71ea@adbglobal.com> References: <293eba41-0a7f-a1db-58de-0cd7d5d85e94@adbglobal.com> <450d7ece-871a-5fbe-ae36-a16000e81365@redhat.com> <35aa8c1c-768c-3797-6e45-d0e675aa71ea@adbglobal.com> Message-ID: <4c93abe8-b059-0cc2-de1f-015a277c2604@redhat.com> On 02/01/18 17:47, Karol Buler wrote: > Hi Marek, > > thanks for the response! > > Of course we use specific docker image (at this moment > jboss/keycloak-postgres:3.2.1.Final), so database is persistent, but > (checked twice) RSA and also HMAC from "Realm settings -> Keys" are > different after rebooting the Keycloak's docker. The only additional > thing we do in dockerfile is adding our User Federation's provider. Do > you see any mistake that we could do? I guess you may do import (or reimport) of the realm after the reboot? Re-import will always generate new keys by default. You can either skip re-import or if skip re-import is really needed, then you may need to use different key provider, and perhaps hardcode the keys instead of always generate them. Marek > > Karol > > > On 02.01.2018 17:21, Marek Posolda wrote: >> Hi, >> >> isn't the problem that your whole database is always "restarted" >> during each keycloak reboot? Or that you always force reimport >> things? If you use docker image pointed to shared database, you won't >> see this problem though. We have docker images for databases like >> PostgreSQL, MySQL AFAIR. >> >> Marek >> >> On 02/01/18 10:27, Karol Buler wrote: >>> Hi Keycloak community! >>> >>> At the beginning I would wish you a Happy New Year! :) >>> >>> About the problem... If we run Keycloak as a docker, every time >>> Keycloak >>> is rebooted the Keys (Realm Setting -> Keys) are generated again. >>> Result >>> is that each application which use Keycloak's adapter throws "Didn't >>> find publicKey for specified kid" error. This error occurs because the >>> Keys are not rotated in right way, and application does not know about >>> the rotation. >>> >>> Have you met this problem? What is your workaround? Is it an issue? >>> >>> Best regards, >>> Karol >>> >>> [https://www.adbglobal.com/wp-content/uploads/adb.png] >>> adbglobal.com >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > From K.Buler at adbglobal.com Wed Jan 3 04:34:14 2018 From: K.Buler at adbglobal.com (Karol Buler) Date: Wed, 3 Jan 2018 10:34:14 +0100 Subject: [keycloak-user] Problem with Keys In-Reply-To: <4c93abe8-b059-0cc2-de1f-015a277c2604@redhat.com> References: <293eba41-0a7f-a1db-58de-0cd7d5d85e94@adbglobal.com> <450d7ece-871a-5fbe-ae36-a16000e81365@redhat.com> <35aa8c1c-768c-3797-6e45-d0e675aa71ea@adbglobal.com> <4c93abe8-b059-0cc2-de1f-015a277c2604@redhat.com> Message-ID: <05244f2c-7b82-1f21-e4ea-dcf1ab401e7e@adbglobal.com> We don't (re)import anything after rebooting. As I said the only thing we do is adding our User Federation. Is it possible that Keycloak regenerate Keys while User Federation injecting? In other hand... where those keys are stored? I mean which table in DB? On 03.01.2018 09:08, Marek Posolda wrote: > On 02/01/18 17:47, Karol Buler wrote: >> Hi Marek, >> >> thanks for the response! >> >> Of course we use specific docker image (at this moment >> jboss/keycloak-postgres:3.2.1.Final), so database is persistent, but >> (checked twice) RSA and also HMAC from "Realm settings -> Keys" are >> different after rebooting the Keycloak's docker. The only additional >> thing we do in dockerfile is adding our User Federation's provider. >> Do you see any mistake that we could do? > I guess you may do import (or reimport) of the realm after the reboot? > Re-import will always generate new keys by default. You can either > skip re-import or if skip re-import is really needed, then you may > need to use different key provider, and perhaps hardcode the keys > instead of always generate them. > > Marek >> >> Karol >> >> >> On 02.01.2018 17:21, Marek Posolda wrote: >>> Hi, >>> >>> isn't the problem that your whole database is always "restarted" >>> during each keycloak reboot? Or that you always force reimport >>> things? If you use docker image pointed to shared database, you >>> won't see this problem though. We have docker images for databases >>> like PostgreSQL, MySQL AFAIR. >>> >>> Marek >>> >>> On 02/01/18 10:27, Karol Buler wrote: >>>> Hi Keycloak community! >>>> >>>> At the beginning I would wish you a Happy New Year! :) >>>> >>>> About the problem... If we run Keycloak as a docker, every time >>>> Keycloak >>>> is rebooted the Keys (Realm Setting -> Keys) are generated again. >>>> Result >>>> is that each application which use Keycloak's adapter throws "Didn't >>>> find publicKey for specified kid" error. This error occurs because the >>>> Keys are not rotated in right way, and application does not know about >>>> the rotation. >>>> >>>> Have you met this problem? What is your workaround? Is it an issue? >>>> >>>> Best regards, >>>> Karol >>>> >>>> [https://www.adbglobal.com/wp-content/uploads/adb.png] >>>> adbglobal.com >>>> >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >> > From Tony.Harris at oneadvanced.com Wed Jan 3 06:11:29 2018 From: Tony.Harris at oneadvanced.com (Tony Harris) Date: Wed, 3 Jan 2018 11:11:29 +0000 Subject: [keycloak-user] Password Policy API end points Message-ID: <632ef053111d42f4babcf35bbbba42c2@SL1ACSEXCMB01.acsresource.com> Wondering if anyone can point me in the right direction. I want to be able to add and amend password policy setting on a realm via the Rest API, I can see how to retrieve the available PasswordPolicyTypeRepresentation from the ServerInfoRepresentation object but other than basic human readable string value representation of the password profile against the realm from the RealmRepresentation but I can not find a way of adding or amending the realm specific password policy settings, is this even currently possible with the API? Tony ***** Email confidentiality ***** This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. The dissemination, copying or distribution of this message, or related files, by anyone other than the intended recipient is strictly prohibited. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advanced Computer Software Group Limited. ***** Email monitoring ***** Advanced Computer Software Group Limited may monitor email traffic data and also the content of email for the purposes of security and staff training. ***** Email security ***** In keeping with good computing practice, the recipient of this email should ensure that it is virus-free. Advanced Computer Software Group Limited does not accept responsibility for any virus that may be transferred by way of this email. Email may be susceptible to data corruption, interception and/or unauthorised amendment. Advanced Computer Software Group Limited does not accept liability for any such corruption, interception or amendment or any consequences thereof. This email has been scanned for viruses by the Symantec Email Security.cloud service. Advanced Computer Software Group Limited Registered office: Ditton Park, Riding Court Road, Datchet, Berkshire, SL3 9LL, UK Registered in England under number 5965280 ________________________________ Please consider the environment: Think before you print! This message has been scanned for malware by Websense. www.websense.com From K.Buler at adbglobal.com Wed Jan 3 06:25:58 2018 From: K.Buler at adbglobal.com (Karol Buler) Date: Wed, 3 Jan 2018 12:25:58 +0100 Subject: [keycloak-user] Problem with Keys In-Reply-To: <05244f2c-7b82-1f21-e4ea-dcf1ab401e7e@adbglobal.com> References: <293eba41-0a7f-a1db-58de-0cd7d5d85e94@adbglobal.com> <450d7ece-871a-5fbe-ae36-a16000e81365@redhat.com> <35aa8c1c-768c-3797-6e45-d0e675aa71ea@adbglobal.com> <4c93abe8-b059-0cc2-de1f-015a277c2604@redhat.com> <05244f2c-7b82-1f21-e4ea-dcf1ab401e7e@adbglobal.com> Message-ID: <40a90382-4bab-d83b-73c0-d22345beabd9@adbglobal.com> Hmm... I just checked again on local machine with docker-compose and those Keys aren't changed. It looks like this issue occurs only on OpenShift which we use for whole system. I have to check how it works step by step. On 03.01.2018 10:34, Karol Buler wrote: > [This sender failed our fraud detection checks and may not be who they appear to be. Learn about spoofing at http://aka.ms/LearnAboutSpoofing] > > We don't (re)import anything after rebooting. As I said the only thing > we do is adding our User Federation. Is it possible that Keycloak > regenerate Keys while User Federation injecting? In other hand... where > those keys are stored? I mean which table in DB? > > > On 03.01.2018 09:08, Marek Posolda wrote: >> On 02/01/18 17:47, Karol Buler wrote: >>> Hi Marek, >>> >>> thanks for the response! >>> >>> Of course we use specific docker image (at this moment >>> jboss/keycloak-postgres:3.2.1.Final), so database is persistent, but >>> (checked twice) RSA and also HMAC from "Realm settings -> Keys" are >>> different after rebooting the Keycloak's docker. The only additional >>> thing we do in dockerfile is adding our User Federation's provider. >>> Do you see any mistake that we could do? >> I guess you may do import (or reimport) of the realm after the reboot? >> Re-import will always generate new keys by default. You can either >> skip re-import or if skip re-import is really needed, then you may >> need to use different key provider, and perhaps hardcode the keys >> instead of always generate them. >> >> Marek >>> Karol >>> >>> >>> On 02.01.2018 17:21, Marek Posolda wrote: >>>> Hi, >>>> >>>> isn't the problem that your whole database is always "restarted" >>>> during each keycloak reboot? Or that you always force reimport >>>> things? If you use docker image pointed to shared database, you >>>> won't see this problem though. We have docker images for databases >>>> like PostgreSQL, MySQL AFAIR. >>>> >>>> Marek >>>> >>>> On 02/01/18 10:27, Karol Buler wrote: >>>>> Hi Keycloak community! >>>>> >>>>> At the beginning I would wish you a Happy New Year! :) >>>>> >>>>> About the problem... If we run Keycloak as a docker, every time >>>>> Keycloak >>>>> is rebooted the Keys (Realm Setting -> Keys) are generated again. >>>>> Result >>>>> is that each application which use Keycloak's adapter throws "Didn't >>>>> find publicKey for specified kid" error. This error occurs because the >>>>> Keys are not rotated in right way, and application does not know about >>>>> the rotation. >>>>> >>>>> Have you met this problem? What is your workaround? Is it an issue? >>>>> >>>>> Best regards, >>>>> Karol >>>>> >>>>> [https://www.adbglobal.com/wp-content/uploads/adb.png] >>>>> adbglobal.com >>>>> >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Wed Jan 3 06:29:00 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 3 Jan 2018 12:29:00 +0100 Subject: [keycloak-user] Password Policy API end points In-Reply-To: <632ef053111d42f4babcf35bbbba42c2@SL1ACSEXCMB01.acsresource.com> References: <632ef053111d42f4babcf35bbbba42c2@SL1ACSEXCMB01.acsresource.com> Message-ID: It's just a string on the RealmRepresentation so you just need to update the realm itself On 3 January 2018 at 12:11, Tony Harris wrote: > Wondering if anyone can point me in the right direction. > > I want to be able to add and amend password policy setting on a realm via > the Rest API, I can see how to retrieve the available > PasswordPolicyTypeRepresentation from the ServerInfoRepresentation object > but other than basic human readable string value representation of the > password profile against the realm from the RealmRepresentation but I can > not find a way of adding or amending the realm specific password policy > settings, is this even currently possible with the API? > > Tony > > ***** Email confidentiality ***** > > This message is private and confidential. If you have received this > message in error, please notify us and remove it from your system. The > dissemination, copying or distribution of this message, or related files, > by anyone other than the intended recipient is strictly prohibited. > > > > Any views or opinions expressed are solely those of the author and do not > necessarily represent those of Advanced Computer Software Group Limited. > > > > ***** Email monitoring ***** > > Advanced Computer Software Group Limited may monitor email traffic data > and also the content of email for the purposes of security and staff > training. > > > > ***** Email security ***** > > In keeping with good computing practice, the recipient of this email > should ensure that it is virus-free. Advanced Computer Software Group > Limited does not accept responsibility for any virus that may be > transferred by way of this email. > > > > Email may be susceptible to data corruption, interception and/or > unauthorised amendment. Advanced Computer Software Group Limited does not > accept liability for any such corruption, interception or amendment or any > consequences thereof. > > > > This email has been scanned for viruses by the Symantec Email > Security.cloud service. > > > > Advanced Computer Software Group Limited > > Registered office: Ditton Park, Riding Court Road, Datchet, Berkshire, SL3 > 9LL, UK > > Registered in England under number 5965280 > > ________________________________ > > Please consider the environment: Think before you print! > > > This message has been scanned for malware by Websense. www.websense.com > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Tony.Harris at oneadvanced.com Wed Jan 3 06:30:40 2018 From: Tony.Harris at oneadvanced.com (Tony Harris) Date: Wed, 3 Jan 2018 11:30:40 +0000 Subject: [keycloak-user] Password Policy API end points In-Reply-To: References: <632ef053111d42f4babcf35bbbba42c2@SL1ACSEXCMB01.acsresource.com> Message-ID: Thanks, didn?t think it would be that simple! From: Stian Thorgersen [mailto:sthorger at redhat.com] Sent: 03 January 2018 11:29 To: Tony Harris Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Password Policy API end points It's just a string on the RealmRepresentation so you just need to update the realm itself On 3 January 2018 at 12:11, Tony Harris > wrote: Wondering if anyone can point me in the right direction. I want to be able to add and amend password policy setting on a realm via the Rest API, I can see how to retrieve the available PasswordPolicyTypeRepresentation from the ServerInfoRepresentation object but other than basic human readable string value representation of the password profile against the realm from the RealmRepresentation but I can not find a way of adding or amending the realm specific password policy settings, is this even currently possible with the API? Tony ***** Email confidentiality ***** This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. The dissemination, copying or distribution of this message, or related files, by anyone other than the intended recipient is strictly prohibited. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advanced Computer Software Group Limited. ***** Email monitoring ***** Advanced Computer Software Group Limited may monitor email traffic data and also the content of email for the purposes of security and staff training. ***** Email security ***** In keeping with good computing practice, the recipient of this email should ensure that it is virus-free. Advanced Computer Software Group Limited does not accept responsibility for any virus that may be transferred by way of this email. Email may be susceptible to data corruption, interception and/or unauthorised amendment. Advanced Computer Software Group Limited does not accept liability for any such corruption, interception or amendment or any consequences thereof. This email has been scanned for viruses by the Symantec Email Security.cloud service. Advanced Computer Software Group Limited Registered office: Ditton Park, Riding Court Road, Datchet, Berkshire, SL3 9LL, UK Registered in England under number 5965280 ________________________________ Please consider the environment: Think before you print! This message has been scanned for malware by Websense. www.websense.com _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user Click here to report this email as spam. ***** Email confidentiality ***** This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. The dissemination, copying or distribution of this message, or related files, by anyone other than the intended recipient is strictly prohibited. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advanced Computer Software Group Limited. ***** Email monitoring ***** Advanced Computer Software Group Limited may monitor email traffic data and also the content of email for the purposes of security and staff training. ***** Email security ***** In keeping with good computing practice, the recipient of this email should ensure that it is virus-free. Advanced Computer Software Group Limited does not accept responsibility for any virus that may be transferred by way of this email. Email may be susceptible to data corruption, interception and/or unauthorised amendment. Advanced Computer Software Group Limited does not accept liability for any such corruption, interception or amendment or any consequences thereof. This email has been scanned for viruses by the Symantec Email Security.cloud service. Advanced Computer Software Group Limited Registered office: Ditton Park, Riding Court Road, Datchet, Berkshire, SL3 9LL, UK Registered in England under number 5965280 From khirschmann at huebinet.de Wed Jan 3 10:15:27 2018 From: khirschmann at huebinet.de (Kevin Hirschmann) Date: Wed, 3 Jan 2018 15:15:27 +0000 Subject: [keycloak-user] custom ldap attribute mapper Message-ID: <65646dbabdcf493d9a23a6e576395231@huebinet.de> Hello, I would like to add my own custom user-attribute-ldap-mapper. It is needed, because the usernames, groups and roles of a test environment are prefixed to distinguish them from production usernames etc. . First I took the example "user-storage-simple" which worked right away. Now I transfered this to ldap mappers. I created a maven project, added a) A class org.keycloak.examples.ldap.mappers.XxMapperFactory b) a file org.keycloak.storage.ldap.mappers.LDAPStorageMapperFactory and added to it the entry org.keycloak.examples.ldap.mappers.XxMapperFactory c) I added a jboss-deployment-structure.xml file I added the jboss-deployment-structure.xml because I found this https://issues.jboss.org/browse/KEYCLOAK-4428 which matches my problem INFO [org.jboss.as.server.deployment] (MSC service thread 1-8) WFLYSRV0027: Starting deployment of "ldap-mapper-example.jar" (runtime-name: "ldap-mapper-example.jar") WARN [org.jboss.as.dependency.private] (MSC service thread 1-6) WFLYSRV0018: Deployment "deployment.ldap-mapper-example.jar" is using a private module ("org.keycloak.keycloak-server-spi-private:main") which may be changed or removed in future versions without notice. WARN [org.jboss.modules] (MSC service thread 1-6) Failed to define class org.keycloak.examples.ldap.mappers.XxMapperFactory in Module "deployment.ldap-mapper-example.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/ldap/mappers/XxMapperFactory (Module "deployment.ldap-mapper-example.jar:main" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPConfigDecorator at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446) at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274) at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78) at org.jboss.modules.Module.loadModuleClass(Module.java:605) at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Unknown Source) at java.util.ServiceLoader$LazyIterator.nextService(Unknown Source) at java.util.ServiceLoader$LazyIterator.next(Unknown Source) at java.util.ServiceLoader$1.next(Unknown Source) at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47) at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93) at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206) at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112) at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42) at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54) at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) But it didn't help (why would I write this mail if it did). What have I missed? Thx Kevin From s.hoffman at xsb.com Wed Jan 3 11:39:34 2018 From: s.hoffman at xsb.com (Steve Hoffman) Date: Wed, 3 Jan 2018 10:39:34 -0600 (CST) Subject: [keycloak-user] Add required action "Update Password" to all users after Password Policy change Message-ID: <1095562809.16778079.1514997574414.JavaMail.zimbra@xsb.com> Currently updating the Password Policy for a realm, and I was looking for an easier (safer) way of forcing users to update password on login once we've set our new preferences. I'm aware that I can iterate through the users in the admin console (time/cost prohibitive) or POST/Update to the Admin REST API for each individual user after a GET for the user list. Is there another simpler built-in mechanism that I'm overlooking? Thanks, Stephen Hoffman -- XSB, Inc Office (631) 371-8100 Ext. 8128 Mobile (631) 579-9857 Fax (631) 382-8228 http://www.xsb.com/ DISCLAIMER: This e-mail is intended for the use of the addressee(s) only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you are not the intended recipient, please do not read, copy, use or disclose the contents of this communication to others. Please notify the sender that you have received this e-mail in error by replying to the e-mail. Please then delete the e-mail and destroy any copies of it. Thank you. From msiochos at gmail.com Wed Jan 3 12:07:42 2018 From: msiochos at gmail.com (Michalis Siochos) Date: Wed, 3 Jan 2018 19:07:42 +0200 Subject: [keycloak-user] SSO on non-protected / public urls In-Reply-To: References: <0c18e3d8-a2e6-e5de-8898-46e4f0945791@gmail.com> Message-ID: <91a4af70-097e-cee0-e4e8-dea2ff8e476a@gmail.com> Greetings Pedro, We need SSO on non protected resources for a number of reasons outlined below: 1) We have a series of portals (company, services, products, subsidiaries, etc) that have both public and protected areas. So, we need to be able to identify a user that lands on a public url (e.g. by following a link) in order to show personalized content. Google offers similar functionality - Go to https://mail.google.com - Login - Then go to https://www.youtube.com - You see personalized content on a page that is obviously public In my view, this is an important added value of SSO. 2) The main website consists of a series of applications (actually portals) than are put together at user interface level. So, the user may navigate from a protected portal to a public portal e.g. - From: https://www.example.com/customers (protected) - To: https://www.example.com/services (public) As the customer navigates to public urls then the application cannot show logged in user information and list of available actions. This is bad from user experience point of view since the user will see himself/herself as logged in on /customers but as anonymous on /service while on the same website (the user cannot understand that he navigates to different apps) 3) We have been using this functionality for 10+ years so renouncing it would be a major regression. Best Regards, Michalis On 01/02/2018 04:33 PM, Pedro Igor Silva wrote: > Why do you need to create session when accessing a public resource ? > > On Thu, Dec 28, 2017 at 6:01 PM, Michalis Siochos > wrote: > > Hi All, > > I'm evaluating keycloak and identifying the possibility to provide SSO > services on non protected (public) pages. > > Assume the following environment: > > Portal 1 > - https://site1.example.com/public > - https://site1.example.com/protected > > > Portal 2 > - https://site2.example.com/public > - https://site2.example.com/protected > > > /protected is the restricted area of the portal, that only logged in > users may access > /public is the public area where both logged in and anonymous > users may > navigate > > I'm trying to achieve the following > - User logs in @ https://site1.example.com > - SSO session and site1 session are created > - User goes to public area of site2, > https://site2.example.com/public > - User is automatically logged in (site2 session is created) > > It seems that the above is not possible with OIDC / SAML since the > user > has to land on a protected page to initiate federation, or perform an > action (e.g. click a button). > > Any other thoughts, feedback? > > Thanks in advance, > Michalis > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From psilva at redhat.com Wed Jan 3 13:37:42 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 3 Jan 2018 16:37:42 -0200 Subject: [keycloak-user] SSO on non-protected / public urls In-Reply-To: <91a4af70-097e-cee0-e4e8-dea2ff8e476a@gmail.com> References: <0c18e3d8-a2e6-e5de-8898-46e4f0945791@gmail.com> <91a4af70-097e-cee0-e4e8-dea2ff8e476a@gmail.com> Message-ID: I see now. As you noticed, the adapters rely on a set of one or more paths in order to trigger authentication and intercept requests. I'm not sure either how we can accomplish this, but maybe we can start by understanding how your clients look like. For instance: * Which adapter are you using with your clients (site1 and site2) ? * Are these clients confidential clients ? I think that if you are using JS in your clients (e.g.: angular or something else) it should be easier to support these requirements. On Wed, Jan 3, 2018 at 3:07 PM, Michalis Siochos wrote: > Greetings Pedro, > > We need SSO on non protected resources for a number of reasons outlined > below: > > 1) We have a series of portals (company, services, products, subsidiaries, > etc) that have both public and protected areas. > So, we need to be able to identify a user that lands on a public url (e.g. > by following a link) in order to show personalized content. > > Google offers similar functionality > - Go to https://mail.google.com > - Login > - Then go to https://www.youtube.com > - You see personalized content on a page that is obviously public > > In my view, this is an important added value of SSO. > > 2) The main website consists of a series of applications (actually > portals) than are put together at user interface level. So, the user may > navigate from a protected portal to a public portal e.g. > - From: https://www.example.com/customers (protected) > - To: https://www.example.com/services (public) > > As the customer navigates to public urls then the application cannot show > logged in user information and list of available actions. This is bad from > user experience point of view since the user will see himself/herself as > logged in on /customers but as anonymous on /service while on the same > website (the user cannot understand that he navigates to different apps) > > 3) We have been using this functionality for 10+ years so renouncing it > would be a major regression. > > Best Regards, > Michalis > > > On 01/02/2018 04:33 PM, Pedro Igor Silva wrote: > > Why do you need to create session when accessing a public resource ? > > On Thu, Dec 28, 2017 at 6:01 PM, Michalis Siochos > wrote: > >> Hi All, >> >> I'm evaluating keycloak and identifying the possibility to provide SSO >> services on non protected (public) pages. >> >> Assume the following environment: >> >> Portal 1 >> - https://site1.example.com/public >> - https://site1.example.com/protected >> >> Portal 2 >> - https://site2.example.com/public >> - https://site2.example.com/protected >> >> /protected is the restricted area of the portal, that only logged in >> users may access >> /public is the public area where both logged in and anonymous users may >> navigate >> >> I'm trying to achieve the following >> - User logs in @ https://site1.example.com >> - SSO session and site1 session are created >> - User goes to public area of site2, https://site2.example.com/public >> - User is automatically logged in (site2 session is created) >> >> It seems that the above is not possible with OIDC / SAML since the user >> has to land on a protected page to initiate federation, or perform an >> action (e.g. click a button). >> >> Any other thoughts, feedback? >> >> Thanks in advance, >> Michalis >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > > From carreraariel at gmail.com Wed Jan 3 14:13:31 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Wed, 3 Jan 2018 16:13:31 -0300 Subject: [keycloak-user] Fwd: Trojan in Keycloak Javascript Adapter? In-Reply-To: References: Message-ID: Hi, I have downloaded Keycloak Javascript Adapter from http://www.keycloak.org/downloads.html and when it is done a Windows Defender's popup alerts about a Trojan inside. Windows Defender info: adapter file: keycloak-js-adapter-dist-3.4.2.Final.zip trojan name: Trojan:JS/Jorv.A!cl file: keycloak-js-adapter-dist-3.4.2.Final/keycloak.min.js Am I the only one with this problem? Thanks, -- Ariel Carrera -- Ariel Carrera From carreraariel at gmail.com Wed Jan 3 16:07:44 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Wed, 03 Jan 2018 21:07:44 +0000 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: Thanks Ramunas, I will check My Windows defender?s definition version to compare with you. I have Windows 10 (64 bit) updated on December 2017. El El mi?, 3 ene. 2018 a las 17:45, Rumanas escribi?: > * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file > * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder with > Windows Defender on Windows 10 - no issues found > * checked for Windows updates. New update "Definition Update for Windows > Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found and > installed. > * scanned again. No issues found. > > Ram?nas > -- Ariel Carrera From csalazar at devsu.com Wed Jan 3 17:59:10 2018 From: csalazar at devsu.com (Cesar Salazar) Date: Wed, 3 Jan 2018 17:59:10 -0500 Subject: [keycloak-user] GET users endpoint is making lots of requests to the database (its really slow!) Message-ID: Hi, First of all, thanks for the great work on keycloak! We are using keycloak for an application, and it was working great (until we launched to production) We have 150 users which are connected to an Active Directory using the Federation functionality. It works, but the endpoint GET /{realm}/users takes about 23 seconds to respond (Keycloak running on a container in GKE backed by a mysql server on Google Cloud SQL). I enabled mysql logging and the problem seems to be that just for responding this endpoint, the server makes 901 queries to the database! These are the queries: First query, to get the users: select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_, userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, userentity0_.EMAIL_VERIFIED as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_, userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_, userentity0_.NOT_BEFORE as NOT_BEF10_71_, userentity0_.REALM_ID as REALM_I11_71_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_71_, userentity0_.USERNAME as USERNAM13_71_ from USER_ENTITY userentity0_ where userentity0_.REALM_ID='my-realm' and (userentity0_.SERVICE_ACCOUNT_CLIENT_LINK is null) order by userentity0_.USERNAME Then,* for each user *a query like this, (getting user attributes I guess) select attributes0_.USER_ID as USER_ID4_67_0_, attributes0_.ID as ID1_67_0_, attributes0_.ID as ID1_67_1_, attributes0_.NAME as NAME2_67_1_, attributes0_.USER_ID as USER_ID4_67_1_, attributes0_.VALUE as VALUE3_67_1_ from USER_ATTRIBUTE attributes0_ where attributes0_.USER_ID='b920df7c-a419-4150-86bd-9f81c7ea0b70' Then,* for each user* 4 queries similar to this, (getting credentials I guess) select credential0_.ID as ID1_18_, credential0_.ALGORITHM as ALGORITH2_18_, credential0_.COUNTER as COUNTER3_18_, credential0_.CREATED_DATE as CREATED_4_18_, credential0_.DEVICE as DEVICE5_18_, credential0_.DIGITS as DIGITS6_18_, credential0_.HASH_ITERATIONS as HASH_ITE7_18_, credential0_.PERIOD as PERIOD8_18_, credential0_.SALT as SALT9_18_, credential0_.TYPE as TYPE10_18_, credential0_.USER_ID as USER_ID12_18_, credential0_.VALUE as VALUE11_18_ from CREDENTIAL credential0_ where credential0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' and credential0_.TYPE='totp' A query with type *totp* is queried 2 times, the other 2 times are queried with type *hotp* and *password* and finally one more query* for each user* (getting required actions I guess) select requiredac0_.USER_ID as USER_ID2_77_0_, requiredac0_.REQUIRED_ACTION as REQUIRED1_77_0_, requiredac0_.REQUIRED_ACTION as REQUIRED1_77_1_, requiredac0_.USER_ID as USER_ID2_77_1_ from USER_REQUIRED_ACTION requiredac0_ where requiredac0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' So, in total, for 150 users, Keycloak is making 901 requests to the database! If I increase the number to 500 users, will it be 30001 requests??? How can this be improved? Is there something wrong I'm doing in the configuration? Does this happens only with Federated users? Thanks! -- *Cesar Salazar* Development Manager DEVSU | www.devsu.com skype: cesarsalazar007 P: (213)-291-0752 M: +593 9 2917 160 (Ecuador) From jonas.schoenenberger at gmail.com Thu Jan 4 02:55:22 2018 From: jonas.schoenenberger at gmail.com (=?UTF-8?Q?Jonas_Sch=C3=B6nenberger?=) Date: Thu, 4 Jan 2018 08:55:22 +0100 Subject: [keycloak-user] CORS in Keycloak 3.4 Message-ID: Hey there I?ve been trying to figure out how to enable CORS in the later versions of KeyCloak. I can?t seem to find a valid way to achieve this besides hardcoding response headers in the standalone.xml. I?m using a standalone deployment. I know the functionality to handle preflight and other CORS scenarios is there, so there must be surely a way to activate it? Could somebody enlighten me please? Thanks a lot Jonas From mposolda at redhat.com Thu Jan 4 05:31:15 2018 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 4 Jan 2018 11:31:15 +0100 Subject: [keycloak-user] custom ldap attribute mapper In-Reply-To: <65646dbabdcf493d9a23a6e576395231@huebinet.de> References: <65646dbabdcf493d9a23a6e576395231@huebinet.de> Message-ID: <7293e78c-b65c-d913-40db-5330b6513132@redhat.com> I think you need few more dependencies in your jboss-deployment-structure.xml . At least also org.keycloak.keycloak-ldap-federation and maybe some more. Marek On 03/01/18 16:15, Kevin Hirschmann wrote: > Hello, > > I would like to add my own custom user-attribute-ldap-mapper. It is needed, because the usernames, groups and roles of a test environment are prefixed to distinguish them from production usernames etc. . > First I took the example "user-storage-simple" which worked right away. > > Now I transfered this to ldap mappers. I created a maven project, added > a) A class org.keycloak.examples.ldap.mappers.XxMapperFactory > b) a file org.keycloak.storage.ldap.mappers.LDAPStorageMapperFactory and added to it the entry org.keycloak.examples.ldap.mappers.XxMapperFactory > c) I added a jboss-deployment-structure.xml file > > > > > > > > > > I added the jboss-deployment-structure.xml because I found this https://issues.jboss.org/browse/KEYCLOAK-4428 which > matches my problem > > INFO [org.jboss.as.server.deployment] (MSC service thread 1-8) WFLYSRV0027: Starting deployment of "ldap-mapper-example.jar" (runtime-name: "ldap-mapper-example.jar") > WARN [org.jboss.as.dependency.private] (MSC service thread 1-6) WFLYSRV0018: Deployment "deployment.ldap-mapper-example.jar" is using a private module ("org.keycloak.keycloak-server-spi-private:main") which may be changed or removed in future versions without notice. > WARN [org.jboss.modules] (MSC service thread 1-6) Failed to define class org.keycloak.examples.ldap.mappers.XxMapperFactory in Module "deployment.ldap-mapper-example.jar:main" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link org/keycloak/examples/ldap/mappers/XxMapperFactory (Module "deployment.ldap-mapper-example.jar:main" from Service Module Loader): org/keycloak/storage/ldap/mappers/LDAPConfigDecorator > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) > at java.lang.reflect.Constructor.newInstance(Unknown Source) > at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446) > at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274) > at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:78) > at org.jboss.modules.Module.loadModuleClass(Module.java:605) > at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190) > at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) > at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) > at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) > at java.lang.Class.forName0(Native Method) > at java.lang.Class.forName(Unknown Source) > at java.util.ServiceLoader$LazyIterator.nextService(Unknown Source) > at java.util.ServiceLoader$LazyIterator.next(Unknown Source) > at java.util.ServiceLoader$1.next(Unknown Source) > at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47) > at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93) > at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206) > at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112) > at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42) > at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54) > at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) > at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) > at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) > at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) > at java.lang.Thread.run(Unknown Source) > > > > But it didn't help (why would I write this mail if it did). > > What have I missed? > > Thx > > Kevin > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Jan 4 05:39:29 2018 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 4 Jan 2018 11:39:29 +0100 Subject: [keycloak-user] GET users endpoint is making lots of requests to the database (its really slow!) In-Reply-To: References: Message-ID: <6148174c-f714-b56d-03a6-4dc5d4309cb6@redhat.com> On 03/01/18 23:59, Cesar Salazar wrote: > Hi, > > First of all, thanks for the great work on keycloak! > > We are using keycloak for an application, and it was working great (until > we launched to production) > > We have 150 users which are connected to an Active Directory using the > Federation functionality. > > It works, but the endpoint GET /{realm}/users takes about 23 seconds to > respond (Keycloak running on a container in GKE backed by a mysql server on > Google Cloud SQL). > > I enabled mysql logging and the problem seems to be that just for > responding this endpoint, the server makes 901 queries to the database! > > These are the queries: > > First query, to get the users: > > select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as > CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_, > userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, userentity0_.EMAIL_VERIFIED > as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_, > userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as > FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_, > userentity0_.NOT_BEFORE as NOT_BEF10_71_, userentity0_.REALM_ID as > REALM_I11_71_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_71_, > userentity0_.USERNAME as USERNAM13_71_ from USER_ENTITY userentity0_ where > userentity0_.REALM_ID='my-realm' and > (userentity0_.SERVICE_ACCOUNT_CLIENT_LINK is null) order by > userentity0_.USERNAME > > > Then,* for each user *a query like this, (getting user attributes I guess) > > select attributes0_.USER_ID as USER_ID4_67_0_, attributes0_.ID as > ID1_67_0_, attributes0_.ID as ID1_67_1_, attributes0_.NAME as NAME2_67_1_, > attributes0_.USER_ID as USER_ID4_67_1_, attributes0_.VALUE as VALUE3_67_1_ > from USER_ATTRIBUTE attributes0_ where > attributes0_.USER_ID='b920df7c-a419-4150-86bd-9f81c7ea0b70' > > > Then,* for each user* 4 queries similar to this, (getting credentials I > guess) > > select credential0_.ID as ID1_18_, credential0_.ALGORITHM as ALGORITH2_18_, > credential0_.COUNTER as COUNTER3_18_, credential0_.CREATED_DATE as > CREATED_4_18_, credential0_.DEVICE as DEVICE5_18_, credential0_.DIGITS as > DIGITS6_18_, credential0_.HASH_ITERATIONS as HASH_ITE7_18_, > credential0_.PERIOD as PERIOD8_18_, credential0_.SALT as SALT9_18_, > credential0_.TYPE as TYPE10_18_, credential0_.USER_ID as USER_ID12_18_, > credential0_.VALUE as VALUE11_18_ from CREDENTIAL credential0_ where > credential0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' and > credential0_.TYPE='totp' > > > A query with type *totp* is queried 2 times, the other 2 times are queried > with type *hotp* and *password* > > and finally one more query* for each user* (getting required actions I > guess) > > select requiredac0_.USER_ID as USER_ID2_77_0_, requiredac0_.REQUIRED_ACTION > as REQUIRED1_77_0_, requiredac0_.REQUIRED_ACTION as REQUIRED1_77_1_, > requiredac0_.USER_ID as USER_ID2_77_1_ from USER_REQUIRED_ACTION > requiredac0_ where > requiredac0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' > > > So, in total, for 150 users, Keycloak is making 901 requests to the > database! If I increase the number to 500 users, will it be 30001 > requests??? > > How can this be improved? Is there something wrong I'm doing in the > configuration? Does this happens only with Federated users? I don't think it is specific only for federated users. IMO the same will happen for 150 non-federated users too. You can create JIRA, but not sure if we are able to fix it on our side, we are using JPA/Hibernate under the covers and I think it doesn't easily allow something like "batch" query to retrieve attributes, requiredActions, credentials in single SQL query for current page of users... Maybe the options for you to improve this are: - Improve DB connection and make sure that there is no big network latency between DB and Keycloak (It seems this is the big issue in your env). - Use LDAP No-Import mode Marek > > Thanks! > From mposolda at redhat.com Thu Jan 4 05:44:13 2018 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 4 Jan 2018 11:44:13 +0100 Subject: [keycloak-user] Add required action "Update Password" to all users after Password Policy change In-Reply-To: <1095562809.16778079.1514997574414.JavaMail.zimbra@xsb.com> References: <1095562809.16778079.1514997574414.JavaMail.zimbra@xsb.com> Message-ID: I guess you can go to tab "Required actions" in the admin console and switch the checkbox for "Update Password" required action to "default" . Then all new users should automatically be added to this action AFAIK. If it's not sufficient, the easiest is likely really to update each user and manually add requiredAction to him. I would do it with admin REST API. Marek On 03/01/18 17:39, Steve Hoffman wrote: > Currently updating the Password Policy for a realm, and I was looking for an easier (safer) way of forcing users to update password on login once we've set our new preferences. > > I'm aware that I can iterate through the users in the admin console (time/cost prohibitive) or POST/Update to the Admin REST API for each individual user after a GET for the user list. > > Is there another simpler built-in mechanism that I'm overlooking? > > Thanks, > Stephen Hoffman > From rgshepherd at gmail.com Thu Jan 4 06:42:36 2018 From: rgshepherd at gmail.com (Rob Shepherd) Date: Thu, 4 Jan 2018 11:42:36 +0000 Subject: [keycloak-user] GET users endpoint is making lots of requests to the database (its really slow!) In-Reply-To: References: Message-ID: <1F7FCB77-0DF9-4BDF-8CCA-060859FBC6D3@gmail.com> Cesar, Do you have Caching enabled? Realm > User Federation > Cache Settings > Cache Policy I posted to the list a few week ago to point out that with Caching enabled, the Keycloak was actually making More requests to a custom federated user backend. http://lists.jboss.org/pipermail/keycloak-user/2017-November/012230.html I appreciate that you use a different form of user federation, but it is the same unexpected scenario. Rob > On 3 Jan 2018, at 22:59, Cesar Salazar wrote: > > Hi, > > First of all, thanks for the great work on keycloak! > > We are using keycloak for an application, and it was working great (until > we launched to production) > > We have 150 users which are connected to an Active Directory using the > Federation functionality. > > It works, but the endpoint GET /{realm}/users takes about 23 seconds to > respond (Keycloak running on a container in GKE backed by a mysql server on > Google Cloud SQL). > > I enabled mysql logging and the problem seems to be that just for > responding this endpoint, the server makes 901 queries to the database! > > These are the queries: > > First query, to get the users: > > select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as > CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_, > userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, userentity0_.EMAIL_VERIFIED > as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_, > userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as > FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_, > userentity0_.NOT_BEFORE as NOT_BEF10_71_, userentity0_.REALM_ID as > REALM_I11_71_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_71_, > userentity0_.USERNAME as USERNAM13_71_ from USER_ENTITY userentity0_ where > userentity0_.REALM_ID='my-realm' and > (userentity0_.SERVICE_ACCOUNT_CLIENT_LINK is null) order by > userentity0_.USERNAME > > > Then,* for each user *a query like this, (getting user attributes I guess) > > select attributes0_.USER_ID as USER_ID4_67_0_, attributes0_.ID as > ID1_67_0_, attributes0_.ID as ID1_67_1_, attributes0_.NAME as NAME2_67_1_, > attributes0_.USER_ID as USER_ID4_67_1_, attributes0_.VALUE as VALUE3_67_1_ > from USER_ATTRIBUTE attributes0_ where > attributes0_.USER_ID='b920df7c-a419-4150-86bd-9f81c7ea0b70' > > > Then,* for each user* 4 queries similar to this, (getting credentials I > guess) > > select credential0_.ID as ID1_18_, credential0_.ALGORITHM as ALGORITH2_18_, > credential0_.COUNTER as COUNTER3_18_, credential0_.CREATED_DATE as > CREATED_4_18_, credential0_.DEVICE as DEVICE5_18_, credential0_.DIGITS as > DIGITS6_18_, credential0_.HASH_ITERATIONS as HASH_ITE7_18_, > credential0_.PERIOD as PERIOD8_18_, credential0_.SALT as SALT9_18_, > credential0_.TYPE as TYPE10_18_, credential0_.USER_ID as USER_ID12_18_, > credential0_.VALUE as VALUE11_18_ from CREDENTIAL credential0_ where > credential0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' and > credential0_.TYPE='totp' > > > A query with type *totp* is queried 2 times, the other 2 times are queried > with type *hotp* and *password* > > and finally one more query* for each user* (getting required actions I > guess) > > select requiredac0_.USER_ID as USER_ID2_77_0_, requiredac0_.REQUIRED_ACTION > as REQUIRED1_77_0_, requiredac0_.REQUIRED_ACTION as REQUIRED1_77_1_, > requiredac0_.USER_ID as USER_ID2_77_1_ from USER_REQUIRED_ACTION > requiredac0_ where > requiredac0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' > > > So, in total, for 150 users, Keycloak is making 901 requests to the > database! If I increase the number to 500 users, will it be 30001 > requests??? > > How can this be improved? Is there something wrong I'm doing in the > configuration? Does this happens only with Federated users? > > Thanks! > > -- > *Cesar Salazar* > Development Manager > DEVSU | www.devsu.com > skype: cesarsalazar007 > P: (213)-291-0752 > M: +593 9 2917 160 (Ecuador) > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Thu Jan 4 07:09:47 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 4 Jan 2018 13:09:47 +0100 Subject: [keycloak-user] Keycloak 3.4.3.Final released Message-ID: http://blog.keycloak.org/2018/01/keycloak-343final-released.html From tomas at intrahouse.com Thu Jan 4 09:12:36 2018 From: tomas at intrahouse.com (=?UTF-8?B?VG9tw6FzIEdhcmPDrWE=?=) Date: Thu, 04 Jan 2018 14:12:36 +0000 Subject: [keycloak-user] [Feature request] Adding scheduled tasks / change order of required actions / searchable user attributes Message-ID: Hi, I'm trying to fulfill the needs of the GDPR of my company in Keycloak and I noticed these things: - I cannot add a scheduled task. I don't know where to put code like you have in KeycloakApplication like: TimerProvider timer = session.getProvider(TimerProvider.class); timer.schedule(new ClusterAwareScheduledTaskRunner(sessionFactory, new ClearExpiredEvents(), interval), interval, "ClearExpiredEvents"); , so I can add a recurrent task starting from the startup of Keycloak. My use case is that I want to remove users that didn't verify their email or accepted terms & conditions after a week of first registration. So I was thinking to add a task to be run daily to do that. - The order of required actions execution is in alphabetical order, so if I wanted a custom required action to be run after the "Verify email" action I need to be sure that the name of my custom required action starts with "W" at least. An UI interface like what we already have in the Authenticators part would be nice. - There are no facilities inside Keycloak to search users with a specific attribute key or value. It would be nice too to have long integers as attibute values, in case we want to search for users with greater / less than a specific timestamp attribute like the one you use in the terms & conditions required action. For example, for the removal task, I'd like to search for users without a custom attribute, then I'll remove those. I guess I'll just extend the data model if needed to workaround this issue. - If someone declines the terms & conditions, the user is redirected to a blank page with an "error" in the screen. I don't care about this since I'm going to make my custom required action if I can find an alternative for the things I'm saying above. If I'm wrong about something, please let me know. Thanks, Tom?s From simonpayne58 at gmail.com Thu Jan 4 09:21:05 2018 From: simonpayne58 at gmail.com (Simon Payne) Date: Thu, 4 Jan 2018 14:21:05 +0000 Subject: [keycloak-user] cockroachdb Message-ID: Hi, has anyone successfully managed to use cockroachdb with keycloak? if so, what steps were taken? thanks Simon. From csalazar at devsu.com Thu Jan 4 09:51:19 2018 From: csalazar at devsu.com (Cesar Salazar) Date: Thu, 4 Jan 2018 09:51:19 -0500 Subject: [keycloak-user] GET users endpoint is making lots of requests to the database (its really slow!) In-Reply-To: <6148174c-f714-b56d-03a6-4dc5d4309cb6@redhat.com> References: <6148174c-f714-b56d-03a6-4dc5d4309cb6@redhat.com> Message-ID: Hi Marek, thanks for your answer. I just created a ticket in JIRA: https://issues.jboss.org/browse/KEYCLOAK-6134 I was able to reduce the time to around 2.5 - 3 seconds by installing Keycloak and mysql dockerized on bare metal (on a powerful server), but still it should be considered slow, taking into account that we plan to have not less than a few thousand users... and also considering that it's not affordable to have such environment just for the authentication service. If 150 users require 901 queries, and it takes around 3 seconds to respond, with 3000 users, we would have 18001 requests, which would mean around 60 seconds for querying the users. (calculated using simple rule of three) I tried the solution of using LDAP No-Import mode, but that doesn't solve my use case, since I do need the /realm/users endpoint to return all the users (not only allow them to login). Anyways, for now we will stop scaling and I will ask one of my developers to take a look at the code to see if we can find a fix and send a PR or otherwise we will implement our own endpoint to get all the users (which is something we need for our app). Thanks! 2018-01-04 5:39 GMT-05:00 Marek Posolda : > On 03/01/18 23:59, Cesar Salazar wrote: > >> Hi, >> >> First of all, thanks for the great work on keycloak! >> >> We are using keycloak for an application, and it was working great (until >> we launched to production) >> >> We have 150 users which are connected to an Active Directory using the >> Federation functionality. >> >> It works, but the endpoint GET /{realm}/users takes about 23 seconds to >> respond (Keycloak running on a container in GKE backed by a mysql server >> on >> Google Cloud SQL). >> >> I enabled mysql logging and the problem seems to be that just for >> responding this endpoint, the server makes 901 queries to the database! >> >> These are the queries: >> >> First query, to get the users: >> >> select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as >> CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_, >> userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, >> userentity0_.EMAIL_VERIFIED >> as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_, >> userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as >> FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_, >> userentity0_.NOT_BEFORE as NOT_BEF10_71_, userentity0_.REALM_ID as >> REALM_I11_71_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_71_, >> userentity0_.USERNAME as USERNAM13_71_ from USER_ENTITY userentity0_ where >> userentity0_.REALM_ID='my-realm' and >> (userentity0_.SERVICE_ACCOUNT_CLIENT_LINK is null) order by >> userentity0_.USERNAME >> >> >> Then,* for each user *a query like this, (getting user attributes I guess) >> >> select attributes0_.USER_ID as USER_ID4_67_0_, attributes0_.ID as >> ID1_67_0_, attributes0_.ID as ID1_67_1_, attributes0_.NAME as NAME2_67_1_, >> attributes0_.USER_ID as USER_ID4_67_1_, attributes0_.VALUE as VALUE3_67_1_ >> from USER_ATTRIBUTE attributes0_ where >> attributes0_.USER_ID='b920df7c-a419-4150-86bd-9f81c7ea0b70' >> >> >> Then,* for each user* 4 queries similar to this, (getting credentials I >> guess) >> >> select credential0_.ID as ID1_18_, credential0_.ALGORITHM as >> ALGORITH2_18_, >> credential0_.COUNTER as COUNTER3_18_, credential0_.CREATED_DATE as >> CREATED_4_18_, credential0_.DEVICE as DEVICE5_18_, credential0_.DIGITS as >> DIGITS6_18_, credential0_.HASH_ITERATIONS as HASH_ITE7_18_, >> credential0_.PERIOD as PERIOD8_18_, credential0_.SALT as SALT9_18_, >> credential0_.TYPE as TYPE10_18_, credential0_.USER_ID as USER_ID12_18_, >> credential0_.VALUE as VALUE11_18_ from CREDENTIAL credential0_ where >> credential0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' and >> credential0_.TYPE='totp' >> >> >> A query with type *totp* is queried 2 times, the other 2 times are queried >> with type *hotp* and *password* >> >> and finally one more query* for each user* (getting required actions I >> guess) >> >> select requiredac0_.USER_ID as USER_ID2_77_0_, >> requiredac0_.REQUIRED_ACTION >> as REQUIRED1_77_0_, requiredac0_.REQUIRED_ACTION as REQUIRED1_77_1_, >> requiredac0_.USER_ID as USER_ID2_77_1_ from USER_REQUIRED_ACTION >> requiredac0_ where >> requiredac0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' >> >> >> So, in total, for 150 users, Keycloak is making 901 requests to the >> database! If I increase the number to 500 users, will it be 30001 >> requests??? >> >> How can this be improved? Is there something wrong I'm doing in the >> configuration? Does this happens only with Federated users? >> > I don't think it is specific only for federated users. IMO the same will > happen for 150 non-federated users too. > > You can create JIRA, but not sure if we are able to fix it on our side, we > are using JPA/Hibernate under the covers and I think it doesn't easily > allow something like "batch" query to retrieve attributes, requiredActions, > credentials in single SQL query for current page of users... > > Maybe the options for you to improve this are: > - Improve DB connection and make sure that there is no big network latency > between DB and Keycloak (It seems this is the big issue in your env). > - Use LDAP No-Import mode > > Marek > >> >> Thanks! >> >> > -- *Cesar Salazar* Development Manager DEVSU | www.devsu.com skype: cesarsalazar007 P: (213)-291-0752 M: +593 9 2917 160 (Ecuador) From raphoa at worteks.com Thu Jan 4 09:59:00 2018 From: raphoa at worteks.com (=?UTF-8?Q?Rapha=c3=abl_HOAREAU?=) Date: Thu, 4 Jan 2018 15:59:00 +0100 Subject: [keycloak-user] OpenID Connect IdP and nonce parameter Message-ID: <49fc1c6b-a2a4-282b-6d69-ac458734923f@worteks.com> Hi, I'm facing an issue where I use an external oidc IdP (FranceConnect) for my users to log in. When trying to login with this provider, i have this error : {"status":"fail","message":"The following fields are missing or empty : nonce"} If i put, manually, &nonce=someRandomInt, in the URL, the process continues. Am i missing something in my Identity Provider configuration ? Is there a way to add a parameter when requesting the external provider ? Regards, Rapha?l HOAREAU. From csalazar at devsu.com Thu Jan 4 10:00:12 2018 From: csalazar at devsu.com (Cesar Salazar) Date: Thu, 4 Jan 2018 10:00:12 -0500 Subject: [keycloak-user] GET users endpoint is making lots of requests to the database (its really slow!) In-Reply-To: <1F7FCB77-0DF9-4BDF-8CCA-060859FBC6D3@gmail.com> References: <1F7FCB77-0DF9-4BDF-8CCA-060859FBC6D3@gmail.com> Message-ID: Hi Rob, caching was set to "DEFAULT". I just tested with "NO CACHING", but I found no noticeable improvement. Querying the users endpoint still takes around 22 seconds. 2018-01-04 6:42 GMT-05:00 Rob Shepherd : > Cesar, > > Do you have Caching enabled? > > Realm > User Federation > Cache Settings > Cache Policy > > > I posted to the list a few week ago to point out that with Caching > *enabled*, the Keycloak was actually making More requests to a custom > federated user backend. > > http://lists.jboss.org/pipermail/keycloak-user/2017-November/012230.html > > > I appreciate that you use a different form of user federation, but it is > the same unexpected scenario. > > Rob > > > > > On 3 Jan 2018, at 22:59, Cesar Salazar wrote: > > Hi, > > First of all, thanks for the great work on keycloak! > > We are using keycloak for an application, and it was working great (until > we launched to production) > > We have 150 users which are connected to an Active Directory using the > Federation functionality. > > It works, but the endpoint GET /{realm}/users takes about 23 seconds to > respond (Keycloak running on a container in GKE backed by a mysql server on > Google Cloud SQL). > > I enabled mysql logging and the problem seems to be that just for > responding this endpoint, the server makes 901 queries to the database! > > These are the queries: > > First query, to get the users: > > select userentity0_.ID as ID1_71_, userentity0_.CREATED_TIMESTAMP as > CREATED_2_71_, userentity0_.EMAIL as EMAIL3_71_, > userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_71_, userentity0_.EMAIL_VERIFIED > as EMAIL_VE5_71_, userentity0_.ENABLED as ENABLED6_71_, > userentity0_.FEDERATION_LINK as FEDERATI7_71_, userentity0_.FIRST_NAME as > FIRST_NA8_71_, userentity0_.LAST_NAME as LAST_NAM9_71_, > userentity0_.NOT_BEFORE as NOT_BEF10_71_, userentity0_.REALM_ID as > REALM_I11_71_, userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_71_, > userentity0_.USERNAME as USERNAM13_71_ from USER_ENTITY userentity0_ where > userentity0_.REALM_ID='my-realm' and > (userentity0_.SERVICE_ACCOUNT_CLIENT_LINK is null) order by > userentity0_.USERNAME > > > Then,* for each user *a query like this, (getting user attributes I guess) > > select attributes0_.USER_ID as USER_ID4_67_0_, attributes0_.ID as > ID1_67_0_, attributes0_.ID as ID1_67_1_, attributes0_.NAME as NAME2_67_1_, > attributes0_.USER_ID as USER_ID4_67_1_, attributes0_.VALUE as VALUE3_67_1_ > from USER_ATTRIBUTE attributes0_ where > attributes0_.USER_ID='b920df7c-a419-4150-86bd-9f81c7ea0b70' > > > Then,* for each user* 4 queries similar to this, (getting credentials I > guess) > > select credential0_.ID as ID1_18_, credential0_.ALGORITHM as ALGORITH2_18_, > credential0_.COUNTER as COUNTER3_18_, credential0_.CREATED_DATE as > CREATED_4_18_, credential0_.DEVICE as DEVICE5_18_, credential0_.DIGITS as > DIGITS6_18_, credential0_.HASH_ITERATIONS as HASH_ITE7_18_, > credential0_.PERIOD as PERIOD8_18_, credential0_.SALT as SALT9_18_, > credential0_.TYPE as TYPE10_18_, credential0_.USER_ID as USER_ID12_18_, > credential0_.VALUE as VALUE11_18_ from CREDENTIAL credential0_ where > credential0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' and > credential0_.TYPE='totp' > > > A query with type *totp* is queried 2 times, the other 2 times are queried > with type *hotp* and *password* > > and finally one more query* for each user* (getting required actions I > guess) > > select requiredac0_.USER_ID as USER_ID2_77_0_, requiredac0_.REQUIRED_ACTION > as REQUIRED1_77_0_, requiredac0_.REQUIRED_ACTION as REQUIRED1_77_1_, > requiredac0_.USER_ID as USER_ID2_77_1_ from USER_REQUIRED_ACTION > requiredac0_ where > requiredac0_.USER_ID='94525793-297b-4895-ab2b-7cf8b580e9fa' > > > So, in total, for 150 users, Keycloak is making 901 requests to the > database! If I increase the number to 500 users, will it be 30001 > requests??? > > How can this be improved? Is there something wrong I'm doing in the > configuration? Does this happens only with Federated users? > > Thanks! > > -- > *Cesar Salazar* > Development Manager > DEVSU | www.devsu.com > skype: cesarsalazar007 > P: (213)-291-0752 <(213)%20291-0752> > M: +593 9 2917 160 (Ecuador) > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > -- *Cesar Salazar* Development Manager DEVSU | www.devsu.com skype: cesarsalazar007 P: (213)-291-0752 M: +593 9 2917 160 (Ecuador) From jens.schliesser at gmail.com Thu Jan 4 10:27:57 2018 From: jens.schliesser at gmail.com (Jens Schliesser) Date: Thu, 4 Jan 2018 16:27:57 +0100 Subject: [keycloak-user] Keycloak JS + Cordova Adapter + iOS Message-ID: Hello, we have a Angular4 web application running with keycloak.js that works great. We are now trying to put this application into a cordova container running on iOS, but in the login function of the keycloak cordova adapter var loginUrl = kc.createLoginUrl(options); var ref = window.open(loginUrl, '_blank', o); ref is always null, so adding the event listener fails ?!? We are bootstrapping (main.ts) our angular application like this: function bootstrapKeyCloak() { KeycloakService.init({ 'url': environment.keycloakConfig.url, 'realm': environment.keycloakConfig.realm, 'clientId': environment.keycloakConfig.clientId, }, { onLoad: 'login-required', flow: 'standard' }).then(() => { platformBrowserDynamic().bootstrapModule(AppModule); }).catch((e: any) => { alert(e); }); } if (typeof window['cordova'] !== 'undefined') { if(document) { document.addEventListener('deviceready', () => { bootstrapKeyCloak(); }, false); } } else { bootstrapKeyCloak(); } Any ideas why window.open fails and how to fix this? -- Kind Regards, Jens Schliesser From s.hoffman at xsb.com Thu Jan 4 15:23:35 2018 From: s.hoffman at xsb.com (Steve Hoffman) Date: Thu, 4 Jan 2018 14:23:35 -0600 (CST) Subject: [keycloak-user] Add required action "Update Password" to all users after Password Policy change In-Reply-To: References: <1095562809.16778079.1514997574414.JavaMail.zimbra@xsb.com> Message-ID: <580807947.17116970.1515097415839.JavaMail.zimbra@xsb.com> I was looking for a shortcut rather than invoking the REST API for each individual user, which is what I ended up doing in a quick utility. The documentation seems to indicate a new feature would be added soon and/or in the future. Guess I was hoping it already existed and hadn't made it into the docs yet. Thanks, -Stephen Hoffman ----- Original Message ----- From: "Marek Posolda" To: "Steve Hoffman" , "keycloak-user" Sent: Thursday, January 4, 2018 5:44:13 AM Subject: Re: [keycloak-user] Add required action "Update Password" to all users after Password Policy change I guess you can go to tab "Required actions" in the admin console and switch the checkbox for "Update Password" required action to "default" . Then all new users should automatically be added to this action AFAIK. If it's not sufficient, the easiest is likely really to update each user and manually add requiredAction to him. I would do it with admin REST API. Marek On 03/01/18 17:39, Steve Hoffman wrote: > Currently updating the Password Policy for a realm, and I was looking for an easier (safer) way of forcing users to update password on login once we've set our new preferences. > > I'm aware that I can iterate through the users in the admin console (time/cost prohibitive) or POST/Update to the Admin REST API for each individual user after a GET for the user list. > > Is there another simpler built-in mechanism that I'm overlooking? > > Thanks, > Stephen Hoffman > -- XSB, Inc Office (631) 371-8100 Ext. 8128 Mobile (631) 579-9857 Fax (631) 382-8228 http://www.xsb.com/ DISCLAIMER: This e-mail is intended for the use of the addressee(s) only and may contain privileged, confidential, or proprietary information that is exempt from disclosure under law. If you are not the intended recipient, please do not read, copy, use or disclose the contents of this communication to others. Please notify the sender that you have received this e-mail in error by replying to the e-mail. Please then delete the e-mail and destroy any copies of it. Thank you. From mposolda at redhat.com Thu Jan 4 16:06:40 2018 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 4 Jan 2018 22:06:40 +0100 Subject: [keycloak-user] OpenID Connect IdP and nonce parameter In-Reply-To: <49fc1c6b-a2a4-282b-6d69-ac458734923f@worteks.com> References: <49fc1c6b-a2a4-282b-6d69-ac458734923f@worteks.com> Message-ID: <9c40afc7-bddd-3951-4d30-9f2bdfa1bc1d@redhat.com> Yes, Keycloak doesn't add "nonce" to the requests to identity providers. But IMO that's not the Keycloak's fault that your scenario doesn't work because "nonce" is not required, but just "optional" per OIDC specification in Authorization Code flow. See [1] . Is FranceConnect using Authorization Code Flow or some other OIDC/OAuth2 flow? If it's using some other flow (EG. Implicit flow), is it possible to switch it to use Authorization Code flow instead? If it already uses Authorization Code flow, then it's mistake on their side as "nonce" is optional parameter per specs, so they shouldn't require it though. Still, you can maybe create JIRA in Keycloak for adding nonce. There shouldn't be any significant issue with adding it (besides the URL to identityProviders will be a bit longer). [1] http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest Marek On 04/01/18 15:59, Rapha?l HOAREAU wrote: > Hi, > > I'm facing an issue where I use an external oidc IdP (FranceConnect) for > my users to log in. > > When trying to login with this provider, i have this error : > > {"status":"fail","message":"The following fields are missing or empty : nonce"} > > If i put, manually, &nonce=someRandomInt, in the URL, the process continues. > > Am i missing something in my Identity Provider configuration ? Is there > a way to add a parameter when requesting the external provider ? > > > Regards, > > Rapha?l HOAREAU. > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Thu Jan 4 16:17:01 2018 From: mposolda at redhat.com (Marek Posolda) Date: Thu, 4 Jan 2018 22:17:01 +0100 Subject: [keycloak-user] [Feature request] Adding scheduled tasks / change order of required actions / searchable user attributes In-Reply-To: References: Message-ID: <11173036-2963-92f7-4834-3a8e63c84027@redhat.com> On 04/01/18 15:12, Tom?s Garc?a wrote: > Hi, > > I'm trying to fulfill the needs of the GDPR of my company in Keycloak > and I noticed these things: > > - I cannot add a scheduled task. I don't know where to put code like you > have in KeycloakApplication like: > TimerProvider timer = session.getProvider(TimerProvider.class); > timer.schedule(new > ClusterAwareScheduledTaskRunner(sessionFactory, new ClearExpiredEvents(), > interval), interval, "ClearExpiredEvents"); > > , so I can add a recurrent task starting from the startup of Keycloak. My > use case is that I want to remove users that didn't verify their email or > accepted terms & conditions after a week of first registration. So I was > thinking to add a task to be run daily to do that. There are ways to do that indirectly. For example, you can create custom provider of any type and add this to the "postInit" method here. But rather listen to the PostMigrationEven to ensure that tasks are triggered after the DB migration is finished. See for example InfinispanAuthenticationSessionProviderFactory.postInit for inspiration. > > - The order of required actions execution is in alphabetical order, so if I > wanted a custom required action to be run after the "Verify email" action I > need to be sure that the name of my custom required action starts with "W" > at least. An UI interface like what we already have in the Authenticators > part would be nice. +1 that it would be nice. On the other hand, is it a big issue to create the action starting with "W" ? Feel free to create JIRA for add priority to requiredActions, just not sure when it will be done (unless you send PR by yourself :) > > - There are no facilities inside Keycloak to search users with a specific > attribute key or value. It would be nice too to have long integers as > attibute values, in case we want to search for users with greater / less > than a specific timestamp attribute like the one you use in the terms & > conditions required action. For example, for the removal task, I'd like to > search for users without a custom attribute, then I'll remove those. I > guess I'll just extend the data model if needed to workaround this issue. There is model method for search by attribute - UserProvider.searchForUserByUserAttribute . There is no REST endpoint, but you can create your own custom REST endpoint for this though if you need it. But if you need to use this from your requiredAction, it should work fine. > > - If someone declines the terms & conditions, the user is redirected to a > blank page with an "error" in the screen. I don't care about this since I'm > going to make my custom required action if I can find an alternative for > the things I'm saying above. > > If I'm wrong about something, please let me know. > > Thanks, > Tom?s > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From sthorger at redhat.com Fri Jan 5 03:02:53 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 5 Jan 2018 09:02:53 +0100 Subject: [keycloak-user] CORS in Keycloak 3.4 In-Reply-To: References: Message-ID: https://github.com/keycloak/keycloak/tree/master/examples/cors On 4 January 2018 at 08:55, Jonas Sch?nenberger < jonas.schoenenberger at gmail.com> wrote: > Hey there > > I?ve been trying to figure out how to enable CORS in the later versions of > KeyCloak. I can?t seem to find a valid way to achieve this besides > hardcoding response headers in the standalone.xml. I?m using a standalone > deployment. > I know the functionality to handle preflight and other CORS scenarios is > there, so there must be surely a way to activate it? > > Could somebody enlighten me please? > > Thanks a lot > Jonas > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From tomas at intrahouse.com Fri Jan 5 03:08:18 2018 From: tomas at intrahouse.com (=?UTF-8?B?VG9tw6FzIEdhcmPDrWE=?=) Date: Fri, 05 Jan 2018 08:08:18 +0000 Subject: [keycloak-user] [Feature request] Adding scheduled tasks / change order of required actions / searchable user attributes In-Reply-To: <11173036-2963-92f7-4834-3a8e63c84027@redhat.com> References: <11173036-2963-92f7-4834-3a8e63c84027@redhat.com> Message-ID: On Thu, Jan 4, 2018 at 9:17 PM Marek Posolda wrote: > On 04/01/18 15:12, Tom?s Garc?a wrote: > > Hi, > > > > I'm trying to fulfill the needs of the GDPR of my company in Keycloak > > and I noticed these things: > > > > - I cannot add a scheduled task. I don't know where to put code like you > > have in KeycloakApplication like: > > TimerProvider timer = > session.getProvider(TimerProvider.class); > > timer.schedule(new > > ClusterAwareScheduledTaskRunner(sessionFactory, new ClearExpiredEvents(), > > interval), interval, "ClearExpiredEvents"); > > > > , so I can add a recurrent task starting from the startup of Keycloak. My > > use case is that I want to remove users that didn't verify their email or > > accepted terms & conditions after a week of first registration. So I was > > thinking to add a task to be run daily to do that. > There are ways to do that indirectly. For example, you can create custom > provider of any type and add this to the "postInit" method here. But > rather listen to the PostMigrationEven to ensure that tasks are > triggered after > the DB migration is finished. See for example > InfinispanAuthenticationSessionProviderFactory.postInit for inspiration. > > > Thanks! > - The order of required actions execution is in alphabetical order, so if > I > > wanted a custom required action to be run after the "Verify email" > action I > > need to be sure that the name of my custom required action starts with > "W" > > at least. An UI interface like what we already have in the Authenticators > > part would be nice. > +1 that it would be nice. On the other hand, is it a big issue to create > the action starting with "W" ? > > Feel free to create JIRA for add priority to requiredActions, just not > sure when it will be done (unless you send PR by yourself :) > > > Absolutely not :D I'll do that in the mean time. I'll create the JIRA issue too. > - There are no facilities inside Keycloak to search users with a specific > > attribute key or value. It would be nice too to have long integers as > > attibute values, in case we want to search for users with greater / less > > than a specific timestamp attribute like the one you use in the terms & > > conditions required action. For example, for the removal task, I'd like > to > > search for users without a custom attribute, then I'll remove those. I > > guess I'll just extend the data model if needed to workaround this issue. > There is model method for search by attribute - > UserProvider.searchForUserByUserAttribute . There is no REST endpoint, > but you can create your own custom REST endpoint for this though if you > need it. But if you need to use this from your requiredAction, it should > work fine. > > > I missed that! Thanks. > - If someone declines the terms & conditions, the user is redirected to a > > blank page with an "error" in the screen. I don't care about this since > I'm > > going to make my custom required action if I can find an alternative for > > the things I'm saying above. > > > > If I'm wrong about something, please let me know. > > > I forgot to say I'll open a JIRA for this too anyway. > Thanks, > > Tom?s > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From moritz.keppler at daimler.com Fri Jan 5 05:08:23 2018 From: moritz.keppler at daimler.com (moritz.keppler at daimler.com) Date: Fri, 05 Jan 2018 10:08:23 +0000 Subject: [keycloak-user] cockroachdb In-Reply-To: References: Message-ID: <8bba78d6b9e6477d95113c7adb090337@DE35S004EXC1H.wp.corpintra.net> Hi Simon, we got that running - not in a production environment but as a demo. We had to: (1) update the liquibase version used. The one keycloak uses generates some SQL statements cockroachdb 1.0 does not support. (2) patch the DefaultLiquibaseConnectionProvider in a way that no "SELECT FOR UPDATE" is generated. This breaks the lock functionality, definitely not recommended in an productive environment! (see https://github.com/cockroachdb/cockroach/issues/6583) (3) generate liquibase scripts cockroach is able to understand. The most important thing is that a primary key has to be defined during table creation. To do so we applied all scripts to a postgres instance, generated a changeset from this db via liquibase, rewrote it to be cockroach compatible, applied it to a cockroach instance and filled the liquibase changelog tables so that keycloak believes all changes are already applied. An alternative approach is described here https://github.com/cloudtrust/keycloak-cockroach Would be great if one day cockroachdb was supported out of the box. Moritz Keppler Daimler TSS GmbH Wilhelm-Runge-Stra?e 11 89081 Ulm/Germany mailto:moritz.keppler at daimler.com http://www.daimler-tss.com Daimler TSS GmbH Sitz und Registergericht/Domicile and Register Court: Ulm, HRB-Nr./Commercial Register No.: 3844 Gesch?ftsf?hrung/Management: Christoph R?ger (Vorsitzender/Chairperson), Steffen B?uerle -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Simon Payne Sent: Thursday, January 04, 2018 3:21 PM To: keycloak-user Subject: [keycloak-user] cockroachdb Hi, has anyone successfully managed to use cockroachdb with keycloak? if so, what steps were taken? thanks Simon. _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. From raphoa at worteks.com Fri Jan 5 05:34:49 2018 From: raphoa at worteks.com (=?UTF-8?Q?Rapha=c3=abl_HOAREAU?=) Date: Fri, 5 Jan 2018 11:34:49 +0100 Subject: [keycloak-user] OpenID Connect IdP and nonce parameter In-Reply-To: <9c40afc7-bddd-3951-4d30-9f2bdfa1bc1d@redhat.com> References: <49fc1c6b-a2a4-282b-6d69-ac458734923f@worteks.com> <9c40afc7-bddd-3951-4d30-9f2bdfa1bc1d@redhat.com> Message-ID: Marek, Thank you for the explanations. FranceConnect already seems to use Authorization Code flow, but defines "nonce" as a mandatory field : https://partenaires.franceconnect.gouv.fr/fournisseur-service FR : "NONCE Champ obligatoire, g?n?r? al?atoirement par le FS que FC renvoie tel quel dans la r?ponse ? l'appel ? /token, pour ?tre ensuite v?rifi? par le FS. Il est utilis? pour emp?cher les attaques par rejeu" EN : "NONCE Mandatory field, ramdonly generated by FS (client) that FC (FranceConnect) resend as-is in the request to /token, to be verified by the FS. It is used to prevent replay attacks" I'll create a JIRA in Keycloak. Rapha?l. Le 04/01/2018 ? 22:06, Marek Posolda a ?crit?: > Yes, Keycloak doesn't add "nonce" to the requests to identity > providers. But IMO that's not the Keycloak's fault that your scenario > doesn't work because "nonce" is not required, but just "optional" per > OIDC specification in Authorization Code flow. See [1] . > > Is FranceConnect using Authorization Code Flow or some other > OIDC/OAuth2 flow? If it's using some other flow (EG. Implicit flow), > is it possible to switch it to use Authorization Code flow instead? If > it already uses Authorization Code flow, then it's mistake on their > side as "nonce" is optional parameter per specs, so they shouldn't > require it though. > > Still, you can maybe create JIRA in Keycloak for adding nonce. There > shouldn't be any significant issue with adding it (besides the URL to > identityProviders will be a bit longer). > > [1] http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest > > Marek > > > On 04/01/18 15:59, Rapha?l HOAREAU wrote: >> Hi, >> >> I'm facing an issue where I use an external oidc IdP (FranceConnect) for >> my users to log in. >> >> When trying to login with this provider, i have this error : >> >> {"status":"fail","message":"The following fields are missing or empty >> : nonce"} >> >> If i put, manually, &nonce=someRandomInt, in the URL, the process >> continues. >> >> Am i missing something in my Identity Provider configuration ? Is there >> a way to add a parameter when requesting the external provider ? >> >> >> Regards, >> >> Rapha?l HOAREAU. >> >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > From simonpayne58 at gmail.com Fri Jan 5 06:26:17 2018 From: simonpayne58 at gmail.com (Simon Payne) Date: Fri, 5 Jan 2018 11:26:17 +0000 Subject: [keycloak-user] cockroachdb In-Reply-To: <8bba78d6b9e6477d95113c7adb090337@DE35S004EXC1H.wp.corpintra.net> References: <8bba78d6b9e6477d95113c7adb090337@DE35S004EXC1H.wp.corpintra.net> Message-ID: thanks for the information, i've already identified the issues you mention in step 3 and have been overcoming in a similar manner, however, i wasn't aware that to 'fix' the select for update also meant breaking the locking functionality. do we know whether keycloak execute SELECT FOR UPDATE as part of use case invocation or only during the liquibase schema alterations? Simon On Fri, Jan 5, 2018 at 10:08 AM, wrote: > Hi Simon, > > we got that running - not in a production environment but as a demo. > > We had to: > (1) update the liquibase version used. The one keycloak uses generates > some SQL statements cockroachdb 1.0 does not support. > (2) patch the DefaultLiquibaseConnectionProvider in a way that no "SELECT > FOR UPDATE" is generated. This breaks the lock functionality, definitely > not recommended in an productive environment! > (see https://github.com/cockroachdb/cockroach/issues/6583) > (3) generate liquibase scripts cockroach is able to understand. The most > important thing is that a primary key has to be defined during table > creation. > To do so we applied all scripts to a postgres instance, generated a > changeset from this db via liquibase, rewrote it to be cockroach > compatible, applied it to a cockroach instance and filled the liquibase > changelog tables so that keycloak believes all changes are already applied. > An alternative approach is described here https://github.com/cloudtrust/ > keycloak-cockroach > > Would be great if one day cockroachdb was supported out of the box. > > Moritz Keppler > > Daimler TSS GmbH > Wilhelm-Runge-Stra?e 11 > 89081 Ulm/Germany > mailto:moritz.keppler at daimler.com > > http://www.daimler-tss.com > > Daimler TSS GmbH > Sitz und Registergericht/Domicile and Register Court: Ulm, > HRB-Nr./Commercial Register No.: 3844 Gesch?ftsf?hrung/Management: > Christoph R?ger (Vorsitzender/Chairperson), Steffen B?uerle > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces@ > lists.jboss.org] On Behalf Of Simon Payne > Sent: Thursday, January 04, 2018 3:21 PM > To: keycloak-user > Subject: [keycloak-user] cockroachdb > > Hi, > > has anyone successfully managed to use cockroachdb with keycloak? > > if so, what steps were taken? > > thanks > > Simon. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > If you are not the addressee, please inform us immediately that you have > received this e-mail by mistake, and delete it. We thank you for your > support. > > From aletundo at wikitolearn.org Fri Jan 5 06:48:38 2018 From: aletundo at wikitolearn.org (Alessandro Tundo) Date: Fri, 5 Jan 2018 12:48:38 +0100 Subject: [keycloak-user] Unable to register provider implementation: not a subtype exception Message-ID: Hi folks! Someone could help me out with this? Best regards, Alessandro 2017-12-20 16:52 GMT+01:00 Alessandro Tundo : > Hi folks! > > I followed the documentation for implementing and registering a SPI but > I'm not able to deploy it correctly. > > The raised exception is: > > *java.util.ServiceConfigurationError: > org.keycloak.credential.hash.PasswordHashProviderFactory: Provider > org.wikitolearn.keycloak.provider.MediaWikiBTypePasswordHashProviderFactory > not a subtype* > > I tried both registration ways but the outcome is the same. The .jar I'm > trying to deployt has the following structure: > > > - META-INF/services/org.keycloak.credential.hash. > PasswordHashProviderFactory > - org/wikitolearn/keycloak/provider/MediaWikiBTypePasswor > dHashProviderFactory.class > - org/wikitolearn/keycloak/provider/MediaWikiBTypePasswor > dHashProvider.class > > The factory and the provider implements respectively PasswordHashProviderFactory > and PasswordHashProvider. > > I would like also to point out that the SPI works correctly in my Keycloak > fork. But as you can imagine, a fork is not a good option. Especially when > are available more elegant ways to extend the software programatically > without a fork. > > I'm looking forward to receiving your reply asap. > > Thank you! > > Alessandro > From mposolda at redhat.com Fri Jan 5 07:54:05 2018 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 5 Jan 2018 13:54:05 +0100 Subject: [keycloak-user] OpenID Connect IdP and nonce parameter In-Reply-To: References: <49fc1c6b-a2a4-282b-6d69-ac458734923f@worteks.com> <9c40afc7-bddd-3951-4d30-9f2bdfa1bc1d@redhat.com> Message-ID: Yes, so as I mentioned, it means that there is bug on their side as they claim the "nonce" field as mandatory even if it's not per specs. So I suggest to create JIRA on their side too. For our side, feel free to create JIRA to add "nonce", but it's not a bug, rather feature request. As we don't break specs anyhow. Marek On 05/01/18 11:34, Rapha?l HOAREAU wrote: > Marek, > > Thank you for the explanations. > > FranceConnect already seems to use Authorization Code flow, but > defines "nonce" as a mandatory field : > > https://partenaires.franceconnect.gouv.fr/fournisseur-service > > FR : "NONCE Champ obligatoire, g?n?r? al?atoirement par le FS que FC > renvoie tel quel dans la r?ponse ? l'appel ? /token, pour ?tre ensuite > v?rifi? par le FS. Il est utilis? pour emp?cher les attaques par rejeu" > > EN : "NONCE Mandatory field, ramdonly generated by FS (client) that FC > (FranceConnect) resend as-is in the request to /token, to be verified > by the FS. It is used to prevent replay attacks" > > I'll create a JIRA in Keycloak. > > Rapha?l. > > Le 04/01/2018 ? 22:06, Marek Posolda a ?crit : >> Yes, Keycloak doesn't add "nonce" to the requests to identity >> providers. But IMO that's not the Keycloak's fault that your scenario >> doesn't work because "nonce" is not required, but just "optional" per >> OIDC specification in Authorization Code flow. See [1] . >> >> Is FranceConnect using Authorization Code Flow or some other >> OIDC/OAuth2 flow? If it's using some other flow (EG. Implicit flow), >> is it possible to switch it to use Authorization Code flow instead? >> If it already uses Authorization Code flow, then it's mistake on >> their side as "nonce" is optional parameter per specs, so they >> shouldn't require it though. >> >> Still, you can maybe create JIRA in Keycloak for adding nonce. There >> shouldn't be any significant issue with adding it (besides the URL to >> identityProviders will be a bit longer). >> >> [1] http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest >> >> Marek >> >> >> On 04/01/18 15:59, Rapha?l HOAREAU wrote: >>> Hi, >>> >>> I'm facing an issue where I use an external oidc IdP (FranceConnect) >>> for >>> my users to log in. >>> >>> When trying to login with this provider, i have this error : >>> >>> {"status":"fail","message":"The following fields are missing or >>> empty : nonce"} >>> >>> If i put, manually, &nonce=someRandomInt, in the URL, the process >>> continues. >>> >>> Am i missing something in my Identity Provider configuration ? Is there >>> a way to add a parameter when requesting the external provider ? >>> >>> >>> Regards, >>> >>> Rapha?l HOAREAU. >>> >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > From juandiego83 at gmail.com Fri Jan 5 11:28:53 2018 From: juandiego83 at gmail.com (Juan Diego) Date: Fri, 5 Jan 2018 11:28:53 -0500 Subject: [keycloak-user] changing password not working with api Message-ID: Hi, I did some tests months ago, and I was pretty sure the following code worked. Now when I am trying to implement a password change it doesnt work. I am using basically the same way to change the last name of the users, and it works. I can see the last name change in the keycloak server. But when i try to login to the user that i just changed the password I have to use and the old password. Anyway this is my code: UserResource ur = kc.realm(realm).users().get(id); UserRepresentation user = ur.toRepresentation(); CredentialRepresentation credential = new CredentialRepresentation(); credential.setType(CredentialRepresentation.PASSWORD); credential.setValue(password); credential.setTemporary(false); user.setCredentials(asList(credential)); ur.update(user); From juandiego83 at gmail.com Fri Jan 5 11:47:24 2018 From: juandiego83 at gmail.com (Juan Diego) Date: Fri, 5 Jan 2018 11:47:24 -0500 Subject: [keycloak-user] changing password not working with api In-Reply-To: References: Message-ID: Nevermind, I am an idiot. I am using this now ur.resetPassword(credential); On Fri, Jan 5, 2018 at 11:28 AM, Juan Diego wrote: > Hi, > > I did some tests months ago, and I was pretty sure the following code > worked. Now when I am trying to implement a password change it doesnt > work. I am using basically the same way to change the last name of the > users, and it works. I can see the last name change in the keycloak > server. But when i try to login to the user that i just changed the > password I have to use and the old password. > > Anyway this is my code: > > > UserResource ur = kc.realm(realm).users().get(id); > UserRepresentation user = ur.toRepresentation(); > > CredentialRepresentation credential = new CredentialRepresentation(); > credential.setType(CredentialRepresentation.PASSWORD); > credential.setValue(password); > credential.setTemporary(false); > user.setCredentials(asList(credential)); > > ur.update(user); > From jonas.schoenenberger at gmail.com Fri Jan 5 13:30:42 2018 From: jonas.schoenenberger at gmail.com (=?UTF-8?Q?Jonas_Sch=C3=B6nenberger?=) Date: Fri, 5 Jan 2018 19:30:42 +0100 Subject: [keycloak-user] CORS in Keycloak 3.4 In-Reply-To: References: Message-ID: Hi Stian Thank you for your reply. Are you referring to the Web Origins in the realm config? They are only relevant for the client's Handling of CORS Requests and not keycloaks own responses/request handling - right? I don't have a problem on the clients but rather on keycloak itself - keycloak shall send/add CORS Headers on requests most likely like Miro mentioned in his blog article but it doesn't work for me: https://mirocupak.com/securing-web-applications-with-keycloak-and-cli/ (enable-cors). Any pointers as to how to activate that in a standalone instance for a realm or the whole instance? Thanks again Jonas On Fri, Jan 5, 2018 at 9:02 AM, Stian Thorgersen wrote: > https://github.com/keycloak/keycloak/tree/master/examples/cors > > On 4 January 2018 at 08:55, Jonas Sch?nenberger < > jonas.schoenenberger at gmail.com> wrote: > >> Hey there >> >> I?ve been trying to figure out how to enable CORS in the later versions of >> KeyCloak. I can?t seem to find a valid way to achieve this besides >> hardcoding response headers in the standalone.xml. I?m using a standalone >> deployment. >> I know the functionality to handle preflight and other CORS scenarios is >> there, so there must be surely a way to activate it? >> >> Could somebody enlighten me please? >> >> Thanks a lot >> Jonas >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From ogusakov at cisco.com Fri Jan 5 14:42:23 2018 From: ogusakov at cisco.com (Oleg Gusakov (ogusakov)) Date: Fri, 5 Jan 2018 19:42:23 +0000 Subject: [keycloak-user] login-status-iframe.html returning 403 with init parameters Message-ID: <89d03390ca4e4c06ae6188d1a46ca9d1@XCH-RCD-005.cisco.com> I am trying to use the keycloak js adapter to manage the OIDC session. I am able to load the login-status-iframe.html page by itself when not using any init parameters. However, when the init parameters are added: login-status-iframe.html/init?client_id=someclient&origin=https%3A%2F%2Flocalhost%3A8443, the iframe receives a 403 response. From diederen at nlcom.nl Mon Jan 8 06:03:53 2018 From: diederen at nlcom.nl (Robin Diederen) Date: Mon, 8 Jan 2018 11:03:53 +0000 Subject: [keycloak-user] KeyCloak and Azure Active Directory / response_type Message-ID: Hello all, I?m trying to make KeyCloak (3.4.0 Final) work with Microsoft Azure AD using the OpenID Connect protocol (OIDC). My goal is for KeyCloak to be an identity broker between a number of in-house clients and Azure AD as identity backend. After configuring the appropriate endpoints for OIDC / oAuth v2.0 and some clients, upon hitting my client with my browser, KeyCloak redirects me to the Microsoft login page. Logging in works fine and my client / app is correctly recognized by Microsoft. However, when redirected back to KeyCloak, I?m presented with an error. Upon further investigation I?ve noticed that KeyCloak reports this error in its logs: ?Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server.?. This seems to be related to the response_type attribute, which is to be set from KeyCloak upon calling the Microsoft login page. Up till now, I did not find any way to make KeyCloak include this parameter with the preffered value, being ?response_type=token_id?. KeyCloak however does include ?response_type=code?, yet Microsoft doesn?t seem to like this. So here?s my question: how can I instruct KeyCloak to include this parameter to make it work with AzureAD? I?ve tried a number of settings in the client page, such as implicit and standard flow enabed / disabled, however, to no avail. Any help is greatly appreciated. Best, Robin From thomas.darimont at googlemail.com Mon Jan 8 06:20:13 2018 From: thomas.darimont at googlemail.com (Thomas Darimont) Date: Mon, 8 Jan 2018 12:20:13 +0100 Subject: [keycloak-user] Forward Keycloak Events to Kafka Message-ID: Hello, just wanted to know if someone on this mailinglist has already built a keycloak extension that forwards Keycloak user / admin events to Kafka? Cheers, Thomas From benjamin.garcia at protonmail.com Mon Jan 8 08:21:13 2018 From: benjamin.garcia at protonmail.com (Benjamin garcia) Date: Mon, 08 Jan 2018 08:21:13 -0500 Subject: [keycloak-user] security question Message-ID: Hello, I would like to use keycloack on my architechture, but I have (maybe) an issue in my design : I have 3 applications : - angularjs apps for the frontend - a scalatra API to reponse to frontend throw http and which ask springboot app some datas, - a springboot app for crud request on databases. I would like to transfert bearer authentication from the front to springboot app throw scalatra API to ensure that request send on DB is from the right user. I don't really sure that's the right use case. Because, in my mind, If I use keycloack, it's to not modify some part of my code base with security knowledge. But in this use case, I'm mandatory to give jwt token on all my stak (which is not really cool). Does somebody kown if I can do that or if it exist a better way? Regards Benjamin Garcia From kevprice at redhat.com Mon Jan 8 08:54:41 2018 From: kevprice at redhat.com (Kevin Price) Date: Mon, 8 Jan 2018 14:54:41 +0100 Subject: [keycloak-user] CORS support Message-ID: <90B7A30E-74A0-4054-8D21-852B43069503@redhat.com> Hi everyone, I?m on the support team with the 3scale product and I?m currently writing a JS client for our Developer Portal to be used with RH SSO & our interactive documentation tool. So I have a question around supporting CORS on the keycloak server. I?m currently just running my key cloak instance as a native Java app server, is there any way to configure CORS either on the server level or realm level? Typically users would log into the portal to test their own application (client) credentials via the Swagger specification, however, this means every individual application stored in the Keycloak server needs to have the Web Origins field configured to allow requests from the developer portal domain. I would prefer to avoid this additional configuration. Apologies in advance if this is already covered in your documentation but I did take a look and I couldn?t find anything relevant. Appreciate any help on this. Regards, Kevin Price From pkboucher801 at gmail.com Mon Jan 8 10:25:32 2018 From: pkboucher801 at gmail.com (Peter K. Boucher) Date: Mon, 8 Jan 2018 10:25:32 -0500 Subject: [keycloak-user] Does Keycloak support a "Minimum password age"? Message-ID: <003101d38894$ecaaa4e0$c5ffeea0$@gmail.com> We have a customer requirement that users not be able to change their passwords more frequently than once per day. We are currently using Keycloak 3.1. Does any later version of Keycloak support (or plan to support) a "Minimum password age"? Thanks! From tahonen at redhat.com Mon Jan 8 12:43:10 2018 From: tahonen at redhat.com (Tero Ahonen) Date: Mon, 8 Jan 2018 19:43:10 +0200 Subject: [keycloak-user] CORS support In-Reply-To: <90B7A30E-74A0-4054-8D21-852B43069503@redhat.com> References: <90B7A30E-74A0-4054-8D21-852B43069503@redhat.com> Message-ID: <12490D40-FB79-4032-A63A-43DB945928DE@redhat.com> If you?re running keycloak on Wildfly, you can use undertow subsystem filter to write CORS headers to all request. Something like in this post https://forum.camunda.org/t/enable-cors-on-wildfly/673 .t > On 8 Jan 2018, at 15.54, Kevin Price wrote: > > Hi everyone, > > I?m on the support team with the 3scale product and I?m currently writing a JS client for our Developer Portal to be used with RH SSO & our interactive documentation tool. So I have a question around supporting CORS on the keycloak server. > > I?m currently just running my key cloak instance as a native Java app server, is there any way to configure CORS either on the server level or realm level? Typically users would log into the portal to test their own application (client) credentials via the Swagger specification, however, this means every individual application stored in the Keycloak server needs to have the Web Origins field configured to allow requests from the developer portal domain. I would prefer to avoid this additional configuration. > > Apologies in advance if this is already covered in your documentation but I did take a look and I couldn?t find anything relevant. > > Appreciate any help on this. > > Regards, > > Kevin Price > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From carreraariel at gmail.com Mon Jan 8 14:26:55 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Mon, 8 Jan 2018 16:26:55 -0300 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: Checked with other computer (windows 10 + windows defender). keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 2018-01-03 17:44 GMT-03:00 Ramunas : > * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file > * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder > with Windows Defender on Windows 10 - no issues found > * checked for Windows updates. New update "Definition Update for Windows > Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found and > installed. > * scanned again. No issues found. > > Ram?nas > -- Ariel Carrera From carreraariel at gmail.com Mon Jan 8 14:56:18 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Mon, 8 Jan 2018 16:56:18 -0300 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: Hi Stian, I checked differences in keycloak.min.js comparing version 3.4.1 to 3.4.2. I can't see a problem at first sight... but It's still a problem to see your antivirus alerting for a threat when your browser access to a page that uses "keycloak.min.js" or when your somebody get's a keycloak's distribution to be installed. Maybe this issue must to be in Jira. Last changes in javascript file can be the problem. Maybe function "processInit()" needs some changes. Regards, 2018-01-08 16:26 GMT-03:00 Ariel Carrera : > Checked with other computer (windows 10 + windows defender). > > keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 > > > 2018-01-03 17:44 GMT-03:00 Ramunas : > >> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file >> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder >> with Windows Defender on Windows 10 - no issues found >> * checked for Windows updates. New update "Definition Update for Windows >> Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found and >> installed. >> * scanned again. No issues found. >> >> Ram?nas >> > > > > -- > Ariel Carrera > -- Ariel Carrera From carreraariel at gmail.com Mon Jan 8 15:18:29 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Mon, 8 Jan 2018 17:18:29 -0300 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: "when your somebody get's a keycloak's distribution to be installed" read like: "when someone gets Keycloak to be installed" xD 2018-01-08 16:56 GMT-03:00 Ariel Carrera : > Hi Stian, I checked differences in keycloak.min.js comparing version 3.4.1 > to 3.4.2. > I can't see a problem at first sight... but It's still a problem to see > your antivirus alerting for a threat when your browser access to a page > that uses "keycloak.min.js" or when your somebody get's a keycloak's > distribution to be installed. > > Maybe this issue must to be in Jira. > > Last changes in javascript file can be the problem. > > Maybe function "processInit()" needs some changes. > > Regards, > > 2018-01-08 16:26 GMT-03:00 Ariel Carrera : > >> Checked with other computer (windows 10 + windows defender). >> >> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 >> >> >> 2018-01-03 17:44 GMT-03:00 Ramunas : >> >>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file >>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder >>> with Windows Defender on Windows 10 - no issues found >>> * checked for Windows updates. New update "Definition Update for Windows >>> Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found and >>> installed. >>> * scanned again. No issues found. >>> >>> Ram?nas >>> >> >> >> >> -- >> Ariel Carrera >> > > > > -- > Ariel Carrera > -- Ariel Carrera From alessandro.meyer at gmail.com Mon Jan 8 16:50:07 2018 From: alessandro.meyer at gmail.com (Alessandro Meyer) Date: Mon, 8 Jan 2018 22:50:07 +0100 Subject: [keycloak-user] CORS support In-Reply-To: <12490D40-FB79-4032-A63A-43DB945928DE@redhat.com> References: <90B7A30E-74A0-4054-8D21-852B43069503@redhat.com> <12490D40-FB79-4032-A63A-43DB945928DE@redhat.com> Message-ID: That's a very naive approach - and is not capable of preflight handling and neither flexible origin header-setting, just like the last comment says on the link. On Mon, Jan 8, 2018 at 6:43 PM, Tero Ahonen wrote: > If you?re running keycloak on Wildfly, you can use undertow subsystem > filter to write CORS headers to all request. Something like in this post > > https://forum.camunda.org/t/enable-cors-on-wildfly/673 > > > .t > > > On 8 Jan 2018, at 15.54, Kevin Price wrote: > > > > Hi everyone, > > > > I?m on the support team with the 3scale product and I?m currently > writing a JS client for our Developer Portal to be used with RH SSO & our > interactive documentation tool. So I have a question around supporting CORS > on the keycloak server. > > > > I?m currently just running my key cloak instance as a native Java app > server, is there any way to configure CORS either on the server level or > realm level? Typically users would log into the portal to test their own > application (client) credentials via the Swagger specification, however, > this means every individual application stored in the Keycloak server needs > to have the Web Origins field configured to allow requests from the > developer portal domain. I would prefer to avoid this additional > configuration. > > > > Apologies in advance if this is already covered in your documentation > but I did take a look and I couldn?t find anything relevant. > > > > Appreciate any help on this. > > > > Regards, > > > > Kevin Price > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From tahonen at redhat.com Tue Jan 9 01:00:07 2018 From: tahonen at redhat.com (Tero Ahonen) Date: Tue, 09 Jan 2018 06:00:07 +0000 Subject: [keycloak-user] CORS support In-Reply-To: References: <90B7A30E-74A0-4054-8D21-852B43069503@redhat.com> <12490D40-FB79-4032-A63A-43DB945928DE@redhat.com> Message-ID: Totally true, yet easy to get working. .t On Mon, 8 Jan 2018 at 23.50, Alessandro Meyer wrote: > That's a very naive approach - and is not capable of preflight handling > and neither flexible origin header-setting, just like the last comment says > on the link. > > On Mon, Jan 8, 2018 at 6:43 PM, Tero Ahonen wrote: > >> If you?re running keycloak on Wildfly, you can use undertow subsystem >> filter to write CORS headers to all request. Something like in this post >> >> https://forum.camunda.org/t/enable-cors-on-wildfly/673 >> >> >> .t >> >> > On 8 Jan 2018, at 15.54, Kevin Price wrote: >> > >> > Hi everyone, >> > >> > I?m on the support team with the 3scale product and I?m currently >> writing a JS client for our Developer Portal to be used with RH SSO & our >> interactive documentation tool. So I have a question around supporting CORS >> on the keycloak server. >> > >> > I?m currently just running my key cloak instance as a native Java app >> server, is there any way to configure CORS either on the server level or >> realm level? Typically users would log into the portal to test their own >> application (client) credentials via the Swagger specification, however, >> this means every individual application stored in the Keycloak server needs >> to have the Web Origins field configured to allow requests from the >> developer portal domain. I would prefer to avoid this additional >> configuration. >> > >> > Apologies in advance if this is already covered in your documentation >> but I did take a look and I couldn?t find anything relevant. >> > >> > Appreciate any help on this. >> > >> > Regards, >> > >> > Kevin Price >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From alessandro.meyer at gmail.com Tue Jan 9 01:11:31 2018 From: alessandro.meyer at gmail.com (Alessandro Meyer) Date: Tue, 9 Jan 2018 07:11:31 +0100 Subject: [keycloak-user] CORS support In-Reply-To: References: <90B7A30E-74A0-4054-8D21-852B43069503@redhat.com> <12490D40-FB79-4032-A63A-43DB945928DE@redhat.com> Message-ID: Maybe a little to easy - it doesn't work for my cases at least. Especially considering Keycloak is capable on its own to do it, but very few seem to know how? http://lists.jboss.org/pipermail/keycloak-user/2018- January/012680.html On Tue, Jan 9, 2018 at 7:00 AM, Tero Ahonen wrote: > Totally true, yet easy to get working. > > .t > > On Mon, 8 Jan 2018 at 23.50, Alessandro Meyer > wrote: > >> That's a very naive approach - and is not capable of preflight handling >> and neither flexible origin header-setting, just like the last comment says >> on the link. >> >> On Mon, Jan 8, 2018 at 6:43 PM, Tero Ahonen wrote: >> >>> If you?re running keycloak on Wildfly, you can use undertow subsystem >>> filter to write CORS headers to all request. Something like in this post >>> >>> https://forum.camunda.org/t/enable-cors-on-wildfly/673 >>> >>> >>> .t >>> >>> > On 8 Jan 2018, at 15.54, Kevin Price wrote: >>> > >>> > Hi everyone, >>> > >>> > I?m on the support team with the 3scale product and I?m currently >>> writing a JS client for our Developer Portal to be used with RH SSO & our >>> interactive documentation tool. So I have a question around supporting CORS >>> on the keycloak server. >>> > >>> > I?m currently just running my key cloak instance as a native Java app >>> server, is there any way to configure CORS either on the server level or >>> realm level? Typically users would log into the portal to test their own >>> application (client) credentials via the Swagger specification, however, >>> this means every individual application stored in the Keycloak server needs >>> to have the Web Origins field configured to allow requests from the >>> developer portal domain. I would prefer to avoid this additional >>> configuration. >>> > >>> > Apologies in advance if this is already covered in your documentation >>> but I did take a look and I couldn?t find anything relevant. >>> > >>> > Appreciate any help on this. >>> > >>> > Regards, >>> > >>> > Kevin Price >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> From sthorger at redhat.com Tue Jan 9 02:14:22 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 9 Jan 2018 08:14:22 +0100 Subject: [keycloak-user] Does Keycloak support a "Minimum password age"? In-Reply-To: <003101d38894$ecaaa4e0$c5ffeea0$@gmail.com> References: <003101d38894$ecaaa4e0$c5ffeea0$@gmail.com> Message-ID: No, but you can implement your own custom policy On 8 Jan 2018 8:16 pm, "Peter K. Boucher" wrote: > We have a customer requirement that users not be able to change their > passwords more frequently than once per day. > > > > We are currently using Keycloak 3.1. Does any later version of Keycloak > support (or plan to support) a "Minimum password age"? > > > > Thanks! > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From keycloak at frotscher.com Tue Jan 9 05:01:28 2018 From: keycloak at frotscher.com (Thilo Frotscher) Date: Tue, 9 Jan 2018 11:01:28 +0100 Subject: [keycloak-user] REGISTER event: firstName & lastName always NULL Message-ID: <3594b91b-a5dd-79fa-0bc5-212a9d8113f8@frotscher.com> Hi all, In our project there is a requirement to execute some actions after successful user registrations. I implemented an EventListenerProvider that listens to events of type REGISTER. The details of this event type only contain the "username" of the user that just registered, but first name and last name are missing. So I thought I could retrieve this information from the user storage. But no matter how I try to read the user information from the user storage, firstName and lastName are always null. Is this a bug or a feature? When manually logging on to the Admin Console, I can see that firstName and lastName have been correctly saved. But how can I programmatically retrieve the first name and last name of the user that just registered in my event listener? Sample code: public void onEvent(Event event) { if (!EventType.REGISTER.equals(event.getType())) { LOGGER.info("Ignoring event of type " + event.getType()); return; } String realmId = event.getRealmId(); RealmModel realm = session.realms().getRealm(realmId); String userId = event.getUserId(); Map details = event.getDetails(); String username = details.get("username"); printUser(session.users().getUserByUsername(username, realm)); printUser(session.userLocalStorage().getUserByUsername(username, realm)); printUser(session.userCache().getUserByUsername(username, realm)); printUser(session.userStorageManager().getUserByUsername(username, realm)); } private void printUser(UserModel user) { if (user==null) { LOGGER.info("User is null"); } else { LOGGER.info(user.getFirstName()); // always null LOGGER.info(user.getLastName()); // always null LOGGER.info(user.getId()); LOGGER.info(user.getEmail()); LOGGER.info(user.getUsername()); } } Actually, I believe firstName and lastName should be part of the event details in the first place... Thanks for your help! Cheers, Thilo From Tony.Harris at oneadvanced.com Tue Jan 9 05:01:16 2018 From: Tony.Harris at oneadvanced.com (Tony Harris) Date: Tue, 9 Jan 2018 10:01:16 +0000 Subject: [keycloak-user] Issue in Chrome and FF Message-ID: <843ed8be0aa24dab836f5604bbf0e845@SL1ACSEXCMB01.acsresource.com> After logging in to the admin Console in either Chrome or FF we are presented with a blank white screen and the following error in the browser console app.js:31 XHR failed loading: GET "https://xxxxxxxx.com/auth/admin/master/console/whoami". whoAmI @ app.js:31 app.js:31 GET https://xxxxxxxx.com/auth/admin/master/console/whoami net::ERR_CONNECTION_CLOSED app.js:76 Uncaught TypeError: error is not a function at app.js:76 at XMLHttpRequest.req.onreadystatechange (app.js:26) It ends up in the error handler section because the attempt to connect to the keycloak whoami end point fails with a 500 response, there is nothing in the JBoss logs. It looks very similar to the following Jira issue, but we do not end up in a redirect loop and we are not seeing the 401 Unauthorised. https://issues.jboss.org/browse/KEYCLOAK-4735 Interestingly, IE 11 gets a 200 response from the whoami end point. If we delete a recently created Realm then Chrome goes back to working, however the same realm created on another instance, it's created by a script so we know it's the same in both, of Keycloak has no issues. Other realms in this same Keycloak instance created via the script do not cause any issues. Has anyone seen this before> Server Info Server Version 3.1.0.Final Server Profile Community Server Time Tue Jan 09 09:56:53 UTC 2018 Server Uptime 11 days, 1 hour, 22 minutes, 39 seconds Memory Total Memory 455 MB Free Memory 251 MB (55%) Used Memory 204 MB System Current Working Directory /opt/jboss Java Version 1.8.0_121 Java Vendor Oracle Corporation Java Runtime OpenJDK Runtime Environment Java VM OpenJDK 64-Bit Server VM Java VM Version 25.121-b13 Java Home /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.121-0.b13.el7_3.x86_64/jre User Name jboss User Timezone UTC User Locale us_EN System Encoding ANSI_X3.4-1968 Operating System Linux 4.9.62-21.56.amzn1.x86_64 OS Architecture amd64 [cid:image012.png at 01D17AF7.D972DF70] Tony Harris Java Developer > A Sunday Times Top Track 250 Company 2016 > Proud to be a Patron of The Prince's Trust ________________________ Advanced Computer Software Group Ditton Park, Riding Court Road, Datchet, Berkshire, SL3 9LL t:08451 606 162 www.oneadvanced.com [cid:image018.png at 01D17AF7.D972DF70] [cid:image019.png at 01D17AF7.D972DF70] > A Sunday Times Top Track 250 Company 2015 > Ranked in UK's 50 fastest growing technology companies 2014 ***** Email confidentiality ***** This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. The dissemination, copying or distribution of this message, or related files, by anyone other than the intended recipient is strictly prohibited. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advanced Computer Software Group Limited. ***** Email monitoring ***** Advanced Computer Software Group Limited may monitor email traffic data and also the content of email for the purposes of security and staff training. ***** Email security ***** In keeping with good computing practice, the recipient of this email should ensure that it is virus-free. Advanced Computer Software Group Limited does not accept responsibility for any virus that may be transferred by way of this email. Email may be susceptible to data corruption, interception and/or unauthorised amendment. Advanced Computer Software Group Limited does not accept liability for any such corruption, interception or amendment or any consequences thereof. This email has been scanned for viruses by the Symantec Email Security.cloud service. Advanced Computer Software Group Limited Registered office: Ditton Park, Riding Court Road, Datchet, Berkshire, SL3 9LL, UK Registered in England under number 5965280 ________________________________ Please consider the environment: Think before you print! This message has been scanned for malware by Websense. www.websense.com -------------- next part -------------- A non-text attachment was scrubbed... Name: image001.png Type: image/png Size: 10312 bytes Desc: image001.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/007195bb/attachment-0003.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image002.png Type: image/png Size: 1482 bytes Desc: image002.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/007195bb/attachment-0004.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image003.png Type: image/png Size: 1610 bytes Desc: image003.png Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/007195bb/attachment-0005.png From sthorger at redhat.com Tue Jan 9 07:42:53 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 9 Jan 2018 13:42:53 +0100 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: Please create an issue with the details. We'll need to figure out how to reproduce the issue though. Seemed like Ramunas had tried, but that Defender wasn't reporting anything for him. On 8 January 2018 at 21:18, Ariel Carrera wrote: > "when your somebody get's a keycloak's distribution to be installed" read > like: "when someone gets Keycloak to be installed" xD > > 2018-01-08 16:56 GMT-03:00 Ariel Carrera : > >> Hi Stian, I checked differences in keycloak.min.js comparing version >> 3.4.1 to 3.4.2. >> I can't see a problem at first sight... but It's still a problem to see >> your antivirus alerting for a threat when your browser access to a page >> that uses "keycloak.min.js" or when your somebody get's a keycloak's >> distribution to be installed. >> >> Maybe this issue must to be in Jira. >> >> Last changes in javascript file can be the problem. >> >> Maybe function "processInit()" needs some changes. >> >> Regards, >> >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera : >> >>> Checked with other computer (windows 10 + windows defender). >>> >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 >>> >>> >>> 2018-01-03 17:44 GMT-03:00 Ramunas : >>> >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder >>>> with Windows Defender on Windows 10 - no issues found >>>> * checked for Windows updates. New update "Definition Update for >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found >>>> and installed. >>>> * scanned again. No issues found. >>>> >>>> Ram?nas >>>> >>> >>> >>> >>> -- >>> Ariel Carrera >>> >> >> >> >> -- >> Ariel Carrera >> > > > > -- > Ariel Carrera > From bruno at abstractj.org Tue Jan 9 08:28:36 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 09 Jan 2018 13:28:36 +0000 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: So I don't have Windows 10, but I managed to run the VM from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. After that I cloned the whole Keycloak repository https://github.com/keycloak/keycloak-js-bower. Nothing was found, please see the screenshot attached.[image: Screenshot from 2018-01-09 11-25-57.png] On Tue, Jan 9, 2018 at 10:46 AM Stian Thorgersen wrote: > Please create an issue with the details. We'll need to figure out how to > reproduce the issue though. Seemed like Ramunas had tried, but that > Defender wasn't reporting anything for him. > > On 8 January 2018 at 21:18, Ariel Carrera wrote: > > > "when your somebody get's a keycloak's distribution to be installed" > read > > like: "when someone gets Keycloak to be installed" xD > > > > 2018-01-08 16:56 GMT-03:00 Ariel Carrera : > > > >> Hi Stian, I checked differences in keycloak.min.js comparing version > >> 3.4.1 to 3.4.2. > >> I can't see a problem at first sight... but It's still a problem to see > >> your antivirus alerting for a threat when your browser access to a page > >> that uses "keycloak.min.js" or when your somebody get's a keycloak's > >> distribution to be installed. > >> > >> Maybe this issue must to be in Jira. > >> > >> Last changes in javascript file can be the problem. > >> > >> Maybe function "processInit()" needs some changes. > >> > >> Regards, > >> > >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera : > >> > >>> Checked with other computer (windows 10 + windows defender). > >>> > >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 > >>> > >>> > >>> 2018-01-03 17:44 GMT-03:00 Ramunas : > >>> > >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file > >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder > >>>> with Windows Defender on Windows 10 - no issues found > >>>> * checked for Windows updates. New update "Definition Update for > >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was > found > >>>> and installed. > >>>> * scanned again. No issues found. > >>>> > >>>> Ram?nas > >>>> > >>> > >>> > >>> > >>> -- > >>> Ariel Carrera > >>> > >> > >> > >> > >> -- > >> Ariel Carrera > >> > > > > > > > > -- > > Ariel Carrera > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -------------- next part -------------- A non-text attachment was scrubbed... Name: Screenshot from 2018-01-09 11-25-57.png Type: image/png Size: 61682 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/cd1f76c9/attachment-0001.png From Pankaj.Mahajan at harbingergroup.com Tue Jan 9 08:50:57 2018 From: Pankaj.Mahajan at harbingergroup.com (Pankaj Mahajan) Date: Tue, 9 Jan 2018 13:50:57 +0000 Subject: [keycloak-user] Inter realm authentication Message-ID: Hi Team, Is it possible to authenticate client from one realm with the IDP of other realm? Like, we have a case where, we have Client-A in Realm-A and we have to authenticate it with IDP-I which is configured in Realm-B. Is it possible in Keycloak or we need to change our approach to achieve this? Thanks & regards, Pankaj Mahajan Sent from Mail for Windows 10 From kevin.berendsen at pharmapartners.nl Tue Jan 9 09:22:16 2018 From: kevin.berendsen at pharmapartners.nl (Kevin Berendsen) Date: Tue, 9 Jan 2018 14:22:16 +0000 Subject: [keycloak-user] Inter realm authentication In-Reply-To: References: Message-ID: <897d75e1afab43c4ad38fc2ad9049adb@PHINEAS.ppg.lan> Hi Pankaj, The realms are meant to be absolutely isolated. It's not possible to authenticate a user with an authenticator from another realm. Both realms should have the same authenticators configured then to accomplish what you wish. >> -----Original Message----- >> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Pankaj Mahajan >> Sent: Tuesday, January 9, 2018 2:51 PM >> To: keycloak-user at lists.jboss.org >> Subject: [keycloak-user] Inter realm authentication >> >> Hi Team, >> >> Is it possible to authenticate client from one realm with the IDP of other realm? >> >> Like, we have a case where, we have Client-A in Realm-A and we have to authenticate it with IDP-I which is configured in Realm-B. >> >> Is it possible in Keycloak or we need to change our approach to achieve this? >> >> Thanks & regards, >> Pankaj Mahajan >> >> Sent from Mail for Windows 10 >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user From jcain at redhat.com Tue Jan 9 09:28:30 2018 From: jcain at redhat.com (Josh Cain) Date: Tue, 9 Jan 2018 08:28:30 -0600 Subject: [keycloak-user] Inter realm authentication In-Reply-To: References: Message-ID: <42ed9b39-69cb-8edc-6d52-ffebfaabb796@redhat.com> The only ways I know of to do so are through brokering. Once a brokered relationship is set up, you can either: - Have a button for "authenticate via Realm A" (or whatever text you need). Would require users to be smart enough to know they have a session/account established in the other realm. - Use the "try Realm A first" authentication option. Keycloak team might have more suggestions though. Josh Cain Senior Software Applications Engineer, RHCE Red Hat North America jcain at redhat.com IRC: jcain On 01/09/2018 07:50 AM, Pankaj Mahajan wrote: > Hi Team, > > Is it possible to authenticate client from one realm with the IDP of other realm? > > Like, we have a case where, we have Client-A in Realm-A and we have to authenticate it with IDP-I which is configured in Realm-B. > > Is it possible in Keycloak or we need to change our approach to achieve this? > > Thanks & regards, > Pankaj Mahajan > > Sent from Mail for Windows 10 > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: OpenPGP digital signature Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/7413f286/attachment.bin From bruno at abstractj.org Tue Jan 9 09:50:26 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 09 Jan 2018 14:50:26 +0000 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: So I don't have Windows 10, but I managed to run a VM from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. After that I cloned the whole Keycloak repository https://github.com/keycloak/keycloak-js-bower. Nothing was found, please see the screenshot: https://i.imgur.com/1NbFGrn.png. On Tue, Jan 9, 2018 at 10:46 AM Stian Thorgersen wrote: > Please create an issue with the details. We'll need to figure out how to > reproduce the issue though. Seemed like Ramunas had tried, but that > Defender wasn't reporting anything for him. > > On 8 January 2018 at 21:18, Ariel Carrera wrote: > > > "when your somebody get's a keycloak's distribution to be installed" > read > > like: "when someone gets Keycloak to be installed" xD > > > > 2018-01-08 16:56 GMT-03:00 Ariel Carrera : > > > >> Hi Stian, I checked differences in keycloak.min.js comparing version > >> 3.4.1 to 3.4.2. > >> I can't see a problem at first sight... but It's still a problem to see > >> your antivirus alerting for a threat when your browser access to a page > >> that uses "keycloak.min.js" or when your somebody get's a keycloak's > >> distribution to be installed. > >> > >> Maybe this issue must to be in Jira. > >> > >> Last changes in javascript file can be the problem. > >> > >> Maybe function "processInit()" needs some changes. > >> > >> Regards, > >> > >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera : > >> > >>> Checked with other computer (windows 10 + windows defender). > >>> > >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 > >>> > >>> > >>> 2018-01-03 17:44 GMT-03:00 Ramunas : > >>> > >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file > >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder > >>>> with Windows Defender on Windows 10 - no issues found > >>>> * checked for Windows updates. New update "Definition Update for > >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was > found > >>>> and installed. > >>>> * scanned again. No issues found. > >>>> > >>>> Ram?nas > >>>> > >>> > >>> > >>> > >>> -- > >>> Ariel Carrera > >>> > >> > >> > >> > >> -- > >> Ariel Carrera > >> > > > > > > > > -- > > Ariel Carrera > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From carreraariel at gmail.com Tue Jan 9 10:47:35 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Tue, 9 Jan 2018 12:47:35 -0300 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: I don't know why we have differents Windows Defender results... but it's Microsoft... Bruno, Is your Windows (inside VM) updated? What version is? Do you updated virus definitions too? I updated definitions but problem persists... Here is another screenshot: [image: Im?genes integradas 1] [image: Im?genes integradas 2] You can check my windows version in second screenshot. It is version 10.0.16299.192 (and it was tested in another machine with version ( 10.0.16299.125)). Recently, It was tested again with a third machine (at home) in another network / location / and installation. Same problem, virus detected. Maybe Microsoft has differents versions by location... I don't know... after update to last version, Windows Defender asked me to send the file to improve detection (I had not asked for this before). 2018-01-09 11:50 GMT-03:00 Bruno Oliveira : > So I don't have Windows 10, but I managed to run a VM from > https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. > > After that I cloned the whole Keycloak repository https://github.com/ > keycloak/keycloak-js-bower. Nothing was found, please see the screenshot: > https://i.imgur.com/1NbFGrn.png. > > On Tue, Jan 9, 2018 at 10:46 AM Stian Thorgersen > wrote: > >> Please create an issue with the details. We'll need to figure out how to >> reproduce the issue though. Seemed like Ramunas had tried, but that >> Defender wasn't reporting anything for him. >> >> On 8 January 2018 at 21:18, Ariel Carrera wrote: >> >> > "when your somebody get's a keycloak's distribution to be installed" >> read >> > like: "when someone gets Keycloak to be installed" xD >> > >> > 2018-01-08 16:56 GMT-03:00 Ariel Carrera : >> > >> >> Hi Stian, I checked differences in keycloak.min.js comparing version >> >> 3.4.1 to 3.4.2. >> >> I can't see a problem at first sight... but It's still a problem to see >> >> your antivirus alerting for a threat when your browser access to a page >> >> that uses "keycloak.min.js" or when your somebody get's a keycloak's >> >> distribution to be installed. >> >> >> >> Maybe this issue must to be in Jira. >> >> >> >> Last changes in javascript file can be the problem. >> >> >> >> Maybe function "processInit()" needs some changes. >> >> >> >> Regards, >> >> >> >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera : >> >> >> >>> Checked with other computer (windows 10 + windows defender). >> >>> >> >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 >> >>> >> >>> >> >>> 2018-01-03 17:44 GMT-03:00 Ramunas : >> >>> >> >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file >> >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" >> folder >> >>>> with Windows Defender on Windows 10 - no issues found >> >>>> * checked for Windows updates. New update "Definition Update for >> >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" >> was found >> >>>> and installed. >> >>>> * scanned again. No issues found. >> >>>> >> >>>> Ram?nas >> >>>> >> >>> >> >>> >> >>> >> >>> -- >> >>> Ariel Carrera >> >>> >> >> >> >> >> >> >> >> -- >> >> Ariel Carrera >> >> >> > >> > >> > >> > -- >> > Ariel Carrera >> > >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- Ariel Carrera -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 112492 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/c877f125/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 39616 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/c877f125/attachment-0003.png From carreraariel at gmail.com Tue Jan 9 11:16:28 2018 From: carreraariel at gmail.com (Ariel Carrera) Date: Tue, 9 Jan 2018 13:16:28 -0300 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: I created a Jira to track this problem: https://issues.jboss.org/browse/KEYCLOAK-6157 I tried with older 3.4.x versions and only happens with 3.4.2 and 3.4.3 I compared the minified files between version 3.4.1 and 3.4.2 and they have little differences between them but I can't see a threat in the code so I suspect that it is a false alarm but it still is a problem for users. I think that doing a rewrite of the function "processInit()" can helps to get off alerts when the file gets minified. 2018-01-09 12:47 GMT-03:00 Ariel Carrera : > I don't know why we have differents Windows Defender results... but it's > Microsoft... > > Bruno, Is your Windows (inside VM) updated? What version is? Do you > updated virus definitions too? > > I updated definitions but problem persists... Here is another screenshot: > [image: Im?genes integradas 1] > > > [image: Im?genes integradas 2] > > > You can check my windows version in second screenshot. It is version > 10.0.16299.192 (and it was tested in another machine with version ( > 10.0.16299.125)). > > Recently, It was tested again with a third machine (at home) in another > network / location / and installation. Same problem, virus detected. > > Maybe Microsoft has differents versions by location... I don't know... > after update to last version, Windows Defender asked me to send the file to > improve detection (I had not asked for this before). > > > > 2018-01-09 11:50 GMT-03:00 Bruno Oliveira : > >> So I don't have Windows 10, but I managed to run a VM from >> https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. >> >> After that I cloned the whole Keycloak repository https://github.com/ >> keycloak/keycloak-js-bower. Nothing was found, please see the >> screenshot: https://i.imgur.com/1NbFGrn.png. >> >> On Tue, Jan 9, 2018 at 10:46 AM Stian Thorgersen >> wrote: >> >>> Please create an issue with the details. We'll need to figure out how to >>> reproduce the issue though. Seemed like Ramunas had tried, but that >>> Defender wasn't reporting anything for him. >>> >>> On 8 January 2018 at 21:18, Ariel Carrera >>> wrote: >>> >>> > "when your somebody get's a keycloak's distribution to be installed" >>> read >>> > like: "when someone gets Keycloak to be installed" xD >>> > >>> > 2018-01-08 16:56 GMT-03:00 Ariel Carrera : >>> > >>> >> Hi Stian, I checked differences in keycloak.min.js comparing version >>> >> 3.4.1 to 3.4.2. >>> >> I can't see a problem at first sight... but It's still a problem to >>> see >>> >> your antivirus alerting for a threat when your browser access to a >>> page >>> >> that uses "keycloak.min.js" or when your somebody get's a keycloak's >>> >> distribution to be installed. >>> >> >>> >> Maybe this issue must to be in Jira. >>> >> >>> >> Last changes in javascript file can be the problem. >>> >> >>> >> Maybe function "processInit()" needs some changes. >>> >> >>> >> Regards, >>> >> >>> >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera : >>> >> >>> >>> Checked with other computer (windows 10 + windows defender). >>> >>> >>> >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 >>> >>> >>> >>> >>> >>> 2018-01-03 17:44 GMT-03:00 Ramunas : >>> >>> >>> >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file >>> >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" >>> folder >>> >>>> with Windows Defender on Windows 10 - no issues found >>> >>>> * checked for Windows updates. New update "Definition Update for >>> >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" >>> was found >>> >>>> and installed. >>> >>>> * scanned again. No issues found. >>> >>>> >>> >>>> Ram?nas >>> >>>> >>> >>> >>> >>> >>> >>> >>> >>> -- >>> >>> Ariel Carrera >>> >>> >>> >> >>> >> >>> >> >>> >> -- >>> >> Ariel Carrera >>> >> >>> > >>> > >>> > >>> > -- >>> > Ariel Carrera >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > > -- > Ariel Carrera > -- Ariel Carrera -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 39616 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/3068e7b6/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 112492 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/3068e7b6/attachment-0003.png From sthorger at redhat.com Tue Jan 9 13:55:34 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 9 Jan 2018 19:55:34 +0100 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: We're not going to do anything unless someone else can confirm this. This is probably also something that you can report to Microsoft as they are reporting a false positive here, assuming you're not actually affected by a virus yourself. I've also tried Defender now, that makes 3 people that has tried to confirm this with no luck. On 9 January 2018 at 17:16, Ariel Carrera wrote: > I created a Jira to track this problem: > > https://issues.jboss.org/browse/KEYCLOAK-6157 > > I tried with older 3.4.x versions and only happens with 3.4.2 and 3.4.3 > > I compared the minified files between version 3.4.1 and 3.4.2 and they > have little differences between them but I can't see a threat in the code > so I suspect that it is a false alarm but it still is a problem for users. > > I think that doing a rewrite of the function "processInit()" can helps to > get off alerts when the file gets minified. > > > 2018-01-09 12:47 GMT-03:00 Ariel Carrera : > >> I don't know why we have differents Windows Defender results... but it's >> Microsoft... >> >> Bruno, Is your Windows (inside VM) updated? What version is? Do you >> updated virus definitions too? >> >> I updated definitions but problem persists... Here is another screenshot: >> [image: Im?genes integradas 1] >> >> >> [image: Im?genes integradas 2] >> >> >> You can check my windows version in second screenshot. It is version >> 10.0.16299.192 (and it was tested in another machine with version ( >> 10.0.16299.125)). >> >> Recently, It was tested again with a third machine (at home) in another >> network / location / and installation. Same problem, virus detected. >> >> Maybe Microsoft has differents versions by location... I don't know... >> after update to last version, Windows Defender asked me to send the file to >> improve detection (I had not asked for this before). >> >> >> >> 2018-01-09 11:50 GMT-03:00 Bruno Oliveira : >> >>> So I don't have Windows 10, but I managed to run a VM from >>> https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. >>> >>> After that I cloned the whole Keycloak repository https://github.com/ >>> keycloak/keycloak-js-bower. Nothing was found, please see the >>> screenshot: https://i.imgur.com/1NbFGrn.png. >>> >>> On Tue, Jan 9, 2018 at 10:46 AM Stian Thorgersen >>> wrote: >>> >>>> Please create an issue with the details. We'll need to figure out how to >>>> reproduce the issue though. Seemed like Ramunas had tried, but that >>>> Defender wasn't reporting anything for him. >>>> >>>> On 8 January 2018 at 21:18, Ariel Carrera >>>> wrote: >>>> >>>> > "when your somebody get's a keycloak's distribution to be installed" >>>> read >>>> > like: "when someone gets Keycloak to be installed" xD >>>> > >>>> > 2018-01-08 16:56 GMT-03:00 Ariel Carrera : >>>> > >>>> >> Hi Stian, I checked differences in keycloak.min.js comparing version >>>> >> 3.4.1 to 3.4.2. >>>> >> I can't see a problem at first sight... but It's still a problem to >>>> see >>>> >> your antivirus alerting for a threat when your browser access to a >>>> page >>>> >> that uses "keycloak.min.js" or when your somebody get's a keycloak's >>>> >> distribution to be installed. >>>> >> >>>> >> Maybe this issue must to be in Jira. >>>> >> >>>> >> Last changes in javascript file can be the problem. >>>> >> >>>> >> Maybe function "processInit()" needs some changes. >>>> >> >>>> >> Regards, >>>> >> >>>> >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera : >>>> >> >>>> >>> Checked with other computer (windows 10 + windows defender). >>>> >>> >>>> >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 >>>> >>> >>>> >>> >>>> >>> 2018-01-03 17:44 GMT-03:00 Ramunas : >>>> >>> >>>> >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file >>>> >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" >>>> folder >>>> >>>> with Windows Defender on Windows 10 - no issues found >>>> >>>> * checked for Windows updates. New update "Definition Update for >>>> >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" >>>> was found >>>> >>>> and installed. >>>> >>>> * scanned again. No issues found. >>>> >>>> >>>> >>>> Ram?nas >>>> >>>> >>>> >>> >>>> >>> >>>> >>> >>>> >>> -- >>>> >>> Ariel Carrera >>>> >>> >>>> >> >>>> >> >>>> >> >>>> >> -- >>>> >> Ariel Carrera >>>> >> >>>> > >>>> > >>>> > >>>> > -- >>>> > Ariel Carrera >>>> > >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >> >> >> -- >> Ariel Carrera >> > > > > -- > Ariel Carrera > -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 112492 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/f1e8886c/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 39616 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/f1e8886c/attachment-0003.png From sthorger at redhat.com Tue Jan 9 13:58:06 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Tue, 9 Jan 2018 19:58:06 +0100 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: Please report the files here https://www.microsoft.com/en-us/wdsi/filesubmission. On 9 January 2018 at 19:55, Stian Thorgersen wrote: > We're not going to do anything unless someone else can confirm this. This > is probably also something that you can report to Microsoft as they are > reporting a false positive here, assuming you're not actually affected by a > virus yourself. > > I've also tried Defender now, that makes 3 people that has tried to > confirm this with no luck. > > On 9 January 2018 at 17:16, Ariel Carrera wrote: > >> I created a Jira to track this problem: >> >> https://issues.jboss.org/browse/KEYCLOAK-6157 >> >> I tried with older 3.4.x versions and only happens with 3.4.2 and 3.4.3 >> >> I compared the minified files between version 3.4.1 and 3.4.2 and they >> have little differences between them but I can't see a threat in the code >> so I suspect that it is a false alarm but it still is a problem for users. >> >> I think that doing a rewrite of the function "processInit()" can helps to >> get off alerts when the file gets minified. >> >> >> 2018-01-09 12:47 GMT-03:00 Ariel Carrera : >> >>> I don't know why we have differents Windows Defender results... but it's >>> Microsoft... >>> >>> Bruno, Is your Windows (inside VM) updated? What version is? Do you >>> updated virus definitions too? >>> >>> I updated definitions but problem persists... Here is another screenshot: >>> [image: Im?genes integradas 1] >>> >>> >>> [image: Im?genes integradas 2] >>> >>> >>> You can check my windows version in second screenshot. It is version >>> 10.0.16299.192 (and it was tested in another machine with version ( >>> 10.0.16299.125)). >>> >>> Recently, It was tested again with a third machine (at home) in another >>> network / location / and installation. Same problem, virus detected. >>> >>> Maybe Microsoft has differents versions by location... I don't know... >>> after update to last version, Windows Defender asked me to send the file to >>> improve detection (I had not asked for this before). >>> >>> >>> >>> 2018-01-09 11:50 GMT-03:00 Bruno Oliveira : >>> >>>> So I don't have Windows 10, but I managed to run a VM from >>>> https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. >>>> >>>> After that I cloned the whole Keycloak repository https://github.com/ >>>> keycloak/keycloak-js-bower. Nothing was found, please see the >>>> screenshot: https://i.imgur.com/1NbFGrn.png. >>>> >>>> On Tue, Jan 9, 2018 at 10:46 AM Stian Thorgersen >>>> wrote: >>>> >>>>> Please create an issue with the details. We'll need to figure out how >>>>> to >>>>> reproduce the issue though. Seemed like Ramunas had tried, but that >>>>> Defender wasn't reporting anything for him. >>>>> >>>>> On 8 January 2018 at 21:18, Ariel Carrera >>>>> wrote: >>>>> >>>>> > "when your somebody get's a keycloak's distribution to be >>>>> installed" read >>>>> > like: "when someone gets Keycloak to be installed" xD >>>>> > >>>>> > 2018-01-08 16:56 GMT-03:00 Ariel Carrera : >>>>> > >>>>> >> Hi Stian, I checked differences in keycloak.min.js comparing version >>>>> >> 3.4.1 to 3.4.2. >>>>> >> I can't see a problem at first sight... but It's still a problem to >>>>> see >>>>> >> your antivirus alerting for a threat when your browser access to a >>>>> page >>>>> >> that uses "keycloak.min.js" or when your somebody get's a keycloak's >>>>> >> distribution to be installed. >>>>> >> >>>>> >> Maybe this issue must to be in Jira. >>>>> >> >>>>> >> Last changes in javascript file can be the problem. >>>>> >> >>>>> >> Maybe function "processInit()" needs some changes. >>>>> >> >>>>> >> Regards, >>>>> >> >>>>> >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera : >>>>> >> >>>>> >>> Checked with other computer (windows 10 + windows defender). >>>>> >>> >>>>> >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 >>>>> >>> >>>>> >>> >>>>> >>> 2018-01-03 17:44 GMT-03:00 Ramunas : >>>>> >>> >>>>> >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file >>>>> >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" >>>>> folder >>>>> >>>> with Windows Defender on Windows 10 - no issues found >>>>> >>>> * checked for Windows updates. New update "Definition Update for >>>>> >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" >>>>> was found >>>>> >>>> and installed. >>>>> >>>> * scanned again. No issues found. >>>>> >>>> >>>>> >>>> Ram?nas >>>>> >>>> >>>>> >>> >>>>> >>> >>>>> >>> >>>>> >>> -- >>>>> >>> Ariel Carrera >>>>> >>> >>>>> >> >>>>> >> >>>>> >> >>>>> >> -- >>>>> >> Ariel Carrera >>>>> >> >>>>> > >>>>> > >>>>> > >>>>> > -- >>>>> > Ariel Carrera >>>>> > >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>>> >>> >>> >>> -- >>> Ariel Carrera >>> >> >> >> >> -- >> Ariel Carrera >> > > -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 112492 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/78905c6a/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 39616 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/78905c6a/attachment-0003.png From bruno at abstractj.org Tue Jan 9 14:10:49 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 09 Jan 2018 19:10:49 +0000 Subject: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter? In-Reply-To: References:

Message-ID: Yes, everything is up to date. Like mentioned in my previous e-mail, I'm running Windows 10 VM from https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. I strongly recommend you to do the same. It's always better to test things in a clean environment. On Tue, Jan 9, 2018 at 1:47 PM Ariel Carrera wrote: > I don't know why we have differents Windows Defender results... but it's > Microsoft... > > Bruno, Is your Windows (inside VM) updated? What version is? Do you > updated virus definitions too? > > I updated definitions but problem persists... Here is another screenshot: > [image: image.png] > > > [image: image.png] > > > You can check my windows version in second screenshot. It is version > 10.0.16299.192 (and it was tested in another machine with version ( > 10.0.16299.125)). > > Recently, It was tested again with a third machine (at home) in another > network / location / and installation. Same problem, virus detected. > > Maybe Microsoft has differents versions by location... I don't know... > after update to last version, Windows Defender asked me to send the file to > improve detection (I had not asked for this before). > > > > 2018-01-09 11:50 GMT-03:00 Bruno Oliveira : > >> So I don't have Windows 10, but I managed to run a VM from >> https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/. >> >> After that I cloned the whole Keycloak repository >> https://github.com/keycloak/keycloak-js-bower. Nothing was found, please >> see the screenshot: https://i.imgur.com/1NbFGrn.png. >> >> On Tue, Jan 9, 2018 at 10:46 AM Stian Thorgersen >> wrote: >> >>> Please create an issue with the details. We'll need to figure out how to >>> reproduce the issue though. Seemed like Ramunas had tried, but that >>> Defender wasn't reporting anything for him. >>> >>> On 8 January 2018 at 21:18, Ariel Carrera >>> wrote: >>> >>> > "when your somebody get's a keycloak's distribution to be installed" >>> read >>> > like: "when someone gets Keycloak to be installed" xD >>> > >>> > 2018-01-08 16:56 GMT-03:00 Ariel Carrera : >>> > >>> >> Hi Stian, I checked differences in keycloak.min.js comparing version >>> >> 3.4.1 to 3.4.2. >>> >> I can't see a problem at first sight... but It's still a problem to >>> see >>> >> your antivirus alerting for a threat when your browser access to a >>> page >>> >> that uses "keycloak.min.js" or when your somebody get's a keycloak's >>> >> distribution to be installed. >>> >> >>> >> Maybe this issue must to be in Jira. >>> >> >>> >> Last changes in javascript file can be the problem. >>> >> >>> >> Maybe function "processInit()" needs some changes. >>> >> >>> >> Regards, >>> >> >>> >> 2018-01-08 16:26 GMT-03:00 Ariel Carrera : >>> >> >>> >>> Checked with other computer (windows 10 + windows defender). >>> >>> >>> >>> keycloak-min.js is detected as virus from version 3.4.2 to 3.4.3 >>> >>> >>> >>> >>> >>> 2018-01-03 17:44 GMT-03:00 Ramunas : >>> >>> >>> >>>> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file >>> >>>> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" >>> folder >>> >>>> with Windows Defender on Windows 10 - no issues found >>> >>>> * checked for Windows updates. New update "Definition Update for >>> >>>> Windows Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" >>> was found >>> >>>> and installed. >>> >>>> * scanned again. No issues found. >>> >>>> >>> >>>> Ram?nas >>> >>>> >>> >>> >>> >>> >>> >>> >>> >>> -- >>> >>> Ariel Carrera >>> >>> >>> >> >>> >> >>> >> >>> >> -- >>> >> Ariel Carrera >>> >> >>> > >>> > >>> > >>> > -- >>> > Ariel Carrera >>> > >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > > -- > Ariel Carrera > -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 112492 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/6f7cae18/attachment-0002.png -------------- next part -------------- A non-text attachment was scrubbed... Name: image.png Type: image/png Size: 39616 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180109/6f7cae18/attachment-0003.png From MMcShea at idtus.com Tue Jan 9 14:48:05 2018 From: MMcShea at idtus.com (Matt McShea) Date: Tue, 9 Jan 2018 14:48:05 -0500 Subject: [keycloak-user] Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy Message-ID: <97E0A24F0C2ECC4EACB65491D0CCDDB3348706C466@MX1.corp.idtus.com> Hello, I am running into the exact issue described in a previous thread, and was wondering if there have been any updates made in the recent releases that fix this issue. http://lists.jboss.org/pipermail/keycloak-user/2017-September/011905.html Like Thomas in that thread, everything works with the ngninx reverse proxy, but when I go through the proxy I'm unable to login. If I use the following line in my proxy configuration" proxy_set_header X-SSL-CERT $ssl_client_raw_cert", I just get a blank page with no html codes or anything. If I use $ssl_client_cert instead, I get redirected to the username/password login as if there wasn't a client certificate. I am currently using 3.1.0, but upgraded to Wildfly 11. Thanks, Matt McShea From mposolda at redhat.com Tue Jan 9 15:40:42 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 9 Jan 2018 21:40:42 +0100 Subject: [keycloak-user] Help Needed on X509 Certificate Authentication with keycloak behind Nginx reverse proxy In-Reply-To: <97E0A24F0C2ECC4EACB65491D0CCDDB3348706C466@MX1.corp.idtus.com> References: <97E0A24F0C2ECC4EACB65491D0CCDDB3348706C466@MX1.corp.idtus.com> Message-ID: By coincidence, I've just send PR for the documentation support around this: https://github.com/keycloak/keycloak-documentation/pull/287 In shortcut, we have builtin support when Keycloak is behind Apache reverse proxy or HAProxy. We didn't yet tried to test with Keycloak behind NGinx, but it's possible that one of the providers like "apache" or "haproxy" will work with nginx too. If it doesn't, you can investigate the reason and possibly send PR. Good luck, Marek On 09/01/18 20:48, Matt McShea wrote: > Hello, > > I am running into the exact issue described in a previous thread, and was wondering if there have been any updates made in the recent releases that fix this issue. > > http://lists.jboss.org/pipermail/keycloak-user/2017-September/011905.html > > Like Thomas in that thread, everything works with the ngninx reverse proxy, but when I go through the proxy I'm unable to login. > > If I use the following line in my proxy configuration" proxy_set_header X-SSL-CERT $ssl_client_raw_cert", I just get a blank page with no html codes or anything. > > If I use $ssl_client_cert instead, I get redirected to the username/password login as if there wasn't a client certificate. > > I am currently using 3.1.0, but upgraded to Wildfly 11. > > Thanks, > Matt McShea > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Jan 9 15:47:14 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 9 Jan 2018 21:47:14 +0100 Subject: [keycloak-user] REGISTER event: firstName & lastName always NULL In-Reply-To: <3594b91b-a5dd-79fa-0bc5-212a9d8113f8@frotscher.com> References: <3594b91b-a5dd-79fa-0bc5-212a9d8113f8@frotscher.com> Message-ID: Not 100% sure, but I think that you're right and firstName and lastName are not available in the REGISTER event. That's because REGISTER event is triggered too early - at the stage when userModel doesn't yet have firstName and lastName properly set on it. I think there are some workarounds - for example there is LOGIN event, which is send right after the REGISTER. You can track LOGIN events, which were sent right after the REGISTER events. I think that firstName, lastName should be available in those LOGIN events. Marek On 09/01/18 11:01, Thilo Frotscher wrote: > Hi all, > > In our project there is a requirement to execute some actions after successful > user registrations. I implemented an EventListenerProvider that listens to events > of type REGISTER. The details of this event type only contain the "username" of > the user that just registered, but first name and last name are missing. > > So I thought I could retrieve this information from the user storage. But no > matter how I try to read the user information from the user storage, firstName > and lastName are always null. > > Is this a bug or a feature? When manually logging on to the Admin Console, > I can see that firstName and lastName have been correctly saved. But how > can I programmatically retrieve the first name and last name of the user > that just registered in my event listener? > > Sample code: > > public void onEvent(Event event) { > > if (!EventType.REGISTER.equals(event.getType())) { > LOGGER.info("Ignoring event of type " + event.getType()); > return; > } > > String realmId = event.getRealmId(); > RealmModel realm = session.realms().getRealm(realmId); > > String userId = event.getUserId(); > > Map details = event.getDetails(); > String username = details.get("username"); > > printUser(session.users().getUserByUsername(username, realm)); > printUser(session.userLocalStorage().getUserByUsername(username, realm)); > printUser(session.userCache().getUserByUsername(username, realm)); > printUser(session.userStorageManager().getUserByUsername(username, realm)); > > } > > private void printUser(UserModel user) { > if (user==null) { > LOGGER.info("User is null"); > } else { > LOGGER.info(user.getFirstName()); // always null > LOGGER.info(user.getLastName()); // always null > LOGGER.info(user.getId()); > LOGGER.info(user.getEmail()); > LOGGER.info(user.getUsername()); > } > } > > Actually, I believe firstName and lastName should be part of the event details > in the first place... > > Thanks for your help! > > Cheers, > Thilo > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From noircc at gmail.com Wed Jan 10 07:29:52 2018 From: noircc at gmail.com (SW) Date: Wed, 10 Jan 2018 05:29:52 -0700 (MST) Subject: [keycloak-user] Backward-Compatibility of keycloak-admin-client-x.x.x.jar? Message-ID: <1515587392284-0.post@n6.nabble.com> First question: 1) Who is keeping the keycloak-admin-client-x.x.x.jar uptodate? 2) If a new version of keycloak is arriving will there ever be a new version of keycloak-admin-client.jar? 3) Can the newest keycloak-admin-client communicate with older versions of keycloak? regards && tia Sebastian -- Sent from: http://keycloak-user.88327.x6.nabble.com/ From noircc at gmail.com Wed Jan 10 07:30:12 2018 From: noircc at gmail.com (SW) Date: Wed, 10 Jan 2018 05:30:12 -0700 (MST) Subject: [keycloak-user] Backward-Compatibility of keycloak-admin-client-x.x.x.jar? Message-ID: <1515587412588-0.post@n6.nabble.com> First question: 1) Who is keeping the keycloak-admin-client-x.x.x.jar uptodate? 2) If a new version of keycloak is arriving will there ever be a new version of keycloak-admin-client.jar? 3) Can the newest keycloak-admin-client communicate with older versions of keycloak? regards && tia Sebastian -- Sent from: http://keycloak-user.88327.x6.nabble.com/ From mstrukel at redhat.com Wed Jan 10 10:12:25 2018 From: mstrukel at redhat.com (Marko Strukelj) Date: Wed, 10 Jan 2018 16:12:25 +0100 Subject: [keycloak-user] Backward-Compatibility of keycloak-admin-client-x.x.x.jar? In-Reply-To: <1515587412588-0.post@n6.nabble.com> References: <1515587412588-0.post@n6.nabble.com> Message-ID: On Wed, Jan 10, 2018 at 1:30 PM, SW