From iali at an10.io Sun Jul 1 20:54:45 2018
From: iali at an10.io (Irtiza Ali)
Date: Mon, 2 Jul 2018 05:54:45 +0500
Subject: [keycloak-user] subscription
Message-ID:

iali at an10.io

From iali at an10.io Sun Jul 1 21:02:25 2018
From: iali at an10.io (aliartiza75)
Date: Sun, 1 Jul 2018 18:02:25 -0700 (MST)
Subject: [keycloak-user] Keycloak access token validation using public key
Message-ID: <1530493345563-0.post@n6.nabble.com>

Hello everyone,

Is there a way to validate the access token using the public key?

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From henning.waack at codecentric.de Mon Jul 2 02:14:25 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Mon, 2 Jul 2018 08:14:25 +0200
Subject: [keycloak-user] Get all users for a given client with consent
In-Reply-To: <1530354650.18192.3.camel@acutus.pro>
References: <1530354650.18192.3.camel@acutus.pro>
Message-ID:

Thanks Dimitry, this is exactly what I am looking for! Will give it a try and report my findings! Thanks especially for the list of examples and the sample SQL Query!

Greetings

Henning

2018-06-30 12:30 GMT+02:00 Dmitry Telegin:

> Hi Henning, sorry for the late response,
>
> I assume that by "getting a list of all users with consent for a specific client" you mean exposing this list over REST API (correct me if I'm wrong).
>
> For this, you will need to implement a custom REST endpoint using Realm Resource SPI [1] that will execute a single JPA query:
>
> select consent from UserConsentEntity consent where consent.clientId = :clientId
>
> then convert the results to a list of UserConsentRepresentation's and return it. If you want to see the list in the admin GUI, you'll also have to implement a GUI theme.
>
> Please remember that by default custom REST resources are public, so you'll need to implement proper access control. Examples that might be helpful here:
> - examples/providers/rest: a minimal example of custom REST resource;
> - examples/providers/domain-extension: an advanced example that (among other) demonstrates interacting with the JPA layer; unfortunately, it is not maintained, and the authorization code is broken at the moment [2];
> - BeerCloak [3]: a more complete and complex example that is maintained and working. Currently, authorization is implemented in a pre-3.2.0 way (but should still work in 4.0.0). I'm going to port it to post-3.2.0 soon (that means, fine-grained permissions), so stay tuned;
> - examples/themes - if you're looking to extend the GUI.
>
> See also:
> org.keycloak.models.jpa.entities.UserConsentEntity
> org.keycloak.representations.idm.UserConsentRepresentation
> org.keycloak.services.resources.admin.UserResource::getConsents()
> org.keycloak.models.jpa.JpaUserProvider::getConsents()
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> [1] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
> [2] https://issues.jboss.org/browse/KEYCLOAK-5927
> [3] https://github.com/dteleguin/beercloak
>
> > Hey guys, any input on this? Appreciate it! :)
> >
> > Thanks
> >
> > Henning
> >
> > 2018-06-25 13:35 GMT+02:00 Henning Waack :
> >
> > > Hi.
> > >
> > > Is it possible to get a list of all users who have given their consent for a specific client? I am working with KC 4.0 (and Spring Boot 2.0).
> > >
> > > Thanks & greetings
> > >
> > > Henning

--
-----------
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Germany
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

Registered office: Solingen | HRB 25917 | Wuppertal District Court
Executive board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
Supervisory board: Patric Fedlmeier (chairman) . Klaus Jäger . Jürgen Schütz

This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files at once. Unauthorized copying, use or opening of any attached files, as well as unauthorized forwarding of this e-mail, is not permitted.

From thesofiane at gmail.com Mon Jul 2 03:11:40 2018
From: thesofiane at gmail.com (So Be)
Date: Mon, 2 Jul 2018 09:11:40 +0200
Subject: [keycloak-user] How to specify local Gitlab HOST
Message-ID:

Hi,

I configured keycloak to work with our GITLAB instance but it is still redirecting to the global gitlab.
In the keycloak configuration page I see no entry about the url of gitlab.
How and where can I set this up? I suppose through an env variable.

Thank you.

Regards

Sofiane.
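The question "Keycloak access token validation using public key" earlier on this page gets no answer in the archive. What follows is an added example, not code from the list or from Keycloak: it shows the checks a resource server has to make on an RS256-signed access token, in standard-library Python with a small self-contained RSA implementation so that it runs offline. The key pair, the realm URL and the claims are constructed for the demo; in a real deployment the public key comes from the realm (the realm keys in the admin console or the JWKS endpoint) and a maintained JWT library does the signature arithmetic. The order of the checks is the point: pin the algorithm from your own configuration instead of trusting the token's alg header, verify the signature, and only then read exp, iss and aud.

```python
"""Added example: validate an RS256 access token with a realm public key.
Standard library only; the RSA code is a teaching implementation (PKCS#1 v1.5
over SHA-256). The checks in verify_access_token() are what matters."""
import base64, hashlib, hmac, json, random, time

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a test-only key."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits: int = 1024):
    """Constructed test key pair ((n, e), (n, d)); never use such keys for real tokens."""
    def random_prime(b: int) -> int:
        while True:
            candidate = random.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(candidate):
                return candidate
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    # 00 01 FF..FF 00 DigestInfo || SHA-256(message), padded to the modulus size k
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_jwt(header: dict, claims: dict, private_key) -> str:
    """Issue a token as the authorization server would (only used to build test input)."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    signing_input = ".".join(b64url_encode(json.dumps(o, separators=(",", ":")).encode())
                             for o in (header, claims))
    em = int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), k), "big")
    return signing_input + "." + b64url_encode(pow(em, d, n).to_bytes(k, "big"))

def verify_access_token(token: str, public_key, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token is valid for this resource server, else raise ValueError."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    try:
        h64, p64, s64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # The algorithm is pinned by configuration; the token's own alg header is never trusted
    # (this rejects "none" and an HS256 downgrade that reuses the public key as the secret).
    if json.loads(b64url_decode(h64)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    recovered = pow(int.from_bytes(b64url_decode(s64), "big"), e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, emsa_pkcs1_v15((h64 + "." + p64).encode(), k)):
        raise ValueError("signature mismatch")
    # Claims are only read once the signature holds.
    claims = json.loads(b64url_decode(p64))
    now = time.time() if now is None else now
    aud = claims.get("aud", [])
    for failed, reason in ((claims.get("exp", 0) <= now, "token expired"),
                           (claims.get("nbf", 0) > now, "token not yet valid"),
                           (claims.get("iss") != issuer, "wrong issuer"),
                           (audience not in (aud if isinstance(aud, list) else [aud]), "wrong audience")):
        if failed:
            raise ValueError(reason)
    return claims

def demo() -> dict:
    """Constructed end-to-end run; returns the outcome of each check by name."""
    public_key, private_key = generate_keypair()
    issuer = "https://sso.example.test/auth/realms/demo"  # constructed realm URL
    claims = {"iss": issuer, "aud": "account", "sub": "user-1", "iat": 1000, "exp": 2000}
    good = sign_jwt({"alg": "RS256", "typ": "JWT"}, claims, private_key)
    h64, _, s64 = good.split(".")
    # Payload edited after signing: old signature, new claims
    forged = h64 + "." + b64url_encode(json.dumps(dict(claims, sub="admin")).encode()) + "." + s64
    results = {"valid": verify_access_token(good, public_key, issuer, "account", now=1500)["sub"]}
    for name, tok, at in (("tampered", forged, 1500), ("expired", good, 2500),
                          ("alg_none", sign_jwt({"alg": "none"}, claims, private_key), 1500)):
        try:
            verify_access_token(tok, public_key, issuer, "account", now=at)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

`demo()` returns `{'valid': 'user-1', 'tampered': 'signature mismatch', 'expired': 'token expired', 'alg_none': 'unexpected alg'}`: the tampered payload, the stale token and the header that asks for `alg: none` are all rejected before any claim is acted on. A 1024-bit test key is generated on the fly so the run takes well under a second; real realm keys are 2048 bits or larger.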
From kkcmadhu at yahoo.com Mon Jul 2 03:19:45 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Mon, 2 Jul 2018 07:19:45 +0000 (UTC)
Subject: [keycloak-user] Enabling Identity provider alone
References: <602469538.1281007.1530515985637.ref@mail.yahoo.com>
Message-ID: <602469538.1281007.1530515985637@mail.yahoo.com>

Hi,

I want to disable client, Realm management, Authentication and Roles and want to create a user who will be able to provide only Identity provider/broker integration. I understand the user needs to be in manage-identity-providers and manage-realm for doing this activity. But with manage-realm the user also has access to the role creation, authentication and realm setting tabs. Any way to disable these, without going for customized themes or changing the FTL? I am looking for an authorization model based solution.

Regards,
Madhu

From henning.waack at codecentric.de Mon Jul 2 03:54:27 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Mon, 2 Jul 2018 09:54:27 +0200
Subject: [keycloak-user] Reverse Proxy issue
Message-ID:

Hi.

Using KC 4.0.0 behind an Apache httpd proxy with SSL termination, I have the issue that KC is returning redirect URIs with http instead of https.

I have configured KC standalone.xml as follows:

....
...
...
...

I have enabled the undertow request logging filter, thus seeing that the X-Forwarded-Proto, -For and Host headers are correctly set, but KC is still returning the wrong redirect location, using http instead of https:

2018-07-02 09:31:06,785 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) there was no code
2018-07-02 09:31:06,785 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) redirecting to auth server
2018-07-02 09:31:06,786 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) callback uri: https://nak.xxx.com/auskunftssystem/sso/login
2018-07-02 09:31:06,791 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (default task-2) Auth outcome: NOT_ATTEMPTED
2018-07-02 09:31:06,792 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) Sending redirect to login page: http://nak.xxx.com/auth/realms/NAK/protocol/openid-connect/auth?response_type=code&client_id=auskunftssystem&redirect_uri=https%3A%2F%2Fnak.xxx.com%2Fauskunftssystem%2Fsso%2Flogin&state=f9a80dfd-df35-4893-9009-513d4793c1d2&login=true&scope=openid
2018-07-02 09:31:06,796 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (default task-2) SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2018-07-02 09:31:06,796 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] (default task-2) SecurityContextHolder now cleared, as request processing completed
2018-07-02 09:31:06,802 INFO [io.undertow.request.dump] (default task-2)
----------------------------REQUEST---------------------------
    URI=/auskunftssystem/sso/login
    characterEncoding=null
    contentLength=-1
    contentType=null
    cookie=JSESSIONID=zAbSKWq1wWtYZ1CBJ48iZ0s4Gfc42QHc6XKUv_VP.nak
    cookie=OAuth_Token_Request_State=dacaf5e0-34fe-4efc-842f-405a3575a74f
    header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    header=Accept-Language=de,en-US;q=0.7,en;q=0.3
    header=Accept-Encoding=gzip, deflate, br
    header=DNT=1
    header=X-Forwarded-Server=nak.xxx.com, p4FD27CDE.dip0.t-ipconnect.de
    header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
    header=Connection=Keep-Alive
    header=X-Forwarded-Proto=https
    header=X-Forwarded-For=21.32.236.47, 10.10.66.56
    header=Cookie=OAuth_Token_Request_State=dacaf5e0-34fe-4efc-842f-405a3575a74f; JSESSIONID=zAbSKWq1wWtYZ1CBJ48iZ0s4Gfc42QHc6XKUv_VP.nak
    header=Upgrade-Insecure-Requests=1
    header=Host=nak.xxx.com
    header=X-Forwarded-Host=nak.xxx.com, nak.xxx.com
    locale=[de, en_US, en]
    method=GET
    protocol=HTTP/1.1
    queryString=
    remoteAddr=87.167.236.47:0
    remoteHost=87.167.236.47
    scheme=https
    host=nak.xxx.com
    serverPort=0
--------------------------RESPONSE--------------------------
    contentLength=-1
    contentType=null
    cookie=OAuth_Token_Request_State=f9a80dfd-df35-4893-9009-513d4793c1d2; domain=null; path=null
    header=Expires=0
    header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
    header=Set-Cookie=OAuth_Token_Request_State=f9a80dfd-df35-4893-9009-513d4793c1d2; secure; HttpOnly
    header=X-XSS-Protection=1; mode=block
    header=Pragma=no-cache
    header=Location=http://nak.xxx.com/auth/realms/NAK/protocol/openid-connect/auth?response_type=code&client_id=auskunftssystem&redirect_uri=https%3A%2F%2Fnak.xxx.com%2Fauskunftssystem%2Fsso%2Flogin&state=f9a80dfd-df35-4893-9009-513d4793c1d2&login=true&scope=openid
    header=X-Frame-Options=DENY
    header=Date=Mon, 02 Jul 2018 07:31:06 GMT
    header=Connection=keep-alive
    header=X-Content-Type-Options=nosniff
    header=Strict-Transport-Security=max-age=31536000 ; includeSubDomains
    header=Transfer-Encoding=chunked
    status=302
==============================================================
2018-07-02 09:31:07,643 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-3) new JtaTransactionWrapper

Any idea why KC is returning http instead of https? Am I still missing some header?

Thanks & greetings

Henning

From shawn at victz.com Mon Jul 2 04:23:17 2018
From: shawn at victz.com (Shawn Fu Sheng)
Date: Mon, 2 Jul 2018 16:23:17 +0800
Subject: [keycloak-user] KEYCLOAK-7237 : Redirect URI is adding port zero to the url
In-Reply-To:
References: <6AF83FD5-8B8E-4E50-B3B7-66025C0B3A37@victz.com>
Message-ID: <2A5ECE3F-3C61-4126-ACDB-CA2F159C848E@victz.com>

Dear team,

Just for your update, I managed to work around this issue. I suspect the issue is caused by the apache reverse proxy. Modified SSL require to none and it works ok now.

Thanks and regards,
Shawn Fu Sheng

> On Jun 30, 2018, at 10:17 PM, Shawn Fu Sheng wrote:
>
> Dear keycloak team,
>
> I encountered a redirect_uri error. Found the same issue logged at the JIRA below, just want to check if there is any workaround? Can anyone help? Thank you in advance.
>
> KEYCLOAK-7237
>
> 2018-06-30 11:34:13,996 WARN [org.keycloak.events] (default task-8) type=LOGIN_ERROR, realmId=Victz, clientId=portal, userId=null, ipAddress=175.156.168.158, error=invalid_redirect_uri, redirect_uri=https://www.mydomain.com:0/home
>
> I am using apache http reverse proxy running on centos7, wildfly 10, keycloak 3.4.3. I have also tried in the environments below but get the same error.
>
> Tried in
> wildfly 10, wildfly 11, jboss 7.1
> Keycloak 3.4.3 as well as keycloak 4.0
>
> Also tried shutting down apache http and accessing directly via http://www.mydomain.com:8080/home , but it seems return_uri is automatically converted to https with port 0.
>
> Please see below standalone.xml, tried removing the config below (in red) but no luck.
>
> Rds,
> Shawn

From dt at acutus.pro Mon Jul 2 04:34:52 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 02 Jul 2018 11:34:52 +0300
Subject: [keycloak-user] How to specify local Gitlab HOST
In-Reply-To:
References:
Message-ID: <1530520492.4481.3.camel@acutus.pro>

Sofiane,

Currently, GitLab URLs are hardcoded [1]. However, you can create your own social identity provider with correct URLs, based on GitLabIdentityProvider, compile it and deploy it to your Keycloak instance. See [2] for details on how to build and deploy custom providers to Keycloak.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/gitlab/GitLabIdentityProvider.java#L48
[2] https://www.keycloak.org/docs/latest/server_development/index.html#_providers

On Mon, 2018-07-02 at 09:11 +0200, So Be wrote:
> Hi,
>
> I configured keycloak to work with our GITLAB instance but still
> redirecting to the global gitlab.
> In keycloak configuration page I see no entry about the url of
> gitlab.
> How and where can I set up this?
> I suppose through env variable.
>
> Thank you.
>
> Regards
>
> Sofiane.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Mon Jul 2 04:43:08 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 2 Jul 2018 10:43:08 +0200
Subject: [keycloak-user] Keycloak on Kubernetes - HTTPS required
In-Reply-To:
References:
Message-ID:

I managed to play a bit with Ingress on my Minikube installation. A good place to start is the latest Kubernetes Demo, which was implemented by Stian [1].

Just a couple of observations:
- As ??????? mentioned, the PROXY_ADDRESS_FORWARDING variable on the deployment must be set to true. Otherwise you will get nasty invalid redirect messages [2].
- Ingress Controllers usually pick class A addresses. Therefore I recommend setting the "Require SSL" parameter on the realm to "external requests". This shouldn't be mandatory but it expresses your intentions very well.
- Note that the Ingress points to a Service on port 8080. TLS termination is handled by the Ingress here. That's why we are targeting port 8080 on the service (http not https).
- The browser (or a client app) needs to trust the certificate used by the Ingress. A side note - if you're using Java, perhaps you need to use a Truststore or add a certificate to jre/lib/security/cacerts.

Thanks,
Sebastian

[1] https://github.com/stianst/demo-kubernetes
[2] https://github.com/stianst/demo-kubernetes/blob/master/keycloak/keycloak.yaml#L39

On Tue, Jun 26, 2018 at 3:26 PM Meissa M'baye Sakho wrote:
> I have some additional input that could help;
> when I change my ingress configuration by switching from the https service (exposed on port 8443) to https (https), it works.
> The certificate is being presented.
> I'm getting a 502 bad gateway from the nginx otherwise.
> Maybe this will speak to you.
>
> apiVersion: extensions/v1beta1
> kind: Ingress
> metadata:
>   namespace: opengie-proto
>   name: keycloak-opengie-proto-ssl
>   labels:
>     app: keycloak-opengie-proto
>   annotations:
>     nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
>     nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
>     nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
>     nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
> spec:
>   rules:
>   - host: keycloak-opengie-ssl.proto.paas.eclair.local
>     http:
>       paths:
>       - path: /
>         backend:
>           serviceName: keycloak-opengie-proto
>           *servicePort: http <------- this value works*
>   tls:
>   - hosts:
>     - keycloak-opengie-ssl.proto.paas.eclair.local
>
> 2018-06-26 13:53 GMT+02:00 Sebastian Laskawiec :
>
>> Hey Meissa,
>>
>> The more I think about this issue, the more I'm convinced that disabling SSL is the easiest approach. In most of the scenarios you're operating within your own Namespace so you can trust it.
>>
>> Please give me some time to experiment with different options and hopefully I will be able to give you some better guidance.
>>
>> Thanks,
>> Sebastian
>>
>> On Mon, Jun 25, 2018 at 5:04 PM Meissa M'baye Sakho wrote:
>>
>>> Sebastien,
>>> I'm trying to use Kubernetes TLS Client side authentication with keycloak on a cloud environment called Apprenda (based on kubernetes and docker).
>>>
>>> I can't manage to make it work and I don't know if the problem is from my ingress configuration or from the nginx configuration.
>>> In regard to the bug described below:
>>> https://github.com/kubernetes/ingress-nginx/issues/2287
>>> It seems like it's from the nginx configuration. But I'm not sure.
>>>
>>> My ingress configuration is the following:
>>>
>>> apiVersion: extensions/v1beta1
>>> kind: Ingress
>>> metadata:
>>>   namespace: opengie-proto
>>>   name: keycloak-opengie-proto-ssl
>>>   labels:
>>>     app: keycloak-opengie-proto
>>>   annotations:
>>>     nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
>>>     nginx.ingress.kubernetes.io/auth-tls-secret: "opengie-tls-secret"
>>>     nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
>>>     nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
>>> spec:
>>>   rules:
>>>   - host: keycloak-opengie-ssl.proto.paas.eclair.local
>>>     http:
>>>       paths:
>>>       - path: /
>>>         backend:
>>>           serviceName: keycloak-opengie-proto
>>>           servicePort: https
>>>   tls:
>>>   - hosts:
>>>     - keycloak-opengie-ssl.proto.paas.eclair.local
>>>
>>> Is there something strange that you're seeing in my configuration?
>>> Could you give me some hints on the nginx configuration that I have to pay attention to?
>>> thanks,
>>> Meissa
>>>
>>> 2018-06-21 13:18 GMT+02:00 Sebastian Laskawiec :
>>>
>>>> I'm an expert on Ingress (I usually work with Routes on OCP) but it probably depends on the Ingress configuration.
>>>>
>>>> If I'm not mistaken, the default Ingress configuration terminates TLS and sends unencrypted traffic to the Pod. However, Keycloak expects TLS, not an unencrypted HTTP request.
>>>>
>>>> I think you have a couple of options how to solve it:
>>>> - Use Pass-through TLS termination (this simply forwards encrypted (HTTPS) traffic to the Pod, without termination). A similar configuration to this one: https://github.com/kubernetes/ingress-nginx/issues/1947#issue-290639351
>>>> - Use a Load Balancer Service to access Keycloak (the final result will be the same as in the previous solution - a Pod will get HTTPS traffic)
>>>> - Turn the "Require SSL" option in the "Realm Settings". But please remember to always use a properly configured ingress in front of Keycloak. Otherwise you might compromise it!!!
>>>>
>>>> Thanks,
>>>> Sebastian
>>>>
>>>> On Wed, Jun 20, 2018 at 4:53 PM Pavlov, Yordan wrote:
>>>>
>>>> > Hi all,
>>>> >
>>>> > I'm evaluating Keycloak as IAM for one open source project [1], so far, I've tested it successfully on a minikube (local) Kubernetes cluster and I want to run it on a real cluster.
>>>> >
>>>> > The real cluster (created by Gardener [2]) is running on AWS and the access to the Keycloak is exposed through an Ingress controller [3].
>>>> > We've also installed "cert-manager" for automated certificates management of Let's Encrypt issued certificates.
>>>> >
>>>> > So far so good, but when I try to login to the "Admin Console" I get the following error:
>>>> > "We're sorry... HTTPS required"
>>>> >
>>>> > In the logs of the pod, there is the following warning:
>>>> > "WARN [org.keycloak.events] (default task-12) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=100.96.0.6, error=ssl_required"
>>>> >
>>>> > As far as I understand, the Let's Encrypt certificate is trusted by the browsers and it appears to be trusted by the OpenJDK also [4].
>>>> > Then what should be done in order to access the Admin Console?
>>>> >
>>>> > Last but not least, we are using the jboss/keycloak:latest image (I know that we should be using some stable version like 4.0.0, but it appears that the issue is not related to the image version).
>>>> >
>>>> > Regards,
>>>> > Yordan Pavlov
>>>> >
>>>> > [1] ProMART: https://github.com/promart-io | https://www.promart.io/
>>>> > [2] Gardener: https://github.com/gardener
>>>> > [3] Keycloak: https://kkk.ingress.promart.promart.shoot.canary.k8s-hana.ondemand.com
>>>> > [4] DST Root CA X3: https://bugs.openjdk.java.net/browse/JDK-8154757

From dt at acutus.pro Mon Jul 2 04:55:13 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 02 Jul 2018 11:55:13 +0300
Subject: [keycloak-user] Get all users for a given client with consent
In-Reply-To:
References: <1530354650.18192.3.camel@acutus.pro>
Message-ID: <1530521713.4481.5.camel@acutus.pro>

Henning, you're welcome,

In fact, if you need only users (not consents) returned from the query, you could use a JPQL projection as follows:

select consent.user from UserConsentEntity consent where consent.clientId = :clientId

Cheers,
Dmitry

On Mon, 2018-07-02 at 08:14 +0200, Henning Waack wrote:
> Thanks Dimitry, this is exactly what I am looking for! Will give it a try and report my findings! Thanks especially for the list of examples and the sample SQL Query!
>
> Greetings
>
> Henning
>
> 2018-06-30 12:30 GMT+02:00 Dmitry Telegin:
> > Hi Henning, sorry for the late response,
> >
> > I assume that by "getting a list of all users with consent for a specific client" you mean exposing this list over REST API (correct me if I'm wrong).
> >
> > For this, you will need to implement a custom REST endpoint using Realm Resource SPI [1] that will execute a single JPA query:
> >
> > select consent from UserConsentEntity consent where consent.clientId = :clientId
> >
> > then convert the results to a list of UserConsentRepresentation's and return it. If you want to see the list in the admin GUI, you'll also have to implement a GUI theme.
> >
> > Please remember that by default custom REST resources are public, so you'll need to implement proper access control. Examples that might be helpful here:
> > - examples/providers/rest: a minimal example of custom REST resource;
> > - examples/providers/domain-extension: an advanced example that (among other) demonstrates interacting with the JPA layer; unfortunately, it is not maintained, and the authorization code is broken at the moment [2];
> > - BeerCloak [3]: a more complete and complex example that is maintained and working. Currently, authorization is implemented in a pre-3.2.0 way (but should still work in 4.0.0). I'm going to port it to post-3.2.0 soon (that means, fine-grained permissions), so stay tuned;
> > - examples/themes - if you're looking to extend the GUI.
> >
> > See also:
> > org.keycloak.models.jpa.entities.UserConsentEntity
> > org.keycloak.representations.idm.UserConsentRepresentation
> > org.keycloak.services.resources.admin.UserResource::getConsents()
> > org.keycloak.models.jpa.JpaUserProvider::getConsents()
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > + 42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > [1] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest
> > [2] https://issues.jboss.org/browse/KEYCLOAK-5927
> > [3] https://github.com/dteleguin/beercloak
> >
> > > Hey guys, any input on this? Appreciate it! :)
> > >
> > > Thanks
> > >
> > > Henning
> > >
> > > 2018-06-25 13:35 GMT+02:00 Henning Waack :
> > >
> > > > Hi.
> > > >
> > > > Is it possible to get a list of all users who have given their consent for a specific client? I am working with KC 4.0 (and Spring Boot 2.0).
> > > >
> > > > Thanks & greetings
> > > >
> > > > Henning

From dt at acutus.pro Mon Jul 2 04:58:20 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 02 Jul 2018 11:58:20 +0300
Subject: [keycloak-user] Reverse Proxy issue
In-Reply-To:
References:
Message-ID: <1530521900.4481.7.camel@acutus.pro>

Henning,

Could you please share your Apache mod_proxy related config directives? Here's the config we're using:

ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto "https"
ProxyPass /auth http://localhost:8080/auth
ProxyPassReverse /auth http://localhost:8080/auth

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-02 at 09:54 +0200, Henning Waack wrote:
> Hi.
>
> Using KC 4.0.0 behind an Apache httpd proxy with SSL termination, I have the issue that KC is returning redirect URIs with http instead of https.
>
> I have configured KC standalone.xml as follows:
>
>                 redirect-socket="https-proxy" proxy-address-forwarding="true"/>
>                 security-realm="ApplicationRealm" enable-http2="true"/>
>                 ....
>
> ...
>         interface="public"
>         port-offset="${jboss.socket.binding.port-offset:0}">
>         ...
>         port="${jboss.https.port:8443}"/>
> ...
>
> I have enabled the undertow request logging filter, thus seeing that the X-Forwarded-Proto, -For and Host headers are correctly set, but KC is still returning the wrong redirect location, using http instead of https:
>
> 2018-07-02 09:31:06,785 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) there was no code
> 2018-07-02 09:31:06,785 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) redirecting to auth server
> 2018-07-02 09:31:06,786 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) callback uri: https://nak.xxx.com/auskunftssystem/sso/login
> 2018-07-02 09:31:06,791 DEBUG [org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter] (default task-2) Auth outcome: NOT_ATTEMPTED
> 2018-07-02 09:31:06,792 DEBUG [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) Sending redirect to login page: http://nak.xxx.com/auth/realms/NAK/protocol/openid-connect/auth?response_type=code&client_id=auskunftssystem&redirect_uri=https%3A%2F%2Fnak.xxx.com%2Fauskunftssystem%2Fsso%2Flogin&state=f9a80dfd-df35-4893-9009-513d4793c1d2&login=true&scope=openid
> 2018-07-02 09:31:06,796 DEBUG [org.springframework.security.web.context.HttpSessionSecurityContextRepository] (default task-2) SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
> 2018-07-02 09:31:06,796 DEBUG [org.springframework.security.web.context.SecurityContextPersistenceFilter] (default task-2) SecurityContextHolder now cleared, as request processing completed
> 2018-07-02 09:31:06,802 INFO [io.undertow.request.dump] (default task-2)
> ----------------------------REQUEST---------------------------
>     URI=/auskunftssystem/sso/login
>     characterEncoding=null
>     contentLength=-1
>     contentType=null
>     cookie=JSESSIONID=zAbSKWq1wWtYZ1CBJ48iZ0s4Gfc42QHc6XKUv_VP.nak
>     cookie=OAuth_Token_Request_State=dacaf5e0-34fe-4efc-842f-405a3575a74f
>     header=Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
>     header=Accept-Language=de,en-US;q=0.7,en;q=0.3
>     header=Accept-Encoding=gzip, deflate, br
>     header=DNT=1
>     header=X-Forwarded-Server=nak.xxx.com, p4FD27CDE.dip0.t-ipconnect.de
>     header=User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Firefox/60.0
>     header=Connection=Keep-Alive
>     header=X-Forwarded-Proto=https
>     header=X-Forwarded-For=21.32.236.47, 10.10.66.56
>     header=Cookie=OAuth_Token_Request_State=dacaf5e0-34fe-4efc-842f-405a3575a74f; JSESSIONID=zAbSKWq1wWtYZ1CBJ48iZ0s4Gfc42QHc6XKUv_VP.nak
>     header=Upgrade-Insecure-Requests=1
>     header=Host=nak.xxx.com
>     header=X-Forwarded-Host=nak.xxx.com, nak.xxx.com
>     locale=[de, en_US, en]
>     method=GET
>     protocol=HTTP/1.1
>     queryString=
>     remoteAddr=87.167.236.47:0
>     remoteHost=87.167.236.47
>     scheme=https
>     host=nak.xxx.com
>     serverPort=0
> --------------------------RESPONSE--------------------------
>     contentLength=-1
>     contentType=null
>     cookie=OAuth_Token_Request_State=f9a80dfd-df35-4893-9009-513d4793c1d2; domain=null; path=null
>     header=Expires=0
>     header=Cache-Control=no-cache, no-store, max-age=0, must-revalidate
>     header=Set-Cookie=OAuth_Token_Request_State=f9a80dfd-df35-4893-9009-513d4793c1d2; secure; HttpOnly
>     header=X-XSS-Protection=1; mode=block
>     header=Pragma=no-cache
>     header=Location=http://nak.xxx.com/auth/realms/NAK/protocol/openid-connect/auth?response_type=code&client_id=auskunftssystem&redirect_uri=https%3A%2F%2Fnak.xxx.com%2Fauskunftssystem%2Fsso%2Flogin&state=f9a80dfd-df35-4893-9009-513d4793c1d2&login=true&scope=openid
>     header=X-Frame-Options=DENY
>     header=Date=Mon, 02 Jul 2018 07:31:06 GMT
>     header=Connection=keep-alive
>     header=X-Content-Type-Options=nosniff
>     header=Strict-Transport-Security=max-age=31536000 ; includeSubDomains
>     header=Transfer-Encoding=chunked
>     status=302
> ==============================================================
> 2018-07-02 09:31:07,643 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-3) new JtaTransactionWrapper
>
> Any idea why KC is returning http instead of https? Am I still missing some header?
>
> Thanks & greetings
>
> Henning

From shaik.salam at tcs.com Mon Jul 2 05:04:31 2018
From: shaik.salam at tcs.com (Shaik Salam)
Date: Mon, 2 Jul 2018 14:34:31 +0530
Subject: [keycloak-user] Keycloak Server boot has failed in an unrecoverable manner
In-Reply-To:
References:
Message-ID:

Hi,

I feel it is a known issue. Could anyone please respond to this.

Thanks for your valuable time.
BR
Salam

-----keycloak-user-bounces at lists.jboss.org wrote: -----
To: keycloak-user at lists.jboss.org
From: Shaik Salam
Sent by: keycloak-user-bounces at lists.jboss.org
Date: 06/29/2018 01:00PM
Cc: Murali Kottakota
Subject: Re: [keycloak-user] Keycloak Server boot has failed in an unrecoverable manner

Hi,

We have installed Docker on a Linux operating system in a VM and are running the Keycloak server as a container.
Trying to restart the server (ex: ./bin.standalone.sh), but boot fails due to the following port conflicts.
Could you please let us know whether any modifications are needed to the ports or the interface's IP address in the respective files (ex: standalone.xml, host.xml etc.)?
Please provide a suitable solution and tell us in which files modifications need to be made to rectify the following errors, and find the log file for more information.

Thanks in advance.

11:10:48,087 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-5) MSC000001: Failed to start service org.wildfly.undertow.listener.default: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.default: Address already in use /127.0.0.1:8080
        at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

11:10:48,325 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.management.http.extensible: org.jboss.msc.service.StartException in service org.wildfly.management.http.extensible: java.net.BindException: Address already in use /127.0.0.1:9990
        at org.jboss.as.server.mgmt.UndertowHttpManagementService.start(UndertowHttpManagementService.java:340)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

11:10:48,388 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service org.wildfly.undertow.listener.https: org.jboss.msc.service.StartException in service org.wildfly.undertow.listener.https: Address already in use /127.0.0.1:8443
        at org.wildfly.extension.undertow.ListenerService.start(ListenerService.java:179)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

failure description: {
    "WFLYCTL0080: Failed services" => {"org.wildfly.management.http.extensible" => "java.net.BindException: Address already in use /127.0.0.1:9990"},
    "WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
        "Services that were unable to start:" => ["org.wildfly.management.http.extensible.shutdown"],
        "Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
    }
}

11:10:49,024 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0288: One or more services were unable to start due to one or more indirect dependencies not being available." => {
    "Services that were unable to start:" => [
        "jboss.deployment.discovery.\"keycloak-server.war\"",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"com.sun.faces.config.ConfigureListener\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.faces.webapp.FacetTag\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.PermittedTaglibsTLV\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"javax.servlet.jsp.jstl.tlv.ScriptFreeTLV\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"org.jboss.resteasy.plugins.server.servlet.HttpServlet30Dispatcher\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.filters.KeycloakSessionServletFilter\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".component.\"org.keycloak.services.listeners.KeycloakSessionDestroyListener\".START",
        "jboss.deployment.unit.\"keycloak-server.war\".deploymentCompleteService",
        "jboss.deployment.unit.\"keycloak-server.war\".ejb3.client-context.registration-service",
        "jboss.undertow.deployment.default-server.default-host./auth"
    ],
    "Services that may be the cause:" => ["jboss.remoting.remotingConnectorInfoService.http-remoting-connector"]
}}

BR
Salam
From eivind at jotta.no Mon Jul 2 05:18:45 2018
From: eivind at jotta.no (Eivind Larsen)
Date: Mon, 2 Jul 2018 05:18:45 -0400
Subject: [keycloak-user] Opening reset password link in a different browser

Hi

We are running Keycloak 3.4.3.Final. It seems that opening a reset password link in a different browser than the one it was created in results in a 400 Bad Request with the message 'Login requester not enabled', and renders the user unable to reset credentials. This is an issue, especially for users on mobile, who often use sandboxed web views.

Is anyone else seeing this? Is this a known issue?

Best regards,
Eivind Larsen

From iali at an10.io Mon Jul 2 05:28:38 2018
From: iali at an10.io (aliartiza75)
Date: Mon, 2 Jul 2018 02:28:38 -0700 (MST)
Subject: [keycloak-user] grant_type is not provided in the POST request call
Message-ID: <1530523718822-0.post@n6.nabble.com>

Hello everyone,

I am trying to authenticate the user using this endpoint:
http://localhost:8080/auth/realms/nodejs-example/protocol/openid-connect/token

When I use the curl request:

/**** Request Example *****/
curl -d "client_secret=17823f90-c7c5-4f07-a78d-f7632a8dee16" \
     -d "client_id=nodejs-connect" \
     -d "username=XXX" \
     -d "password=XXX" \
     -d "grant_type=password" \
     "http://localhost:8080/auth/realms/nodejs-example/protocol/openid-connect/token"

I am able to authenticate the user and get the response in JSON format.
But when I try to do the same thing using the Node requestify module, it raises the "grant_type not provided" issue:

/**** Code Example *****/
var requestify = require('requestify');

requestify.post('http://localhost:8080/auth/realms/nodejs-example/protocol/openid-connect/token', {
    client_secret: '17823f90-c7c5-4f07-a78d-f7632a8dee16',
    client_id: 'nodejs-connect',
    username: 'XXX',
    password: 'XXX',
    grant_type: 'password'
})
.then(function(response) {
    console.log(response.getBody());
}).catch((e) => {
    console.log(e);
});

The same issue also occurs when I use Postman to perform the same task.
Is this issue related to Keycloak or on my side?

Thank you.

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From dt at acutus.pro Mon Jul 2 06:38:18 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 02 Jul 2018 13:38:18 +0300
Subject: [keycloak-user] Enabling Identity provider alone
In-Reply-To: <602469538.1281007.1530515985637@mail.yahoo.com>
References: <602469538.1281007.1530515985637.ref@mail.yahoo.com> <602469538.1281007.1530515985637@mail.yahoo.com>
Message-ID: <1530527898.4481.10.camel@acutus.pro>

Madhu,

I think that initially this was supposed to work without the "manage-realm" role. If you grant a user the "manage-identity-providers" role only, you'll see a perfect picture in the GUI: just the "Identity providers" section, and nothing more. However, if you try to actually add a provider, you'll get a 403 Forbidden upon a request to the /auth/admin/realms/$REALM/authentication/flows endpoint.

To render the identity provider creation form, the GUI indeed needs to retrieve a list of authentication flows for the realm. Unfortunately, in the REST resource it is hardcoded that the user needs to be checked for the "view-realm" role (see org.keycloak.services.resources.admin.AuthenticationManagementResource::getFlows).

I think this is a perfect candidate for an RFE, since "view-realm" is indeed too wide for the flows endpoint.
I'd suggest that the restriction be changed to "view-realm OR manage-identity-providers". You can create a JIRA issue for that, and at the moment resort to one of the workarounds:
- fix AuthenticationManagementResource::getFlows yourself and recompile Keycloak (easier to do, but harder to maintain);
- create a custom REST endpoint for flows with relaxed permissions, then create a custom GUI theme to use that endpoint instead of the standard one.

Please note that granting manage-realm + manage-identity-providers and tweaking the GUI theme to exclude unwanted elements is generally a bad idea, since a rogue user will still be able to directly invoke REST endpoints to do some nasty stuff.

I'm not sure if authorization / fine-grained permissions are relevant here, but let's see what Pedro Igor says on that.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> Hi,
> I want to disable client, Realm management, Authentication and Roles, and want to create a user who will be able to provide only Identity provider/broker integration.
> I understand the user needs to be in manage-identity-providers and manage-realm for doing this activity. But with manage-realm the user also has access to the role creation, authentication and realm setting tabs. Any way to disable these, without going for customized themes or changing the FTL?
> I am looking for an authorization model based solution.
> Regards,
> Madhu

From kkcmadhu at yahoo.com Mon Jul 2 07:42:34 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Mon, 2 Jul 2018 11:42:34 +0000 (UTC)
Subject: [keycloak-user] Enabling Identity provider alone
In-Reply-To: <1530527898.4481.10.camel@acutus.pro>
References: <602469538.1281007.1530515985637.ref@mail.yahoo.com> <602469538.1281007.1530515985637@mail.yahoo.com> <1530527898.4481.10.camel@acutus.pro>
Message-ID: <1326728223.1464638.1530531754249@mail.yahoo.com>

Thanks Dmitry for the quick response.

I have raised [KEYCLOAK-7753] Need view/manage realm access for creating identity provider - JBoss Issue Tracker for the same.

Agree with you that disabling in the Admin console UI will not be a great idea. Is there any standard practice / documentation for selectively restricting REST APIs? As far as I read the documentation, the recommendation seems to be to customize REST endpoints or not deploy them at all.

On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin
wrote:
> [...]
From noircc at gmail.com Mon Jul 2 07:50:09 2018
From: noircc at gmail.com (SW)
Date: Mon, 2 Jul 2018 04:50:09 -0700 (MST)
Subject: [keycloak-user] SSL-Problem with KeycloakOIDCFilter when "Touching" WAR-File instead of restarting
Message-ID: <1530532209348-0.post@n6.nabble.com>

Good day everyone,

well, this is kind of a tricky problem, but maybe someone can help me.

I have two server instances:
- The first instance is kind of a testing stage and is secured by the keycloak-oidc-filter, where the Keycloak server is accessed with the help of a self-signed SSL certificate.
- The other one is kind of production and is secured by the keycloak-oidc-filter, where the Keycloak server is accessed with a bought SSL certificate.

Both of them work with the certificates. No problem, but... when I want to reload some properties and touch the production WAR file via the command line, I get the following error:

So I need to restart the production server to get this thing working again.
It seems to me that the KeycloakOIDC filter can't connect to my HTTPS Keycloak instance; the filter seems to go into an unstable state when the touch occurs, and the restart resets everything.

The strange thing is that my test server with the self-signed certs doesn't have the same problem.

regards && tia
Sebastian

--
Sent from: http://keycloak-user.88327.x6.nabble.com/

From corentin.dupont at gmail.com Mon Jul 2 09:05:27 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 2 Jul 2018 15:05:27 +0200
Subject: [keycloak-user] NPE when requesting authorization

Hi guys,

I got this error when requesting authorization on a resource:

$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
    -H "Authorization: Bearer $USERTOKEN" \
    -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=Sensortest#sensors:view"
{"error":"server_error","error_description":"Unexpected error while evaluating permissions"}

On the server side I get:

12:42:11,821 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-16) Unexpected error while evaluating permissions: java.lang.NullPointerException
        at org.keycloak.authorization.util.Permissions.permits(Permissions.java:194)
        at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:173)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1124)
        at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
        at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)

I got my token this way:

USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
    -d 'username=guest&password=guest&grant_type=password&client_id=api-server&client_secret=xxx' \
    "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`

This seems to happen for scope-based policies.

Cheers
Corentin

From Stefan.Wachter at gmx.de Mon Jul 2 10:39:47 2018
From: Stefan.Wachter at gmx.de (Stefan Wachter)
Date: Mon, 2 Jul 2018 16:39:47 +0200
Subject: [keycloak-user] "My Resources" option missing in Account Management Interface

From thesofiane at gmail.com Mon Jul 2 11:15:39 2018
From: thesofiane at gmail.com (So Be)
Date: Mon, 2 Jul 2018 17:15:39 +0200
Subject: [keycloak-user] How to specify local Gitlab HOST
In-Reply-To: <1530520492.4481.3.camel@acutus.pro>
References: <1530520492.4481.3.camel@acutus.pro>

Thank you Dmitry!

I am running the Keycloak server in a Docker container.
How can I compile it again?

On Mon, Jul 2, 2018 at 10:34 AM, Dmitry Telegin
wrote:
> Sofiane,
>
> Currently, GitLab URLs are hardcoded [1]. However, you can create your own social identity provider with correct URLs, based on GitLabIdentityProvider, compile it and deploy it to your Keycloak instance. See [2] for details on how to build and deploy custom providers to Keycloak.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/gitlab/GitLabIdentityProvider.java#L48
> [2] https://www.keycloak.org/docs/latest/server_development/index.html#_providers
>
> On Mon, 2018-07-02 at 09:11 +0200, So Be wrote:
> > Hi,
> >
> > I configured Keycloak to work with our GitLab instance, but it is still redirecting to the global GitLab.
> > In the Keycloak configuration page I see no entry about the URL of GitLab.
> > How and where can I set this up?
> > I suppose through an env variable.
> >
> > Thank you.
> >
> > Regards
> >
> > Sofiane.

From romain.rhieu at gmail.com Mon Jul 2 11:41:51 2018
From: romain.rhieu at gmail.com (Romain Rhieu)
Date: Mon, 2 Jul 2018 17:41:51 +0200
Subject: [keycloak-user] Simulate / call check-sso with curl

Hi Christophe,

I have the same need. Have you found a solution?

I think that using the OIDC specification http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest should do the trick.

Example:

http://localhost/auth/realms/master/protocol/openid-connect/auth?
    response_mode=query&
    response_type=code&
    client_id=my-app&
    prompt=none&
    redirect_uri=http://local.my-app.fr&
    scope=openid&
    nonce=032457f1-e946-46e4-87b1-cd1128e8dc70

What do you think about it?
Thanks

From corentin.dupont at gmail.com Mon Jul 2 11:43:29 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 2 Jul 2018 17:43:29 +0200
Subject: [keycloak-user] Retrieve all permissions

Hi again,

with Keycloak 4, is there a way to retrieve all permissions (like with the old entitlement API)?

From chris.savory at edlogics.com Mon Jul 2 12:10:38 2018
From: chris.savory at edlogics.com (Chris Savory)
Date: Mon, 2 Jul 2018 16:10:38 +0000
Subject: [keycloak-user] Opening reset password link in a different browser
Message-ID: <179042D9-C3C5-4780-9B7C-80C2FF6F6777@edlogics.com>

Sounds similar to https://issues.jboss.org/browse/KEYCLOAK-7458

--
Christopher Savory

On 7/2/18, 4:18 AM, "keycloak-user-bounces at lists.jboss.org on behalf of Eivind Larsen" wrote:
> [...]

From alvaro.abella at bluetab.net Mon Jul 2 12:12:34 2018
From: alvaro.abella at bluetab.net (Alvaro Abella)
Date: Mon, 2 Jul 2018 18:12:34 +0200
Subject: [keycloak-user] Keycloak User Storage SPI with external data base based on Spring Security

Hi,

I followed this example https://github.com/keycloak/keycloak-quickstarts/tree/latest/user-storage-jpa and modified it to connect to my Oracle database after a little work with JBoss.
Now, I can view all users in my Keycloak admin panel, but I can't log in with them into their account because the passwords are cyphered with Bcrypt.

How do you usually deal with these situations? Has anyone integrated a Spring-Security-based database with Keycloak?

Thanks!

--
Álvaro Abella González
alvaro.abella at bluetab.net

From soumya.mishra at aktana.com Mon Jul 2 13:29:07 2018
From: soumya.mishra at aktana.com (Soumya Mishra)
Date: Mon, 2 Jul 2018 10:29:07 -0700
Subject: [keycloak-user] Offline_access token expires or goes stale in random manner

Hello,

I had set offline access tokens for a lot of users at the same time. Their Offline Session Idle timeout has been set to a very high number so that it expires rarely. But I have noticed lately that some of the tokens are expiring in a random manner. No clue what the problem is or how I can debug it. Can you throw some light on what the problems might be?

I have a setup of a 3-node Keycloak instance talking to each other via the multicast protocol.

Regards,
Soumya

From dt at acutus.pro Mon Jul 2 16:14:46 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 02 Jul 2018 23:14:46 +0300
Subject: [keycloak-user] Keycloak Server boot has failed in an unrecoverable manner
Message-ID: <1530562486.19951.1.camel@acutus.pro>

Salam,

Running bin/standalone.sh doesn't restart the server, it starts another instance (which obviously fails to boot due to the ports being occupied by the previous instance). If you're using Docker, you can simply restart the corresponding container.

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-02 at 14:34 +0530, Shaik Salam wrote:
> [...]
From dt at acutus.pro Mon Jul 2 16:49:01 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 02 Jul 2018 23:49:01 +0300
Subject: [keycloak-user] Enabling Identity provider alone
In-Reply-To: <1326728223.1464638.1530531754249@mail.yahoo.com>
References: <602469538.1281007.1530515985637.ref@mail.yahoo.com> <602469538.1281007.1530515985637@mail.yahoo.com> <1530527898.4481.10.camel@acutus.pro> <1326728223.1464638.1530531754249@mail.yahoo.com>
Message-ID: <1530564541.19951.3.camel@acutus.pro>

Hi Madhu,

On Mon, 2018-07-02 at 11:42 +0000, Madhu wrote:
> Agree with you that disabling in the Admin console UI will not be a great idea. Is there any standard practice / documentation for selectively restricting REST APIs?

Not that I know of, unfortunately. Access control to most APIs is role-based, and the only way to restrict access is to not grant a particular role to a user. I was thinking about enabling authorization on the security-admin-console client, but my straightforward attempt failed: simply turning on authorization results in an infinite loop and tons of 500 Internal Server Errors. Our authorization guru is Pedro Igor Silva; I hope he sheds some light on the situation.

> As far as I read the documentation, the recommendation seems to be to customize REST endpoints or not deploy them at all.

Not sure if I got it right ("not to deploy them at all"), could you point to the docs please?

Dmitry

> > On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin
> > wrote:
> > [...]
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> > Hi,
> > I want to disable client, Realm management, Authentication and Roles and want to create a user who will be able to provide only Identity provider/broker integration.
> > I understand user needs to be in manage-identity-providers and manage-realm for doing this activity. But with manage realm user also has access to role creation, authentication and realm setting tabs. Any way to disable these, without going for customized themes or changing the FTL?
> > I am looking for authorization model based solution.
> > Regards, Madhu
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 2 16:58:51 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 02 Jul 2018 23:58:51 +0300
Subject: [keycloak-user] How to specify local Gitlab HOST
In-Reply-To:
References: <1530520492.4481.3.camel@acutus.pro>
Message-ID: <1530565131.19951.5.camel@acutus.pro>

Hi,

On Mon, 2018-07-02 at 17:15 +0200, So Be wrote:
> Thank you Dmitry!

You're welcome :)

> I am running keycloak server in docker container.
> How can I compile it again?

You needn't recompile the entire Keycloak. One of Keycloak's cool features is that you can build your extension as a separate JAR and deploy it to your Keycloak instance. In your case, the JAR will contain just three files (factory class, provider class, service descriptor). You'll then need to drop it to $KEYCLOAK_HOME/standalone/deployments directory, and it will be picked up by Keycloak. I suggest that you make this directory a Docker volume, so that it would be persisted and accessible directly from the host.
This will also guarantee that your customization survives Keycloak image upgrades. Cheers, Dmitry > > On Mon, Jul 2, 2018 at 10:34 AM, Dmitry Telegin
> wrote:
> > Sofiane,
> >
> > Currently, GitLab URLs are hardcoded [1]. However, you can create your own social identity provider with correct URLs, based on GitLabIdentityProvider, compile it and deploy to your Keycloak instance.
> > See [2] for details on how to build and deploy custom providers to Keycloak.
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > + 42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > [1] https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/social/gitlab/GitLabIdentityProvider.java#L48
> > [2] https://www.keycloak.org/docs/latest/server_development/index.html#_providers
> >
> > On Mon, 2018-07-02 at 09:11 +0200, So Be wrote:
> > > Hi,
> > >
> > > I configured keycloak to work with our GITLAB instance but still redirecting to the global gitlab.
> > > In keycloak configuration page I see no entry about the url of gitlab.
> > > How and where can I set up this?
> > > I suppose through env variable.
> > >
> > > Thank you.
> > >
> > > Regards
> > >
> > > Sofiane.
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 2 17:13:50 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 03 Jul 2018 00:13:50 +0300
Subject: [keycloak-user] Keycloak User Storage SPI with external data base based on Spring Security
In-Reply-To:
References:
Message-ID: <1530566030.19951.7.camel@acutus.pro>

Hi Alvaro,

In addition to user storage provider, you'll need to implement a org.keycloak.credential.hash.PasswordHashProvider. Use Pbkdf2PasswordHashProvider as a reference.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-02 at 18:12 +0200, Alvaro Abella wrote:
> Hi,
> I followed this example https://github.com/keycloak/keycloak-quickstarts/tree/latest/user-storage-jpa and I modified it to connect with my Oracle database after a little work with Jboss.
> Now, I can view all users on my Keycloak admin panel, but I can't login with them into their account because passwords are ciphered with Bcrypt.
> How do you usually deal with these situations? Has anyone integrated a Spring-Security-based database with keycloak?
>
> Thanks!

From eduard.matuszak at worldline.com Tue Jul 3 04:03:54 2018
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Tue, 3 Jul 2018 08:03:54 +0000
Subject: [keycloak-user] Download jks-file for a confidential client
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D7382C5E4B@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

I tried to get the jks-keystore file for a confidential client residing in a realm by utilizing the API ../certificates/jwt.credential/download

While generating and downloading via ../certificates/jwt.credential/generate-and-download works fine, giving a .jks-file of about 2 kb in size, the pure download afterwards also gives a .jks-file, but with only about 700 bytes in size.

Both files are inspectable by keytool

keytool -list -keystore keycloak-testrealm-testclient-client.jks -storepass Pw_Kc_Str -v

, where the "generate-and-download"-file in addition gives a warning that a proprietary format is used.

It turns out that the creation of a token for the confidential client via the keystore-file fails with the tiny, simply "downloaded" .jks-file, whereas it works fine by taking the bigger "generate-and-download"ed jks-file.

My question is: Is this a bug, that "..
/certificates/jwt.credential/download" does not return the same (and proper) .jks-file as "../certificates/jwt.credential/generate-and-download", or is it possible to download the correct working .jks by other means? Inspection of Keycloak's class ClientAttributeCertificateResource did not give any suggestions to me.

Best regards,
Eduard Matuszak

PS: My Keycloak version is 2.5.5

Attachment: Here the test-bashscript I used

# -----------------------------------------------------------------------------------------------
# TEST SCRIPT
# Test if Keycloak store for client in a realm exists, create if not existing. Download in any case
# ------------------------------------------------------------------------------------------------

# TEST PARAMETERS
KEYCLOAK_HOST=
kcEndpoint="http://$KEYCLOAK_HOST:8080"
KEYCLOAK_ADMIN_PASSWORD=
realmName=testrealm
clientName=testclient
kcFileNamePart=${realmName}
# TEST PARAMETERS END

echo "Getting an Access Token from Keycloak"
curl -s -D/tmp/http-result \
  -d "username=admin" \
  -d "password=$KEYCLOAK_ADMIN_PASSWORD" \
  -d "grant_type=password" \
  -d "client_id=admin-cli" \
  $kcEndpoint/auth/realms/master/protocol/openid-connect/token \
  | sed -n 's .*"access_token":"\([^"]*\)".* \1 p' > /tmp/kc-token
grep HTTP /tmp/http-result

#-----------------------------------------------
#Get clientId of ${clientName} if still existing
#-----------------------------------------------
echo "Get clientId of ${clientName} if still existing"
curlPath=$kcEndpoint/auth/admin/realms/${realmName}/clients
echo "using path $curlPath"
status=$(curl -s -o /dev/null \
  -H "Authorization: Bearer $( Try to download keystore file for ${clientName}
# ----------------------------------------------------------
echo "Keycloak > Try to get the keystore file for ${clientName}"
curlPath=$kcEndpoint/auth/admin/realms/${realmName}/clients/$clientId
curl -s -D/tmp/http-result \
  -H "Authorization: Bearer $( /opt/ccp/auth/keycloak-${kcFileNamePart}-client.jks
grep HTTP 
/tmp/http-result

status404=$(grep HTTP /tmp/http-result | grep -c 404)
status200=$(grep HTTP /tmp/http-result | grep -c 200)

if [ $status404 -ne 0 ] ; then
  echo "No certificate created so far -> Keycloak > Generating ${clientName} client certificate and downloading keystore"
  curlPath=$kcEndpoint/auth/admin/realms/${realmName}/clients/$clientId
  curl -s -D/tmp/http-result \
    -H "Authorization: Bearer $( /opt/ccp/auth/keycloak-${kcFileNamePart}-client.jks
  grep HTTP /tmp/http-result
else
  if [ $status200 -ne 0 ] ; then
    echo "Keycloak > Try to download keystore file for ${clientName}"
    curlPath=$kcEndpoint/auth/admin/realms/${realmName}/clients/$clientId
    curl -s -D/tmp/http-result \
      -H "Authorization: Bearer $( /opt/ccp/auth/keycloak-${kcFileNamePart}-client.jks
    grep HTTP /tmp/http-result
  else
    echo "Could not test for certificate existence for client ${clientName}"
    exit 1
  fi
fi

From federico at info.nl Tue Jul 3 04:17:18 2018
From: federico at info.nl (Federico Navarro Polo - Info.nl)
Date: Tue, 3 Jul 2018 08:17:18 +0000
Subject: [keycloak-user] why were admin-cli scopes removed?
Message-ID:

Hello,

We recently upgraded our Keycloak version to a more recent one, and found out that the scopes of the admin-cli client were updated. After looking in JIRA, I found this issue https://issues.jboss.org/browse/KEYCLOAK-5724 , which probably is the reason for it. However, it's not clear to me what exactly the reason was. Was it removed only because the token was growing too long, or were there any security concerns in regards to the client scope?
Kind regards,

Federico Navarro
backend developer
federico at info.nl | LinkedIn | info.nl
Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100

From K.Buler at adbglobal.com Tue Jul 3 04:27:32 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Tue, 3 Jul 2018 10:27:32 +0200
Subject: [keycloak-user] x509 authentication - two fields
Message-ID: <43bee7ed-c039-c2a8-1827-093d34182897@adbglobal.com>

Hi Keycloaks :)

I want to use two fields from the certificate in the x509 authentication flow. Is there any possibility to do that out of the box, or do I have to implement my own custom authentication mechanism using the Authentication SPI?

Karol

adbglobal.com

This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED. Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.

From triton.oidc at gmail.com Tue Jul 3 05:19:25 2018
From: triton.oidc at gmail.com (triton oidc)
Date: Tue, 3 Jul 2018 09:19:25 +0000
Subject: [keycloak-user] Create new authentication flow using kcadm in Docker
Message-ID:

Hi,

I'm using a docker image, and in the build, I'd like to create a new flow.
However I could not find a way to do this in the CLI.
Doing it in the GUI is not really what I want.

When I try
./kcadm.sh create authentication/flows
I get a
HTTP error - 415 Unsupported Media Type

Does this mean it's not possible?
If so, should I create a feature request?
My company pays a lot for Red Hat support, so they could support this feature.

Thanks for any help

Amaury

From kkcmadhu at yahoo.com Tue Jul 3 05:37:19 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Tue, 3 Jul 2018 09:37:19 +0000 (UTC)
Subject: [keycloak-user] Enabling Identity provider alone
In-Reply-To: <1530564541.19951.3.camel@acutus.pro>
References: <602469538.1281007.1530515985637.ref@mail.yahoo.com> <602469538.1281007.1530515985637@mail.yahoo.com> <1530527898.4481.10.camel@acutus.pro> <1326728223.1464638.1530531754249@mail.yahoo.com> <1530564541.19951.3.camel@acutus.pro>
Message-ID: <2023925640.1965513.1530610639827@mail.yahoo.com>

> Agree with you that disabling in Admin console ui, will not be a
> great idea, is there any standard practice /documentation for
> selectively restricting rest apis?

Not that I know of unfortunately. Access control to most APIs is role-based, and the only way to restrict access is to not grant a particular role to a user.

I was thinking about enabling authorization on security-admin-console client, but my straightforward attempt failed - simply turning on authorization results in an infinite loop and tons of 500 Internal Server Errors. Our authorization guru is Pedro Igor Silva, I hope he sheds some light on the situation.

> As far as i read the documentation, the recommendation seems to be to
> customize rest endpoints are not deploy them at all..?

>> Not sure if I got it right ("not to deploy them at all"), could you
>> point to the docs please?

Sorry, my bad.. it was not a document, but a user thread, refer to "[keycloak-user] Limiting the admin REST API".

On Tuesday, 3 July, 2018, 2:19:08 AM IST, Dmitry Telegin
wrote:

Hi Madhu,

On Mon, 2018-07-02 at 11:42 +0000, Madhu wrote:
> Agree with you that disabling in Admin console ui, will not be a
> great idea, is there any standard practice /documentation for
> selectively restricting rest apis?

Not that I know of unfortunately. Access control to most APIs is role-based, and the only way to restrict access is to not grant a particular role to a user.

I was thinking about enabling authorization on security-admin-console client, but my straightforward attempt failed - simply turning on authorization results in an infinite loop and tons of 500 Internal Server Errors. Our authorization guru is Pedro Igor Silva, I hope he sheds some light on the situation.

> As far as i read the documentation, the recommendation seems to be to
> customize rest endpoints are not deploy them at all..?

Not sure if I got it right ("not to deploy them at all"), could you point to the docs please?

Dmitry

> On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin
> wrote:
>
> Madhu,
>
> I think that initially this was supposed to work without "manage-realm" role. If you grant a user "manage-identity-providers" role only, you'll see a perfect picture in the GUI: just the "Identity providers" section, and nothing more. However if you try to actually add a provider, you'll get a 403 Forbidden upon a request to /auth/admin/realms/$REALM/authentication/flows endpoint.
>
> To render the identity provider creation form, the GUI indeed needs to retrieve a list of authentication flows for the realm. Unfortunately, in the REST resource it is hardcoded that the user needs to be checked for "view-realm" role (see org.keycloak.services.resources.admin.AuthenticationManagementResource::getFlows).
>
> I think this is a perfect candidate for RFE, since "view-realm" is indeed too wide for the flows endpoint. I'd suggest that the restriction be changed to "view-realm OR manage-identity-providers". You can create a JIRA issue for that, and at the moment resort to one of the workarounds:
> - fix AuthenticationManagementResource::getFlows yourself and recompile Keycloak (easier to do, but harder to maintain);
> - create a custom REST endpoint for flows with relaxed permissions, then create a custom GUI theme to use that endpoint instead of the standard one.
>
> Please note that granting manage-realm + manage-identity-providers and tweaking the GUI theme to exclude unwanted elements is generally a bad idea, since a rogue user will still be able to directly invoke REST endpoints to do some nasty stuff.
>
> I'm not sure if authorization / fine-grained permissions are relevant here, but let's see what Pedro Igor says on that.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote:
> > Hi,
> > I want to disable client, Realm management, Authentication and Roles and want to create a user who will be able to provide only Identity provider/broker integration.
> > I understand user needs to be in manage-identity-providers and manage-realm for doing this activity. But with manage realm user also has access to role creation, authentication and realm setting tabs. Any way to disable these, without going for customized themes or changing the FTL?
> > I am looking for authorization model based solution.
> > Regards, Madhu
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Tue Jul 3 07:09:21 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 03 Jul 2018 14:09:21 +0300
Subject: [keycloak-user] Create new authentication flow using kcadm in Docker
In-Reply-To:
References:
Message-ID: <1530616161.7608.1.camel@acutus.pro>

Hi,

To create a flow with kcadm, you need to provide the necessary fields:

./kcadm.sh create authentication/flows -s alias=foo -s providerId=basic-flow -s topLevel=true
Created new flow with id 'dd756392-a1ec-4704-b134-713f47796418'

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

> Hi,
>
> I'm using a docker image, and in the build, I'd like to create a new flow.
> However I could not find a way to do this in the CLI.
> Doing it in the GUI is not really what I want.
>
> When I try
> ./kcadm.sh create authentication/flows
> I get a
> HTTP error - 415 Unsupported Media Type
>
> Does this mean it's not possible?
> If so should a create a feature request ? > my company pay a lot of redhat support, so they could support this > feature. > > Thanks for any help > > Amaury > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Tue Jul 3 07:15:35 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 3 Jul 2018 08:15:35 -0300 Subject: [keycloak-user] Enabling Identity provider alone In-Reply-To: <1530564541.19951.3.camel@acutus.pro> References: <602469538.1281007.1530515985637.ref@mail.yahoo.com> <602469538.1281007.1530515985637@mail.yahoo.com> <1530527898.4481.10.camel@acutus.pro> <1326728223.1464638.1530531754249@mail.yahoo.com> <1530564541.19951.3.camel@acutus.pro> Message-ID: On Mon, Jul 2, 2018 at 5:49 PM, Dmitry Telegin
wrote: > Hi Madhu, > > On Mon, 2018-07-02 at 11:42 +0000, Madhu wrote: > > > Agree with you that disabling in Admin console ui, will not be a > > great idea, is there any standard practice /documentation for > > selectively restricting rest apis? > > Not that I know of unfortunately. Access control to most APIs is role- > based, and the only way to restrict access is to not to grant > particular role to a user. > > I was thinking about enabling authorization on security-admin-console > client, but my straightforward attempt failed - simply turning on > authorization results in an infinite loop and tons of 500 Internal > Server Errors. Our authorization guru is Pedro Igor Silva, I hope he > sheds some light on the situation. > I was able to reproduce the issue. It happens because when obtaining client config for admin console, the client manager is not properly initialized. Created https://issues.jboss.org/browse/KEYCLOAK-7763. Regarding enabling authz on security-admin-console. This won't work because we also need changes to admin console/apis to enforce permission. I've replied to another thread about fine-grained permissions in admin console and rest apis. We are still using roles and we also lack specific permissions for some parts of admin console/apis. That is something we are planing to review and improve in the future. > > > As far as i read the documentation, the recommendation seems to be to > > customize rest endpoints are not deploy them at all.. > > Not sure if I got it right ("not to deploy them at all"), could you > point to the docs please? > > Dmitry > > > > > On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin
> o> wrote: > > > > > > Madhu, > > > > I think that initially this was supposed to work without "manage- > > realm" role. If you grant a user "manage-identity-providers" role > > only, you'll see a perfect picture in the GUI: just the "Identity > > providers" section, and nothing more. However if you try to actually > > add a provider, you'll get a 403 Forbidden upon a request to > > /auth/admin/realms/$REALM/authentication/flows endpoint. > > > > To render the identity provider creation form, the GUI indeed needs > > to retrieve a list of authentication flows for the realm. > > Unfortunately, in the REST resource it is hardcoded that the user > > needs to be checked for "view-realm" role (see > > org.keycloak.services.resources.admin.AuthenticationManagementResourc > > e::getFlows). > > > > I think this is a perfect candidate for RFE, since "view-realm" is > > indeed too wide for the flows endpoint. I'd suggest that the > > restriction be changed to "view-realm OR manage-identity-providers". > > You can create a JIRA issue for that, and at the moment resort to one > > of the workarounds: > > - fix AuthenticationManagementResource::getFlows yourself and > > recompile Keycloak (easier to do, but harder to maintain); > > - create a custom REST endpoint for flows with relaxed permissions, > > then create a custom GUI theme to use that endpoint instead of the > > standard one. > > > > Please note that granting manage-realm + manage-identity-providers > > and tweaking the GUI theme to exclude unwanted elements is generally > > a bad idea, since a rogue user will still be able to directly invoke > > REST endpoints to do some nasty stuff. > > > > I'm not sure if authorization / fine-grained permissions are relevant > > here, but let's see what Pedro Igor says on that. > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. 
> > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > + 42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote: > > > Hi , > > > I want to disable client, Realm management, Authentication and > > > Roles and want to create a user who will be able to provide only > > > Identity provider/broker integration. > > > I understand user needs to be in manage-identity-providers and > > > manage-realm for doing this activity. But with manage realm user > > > also has access to role creation,authenciation and realm setting > > > tabs. Any way to disable these, without going for customized themes > > > or changing the FTL? > > > I am looking for authorization model based solution. > > > Regards,Madhu > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Tue Jul 3 07:19:26 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 3 Jul 2018 08:19:26 -0300 Subject: [keycloak-user] Retrieve all permissions In-Reply-To: References: Message-ID: Hi, See https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions. Second example. Just send an authorization request to token endpoint with any "ticket" or "permission". On Mon, Jul 2, 2018 at 12:43 PM, Corentin Dupont wrote: > Hi again, > with Keycloak 4, is there a way to retrieve all permissions (like with the > old entitlement API)? 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Tue Jul 3 07:20:53 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 3 Jul 2018 08:20:53 -0300 Subject: [keycloak-user] "My Resources" option missing in Account Management Interface In-Reply-To: References: Message-ID: I've updated docs to next release. You need to enable "User-Managed Access" on "Realm Settings". On Mon, Jul 2, 2018 at 11:39 AM, Stefan Wachter wrote: > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Tue Jul 3 07:34:36 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 3 Jul 2018 08:34:36 -0300 Subject: [keycloak-user] NPE when requesting authorization In-Reply-To: References: Message-ID: Could you give export your authz settings ? I tried to reproduce the error using a scope permission with no success. On Mon, Jul 2, 2018 at 10:05 AM, Corentin Dupont wrote: > Hi guys, > I got this error when requesting authorization on a resource: > > $ curl -X POST > http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H > "Authorization: Bearer $USERTOKEN" -d > "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket& > audience=api-server&permission=Sensortest#sensors:view" > > {"error":"server_error","error_description":"Unexpected error while > evaluating permissions"} > > On the server side I get: > > 12:42:11,821 ERROR > [org.keycloak.authorization.authorization.AuthorizationTokenService] > (default task-16) Unexpected error while evaluating permissions: > java.lang.NullPointerException > at > org.keycloak.authorization.util.Permissions.permits(Permissions.java:194) > at > org.keycloak.authorization.authorization.AuthorizationTokenService. 
> authorize(AuthorizationTokenService.java:173) > at > org.keycloak.protocol.oidc.endpoints.TokenEndpoint. > permissionGrant(TokenEndpoint.java:1124) > at > org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest( > TokenEndpoint.java:190) > at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > > > I got my token this way: > USERTOKEN=`curl -X POST -H "Content-Type: > application/x-www-form-urlencoded" -d > 'username=guest&password=guest&grant_type=password& > client_id=api-server&client_secret=xxx' > "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | > jq .access_token -r` > > This seems to happen for scope-based policies. > > Cheers > Corentin > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From corentin.dupont at gmail.com Tue Jul 3 08:06:22 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 3 Jul 2018 14:06:22 +0200 Subject: [keycloak-user] Retrieve all permissions In-Reply-To: References: Message-ID: Thanks, it worked when specifying also the audience with the client name: curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=myclient" On Tue, Jul 3, 2018 at 1:19 PM, Pedro Igor Silva wrote: > Hi, > > See https://www.keycloak.org/docs/latest/authorization_ > services/index.html#_service_obtaining_permissions. Second example. > > Just send an authorization request to token endpoint with any "ticket" or > "permission". 
> > On Mon, Jul 2, 2018 at 12:43 PM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> Hi again, >> with Keycloak 4, is there a way to retrieve all permissions (like with the >> old entitlement API)? >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From psilva at redhat.com Tue Jul 3 08:15:57 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 3 Jul 2018 09:15:57 -0300 Subject: [keycloak-user] NPE when requesting authorization In-Reply-To: References: Message-ID: OK. Found the issue. Will fix it. Problem is that Sensortest does not exist and program enters in a state that a resource-less permission causes that error. On Mon, Jul 2, 2018 at 10:05 AM, Corentin Dupont wrote: > Hi guys, > I got this error when requesting authorization on a resource: > > $ curl -X POST > http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H > "Authorization: Bearer $USERTOKEN" -d > "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket& > audience=api-server&permission=Sensortest#sensors:view" > > {"error":"server_error","error_description":"Unexpected error while > evaluating permissions"} > > On the server side I get: > > 12:42:11,821 ERROR > [org.keycloak.authorization.authorization.AuthorizationTokenService] > (default task-16) Unexpected error while evaluating permissions: > java.lang.NullPointerException > at > org.keycloak.authorization.util.Permissions.permits(Permissions.java:194) > at > org.keycloak.authorization.authorization.AuthorizationTokenService. > authorize(AuthorizationTokenService.java:173) > at > org.keycloak.protocol.oidc.endpoints.TokenEndpoint. 
> permissionGrant(TokenEndpoint.java:1124) > at > org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest( > TokenEndpoint.java:190) > at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > > > I got my token this way: > USERTOKEN=`curl -X POST -H "Content-Type: > application/x-www-form-urlencoded" -d > 'username=guest&password=guest&grant_type=password& > client_id=api-server&client_secret=xxx' > "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | > jq .access_token -r` > > This seems to happen for scope-based policies. > > Cheers > Corentin > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Tue Jul 3 08:20:57 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 3 Jul 2018 09:20:57 -0300 Subject: [keycloak-user] Retrieve all permissions In-Reply-To: References: Message-ID: Yeah, for "entitlements" you need to send audience ... otherwise, we don't know which RS you are trying to obtain permissions from ... On Tue, Jul 3, 2018 at 9:06 AM, Corentin Dupont wrote: > Thanks, > it worked when specifying also the audience with the client name: > > curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid- > connect/token -H "Authorization: Bearer $USERTOKEN" -d > "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=myclient" > > On Tue, Jul 3, 2018 at 1:19 PM, Pedro Igor Silva > wrote: > >> Hi, >> >> See https://www.keycloak.org/docs/latest/authorization_servi >> ces/index.html#_service_obtaining_permissions. Second example. >> >> Just send an authorization request to token endpoint with any "ticket" or >> "permission". 
>> >> On Mon, Jul 2, 2018 at 12:43 PM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Hi again, >>> with Keycloak 4, is there a way to retrieve all permissions (like with >>> the >>> old entitlement API)? >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From corentin.dupont at gmail.com Tue Jul 3 09:39:21 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 3 Jul 2018 15:39:21 +0200 Subject: [keycloak-user] NPE when requesting authorization In-Reply-To: References: Message-ID: Yes, I see that this error happens when the resource does not exists. However, with my user "guest", it happens all the time, even when the resource does exist... On Tue, Jul 3, 2018 at 2:15 PM, Pedro Igor Silva wrote: > OK. Found the issue. Will fix it. Problem is that Sensortest does not > exist and program enters in a state that a resource-less permission causes > that error. 
> > On Mon, Jul 2, 2018 at 10:05 AM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> Hi guys, >> I got this error when requesting authorization on a resource: >> >> $ curl -X POST >> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H >> "Authorization: Bearer $USERTOKEN" -d >> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audi >> ence=api-server&permission=Sensortest#sensors:view" >> >> {"error":"server_error","error_description":"Unexpected error while >> evaluating permissions"} >> >> On the server side I get: >> >> 12:42:11,821 ERROR >> [org.keycloak.authorization.authorization.AuthorizationTokenService] >> (default task-16) Unexpected error while evaluating permissions: >> java.lang.NullPointerException >> at >> org.keycloak.authorization.util.Permissions.permits(Permissions.java:194) >> at >> org.keycloak.authorization.authorization.AuthorizationTokenS >> ervice.authorize(AuthorizationTokenService.java:173) >> at >> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissio >> nGrant(TokenEndpoint.java:1124) >> at >> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGr >> antRequest(TokenEndpoint.java:190) >> at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source) >> at >> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >> thodAccessorImpl.java:43) >> at java.lang.reflect.Method.invoke(Method.java:498) >> >> >> I got my token this way: >> USERTOKEN=`curl -X POST -H "Content-Type: >> application/x-www-form-urlencoded" -d >> 'username=guest&password=guest&grant_type=password&client_ >> id=api-server&client_secret=xxx' >> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >> | >> jq .access_token -r` >> >> This seems to happen for scope-based policies. 
>>
>> Cheers
>> Corentin
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>

From alvaro.abella at bluetab.net Tue Jul 3 10:33:55 2018
From: alvaro.abella at bluetab.net (Alvaro Abella)
Date: Tue, 3 Jul 2018 16:33:55 +0200
Subject: [keycloak-user] Keycloak User Storage SPI with external data base based on Spring Security
In-Reply-To: <1530566030.19951.7.camel@acutus.pro>
References: <1530566030.19951.7.camel@acutus.pro>
Message-ID:

Thanks Dmitry for your orientation.

I found this project https://github.com/leroyguillaume/keycloak-bcrypt while looking into PasswordHashProvider.

I'm a little lost about how to configure my User Storage SPI to connect with my database. The first approach is trying to use BCrypt to cipher the password and compare it with the password stored in the database, but I don't know the salt. I'm trying to discover how Spring Security works.

The only way that I found to connect with a user from this database is to change the password from Keycloak, and then, since the password is stored in plain text, I can log in successfully.

Thanks!

On Mon, Jul 2, 2018 at 11:13 PM, Dmitry Telegin wrote:
> Hi Alvaro,
>
> In addition to user storage provider, you'll need to implement a
> org.keycloak.credential.hash.PasswordHashProvider. Use
> Pbkdf2PasswordHashProvider as a reference.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-07-02 at 18:12 +0200, Alvaro Abella wrote:
> > Hi,
> > I followed this example https://github.com/keycloak/keycloak-quickstarts/tree/latest/user-storage-jpa
> > and I modified it to connect with my Oracle database after a little work with JBoss.
> > Now, I can view all users on my Keycloak admin panel, but I can't log in
> > with them into their accounts because passwords are ciphered with Bcrypt.
> > How do you usually deal with these situations? Has anyone integrated a
> > Spring-Security-based database with Keycloak?
> >
> > Thanks!
> >
>

--
*Álvaro Abella González*
alvaro.abella at bluetab.net

From hylton.peimer at datos-health.com Tue Jul 3 10:40:19 2018
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Tue, 3 Jul 2018 17:40:19 +0300
Subject: [keycloak-user] SAML setup
Message-ID:

I have an application connected to Keycloak using the Spring Boot adaptor. There is a client with Open-Id Connect protocol, and the login page is displayed in Keycloak and everything works.

Recently I've been trying to add SAML support, and make my application an SP. I've done the following with two different IDPs, but neither works:

1) Create a new client for SAML and import the IDP metadata
2) SSO to the application with a POST binding

I get the following lines in the Keycloak docker container log:

14:33:42,922 WARN [org.keycloak.protocol.saml.SamlService] (default task-2) Unknown saml response.
14:33:42,923 WARN [org.keycloak.events] (default task-2) type=LOGOUT_ERROR, realmId=myrealm, clientId=null, userId=null, ipAddress=80.176.43.230, error=invalid_token

How can I debug this?

Hylton

From ntle at castortech.com Tue Jul 3 10:54:54 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Tue, 3 Jul 2018 10:54:54 -0400
Subject: [keycloak-user] keycloak-adapter-core-4.0.0.Final: Invalid version of org.apache.httpcore imported
Message-ID:

Hello,

I'm trying to add the keycloak adapter to the OSGI container Felix using bnd, but I got an error when resolving dependencies:

Resolution failed. Capabilities satisfying the following requirements could not be found:
    [<>]
      ⇒ osgi.identity: (osgi.identity=org.keycloak.keycloak-pax-web-jetty94)
          ⇒ [org.keycloak.keycloak-pax-web-jetty94 version=4.0.0.Final]
              ⇒ osgi.wiring.package: (&(osgi.wiring.package=org.keycloak.adapters.jetty)(version>=4.0.0.Final))
                  ⇒ [org.keycloak.keycloak-jetty94-adapter version=4.0.0.Final]
                      ⇒ osgi.wiring.package: (&(osgi.wiring.package=org.keycloak.adapters)(version>=4.0.0.Final))
                          ⇒ [org.keycloak.keycloak-adapter-core version=4.0.0.Final]
                              ⇒ osgi.wiring.package: (&(osgi.wiring.package=org.apache.http)(version>=4.5.2))

Opening up the manifest of keycloak-adapter-core-4.0.0.Final.jar I found this in the Import-Packages section:

org.apache.http;version="4.5.2"

As I understand, org.apache.http is found in org.apache.httpcomponents:httpcore-osgi, and this bundle has a max version of 4.4.10 as of today on Maven Central. So this requirement will never be resolved by bnd.

I also looked at the keycloak-adapter-core-4.0.0.Final.pom and found the import of all org.apache.http.* requires the same version: org.apache.http.*;version=${apache.httpcomponents.version}. This is wrong because org.apache.http is provided in both apache.httpcomponents.httpclient and apache.httpcomponents.httpcore.

Could anyone verify if this is a build issue and apply a fix?
Thank you Thai Le From psilva at redhat.com Tue Jul 3 11:00:42 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 3 Jul 2018 12:00:42 -0300 Subject: [keycloak-user] NPE when requesting authorization In-Reply-To: References: Message-ID: It should be fixed now in master and available in next release. https://github.com/keycloak/keycloak/pull/5346. Thanks ! On Tue, Jul 3, 2018 at 10:39 AM, Corentin Dupont wrote: > Yes, I see that this error happens when the resource does not exists. > However, with my user "guest", it happens all the time, even when the > resource does exist... > > On Tue, Jul 3, 2018 at 2:15 PM, Pedro Igor Silva > wrote: > >> OK. Found the issue. Will fix it. Problem is that Sensortest does not >> exist and program enters in a state that a resource-less permission causes >> that error. >> >> On Mon, Jul 2, 2018 at 10:05 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Hi guys, >>> I got this error when requesting authorization on a resource: >>> >>> $ curl -X POST >>> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token >>> -H >>> "Authorization: Bearer $USERTOKEN" -d >>> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audi >>> ence=api-server&permission=Sensortest#sensors:view" >>> >>> {"error":"server_error","error_description":"Unexpected error while >>> evaluating permissions"} >>> >>> On the server side I get: >>> >>> 12:42:11,821 ERROR >>> [org.keycloak.authorization.authorization.AuthorizationTokenService] >>> (default task-16) Unexpected error while evaluating permissions: >>> java.lang.NullPointerException >>> at >>> org.keycloak.authorization.util.Permissions.permits(Permissi >>> ons.java:194) >>> at >>> org.keycloak.authorization.authorization.AuthorizationTokenS >>> ervice.authorize(AuthorizationTokenService.java:173) >>> at >>> org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissio >>> nGrant(TokenEndpoint.java:1124) >>> at >>> 
org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGr >>> antRequest(TokenEndpoint.java:190) >>> at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source) >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMe >>> thodAccessorImpl.java:43) >>> at java.lang.reflect.Method.invoke(Method.java:498) >>> >>> >>> I got my token this way: >>> USERTOKEN=`curl -X POST -H "Content-Type: >>> application/x-www-form-urlencoded" -d >>> 'username=guest&password=guest&grant_type=password&client_id >>> =api-server&client_secret=xxx' >>> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >>> | >>> jq .access_token -r` >>> >>> This seems to happen for scope-based policies. >>> >>> Cheers >>> Corentin >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> >> > From triton.oidc at gmail.com Tue Jul 3 11:37:31 2018 From: triton.oidc at gmail.com (triton oidc) Date: Tue, 3 Jul 2018 15:37:31 +0000 Subject: [keycloak-user] Create new authentication flow using kcadm in Docker In-Reply-To: <1530616161.7608.1.camel@acutus.pro> References: <1530616161.7608.1.camel@acutus.pro> Message-ID: Thanks a lot for your answer, and apologies for my lack of search. 
I'm having another issue: I can't add an execution to the newly created flow.

I can create one in the GUI and retrieve it using the get feature:

./kcadm.sh get authentication/flows/dummy-auth/executions -r apprentice
{
  "id" : "cbe89904-c746-48fb-8b44-40d16859765b",
  "requirement" : "DISABLED",
  "displayName" : "Testsuite Dummy Pass Thru",
  "requirementChoices" : [ "REQUIRED" ],
  "configurable" : false,
  "providerId" : "testsuite-dummy-passthrough",
  "level" : 0,
  "index" : 0
}

However, I tried saving the output as a JSON (removing the ID in the JSON, and the execution in the GUI):

./kcadm.sh create authentication/flows/dummy-auth/executions -r apprentice -f myjson.json
./kcadm.sh create authentication/flows/[my-object-ID]/executions -r apprentice -f myjson.json

I get an HTTP error - 405 Method Not Allowed

I'm guessing I'm not using the correct create syntax, but I didn't find the example in the documentation. Does someone have a working example?
If I manage to find the answer I'll reply on the mailing list.

Thanks

On Tue, Jul 3, 2018 at 11:09 AM, Dmitry Telegin wrote:
> Hi,
>
> To create a flow with kcadm, you need to provide the necessary fields:
>
> ./kcadm.sh create authentication/flows -s alias=foo -s providerId=basic-flow -s topLevel=true
> Created new flow with id 'dd756392-a1ec-4704-b134-713f47796418'
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>
> + 42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> Hi,
>
> I'm using a docker image, and in the build, I'd like to create a new flow.
> However I could not find a way to do this in CLI.
> Doing it in the GUI is not really what I want.
>
> When I try
> ./kcadm.sh create authentication/flows
> I get a
> HTTP error - 415 Unsupported Media Type
>
> Does this mean it's not possible?
> If so, should I create a feature request?
> My company pays a lot for Red Hat support, so they could support this feature.
>
> Thanks for any help
>
> Amaury
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From vandana0242 at gmail.com Tue Jul 3 12:18:15 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Tue, 3 Jul 2018 11:18:15 -0500
Subject: [keycloak-user] what is the infinite loop of urls in keycloak SSO configuration
Message-ID:

What is the "infinite loop of URLs" in Keycloak SSO configuration? I found that phrase in the Keycloak conversation below:

http://keycloak-user.88327.x6.nabble.com/keycloak-user-Keycloak-amp-Okta-td2803.html

Thanks,
Vandana

From vandana0242 at gmail.com Tue Jul 3 12:24:03 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Tue, 3 Jul 2018 11:24:03 -0500
Subject: [keycloak-user] Need help on keycloak SSO configuration
Message-ID:

Hello All,

It's been a long time, almost 4 months spent, trying to configure single sign-on for an application which is deployed on a WildFly server. Our env is WildFly 11 Final, using Keycloak final 4.0.0.0.

Till now I have not been able to reach the goal. I need help with the following configuration, especially steps 6 to 11:

1. Set up a client for your application in Keycloak
2. Set up a broker in Keycloak that points to Okta and sets that as the automatic delegate. This means no Keycloak login screen would be shown and it would delegate directly to Okta for authentication.
3. Log into Okta
4. Get to Okta app screen.
5. Click on app link
6. App redirects to Keycloak for authentication
7. Keycloak redirects automatically to Okta
8. Okta sees you are already logged in
9. Redirects back to Keycloak
10. Creates SAML assertion or OIDC token for client
11. Redirects back to app.

Thanks,
Vandana

From Andrew.Schaar at bluestembrands.com Tue Jul 3 17:23:10 2018
From: Andrew.Schaar at bluestembrands.com (Schaar, Andrew)
Date: Tue, 3 Jul 2018 21:23:10 +0000
Subject: [keycloak-user] Authorization header from third party site
Message-ID: <16C6B689-17F3-4C66-BD3A-0EC4125EC1E9@bluestembrands.com>

Hello,

We are receiving authorization headers from a third party that links to our site. The endpoint being hit is not secured via Spring Security; however, because an authorization header is on the request, KeycloakAuthenticationProcessingFilter.java is attempting to authenticate the request. The result is a VerificationException from AdapterRSATokenVerifier and subsequently a 401 and a poor user experience.

I am wondering if you have any advice regarding the scenario where an invalid authorization header is received when requesting unsecured endpoints.

We are using the Keycloak spring security adapter 3.4.2.Final

Thanks!
Andrew

From h2-wada at nri.co.jp Wed Jul 4 00:13:52 2018
From: h2-wada at nri.co.jp (Hiroyuki Wada)
Date: Wed, 4 Jul 2018 13:13:52 +0900
Subject: [keycloak-user] How to check permission when issuing token
Message-ID: <5B3C4980.9020406@nri.co.jp>

Hi,

Our customer has a requirement that they want to check whether the authenticated user has sufficient permission to access the service (RP) when issuing the token. I came up with an idea using a custom protocol mapper which checks the assigned roles as follows:

https://gist.github.com/wadahiro/b777c49b61766c8f634981756aedffaa

By using this mapper, the token endpoint returns a 403 Forbidden error if the authenticated user doesn't have a sufficient role.

Is this a good way? Or is there a better way to do it?

Best Regards

--
Hiroyuki Wada
Nomura Research Institute, Ltd.

From miguel.sanz at kairosds.com Wed Jul 4 02:26:33 2018
From: miguel.sanz at kairosds.com (Miguel Sanz)
Date: Wed, 4 Jul 2018 08:26:33 +0200
Subject: [keycloak-user] Access token in account management console
Message-ID:

Hi everyone,

I need to receive from the back end the access token in the account.ftl template. I know that I don't have the access token because I am inside Keycloak. But when you enter the admin console, keycloak.js is used and you can access the access token in the code.

Do you have any suggestion to retrieve the access token in the code of the account management console?

Also, I have tried to use the keycloak-preview code in Angular 2, but when I try to change the password it returns a 400 error.

Thank you very much.

--
Miguel Sanz Martín
Full-stack Developer
*Kairós Digital Solutions*
Castellana 43 - WeWork, Madrid 28046
https://www.kairosds.com/

*Legal notice*: This message and any attached file are intended solely for the addressee and are confidential. If you have received this message in error, notify the sender and delete it immediately. The use, disclosure and/or reproduction of the message may constitute a criminal offence.

*Data Protection - Controller: KAIROS DIGITAL ANALITYCS AND BIG DATA SOLUTIONS, S.L.* *Purpose.* Sending information, replying to enquiries and general contacts, for as long as our relationship lasts and we have your consent. *Recipients.* No data will be transferred to third parties except under a legal obligation. *Rights.* You may exercise the rights of access, rectification, erasure and objection, restrict the processing of your data, object directly to the processing, or exercise the right to data portability. All of this in writing, accompanied by a copy of an official identity document, addressed to the CONTROLLER. If you disagree with the processing, you also have the right to lodge a complaint with the Spanish Data Protection Agency. You may also object to our commercial communications (Art. 21.2 of the LSSI) via the following e-mail address: info at kairosds.com

From gambol99 at gmail.com Wed Jul 4 05:58:05 2018
From: gambol99 at gmail.com (gambol)
Date: Wed, 4 Jul 2018 10:58:05 +0100
Subject: [keycloak-user] Revocation Policy
Message-ID:

Hiya

In regard to revocation policies or the ability to revoke access tokens. Does Keycloak only provide this feature as a push model? ... Glancing at the documentation and a quick google, the implementation seems to be a back channel callback to the URL with, I guess, some verifiable payload? .. Is there any other means to request this information? .. I can't see anything in the REST API, but essentially I'd like to periodically check if any tokens have been revoked.

Rohith

From pritiguleria10 at gmail.com Wed Jul 4 06:47:10 2018
From: pritiguleria10 at gmail.com (priti guleria)
Date: Wed, 4 Jul 2018 16:17:10 +0530
Subject: [keycloak-user] Same user exists in both broker and identity provider
Message-ID:

Hi,

We are currently working on Keycloak as an SSO solution, where Keycloak will act as identity broker. My use case is as below:

- User 1 is present in the Keycloak broker and user 1 is also present in the identity provider.
- But in the identity provider user 1 does not have a username associated with it; instead it has an employeeid attribute as unique key.

Now my goal is to identify if the user is already present in the broker Keycloak, and when I try to log in through the identity provider it should identify it as an existing account and merge both the accounts. (Currently, since the identity provider does not have a username for user 1, it is not able to identify it in the broker as an existing account.)

Is there any configuration which can tell the Keycloak broker to check for the employeeid attribute and not the username for the existing account?
Thanks, Priti From slaskawi at redhat.com Wed Jul 4 07:40:58 2018 From: slaskawi at redhat.com (Sebastian Laskawiec) Date: Wed, 4 Jul 2018 13:40:58 +0200 Subject: [keycloak-user] SAML Advice assertion with signature In-Reply-To: <12CA6AFF-159E-4DBD-97DE-52838E47E96E@first8.nl> References: <12CA6AFF-159E-4DBD-97DE-52838E47E96E@first8.nl> Message-ID: Hey Arjan, Long time no see! I hope you're well! More comment inlined. Thanks, Sebastian On Thu, Jun 28, 2018 at 4:53 PM Arjan Lamers wrote: > Hi, > > We are running KeyCloak 3.4.3-Final for a client and are running into > trouble with an identity provider (the dutch eHerkenning) that is using > SAML Advice tags. > > We were running an older version of KeyCloak and recently that identity > provider started to use tags in their responses. We found > https://issues.jboss.org/browse/KEYCLOAK-5644, adding support for the > Advice tag and that made us upgrade to 3.4.3. However, this patch does not > seem to be complete. > > The patch there ignores the Advice tag when parsing the document. This is > fine. However, in our case, the Advice contains two Assertions, both of > which are signed (have a Signature tag). The document verification seems to > also validate these signatures. This is a problem, since we do not have the > keys for these advices, hence the validation fails. > > We have been advised to fully ignore the Advice tag, including the > underlying signatures. I am not a SAML expert but that feels a bit wrong. > Any thoughts on that? > Perhaps Hynek or Stian could correct me here but the spec says the `Advice` elements can be completely ignored: "The element contains any additional information that the SAML authority wishes to provide. This information MAY be ignored by applications without affecting either the semantics or the validity of the assertion." 
[1] Page 26 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

>
> However, if we do want to go down this road, we would probably patch this in
>
> org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(Document signedDoc, final KeyLocator locator)
>
> by skipping over nodes that have an "Advice" parent.
>

This situation seems to be very tricky here. Looking through the spec I found that `Advice` tags need to be validated using lax XML validation (just as a reminder, lax validation doesn't fail if the schema is not found) [2]:

" and AdviceType: In addition to SAML-native elements, allows elements from other namespaces with lax schema validation processing."

There's also a note on signature verification [3]:

"The SAML assertion MAY be signed, which provides both authentication of the issuer and integrity protection. If such a signature is used, then the element MUST be present, and a relying party MUST verify that the signature is valid (that is, that the assertion has not been tampered with) in accordance with [XMLSig]. If it is invalid, then the relying party MUST NOT rely on the contents of the assertion. If it is valid, then the relying party SHOULD evaluate the signature to determine the identity and appropriateness of the issuer and may continue to process the assertion in accordance with this specification and as it deems appropriate (for example, evaluating conditions, advice, following profile specific rules, and so on)."

So to sum it up:
- Advice tag can be ignored completely
- Advice tag needs only lax validation, so it just needs to be a well formed XML, and that's basically it.
- If a verifier finds a signature, it needs to validate it. If the signature doesn't pass the validation, we can not rely on the assertion.

From this point, I guess patching the SignatureUtil to skip verification of signatures located in `Advice` element seems not to violate anything. That's what we should do in my opinion.

[2] Page 75 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
[3] Page 16 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf

>
> Would that be an appropriate approach? Would you be interested in such a patch?
>

Yes, definitely! Let's start with a patch for master branch and later on, we could cherry-pick it to 3.x if needed.

>
>
> Kind regards,
>
> Arjan Lamers
> Software Architect
> +31 (0)6 23 82 24 05
>
>
>
> a.lamers at first8.nl
> https://www.first8.nl
> Linkedin https://www.linkedin.com/in/arjanl <https://www.linkedin.com/in/profiel-id>
> Kerkenbos 1059b
> 6546 BB Nijmegen
>
> See the general terms and conditions of Conclusion here <https://www.conclusion.nl/kleine-lettertjes/algemene-voorwaarden>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Ori.Doolman at amdocs.com Wed Jul 4 07:47:54 2018
From: Ori.Doolman at amdocs.com (Ori Doolman)
Date: Wed, 4 Jul 2018 11:47:54 +0000
Subject: [keycloak-user] customizing OIDC refresh token flow
Message-ID:

Hi,

I'm looking for a way to customize the OIDC token endpoint:

In the OIDC code flow, when getting a new access token using a refresh token, I want to call an external system and update a user attribute, such that the attribute value will be mapped to an attribute of the returned JWT access token.

I think the relevant source code is here, but I didn't see a way to customize it using an SPI:
https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java

The reason I need it is because we are working with an external identity provider, which returns an access token to us which is valid for only 15 minutes. The external access token is mapped to our JWT once the user logs in (we customized the authentication flow).
Now I need a way that my JWT will always contain a valid external access token. Therefore, I thought we can fetch a new external access token every time we refresh our JWT. Or is there a better way to accomplish that? Thanks, Ori Doolman Lead Software Architect Amdocs Optima This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at https://www.amdocs.com/about/email-disclaimer From corentin.dupont at gmail.com Wed Jul 4 07:54:41 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Wed, 4 Jul 2018 13:54:41 +0200 Subject: [keycloak-user] resource set filter Message-ID: Hi, It seems the resource set filter was removed from Keycloak 4? I noticed this line was removed from the doc: List resource set descriptions using a filter: GET /resource_set?filter=${filter} Now the GET /resource_set only returns the list of resource ids, which is not so useful. How to get a resource id from its name? From psilva at redhat.com Wed Jul 4 08:02:15 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 4 Jul 2018 09:02:15 -0300 Subject: [keycloak-user] resource set filter In-Reply-To: References: Message-ID: Please, see this https://github.com/keycloak/keycloak-documentation/blob/master/authorization_services/topics/service-protection-resources-api-papi.adoc. It will be available in the next release. Regards. Pedro Igor On Wed, Jul 4, 2018 at 8:54 AM, Corentin Dupont wrote: > Hi, > It seems the resource set filter was removed from Keycloak 4? > I noticed this line was removed from the doc: > > List resource set descriptions using a filter: GET > /resource_set?filter=${filter} > > Now the GET /resource_set only returns the list of resource ids, which is > not so useful. > How to get a resource id from its name? 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From corentin.dupont at gmail.com Wed Jul 4 08:16:44 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Wed, 4 Jul 2018 14:16:44 +0200 Subject: [keycloak-user] resource set filter In-Reply-To: References: Message-ID: Oh, thanks that's great! So, when is the next release? :)) On Wed, Jul 4, 2018 at 2:02 PM, Pedro Igor Silva wrote: > Please, see this https://github.com/keycloak/keycloak- > documentation/blob/master/authorization_services/topics/ > service-protection-resources-api-papi.adoc. It will be available in the > next release. > > Regards. > Pedro Igor > > On Wed, Jul 4, 2018 at 8:54 AM, Corentin Dupont > wrote: > >> Hi, >> It seems the resource set filter was removed from Keycloak 4? >> I noticed this line was removed from the doc: >> >> List resource set descriptions using a filter: GET >> /resource_set?filter=${filter} >> >> Now the GET /resource_set only returns the list of resource ids, which is >> not so useful. >> How to get a resource id from its name? >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From corentin.dupont at gmail.com Wed Jul 4 08:31:42 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Wed, 4 Jul 2018 14:31:42 +0200 Subject: [keycloak-user] NPE when requesting authorization In-Reply-To: References: Message-ID: I have another weird behavior (with github HEAD). When requesting a permission on a non existing resource, I still get a token. This token contains all the permissions. Is it correct? Shouldn't it be 404 or something? 
$ USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=xx&password=xx&grant_type=password&client_id=api-server&client_secret=xxx' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`

$ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not_exist#sensors:view"

{"upgraded":false,"access_token":"eyJhbGciOiJSUzI......

On Tue, Jul 3, 2018 at 5:00 PM, Pedro Igor Silva wrote:
> It should be fixed now in master and available in next release.
> https://github.com/keycloak/keycloak/pull/5346.
>
> Thanks !
>
> On Tue, Jul 3, 2018 at 10:39 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Yes, I see that this error happens when the resource does not exist.
>> However, with my user "guest", it happens all the time, even when the
>> resource does exist...
>>
>> On Tue, Jul 3, 2018 at 2:15 PM, Pedro Igor Silva wrote:
>>
>>> OK. Found the issue. Will fix it. Problem is that Sensortest does not
>>> exist and program enters in a state that a resource-less permission causes
>>> that error.
>>>
>>> On Mon, Jul 2, 2018 at 10:05 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> I got this error when requesting authorization on a resource:
>>>>
>>>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=Sensortest#sensors:view"
>>>>
>>>> {"error":"server_error","error_description":"Unexpected error while evaluating permissions"}
>>>>
>>>> On the server side I get:
>>>>
>>>> 12:42:11,821 ERROR [org.keycloak.authorization.authorization.AuthorizationTokenService] (default task-16) Unexpected error while evaluating permissions: java.lang.NullPointerException
>>>>   at org.keycloak.authorization.util.Permissions.permits(Permissions.java:194)
>>>>   at org.keycloak.authorization.authorization.AuthorizationTokenService.authorize(AuthorizationTokenService.java:173)
>>>>   at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.permissionGrant(TokenEndpoint.java:1124)
>>>>   at org.keycloak.protocol.oidc.endpoints.TokenEndpoint.processGrantRequest(TokenEndpoint.java:190)
>>>>   at sun.reflect.GeneratedMethodAccessor449.invoke(Unknown Source)
>>>>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>>   at java.lang.reflect.Method.invoke(Method.java:498)
>>>>
>>>> I got my token this way:
>>>> USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=guest&password=guest&grant_type=password&client_id=api-server&client_secret=xxx' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
>>>>
>>>> This seems to happen for scope-based policies.
>>>>
>>>> Cheers
>>>> Corentin
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Wed Jul 4 08:38:42 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 4 Jul 2018 14:38:42 +0200
Subject: [keycloak-user] Failed to evaluate permissions with javascript
Message-ID:

Hi again,
I use a small javascript policy:

var context = $evaluation.getContext();
var permission = $evaluation.getPermission();
var identity = context.getIdentity();
if (identity.id == permission.getResource().getOwner()) {
  $evaluation.grant();
}

But this gets me an error:

Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions
  at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
  at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
  at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
  at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
  ...
Caused by: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'Resource owner' problem was: TypeError: null has no such function "getOwner" in at line number 4
  at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
  at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)

I noticed this happens only with scope-based policies, so maybe it's the same problem as before?
From psilva at redhat.com Wed Jul 4 08:55:58 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 4 Jul 2018 09:55:58 -0300
Subject: [keycloak-user] NPE when requesting authorization
In-Reply-To:
References:
Message-ID:

Yes it should. Will check this out.

On Wed, Jul 4, 2018 at 9:31 AM, Corentin Dupont wrote:
> I have another weird behavior (with github HEAD).
> When requesting a permission on a non existing resource, I still get a token.
> This token contains all the permissions.
> Is it correct? Shouldn't it be 404 or something?
>
> $ USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=xx&password=xx&grant_type=password&client_id=api-server&client_secret=xxx' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
>
> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not_exist#sensors:view"
>
> {"upgraded":false,"access_token":"eyJhbGciOiJSUzI......

From psilva at redhat.com Wed Jul 4 08:56:11 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 4 Jul 2018 09:56:11 -0300
Subject: [keycloak-user] resource set filter
In-Reply-To:
References:
Message-ID:

This week ...

On Wed, Jul 4, 2018 at 9:16 AM, Corentin Dupont wrote:
> Oh, thanks that's great!
> So, when is the next release? :))
>
> On Wed, Jul 4, 2018 at 2:02 PM, Pedro Igor Silva wrote:
>
>> Please, see this https://github.com/keycloak/keycloak-documentation/blob/master/authorization_services/topics/service-protection-resources-api-papi.adoc. It will be available in the next release.
>>
>> Regards.
>> Pedro Igor
>>
>> On Wed, Jul 4, 2018 at 8:54 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>>> Hi,
>>> It seems the resource set filter was removed from Keycloak 4?
>>> I noticed this line was removed from the doc:
>>>
>>> List resource set descriptions using a filter: GET /resource_set?filter=${filter}
>>>
>>> Now the GET /resource_set only returns the list of resource ids, which is not so useful.
>>> How to get a resource id from its name?
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed Jul 4 09:07:30 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 4 Jul 2018 10:07:30 -0300
Subject: [keycloak-user] Failed to evaluate permissions with javascript
In-Reply-To:
References:
Message-ID:

This is because the permission is not for the resource (it does not exist) but for scopes. So resource is null.
On Wed, Jul 4, 2018 at 9:38 AM, Corentin Dupont wrote:
> Hi again,
> I use a small javascript policy:
>
> var context = $evaluation.getContext();
> var permission = $evaluation.getPermission();
> var identity = context.getIdentity();
> if (identity.id == permission.getResource().getOwner()) {
>   $evaluation.grant();
> }
>
> But this gets me an error:
>
> Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions
>   at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
>   at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
>   at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
>   at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
>   ...
> Caused by: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'Resource owner' problem was: TypeError: null has no such function "getOwner" in at line number 4
>   at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
>   at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)
>
> I noticed this happens only with scope-based policies, so maybe it's the same problem as before?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed Jul 4 09:08:06 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 4 Jul 2018 10:08:06 -0300
Subject: [keycloak-user] NPE when requesting authorization
In-Reply-To:
References:
Message-ID:

Actually, the permissions you got were related with "scope:view". Could you confirm ?

On Wed, Jul 4, 2018 at 9:55 AM, Pedro Igor Silva wrote:
> Yes it should. Will check this out.
>
> On Wed, Jul 4, 2018 at 9:31 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> I have another weird behavior (with github HEAD).
>> When requesting a permission on a non existing resource, I still get a token.
>> This token contains all the permissions.
>> Is it correct? Shouldn't it be 404 or something?
>>
>> $ USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=xx&password=xx&grant_type=password&client_id=api-server&client_secret=xxx' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r`
>>
>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not_exist#sensors:view"
>>
>> {"upgraded":false,"access_token":"eyJhbGciOiJSUzI......

From corentin.dupont at gmail.com Wed Jul 4 09:09:40 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 4 Jul 2018 15:09:40 +0200
Subject: [keycloak-user] NPE when requesting authorization
In-Reply-To:
References:
Message-ID:

Yes, exactly.

On Wed, Jul 4, 2018 at 3:08 PM, Pedro Igor Silva wrote:
> Actually, the permissions you got were related with "scope:view". Could
> you confirm ?
From corentin.dupont at gmail.com Wed Jul 4 09:16:52 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 4 Jul 2018 15:16:52 +0200
Subject: [keycloak-user] Failed to evaluate permissions with javascript
In-Reply-To:
References:
Message-ID:

So how to retrieve the resource associated with this request?

For instance I want to delete a sensor named MySensorsXXX:

curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=MySensorsXXX#sensors:delete"

I have a scope-based policy, where I check if you are owner.

On Wed, Jul 4, 2018 at 3:07 PM, Pedro Igor Silva wrote:
> This is because the permission is not for the resource (it does not exist)
> but for scopes. So resource is null.
From psilva at redhat.com Wed Jul 4 09:28:49 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 4 Jul 2018 10:28:49 -0300
Subject: [keycloak-user] Failed to evaluate permissions with javascript
In-Reply-To:
References:
Message-ID:

Could you deny if requested permission is not for a resource ? Or do you want to have permissions for each resource associated with that scope ?

On Wed, Jul 4, 2018 at 10:16 AM, Corentin Dupont wrote:
> So how to retrieve the resource associated with this request?
>
> For instance I want to delete a sensor named MySensorsXXX:
>
> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=MySensorsXXX#sensors:delete"
>
> I have a scope-based policy, where I check if you are owner.
From corentin.dupont at gmail.com Wed Jul 4 10:07:05 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 4 Jul 2018 16:07:05 +0200
Subject: [keycloak-user] Failed to evaluate permissions with javascript
In-Reply-To:
References:
Message-ID:

Yes I want to have permissions for each resource associated with that scope.
Basically, I have:

Resource:
-------------
name: MySensorsXXX
scope: [sensors:update, sensors:delete]

Policy:
---------
name: Resource owner
type: javascript

Permission:
--------------
name: Delete Sensor
type: scope-based
Scopes: [sensors:delete]
Apply Policy: Resource owner

Based on this setting, I want to ask Keycloak if I can delete a particular sensor, named MySensorsXXX.
Keycloak should approve only if I'm owner.
Is it the correct way to do it?

On Wed, Jul 4, 2018 at 3:28 PM, Pedro Igor Silva wrote:
> Could you deny if requested permission is not for a resource ? Or do you
> want to have permissions for each resource associated with that scope ?
From psilva at redhat.com Wed Jul 4 10:12:40 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 4 Jul 2018 11:12:40 -0300
Subject: [keycloak-user] Failed to evaluate permissions with javascript
In-Reply-To:
References:
Message-ID:

Yeah it is fine, and if you ask permissions for MySensorsXXX (considering resource exists) you should get a null reference in your JS policy.

On Wed, Jul 4, 2018 at 11:07 AM, Corentin Dupont wrote:
> Yes I want to have permissions for each resource associated with that scope.
> Basically, I have:
>
> Resource:
> -------------
> name: MySensorsXXX
> scope: [sensors:update, sensors:delete]
>
> Policy:
> ---------
> name: Resource owner
> type: javascript
>
> Permission:
> --------------
> name: Delete Sensor
> type: scope-based
> Scopes: [sensors:delete]
> Apply Policy: Resource owner
>
> Based on this setting, I want to ask Keycloak if I can delete a particular sensor, named MySensorsXXX.
> Keycloak should approve only if I'm owner.
> Is it the correct way to do it?
From psilva at redhat.com Wed Jul 4 10:13:20 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 4 Jul 2018 11:13:20 -0300
Subject: [keycloak-user] Failed to evaluate permissions with javascript
In-Reply-To:
References:
Message-ID:

Sorry, should *not* get a null reference ...

On Wed, Jul 4, 2018 at 11:12 AM, Pedro Igor Silva wrote:
> Yeah it is fine, and if you ask permissions for MySensorsXXX (considering
> resource exists) you should get a null reference in your JS policy.
>> >> >> >> >> >> >> >> >> On Wed, Jul 4, 2018 at 3:28 PM, Pedro Igor Silva >> wrote: >> >>> Could you deny if requested permission is not for a resource ? Or do you >>> want to have permissions for each resource associated with that scope ? >>> >>> On Wed, Jul 4, 2018 at 10:16 AM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> So how to retrieve the resource associated with this request? >>>> >>>> For instance I want to delete a sensor named MySensorsXXX: >>>> >>>> curl -X POST http://localhost:8080/auth/rea >>>> lms/waziup/protocol/openid-connect/token -H "Authorization: Bearer >>>> $USERTOKEN" -d "grant_type=urn:ietf:params:oa >>>> uth:grant-type:uma-ticket&audience=api-server&permission=MyS >>>> ensorsXXX#sensors:delete" >>>> >>>> I have a scope-based policy, where I check if you are owner. >>>> >>>> >>>> >>>> On Wed, Jul 4, 2018 at 3:07 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> This is because the permission is not for the resource (it does not >>>>> exist) but for scopes. So resource is null. 
>>>>> >>>>> On Wed, Jul 4, 2018 at 9:38 AM, Corentin Dupont < >>>>> corentin.dupont at gmail.com> wrote: >>>>> >>>>>> Hi again, >>>>>> I use a small javascript policy: >>>>>> >>>>>> var context = $evaluation.getContext(); >>>>>> var permission = $evaluation.getPermission(); >>>>>> var identity = context.getIdentity(); >>>>>> if (identity.id == permission.getResource().getOwner()) { >>>>>> $evaluation.grant(); >>>>>> } >>>>>> >>>>>> >>>>>> But this gets me an error: >>>>>> >>>>>> Unexpected error while evaluating permissions: >>>>>> java.lang.RuntimeException: >>>>>> Failed to evaluate permissions >>>>>> at >>>>>> org.keycloak.authorization.permission.evaluator.IterablePerm >>>>>> issionEvaluator$1.onError(IterablePermissionEvaluator.java:66) >>>>>> at >>>>>> org.keycloak.authorization.permission.evaluator.IterablePerm >>>>>> issionEvaluator.evaluate(IterablePermissionEvaluator.java:54) >>>>>> at >>>>>> org.keycloak.authorization.permission.evaluator.IterablePerm >>>>>> issionEvaluator.evaluate(IterablePermissionEvaluator.java:63) >>>>>> at >>>>>> org.keycloak.authorization.authorization.AuthorizationTokenS >>>>>> ervice.evaluatePermissions(AuthorizationTokenService.java:208) >>>>>> ... >>>>>> Caused by: org.keycloak.scripting.ScriptExecutionException: Could not >>>>>> execute script 'Resource owner' problem was: TypeError: null has no >>>>>> such >>>>>> function "getOwner" in at line number 4 >>>>>> at >>>>>> org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval >>>>>> Unchecked(AbstractEvaluatableScriptAdapter.java:64) >>>>>> at >>>>>> org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval >>>>>> (AbstractEvaluatableScriptAdapter.java:30) >>>>>> >>>>>> >>>>>> I noticed this happens only with scope-based policies, so maybe it's >>>>>> the >>>>>> same problem than before? 
>>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>>> >>>> >>> >> > From tech at psynd.net Wed Jul 4 11:14:14 2018 From: tech at psynd.net (Tech) Date: Wed, 4 Jul 2018 17:14:14 +0200 Subject: [keycloak-user] Alternative authentication flows Message-ID: <0569d7f7-d14d-0cf2-a538-3eaffc4f0c39@psynd.net> Dear experts, we are working with Keycloak 4.0.0. We want to implement the following authentication workflow: 1) Mandatory User/Password 2) If User/Password corrected then mandatory one between 2.1) Google Authenticator 2.2) Another factor of authentication We are only able to make the first challenge mandatory, while we are not able to choose the second mandatory option. If we set them as Required will be chosen both in sequence ("Google Authenticator" AND "Other factor"), while we cannot choose "Google Authenticator" OR "Other factor". Could you please advise? Thanks From mposolda at redhat.com Wed Jul 4 16:06:19 2018 From: mposolda at redhat.com (Marek Posolda) Date: Wed, 4 Jul 2018 22:06:19 +0200 Subject: [keycloak-user] Keycloak 4.1.0.Final released! Message-ID: See details on the blog: http://blog.keycloak.org/2018/07/keycloak-410final-released.html From dt at acutus.pro Wed Jul 4 21:52:20 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 05 Jul 2018 04:52:20 +0300 Subject: [keycloak-user] Multiple logins from different IPs In-Reply-To: References: Message-ID: <1530755540.22015.1.camel@acutus.pro> Hi Eric, sorry for not having answered earlier, AFAIK this hasn't been implemented OOTB, even no relevant and active JIRA issue for that. So at the moment there's only one option, that is to implement custom authenticator. There's the official example of custom authenticator at examples/providers/authenticator under the source tree. 
In your authenticator, you will be able to obtain active user sessions from the org.keycloak.authentication.AuthenticationFlowContext like this: context.getSession().sessions().getUserSessions(realm, user); I'd also suggest that you read the Server Installation Guide [1], especially the sections related to sticky sessions and Infinispan caches, for better understanding how sessions work in clustered environment. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic + 42 (022) 888-30-71 E-mail: info at acutus.pro On Wed, 2018-06-27 at 20:21 -0400, Eric Dill wrote: > Hi, > > Searching through the mailing list, the docs and JIRA, I've been able > to > find some previous conversations on the mailing list > l> and > a closed Jira ticket > around > the same user being able to simultaneously be logged in from two (or > more) > different IP addresses. The comment last year was > > > We don't have this supported OOTB, but likely we should as it's > > quite > > popular use-case though > > It's been a bit over a year since that was posted to the mailing > list. I > wonder if this capability is now supported out of the box? > > The other piece of advice last year was that > > > For now, you will need to implement custom Authenticator > > If this capability does not exist out of the box, are there any > available > examples of doing this as a plug-in? 
> > Thanks for the great project :-D > > Best, > > Eric > From dt at acutus.pro Wed Jul 4 22:08:42 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 05 Jul 2018 05:08:42 +0300 Subject: [keycloak-user] Enabling Identity provider alone In-Reply-To: References: <602469538.1281007.1530515985637.ref@mail.yahoo.com> <602469538.1281007.1530515985637@mail.yahoo.com> <1530527898.4481.10.camel@acutus.pro> <1326728223.1464638.1530531754249@mail.yahoo.com> <1530564541.19951.3.camel@acutus.pro> Message-ID: <1530756522.22015.3.camel@acutus.pro> Hi Pedro, > Regarding enabling authz on security-admin-console. This won't work > because we also need changes to admin console/apis to enforce > permission. I've replied to another thread about fine-grained > permissions in admin console and rest apis. Could you please point to the message? this is of big interest for me, thx > We are still using roles and we also lack specific permissions for > some parts of admin console/apis. That is something we are planing to > review and improve in the future. Good to hear that. Seems like this should be a popular feature, since only for the last couple of weeks the guys have asked for help with similar problems. See the message from Waldemar [1], he is looking for a way to selectively allow a user access to roles without granting the "manage-realm" role. Any ideas? I've yet come up with either creating a custom REST endpoint, or introducing "{view,manage}-roles" in Keycloak and waiting for next release... Cheers, Dmitry [1] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014307.htm l > ? > > > As far as i read the documentation, the recommendation seems to > > be to > > > customize rest endpoints are not deploy them at all..? > > > > Not sure if I got it right ("not to deploy them at all"), could you > > point to the docs please? > > > > Dmitry > > > > >? > > > On Monday, 2 July, 2018, 4:08:27 PM IST, Dmitry Telegin
> s.pr > > > o> wrote: > > >? > > >? > > > Madhu, > > >? > > > I think that initially this was supposed to work without "manage- > > > realm" role. If you grant a user "manage-identity-providers" role > > > only, you'll see a perfect picture in the GUI: just the "Identity > > > providers" section, and nothing more. However if you try to > > actually > > > add a provider, you'll get a 403 Forbidden upon a request to > > > /auth/admin/realms/$REALM/authentication/flows endpoint. > > >? > > > To render the identity provider creation form, the GUI indeed > > needs > > > to retrieve a list of authentication flows for the realm. > > > Unfortunately, in the REST resource it is hardcoded that the user > > > needs to be checked for "view-realm" role (see > > > > > org.keycloak.services.resources.admin.AuthenticationManagementResou > > rc > > > e::getFlows). > > >? > > > I think this is a perfect candidate for RFE, since "view-realm" > > is > > > indeed too wide for the flows endpoint. I'd suggest that the > > > restriction be changed to "view-realm OR manage-identity- > > providers". > > > You can create a JIRA issue for that, and at the moment resort to > > one > > > of the workarounds: > > > - fix?AuthenticationManagementResource::getFlows yourself and > > > recompile Keycloak (easier to do, but harder to maintain); > > > - create a custom REST endpoint for flows with relaxed > > permissions, > > > then create a custom GUI theme to use that endpoint instead of > > the > > > standard one. > > >? > > > Please note that granting manage-realm + manage-identity- > > providers > > > and tweaking the GUI theme to exclude unwanted elements is > > generally > > > a bad idea, since a rogue user will still be able to directly > > invoke > > > REST endpoints to do some nasty stuff. > > >? > > > I'm not sure if authorization / fine-grained permissions are > > relevant > > > here, but let's see what Pedro Igor says on that. > > >? 
> > > Cheers, > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > >? > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > + 42 (022) 888-30-71 > > > E-mail:?info at acutus.pro > > >? > > > On Mon, 2018-07-02 at 07:19 +0000, Madhu wrote: > > > > Hi , > > > > I want to disable client, Realm management, Authentication and > > > > Roles and want to create a user who will be able to provide > > only > > > > Identity provider/broker integration. > > > > I understand user needs to be in? manage-identity-providers?and > > > > manage-realm for doing this activity. But with manage realm > > user > > > > also has access to role creation,authenciation and realm > > setting > > > > tabs.?Any way to disable these, without going for customized > > themes > > > > or changing the FTL? > > > > I am looking for authorization model based solution. > > > > Regards,Madhu > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From dt at acutus.pro Wed Jul 4 22:15:59 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 05 Jul 2018 05:15:59 +0300 Subject: [keycloak-user] Keycloak User Storage SPI with external data base based on Spring Security In-Reply-To: References: <1530566030.19951.7.camel@acutus.pro> Message-ID: <1530756959.22015.5.camel@acutus.pro> Hi Alvaro, Two suggestions here:?install keycloak-bcrypt, create a test realm, change password hashing algorithm to bcrypt (Authentication -> Password policy -> Add policy... -> Hashing algorithm -> Policy Value = bcrypt), create a user, set a password, then look into the "credential" DB table and see what's been created. 
How does it compare to what you have in Spring Security DB?

Next, you can write Guillaume (the author of keycloak-bcrypt), his email is in the sources (pro.guillaume.leroy at gmail.com). Most likely he has created this project for purposes similar to yours.

Cheers,
Dmitry

On Tue, 2018-07-03 at 16:33 +0200, Alvaro Abella wrote:
> Thanks Dmitry for your orientation.
>
> I found this project https://github.com/leroyguillaume/keycloak-bcrypt looking about PasswordHashProvider.
> I'm a little lost about how to configure my User Storage SPI to connect with my database. The first approach is trying to use BCrypt to cipher the password and compare it with the password stored on the database, but I don't know the salt. I'm trying to discover how Spring Security works.
>
> The only way that I found to connect with a user from this database is to change the password from Keycloak, and then, since the password is stored in plain text, I can login successfully.
>
> Thanks!
>
> On Mon, Jul 2, 2018 at 11:13 PM, Dmitry Telegin
> wrote: > > Hi Alvaro, > > > > In addition to user storage provider, you'll need to implement a > > org.keycloak.credential.hash.PasswordHashProvider. Use > > Pbkdf2PasswordHashProvider as a reference. > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > + 42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > On Mon, 2018-07-02 at 18:12 +0200, Alvaro Abella wrote: > > > Hi, > > > I followed this example https://github.com/keycloak/keycloak-quic > > ksta > > > rts/ > > > tree/latest/user-storage-jpa and I modified to connect with my > > Oracle > > > database after a little work with Jboss. > > > Now, I can view all users on my Keycloak admin panel, but I can't > > > login > > > with them into his account because password are cyphered with > > Bcrypt. > > > How do you usually deal with this situations? Has anyone > > integrated a > > > Spring-Security-based database with keycloak? > > >? > > > Thanks! > > >? > > >? > > > > > > --? > ?lvaro Abella Gonz?lez > alvaro.abella at bluetab.net From dt at acutus.pro Wed Jul 4 22:33:51 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 05 Jul 2018 05:33:51 +0300 Subject: [keycloak-user] keycloak-adapter-core-4.0.0.Final: Invalid version of org.apache.httpcore imported In-Reply-To: References: Message-ID: <1530758031.22015.7.camel@acutus.pro> Hi Thai, Believe it or not, but I've stumbled upon exactly the same issue just a couple of days ago. TL;DR: install org.keycloak:keycloak-osgi- thirdparty bundle. (non-TL;DR) Just like you, I'm experimenting with Keycloak and OSGi. The difference is, I'm trying to deploy to Felix keycloak-servlet- filter-adapter (the one that is truly generic and not tied to Pax Web). The ultimate goal is to integrate Keycloak with Apache Sling. 
Just FYI, I'll be doing a talk about it at adaptTo()'2018 (see my announcement on keycloak-dev from June 12 and the discussion below that post, you may find some interesting info). The org.apache.http;version="4.5.2" dependency is indeed bogus, and I'm going to write to keycloak-dev about it in a couple of days (and also about some other problems that arose with the adapter on Felix), so stay tuned. The dependency is however provided by keycloak-osgi- thirdparty bundle, so you could use it as a workaround. The keycloak- osgi-thirdparty was created to bundle the deps that didn't have OSGi metadata at that time. Today, all of the above 3rd-party deps are available as OSGi bundles, so I'd speculate that keycloak-osgi- thirdparty can be deprecated. If possible, please let me know of your progress with OSGi adapter on Felix, since my case is closely related to yours. I hope we can help each other here. Cheers,Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic + 42 (022) 888-30-71E-mail:?info at acutus.pro On Tue, 2018-07-03 at 10:54 -0400, Nhut Thai Le wrote: > Hello, > > I'm trying to add keycloak adapter to OSGI container Felix using bnd, > but I > got error when resolving dependency: > > Resolution failed. Capabilities satisfying the following requirements > could > not be found: > ????[<>] > ??????? osgi.identity: (osgi.identity=org.keycloak.keycloak-pax-web- > jetty94) > ??????????? [org.keycloak.keycloak-pax-web-jetty94 > version=4.0.0.Final] > ??????????????? osgi.wiring.package: > (&(osgi.wiring.package=org.keycloak.adapters.jetty)(version>=4.0.0.Fi > nal)) > ??????????????????? [org.keycloak.keycloak-jetty94-adapter > version=4.0.0.Final] > ??????????????????????? osgi.wiring.package: > (&(osgi.wiring.package=org.keycloak.adapters)(version>=4.0.0.Final)) > ??????????????????????????? [org.keycloak.keycloak-adapter-core > version=4.0.0.Final] > ??????????????????????????????? 
osgi.wiring.package:
> (&(osgi.wiring.package=org.apache.http)(version>=4.5.2))
>
> Opening up manifest of keycloak-adapter-core-4.0.0.Final.jar i found this in Import-Packages section: org.apache.http;version="4.5.2"
>
> As i understand org.apache.http is found in org.apache.httpcomponents:httpcore-osgi, this bundle has max version at 4.4.10 as of today on Maven central. So this requirement will never be resolved by bnd.
>
> I also looked at the keycloak-adapter-core-4.0.0.Final.pom and found the import of all org.apache.http.* require the same version: org.apache.http.*;version=${apache.httpcomponents.version}, this is wrong because org.apache.http is provided in both apache.httpcomponents.httpclient and apache.httpcomponents.httpcore.
>
> Could anyone verify if this is a build issue and apply a fix?
>
> Thank you
>
> Thai Le
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Thu Jul 5 00:24:04 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 05 Jul 2018 07:24:04 +0300
Subject: [keycloak-user] Create new authentication flow using kcadm in Docker
In-Reply-To: 
References: <1530616161.7608.1.camel@acutus.pro>
Message-ID: <1530764644.25131.1.camel@acutus.pro>

Hi,

Don't blame yourself - this topic indeed could have been documented better. Despite the endpoints being documented more or less, you need to find the correct parameters yourself. This is how I do it:
- log into the Admin GUI;
- open Network console (F12 -> Network in both Firefox and Chrome);
- perform the desired action;
- look for a POST request and inspect its URL and body.
Thus, to add an execution to an existing flow, you'll need to do the following:

./kcadm.sh create authentication/flows/foo/executions/execution -s provider=reset-credentials-choose-user

Cheers,
Dmitry

On Tue, 2018-07-03 at 15:37 +0000, triton oidc wrote:
> Thanks a lot for your answer,
>
> and apologies for my lack of search.
>
> I'm having another issue, i can't add an execution to the newly created flow.
>
> I can create one in the GUI, retrieve it using the get feature
> ./kcadm.sh get authentication/flows/dummy-auth/executions -r apprentice
> {
>   "id" : "cbe89904-c746-48fb-8b44-40d16859765b",
>   "requirement" : "DISABLED",
>   "displayName" : "Testsuite Dummy Pass Thru",
>   "requirementChoices" : [ "REQUIRED" ],
>   "configurable" : false,
>   "providerId" : "testsuite-dummy-passthrough",
>   "level" : 0,
>   "index" : 0
> }
>
> However, i tried saving the output as a json (removing the ID in the Json, and the execution in the GUI)
>
> ./kcadm.sh create authentication/flows/dummy-auth/executions -r apprentice -f myjson.json
> ./kcadm.sh create authentication/flows/[my-object-ID]/executions -r apprentice -f myjson.json
>
> i get an
> HTTP error - 405 Method Not Allowed
>
> I'm guessing i'm not using the correct create syntax, but i didn't find the example in the documentation.
> Does someone have a working example?
> If i manage to find the answer i'll reply in the mailing list.
>
> Thanks
>
>
>
> On Tue, Jul 3, 2018 at 11:09 AM, Dmitry Telegin
> wrote: > > Hi, > > > > To create a flow with kcadm, you need to provide the necessary > > fields: > > > > ./kcadm.sh create authentication/flows -s alias=foo -s > > providerId=basic-flow -s topLevel=true > > Created new flow with id 'dd756392-a1ec-4704-b134-713f47796418' > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > + 42 (022) 888-30-71 > > E-mail:?info at acutus.pro > > > > > Hi, > > > > > > i'm using a docker image, and in the build, i'd like to create a > > > new flow. > > > However i could not find a way to do this in CLI > > > Doing it in the GUI is not really what i want > > > > > > When i try > > > ./kcadm.sh create authentication/flows > > > i get a > > > HTTP error - 415 Unsupported Media Type > > > > > > Does this mean it's not possible ? > > > If so should a create a feature request ? > > > my company pay a lot of redhat support, so they could support > > > this feature. > > > > > > Thanks for any help > > > > > > Amaury > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From dt at acutus.pro Thu Jul 5 00:30:05 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Thu, 05 Jul 2018 07:30:05 +0300 Subject: [keycloak-user] customizing OIDC refresh token flow In-Reply-To: References: Message-ID: <1530765005.25131.3.camel@acutus.pro> Hi Ori, AFAIK at the moment there are no extension points to hook into the token refresh process. I'd suggest the following: - if your JS frontend allows for alternate OIDC URLs, you could implement a custom token endpoint by extending TokenEndpoint and adding your logic; - you could also try creating custom protocol mapper. Start with creating a dummy one and test if it is indeed invoked upon token refresh. Cheers, Dmitry Telegin CTO, Acutus s.r.o. 
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-07-04 at 11:47 +0000, Ori Doolman wrote:
> Hi,
>
> I'm looking for a way to customize the OIDC token endpoint:
> In OIDC code flow, when getting a new access token using a refresh token, I want to call an external system and update a user attribute, such that the attribute value will be mapped to an attribute of the returned JWT access token.
>
> I think the relevant source code is here, but I didn't see a way to customize it using an SPI:
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java
>
>
> The reason I need it is because we are working with an external identity provider, which returns an access token to us which is valid for only 15 minutes.
> The external access token is mapped to our JWT once the user logs in (we customized the authentication flow).
> Now I need a way that my JWT will always contain a valid external access token.
> Therefore, I thought we can fetch a new external access token every time we refresh our JWT.
>
> Or is there a better way to accomplish that?
>
>
> Thanks,
>
> Ori Doolman
> Lead Software Architect
> Amdocs Optima
>
>
> This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement,
>
> you may review at https://www.amdocs.com/about/email-disclaimer
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From pritiguleria10 at gmail.com Thu Jul 5 01:52:45 2018
From: pritiguleria10 at gmail.com (priti guleria)
Date: Thu, 5 Jul 2018 11:22:45 +0530
Subject: [keycloak-user] Same user exists in both broker and identity provider
In-Reply-To: 
References: 
Message-ID: 

Any pointers to this will be really helpful.
Thanks,
Priti

On Wed, Jul 4, 2018 at 4:17 PM priti guleria wrote:
> Hi,
>
> We are currently working on keycloak as SSO solution, where keycloak will act as identity broker.
>
> My use case is as below
> - User 1 is present in keycloak broker and user 1 is also present in identity provider.
> - But in identity provider user 1 does not have username associated with that, instead it has employeeid attribute as unique key.
>
> Now my goal is to identify if user already present in broker keycloak and I try to login through Identity provider it should identify it as existing account and merge both the accounts.
> (Currently since identity provider does not have username for user 1 it is not able to identify in broker as existing account).
>
> Is there any configuration which can tell keycloak broker to check for employeeid attribute and not username for existing account?
>
> Thanks,
> Priti
>
>
>

From a.lamers at first8.nl Thu Jul 5 02:32:23 2018
From: a.lamers at first8.nl (Arjan Lamers)
Date: Thu, 5 Jul 2018 08:32:23 +0200
Subject: [keycloak-user] SAML Advice assertion with signature
In-Reply-To: 
References: <12CA6AFF-159E-4DBD-97DE-52838E47E96E@first8.nl>
Message-ID: <11655751-BC80-464A-AD7F-A02D3F99E03B@first8.nl>

Hi Sebastian,

Nice to meet again! ;) Everything well, here! How's life over there?

Wrt our issue: currently we managed to get the X.509's of the missing signatures so the issue is (fortunately) less urgent.

We are using a custom extension to the SAML provider to support eHerkenning since KeyCloak seems to make some assumptions that do not hold (e.g. entityId is based on the uri). I'll try to make some time in the next weeks to see if I can offer some patches in this area, or if we can share the eHerkenning stuff in some other way as well.

(FYI: eHerkenning is a Dutch company identification provider and is part of the European eIDAS scheme. May thus be interesting to support out of the box for Keycloak.)
Kind regards, Arjan > On 04-07-2018, at 13:40, Sebastian Laskawiec wrote: > > Hey Arjan, > > Long time no see! I hope you're well! > > More comment inlined. > > Thanks, > Sebastian > > On Thu, Jun 28, 2018 at 4:53 PM Arjan Lamers > wrote: > Hi, > > We are running KeyCloak 3.4.3-Final for a client and are running into trouble with an identity provider (the dutch eHerkenning) that is using SAML Advice tags. > > We were running an older version of KeyCloak and recently that identity provider started to use tags in their responses. We found https://issues.jboss.org/browse/KEYCLOAK-5644 , adding support for the Advice tag and that made us upgrade to 3.4.3. However, this patch does not seem to be complete. > > The patch there ignores the Advice tag when parsing the document. This is fine. However, in our case, the Advice contains two Assertions, both of which are signed (have a Signature tag). The document verification seems to also validate these signatures. This is a problem, since we do not have the keys for these advices, hence the validation fails. > > We have been advised to fully ignore the Advice tag, including the underlying signatures. I am not a SAML expert but that feels a bit wrong. Any thoughts on that? > > Perhaps Hynek or Stian could correct me here but the spec says the `Advice` elements can be completely ignored: > > "The element contains any additional information that the SAML authority wishes to provide. > This information MAY be ignored by applications without affecting either the semantics or the validity of > the assertion." > > [1] Page 26 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf > > > However, if we do want to go down this road, we would probably patch this in > org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(Document signedDoc, final KeyLocator locator) > by skipping over nodes that have an ?Advice? parent. > > This situation seems to be very tricky here. 
Looking through the spec I found that `Advice` tags need to be validated using lax XML validation (just as a reminder, lax validation doesn't fail if the schema is not found) [2]: > > " and AdviceType: In addition to SAML-native elements, allows elements from other > namespaces with lax schema validation processing." > > There's also a note on signature verification [3]: > > "The SAML assertion MAY be signed, which provides both > authentication of the issuer and integrity protection. > If such a signature is used, then the element MUST be present, and a relying party > MUST verify that the signature is valid (that is, that the assertion has not been tampered with) in > accordance with [XMLSig]. If it is invalid, then the relying party MUST NOT rely on the contents of the > assertion. If it is valid, then the relying party SHOULD evaluate the signature to determine the identity and > appropriateness of the issuer and may continue to process the assertion in accordance with this > specification and as it deems appropriate (for example, evaluating conditions, advice, following profile specific > rules, and so on)." > > So to sum it up: > Advice tag can be ignored completely > Advice tag needs only lax validation, so it just needs to be a well formed XML, and that's basically it. > If a verifier finds a signature, it needs to validate it. If the signature doesn't pass the validation, we can not rely on the assertion. > From this point, I guess patching the SignatureUtil to skip verification of signatures located in `Advice` element, seems not to violate anything. That's what we should do in my opinion. > > [2] Page 75 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf > [3] Page 16 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf > > > Would that be an appropriate approach? Would you be interested in such a patch? > > Yes, definitely! Let's start with a patch for master branch and later on, we could cherry-pick it to 3.x if needed. 
>
>
>
> Kind regards,
>
> Arjan Lamers
> Software Architect
> +31 (0)6 23 82 24 05
>
>
>
> a.lamers at first8.nl
> https://www.first8.nl
>
> Linkedin https://www.linkedin.com/in/arjanl
>
> Kerkenbos 1059b
> 6546 BB Nijmegen
>
> View the general terms and conditions of Conclusion here
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

Kind regards,

Arjan Lamers
Software Architect
+31 (0)6 23 82 24 05

a.lamers at first8.nl
https://www.first8.nl

Linkedin https://www.linkedin.com/in/arjanl

Kerkenbos 1059b
6546 BB Nijmegen

View the general terms and conditions of Conclusion here

From kkcmadhu at yahoo.com Thu Jul 5 02:59:46 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Thu, 5 Jul 2018 06:59:46 +0000 (UTC)
Subject: [keycloak-user] how to clone a realm?
References: <1257478819.2963880.1530773986575.ref@mail.yahoo.com>
Message-ID: <1257478819.2963880.1530773986575@mail.yahoo.com>

Hi,
I am using keycloak for a multi tenant/multi realm scenario.
In all my realms the clients/roles/password policies/groups/authentication/token settings etc are the same.
So my idea is to create a template realm and clone it to a new realm every time i want to provision a new tenant.
I tried using the import/export option, but was not successful. I even tried removing all the ids/container id fields from the exported json and changed the realm names and was unsuccessful again.
Any idea how to clone a realm?
Looks like import/export was built for replicating/duplicating the data in another keycloak/database instance, and not suitable for cloning/creating a new realm.
Any idea how i can create a new realm with a defined set of clients, user policies, mappers, authentication settings, flows, token settings and roles?
Regards,
Madhu

From romain.rhieu at gmail.com Thu Jul 5 03:26:48 2018
From: romain.rhieu at gmail.com (Romain Rhieu)
Date: Thu, 5 Jul 2018 09:26:48 +0200
Subject: [keycloak-user] Best way to do SSO
Message-ID: 

Hi,

I am currently working on setting up keycloak to manage the authentication and authorization of a huge application pool.
I have a series of applications that have both public and protected areas. So, I need to be able to identify a user that lands on a public url in order to show personalized content.

Google offers similar functionality:
- Go to https://mail.google.com
- Login
- Then go to https://www.youtube.com
- You see personalized content on a page that is obviously public.

I'm wondering about the best way to do SSO. Reading the documentation, I see two hypotheses:

1/ *Use Keycloak as basis*
Keycloak has to be customized in order so the session cookie becomes available to the whole domain (.example.com instead of keycloak.example.com).
Applications must store the cookie value in session and deal with session management.
However, I read in the documentation that I should not rely on this cookie directly because its format can change and it's also associated with the URL of the Keycloak server, not my application.

2/ *Use JS adapter to use "check-sso" feature*
At each request on my application, when the page is loading, I call the function "check-sso". If the user is already authenticated to Keycloak, I refresh the page and create a user session on my application.

Do you think these hypotheses are good? Do you know a better way to do SSO?

Thanks in advance

From slaskawi at redhat.com Thu Jul 5 03:31:27 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 5 Jul 2018 09:31:27 +0200
Subject: [keycloak-user] how to clone a realm?
In-Reply-To: <1257478819.2963880.1530773986575@mail.yahoo.com>
References: <1257478819.2963880.1530773986575.ref@mail.yahoo.com> <1257478819.2963880.1530773986575@mail.yahoo.com>

Hey Madhu,

How about using import/export functionality [1] (with some manual editing or sed/awk magic)?

Thanks,
Sebastian

[1] https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import

On Thu, Jul 5, 2018 at 9:06 AM Madhu wrote:
> Hi,
> I am using Keycloak for a multi-tenant/multi-realm scenario.
> In all my realms the clients/roles/password policies/groups/authentication/token settings etc. are the same.
> So my idea is to create a template realm and clone it to a new realm every time I want to provision a new tenant.
> I tried using the import/export option, but was not successful. I even tried removing all the ids/container id fields from the exported JSON and changed the realm names, and was unsuccessful again.
> Any idea how to clone a realm?
> Looks like import/export was built for replicating/duplicating the data in another Keycloak/database instance, and not suitable for cloning/creating a new realm.
> Any idea how I can create a new realm with a defined set of clients, user policies, mappers, authentication settings, flows, token settings and roles?
> Regards,
> Madhu

From slaskawi at redhat.com Thu Jul 5 03:49:58 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 5 Jul 2018 09:49:58 +0200
Subject: [keycloak-user] SAML Advice assertion with signature
In-Reply-To: <11655751-BC80-464A-AD7F-A02D3F99E03B@first8.nl>
References: <12CA6AFF-159E-4DBD-97DE-52838E47E96E@first8.nl> <11655751-BC80-464A-AD7F-A02D3F99E03B@first8.nl>

Sounds great Arjan!
Feel free to ping me in case you hit any problems :)

On Thu, Jul 5, 2018 at 8:39 AM Arjan Lamers wrote:
> Hi Sebastian,
>
> Nice to meet again! ;) Everything well, here! How's life over there?
>
> Wrt our issue: currently we managed to get the X.509's of the missing signatures so the issue is (fortunately) less urgent.
>
> We are using a custom extension to the SAML provider to support eHerkenning since KeyCloak seems to make some assumptions that do not hold (e.g. entityId is based on the uri). I'll try to make some time in the next weeks to see if I can offer some patches in this area, or if we can share the eHerkenning stuff in some other way as well.
>
> (FYI: eHerkenning is a Dutch company identification provider and is part of the European eIDAS scheme. May thus be interesting to support out of the box for Keycloak.)
>
> Kind regards,
> Arjan
>
> On 04-07-2018, at 13:40, Sebastian Laskawiec wrote:
>
> Hey Arjan,
>
> Long time no see! I hope you're well!
>
> More comment inlined.
>
> Thanks,
> Sebastian
>
> On Thu, Jun 28, 2018 at 4:53 PM Arjan Lamers wrote:
>> Hi,
>>
>> We are running KeyCloak 3.4.3-Final for a client and are running into trouble with an identity provider (the Dutch eHerkenning) that is using SAML Advice tags.
>>
>> We were running an older version of KeyCloak and recently that identity provider started to use <Advice> tags in their responses. We found https://issues.jboss.org/browse/KEYCLOAK-5644, adding support for the Advice tag, and that made us upgrade to 3.4.3. However, this patch does not seem to be complete.
>>
>> The patch there ignores the Advice tag when parsing the document. This is fine. However, in our case, the Advice contains two Assertions, both of which are signed (have a Signature tag). The document verification seems to also validate these signatures. This is a problem, since we do not have the keys for these advices, hence the validation fails.
>>
>> We have been advised to fully ignore the Advice tag, including the underlying signatures. I am not a SAML expert but that feels a bit wrong. Any thoughts on that?
>
> Perhaps Hynek or Stian could correct me here but the spec says the `Advice` elements can be completely ignored:
>
> "The <Advice> element contains any additional information that the SAML authority wishes to provide. This information MAY be ignored by applications without affecting either the semantics or the validity of the assertion."
>
> [1] Page 26 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>
>> However, if we do want to go down this road, we would probably patch this in
>>
>> org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(Document signedDoc, final KeyLocator locator)
>>
>> by skipping over nodes that have an "Advice" parent.
>
> This situation seems to be very tricky here. Looking through the spec I found that `Advice` tags need to be validated using lax XML validation (just as a reminder, lax validation doesn't fail if the schema is not found) [2]:
>
> "<Advice> and AdviceType: In addition to SAML-native elements, allows elements from other namespaces with lax schema validation processing."
>
> There's also a note on signature verification [3]:
>
> "The SAML assertion MAY be signed, which provides both authentication of the issuer and integrity protection. If such a signature is used, then the <ds:Signature> element MUST be present, and a relying party MUST verify that the signature is valid (that is, that the assertion has not been tampered with) in accordance with [XMLSig]. If it is invalid, then the relying party MUST NOT rely on the contents of the assertion.
> If it is valid, then the relying party SHOULD evaluate the signature to determine the identity and appropriateness of the issuer and may continue to process the assertion in accordance with this specification and as it deems appropriate (for example, evaluating conditions, advice, following profile specific rules, and so on)."
>
> So to sum it up:
>
> - Advice tag can be ignored completely
> - Advice tag needs only lax validation, so it just needs to be a well formed XML, and that's basically it.
> - If a verifier finds a signature, it needs to validate it. If the signature doesn't pass the validation, we can not rely on the assertion.
>
> From this point, I guess patching the SignatureUtil to skip verification of signatures located in `Advice` element, seems not to violate anything. That's what we should do in my opinion.
>
> [2] Page 75 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
> [3] Page 16 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>
>> Would that be an appropriate approach? Would you be interested in such a patch?
>
> Yes, definitely! Let's start with a patch for master branch and later on, we could cherry-pick it to 3.x if needed.
>
>> Kind regards,
>>
>> Arjan Lamers
>> Software Architect
>> +31 (0)6 23 82 24 05
>>
>> a.lamers at first8.nl
>> https://www.first8.nl
>> Linkedin https://www.linkedin.com/in/arjanl
>> Kerkenbos 1059b
>> 6546 BB Nijmegen
>>
>> View Conclusion's general terms and conditions here <https://www.conclusion.nl/kleine-lettertjes/algemene-voorwaarden>
>
> Kind regards,
>
> Arjan Lamers
> Software Architect
> +31 (0)6 23 82 24 05
>
> a.lamers at first8.nl
> https://www.first8.nl
> Linkedin https://www.linkedin.com/in/arjanl
>
> Kerkenbos 1059b
> 6546 BB Nijmegen
>
> View Conclusion's general terms and conditions here

From dt at acutus.pro Thu Jul 5 05:06:08 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 05 Jul 2018 12:06:08 +0300
Subject: [keycloak-user] how to clone a realm?
In-Reply-To: <1257478819.2963880.1530773986575@mail.yahoo.com>
References: <1257478819.2963880.1530773986575.ref@mail.yahoo.com> <1257478819.2963880.1530773986575@mail.yahoo.com>
Message-ID: <1530781568.10477.3.camel@acutus.pro>

Hi Madhu,

I would (as usual) suggest creating a Keycloak extension for that, like a custom REST endpoint with optional GUI extensions. From my experience, I'd say it shouldn't be that hard. You will get rid of the roundabout with importing/exporting data (which will become extremely painful as the data volume grows); additionally, you'll be able to precisely control the data you'll be copying.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+ 42 (022) 888-30-71
E-mail: info at acutus.pro

> Hi,
> I am using Keycloak for a multi-tenant/multi-realm scenario.
> In all my realms the clients/roles/password policies/groups/authentication/token settings etc. are the same.
> So my idea is to create a template realm and clone it to a new realm every time I want to provision a new tenant.
> I tried using the import/export option, but was not successful. I even tried removing all the ids/container id fields from the exported JSON and changed the realm names, and was unsuccessful again.
> Any idea how to clone a realm?
> Looks like import/export was built for replicating/duplicating the data in another Keycloak/database instance, and not suitable for cloning/creating a new realm.
> Any idea how I can create a new realm with a defined set of clients, user policies, mappers, authentication settings, flows, token settings and roles?
> Regards,
> Madhu

From corentin.dupont at gmail.com Thu Jul 5 05:10:06 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Thu, 5 Jul 2018 11:10:06 +0200
Subject: [keycloak-user] Failed to evaluate permissions with javascript

I created the corresponding Jira here: https://issues.jboss.org/browse/KEYCLOAK-7781?filter=-2

On Wed, Jul 4, 2018 at 4:13 PM, Pedro Igor Silva wrote:
> Sorry, should *not* get a null reference ...
>
> On Wed, Jul 4, 2018 at 11:12 AM, Pedro Igor Silva wrote:
>> Yeah it is fine, and if you ask permissions for MySensorsXXX (considering resource exists) you should get a null reference in your JS policy.
>>
>> On Wed, Jul 4, 2018 at 11:07 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>> Yes I want to have permissions for each resource associated with that scope.
>>> Basically, I have:
>>>
>>> Resource:
>>> -------------
>>> name: MySensorsXXX
>>> scope: [sensors:update, sensors:delete]
>>>
>>> Policy:
>>> ---------
>>> name: Resource owner
>>> type: javascript
>>>
>>> Permission:
>>> --------------
>>> name: Delete Sensor
>>> type: scope-based
>>> Scopes: [sensors:delete]
>>> Apply Policy: Resource owner
>>>
>>> Based on this setting, I want to ask Keycloak if I can delete a particular sensor, named MySensorsXXX.
>>> Keycloak should approve only if I'm owner.
>>> Is it the correct way to do it?
>>>
>>> On Wed, Jul 4, 2018 at 3:28 PM, Pedro Igor Silva wrote:
>>>> Could you deny if requested permission is not for a resource? Or do you want to have permissions for each resource associated with that scope?
>>>>
>>>> On Wed, Jul 4, 2018 at 10:16 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>> So how to retrieve the resource associated with this request?
>>>>>
>>>>> For instance I want to delete a sensor named MySensorsXXX:
>>>>>
>>>>> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token \
>>>>>   -H "Authorization: Bearer $USERTOKEN" \
>>>>>   -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=MySensorsXXX#sensors:delete"
>>>>>
>>>>> I have a scope-based policy, where I check if you are owner.
>>>>>
>>>>> On Wed, Jul 4, 2018 at 3:07 PM, Pedro Igor Silva wrote:
>>>>>> This is because the permission is not for the resource (it does not exist) but for scopes. So resource is null.
>>>>>>
>>>>>> On Wed, Jul 4, 2018 at 9:38 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>>>> Hi again,
>>>>>>> I use a small javascript policy:
>>>>>>>
>>>>>>> var context = $evaluation.getContext();
>>>>>>> var permission = $evaluation.getPermission();
>>>>>>> var identity = context.getIdentity();
>>>>>>> if (identity.id == permission.getResource().getOwner()) {
>>>>>>>     $evaluation.grant();
>>>>>>> }
>>>>>>>
>>>>>>> But this gets me an error:
>>>>>>>
>>>>>>> Unexpected error while evaluating permissions: java.lang.RuntimeException: Failed to evaluate permissions
>>>>>>>     at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator$1.onError(IterablePermissionEvaluator.java:66)
>>>>>>>     at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:54)
>>>>>>>     at org.keycloak.authorization.permission.evaluator.IterablePermissionEvaluator.evaluate(IterablePermissionEvaluator.java:63)
>>>>>>>     at org.keycloak.authorization.authorization.AuthorizationTokenService.evaluatePermissions(AuthorizationTokenService.java:208)
>>>>>>>     ...
>>>>>>> Caused by: org.keycloak.scripting.ScriptExecutionException: Could not execute script 'Resource owner' problem was: TypeError: null has no such function "getOwner" in <eval> at line number 4
>>>>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.evalUnchecked(AbstractEvaluatableScriptAdapter.java:64)
>>>>>>>     at org.keycloak.scripting.AbstractEvaluatableScriptAdapter.eval(AbstractEvaluatableScriptAdapter.java:30)
>>>>>>>
>>>>>>> I noticed this happens only with scope-based policies, so maybe it's the same problem as before?
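An added example for the thread above (not code from the list or from Keycloak): the "Resource owner" policy rewritten with the null check that Pedro's explanation implies, so a scope-only request denies instead of throwing the TypeError. `makeEvaluation` and `decide` are a constructed stand-in for Keycloak's `$evaluation` object, used only to run the policy outside the server; the resource owner "alice" is a constructed value.

```javascript
'use strict';
// Added example (not from the thread): the JavaScript policy from the
// thread with a null guard, driven by a constructed stand-in for the
// $evaluation object that Keycloak exposes to script policies.

// Policy body as it would be pasted into the admin console. Inside Keycloak
// $evaluation is a global; here it is a parameter so the same function can
// be called with the stand-in below.
function resourceOwnerPolicy($evaluation) {
  var context = $evaluation.getContext();
  var permission = $evaluation.getPermission();
  var identity = context.getIdentity();
  var resource = permission.getResource();

  // A scope-based permission that was not requested against an existing
  // resource has no resource, hence no owner to compare with. Deny
  // explicitly instead of dereferencing null (the failure in the thread:
  // a thrown error surfaces as "Failed to evaluate permissions").
  if (resource === null || resource === undefined) {
    $evaluation.deny();
    return;
  }
  if (identity.id === resource.getOwner()) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Constructed stand-in for $evaluation: exposes the getContext /
// getPermission / grant / deny calls the policy uses and records the outcome.
function makeEvaluation(identityId, resource) {
  var decision = 'none';
  return {
    getContext: function () {
      return { getIdentity: function () { return { id: identityId }; } };
    },
    getPermission: function () {
      return { getResource: function () { return resource; } };
    },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    decision: function () { return decision; }
  };
}

// Run the policy for one identity/resource pair and return the decision.
function decide(identityId, resource) {
  var ev = makeEvaluation(identityId, resource);
  resourceOwnerPolicy(ev);
  return ev.decision();
}

// Constructed resource: MySensorsXXX owned by "alice". A null resource
// models the scope-only request from the thread.
var mySensors = { getOwner: function () { return 'alice'; } };

console.log('owner       ->', decide('alice', mySensors)); // grant
console.log('other user  ->', decide('bob', mySensors));   // deny
console.log('no resource ->', decide('alice', null));      // deny, no TypeError
```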
From hongliu at bondlinc.com Thu Jul 5 05:37:53 2018
From: hongliu at bondlinc.com (Hongliu Zou)
Date: Thu, 5 Jul 2018 17:37:53 +0800
Subject: [keycloak-user] how to clone a realm?
References: <1257478819.2963880.1530773986575.ref@mail.yahoo.com> <1257478819.2963880.1530773986575@mail.yahoo.com>

Hi Madhu

I am facing the same issue when trying to duplicate a realm from a file by the two simple steps below:
- Export from Keycloak A to a file
- Import the realm from the file to Keycloak B

The error from the Keycloak log is: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation

After manually changing all ids to different values in the file, I can import now. Maybe writing a script to process the ids (plus 1 for all ids) is better. It looks like it would be better for the export function of Keycloak to handle this case. Need input from Keycloak experts. :)

Thanks
Hongliu

On Thu, Jul 5, 2018 at 3:31 PM, Sebastian Laskawiec wrote:
> Hey Madhu,
>
> How about using import/export functionality [1] (with some manual editing or sed/awk magic)?
>
> Thanks,
> Sebastian
>
> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import
>
> On Thu, Jul 5, 2018 at 9:06 AM Madhu wrote:
>> Hi,
>> I am using Keycloak for a multi-tenant/multi-realm scenario.
>> In all my realms the clients/roles/password policies/groups/authentication/token settings etc. are the same.
>> So my idea is to create a template realm and clone it to a new realm every time I want to provision a new tenant.
>> I tried using the import/export option, but was not successful. I even tried removing all the ids/container id fields from the exported JSON and changed the realm names, and was unsuccessful again.
>> Any idea how to clone a realm?
>> Looks like import/export was built for replicating/duplicating the data in another Keycloak/database instance, and not suitable for cloning/creating a new realm.
>> Any idea how I can create a new realm with a defined set of clients, user policies, mappers, authentication settings, flows, token settings and roles?
>> Regards,
>> Madhu

From tech at psynd.net Thu Jul 5 05:51:34 2018
From: tech at psynd.net (Tech)
Date: Thu, 5 Jul 2018 11:51:34 +0200
Subject: [keycloak-user] Alternative authentication flows
In-Reply-To: <0569d7f7-d14d-0cf2-a538-3eaffc4f0c39@psynd.net>
References: <0569d7f7-d14d-0cf2-a538-3eaffc4f0c39@psynd.net>

Hello,

we are still struggling with this challenge, could you please advise?

Thanks

On 04.07.18 17:14, Tech wrote:
> Dear experts,
>
> we are working with Keycloak 4.0.0.
>
> We want to implement the following authentication workflow:
>
> 1) Mandatory User/Password
> 2) If User/Password is correct then mandatory one between
>    2.1) Google Authenticator
>    2.2) Another factor of authentication
>
> We are only able to make the first challenge mandatory, while we are not able to choose the second mandatory option.
>
> If we set them as Required, both will be chosen in sequence ("Google Authenticator" AND "Other factor"), while we cannot choose "Google Authenticator" OR "Other factor".
>
> Could you please advise?
>
> Thanks

From scoady at redhat.com Thu Jul 5 07:12:57 2018
From: scoady at redhat.com (Stephen Coady)
Date: Thu, 5 Jul 2018 12:12:57 +0100
Subject: [keycloak-user] SSO with Keycloak JS and Cordova adapter

Hi,

We have multiple apps (Native and Hybrid) using Keycloak and the single sign-on feature. It is currently working for all but Cordova. I am wondering, does the Cordova adapter within keycloak-js currently support single sign-on in the same way the default adapter does? From my initial experiments it looks like it doesn't and the inappbrowser plugin may be to blame. Is there a way around this?

At the moment it looks like my only option would be to use the default adapter in my Cordova application, but this brings other complications, such as a fragmented auth process.

Thanks,
Stephen

--
STEPHEN COADY
ASSOCIATE SOFTWARE ENGINEER
Red Hat
Communications House, Cork Road
Waterford City, Ireland X91NY33
scoady at redhat.com
IM: scoady

From steve.munene at atlancis.com Thu Jul 5 08:00:41 2018
From: steve.munene at atlancis.com (Steve Munene)
Date: Thu, 5 Jul 2018 12:00:41 +0000
Subject: [keycloak-user] Keycloak username attribute

Hi, what is the SAML user attribute used by Keycloak in the SAML response? I keep getting this after login from CloudStack:

531 Failed to find admin configured username attribute in the SAML Response. Please ask your administrator to check SAML user attribute name.
From pnalyvayko at agi.com Thu Jul 5 10:06:59 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Thu, 5 Jul 2018 14:06:59 +0000
Subject: [keycloak-user] x509 authentication - two fields
In-Reply-To: <43bee7ed-c039-c2a8-1827-093d34182897@adbglobal.com>
References: <43bee7ed-c039-c2a8-1827-093d34182897@adbglobal.com>

Hello Karol,

If I understand you correctly, your question is about using composite keys to match the user identity against an x509 client cert. Composite keys are not currently supported, AFAIK.

--Peter

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of Karol Buler [K.Buler at adbglobal.com]
Sent: Tuesday, July 3, 2018 4:27 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] x509 authentication - two fields

Hi Keycloaks :)

I want to use two fields from the certificate in the x509 authentication flow. Is there any possibility to do that out of the box, or do I have to implement my own custom authentication mechanism using the Authentication SPI?

Karol

adbglobal.com

This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED. Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.
From ntle at castortech.com Thu Jul 5 11:38:56 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Thu, 5 Jul 2018 11:38:56 -0400
Subject: [keycloak-user] admin-client binary and dependencies

Hello,

Where can I get the binaries of the admin-client and its dependencies for KC 4.0.0.Final?

I added the following jars from Maven Central to my package:

    javax.ws.rs-api,\
    org.jboss.resteasy:resteasy-jackson2-provider,\
    org.jboss.resteasy:resteasy-jaxrs,\
    org.apache.commons.lang3,\
    org.keycloak:keycloak-admin-client,\
    org.keycloak.keycloak-core,\
    org.jboss.resteasy:resteasy-client,\
    org.jboss.resteasy:resteasy-multipart-provider,\
    org.jboss.resteasy:resteasy-jaxb-provider,\
    org.eclipse.equinox.supplement,\
    com.castortech.iris.security;version=latest,\
    org.keycloak:keycloak-server-spi-private,\
    org.keycloak:keycloak-server-spi,\
    org.keycloak.keycloak-common,\
    org.eclipse.emf.common,\
    javax.annotation-api,\
    com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited. If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.
CONFIDENTIALITY NOTICE: The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the recipient. Any other person is hereby notified that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.

From ntle at castortech.com Thu Jul 5 11:42:00 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Thu, 5 Jul 2018 11:42:00 -0400
Subject: [keycloak-user] admin-client binary and dependencies

Hello,

Where can I get the binaries of the admin-client and its dependencies for KC 4.0.0.Final?

I added the following jars from Maven Central to my package:

    javax.ws.rs-api,\
    org.jboss.resteasy:resteasy-jackson2-provider,\
    org.jboss.resteasy:resteasy-jaxrs,\
    org.apache.commons.lang3,\
    org.keycloak:keycloak-admin-client,\
    org.keycloak.keycloak-core,\
    org.jboss.resteasy:resteasy-client,\
    org.jboss.resteasy:resteasy-multipart-provider,\
    org.jboss.resteasy:resteasy-jaxb-provider,\
    org.eclipse.equinox.supplement,\
    com.castortech.iris.security;version=latest,\
    org.keycloak:keycloak-server-spi-private,\
    org.keycloak:keycloak-server-spi,\
    org.keycloak.keycloak-common,\
    org.eclipse.emf.common,\
    javax.annotation-api,\
    com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider

But I still get an error:

    javax.ws.rs.ProcessingException: RESTEASY003215: could not find writer for content-type application/x-www-form-urlencoded type: javax.ws.rs.core.Form$1

when calling .realms().findAll()

Thai

From vandana0242 at gmail.com Thu Jul 5 12:05:36 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 5 Jul 2018 11:05:36 -0500
Subject: [keycloak-user] Where we can configure the application url for single sign on configuration

Hello

Where exactly can we configure the application URL for single sign-on configuration using Keycloak, Wildfly and an external IDP?

Thanks,
Vandana

From iali at an10.io Thu Jul 5 12:08:00 2018
From: iali at an10.io (Irtiza Ali)
Date: Thu, 5 Jul 2018 21:08:00 +0500
Subject: [keycloak-user] Where we can configure the application url for single sign on configuration

Hello Vandana,

I have configured the application URL in the client's configuration dashboard.

Irtiza Ali

On Thu, 5 Jul 2018, 21:06 vandana thota, wrote:
> Hello
>
> Where exactly can we configure the application URL for single sign-on configuration using Keycloak, Wildfly and an external IDP?
>
> Thanks,
> Vandana

From ebenzacar at gmail.com Thu Jul 5 12:27:22 2018
From: ebenzacar at gmail.com (Eric B)
Date: Thu, 5 Jul 2018 12:27:22 -0400
Subject: [keycloak-user] Backchannel logout on session-timeout?

I'm using Keycloak 3.4.3 and have my Java client configured for backchannel logout. It works fine if I log out from within the Keycloak user interface. But I was also expecting it to work if the KC user session died due to idle timeout or max session life. But in both session expiration cases, the backchannel logout is not triggered.

Is this a bug in KC, or simply not a use-case that is supported? Or is this a configuration issue with my KC install?

Thanks,
Eric

From vandana0242 at gmail.com Thu Jul 5 12:28:13 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 5 Jul 2018 11:28:13 -0500
Subject: [keycloak-user] Where we can configure the application url for single sign on configuration

May I know the flow of that tab to reach it, or could you send a screenshot?

On Thu, Jul 5, 2018 at 11:08 AM Irtiza Ali wrote:
> Hello Vandana,
>
> I have configured the application URL in the client's configuration dashboard.
>
> Irtiza Ali
>
> On Thu, 5 Jul 2018, 21:06 vandana thota, wrote:
>> Hello
>>
>> Where exactly can we configure the application URL for single sign-on configuration using Keycloak, Wildfly and an external IDP?
>>
>> Thanks,
>> Vandana

From jmorales at redhat.com Thu Jul 5 13:52:36 2018
From: jmorales at redhat.com (Jorge Morales Pou)
Date: Thu, 5 Jul 2018 19:52:36 +0200
Subject: [keycloak-user] Fwd: Trying to create a user in a realm I get 405 response

Hi,

I'm deploying Che on OpenShift and I was trying to pre-create some users in Keycloak. This Che and Keycloak are deployed using Ansible, and so far so good. I'm using the templates from github.com/eclipse/che. This deployment comes preconfigured with a che realm as well as the ability to change the master realm admin's username and password, which I do, for security reasons, but the che realm doesn't allow me to change the username/password for the admin, so those default to admin/admin (as of now).

The problem comes when I try to create a user via REST.
I have the following 2 Ansible tasks (they are easily understood):

    - name: get auth token from keycloak
      uri:
        url: http://keycloak-{{ project_name }}.{{ apps_hostname_suffix }}/auth/realms/che/protocol/openid-connect/token
        method: POST
        body: "username=admin&password=admin&grant_type=password&client_id=admin-cli"
        headers:
          Content-Type: "application/x-www-form-urlencoded"
        status_code: 200
      register: access_token_result

    - set_fact:
        access_token_bearer: "{{ access_token_result.json | json_query('access_token') }}"

    - name: Pre-create {{ che_generate_user_count }} users in che realm with format ({{ che_generate_user_format }})
      uri:
        url: http://che-{{ project_name }}.{{ apps_hostname_suffix }}/admin/realms/che/users
        method: POST
        body: "{{ lookup('template','che-user.json.j2') }}"
        body_format: json
        status_code: 204
        headers:
          Authorization: "Bearer {{ access_token_bearer }}"
      vars:
        username: "{{ item }}"
        first_name: "User"
        last_name: "{{ item }}"
        email: "{{ item }}@none.com"
        password: "{{ che_generate_user_password }}"
      with_sequence: start={{ che_generate_user_count|int if che_generate_user_count|int < 1 else 1}} end={{ che_generate_user_count }} format={{ che_generate_user_format }}
      when: che_generate_user_count|int > 0

And the che-user.json that I use for the request is this:

    {
      "username": "{{ username }}",
      "enabled": "true",
      "firstName": "{{ first_name }}",
      "lastName": "{{ last_name }}",
      "email": "{{ email }}",
      "credentials": [
        {
          "type": "password",
          "value": "{{ password }}"
        }
      ]
    }

Everything looks perfectly configured on my end, and I've tried using curl as seen in much documentation to troubleshoot, but with the same error. I get a 405, POST method not allowed.

This is the verbose stack of the request, which has all the valuable info (host name is changed):

    ------------------------------------------------
    failed: [localhost] (item=user1) => {
      "changed": false,
      "connection": "close",
      "content": "HTTP Status 405 - Method Not Allowed
                  Type Status Report
                  Message HTTP method POST is not supported by this URL
                  Description The method received in the request-line is known by the origin server but not supported by the target resource.
                  Apache Tomcat/8.5.23",
      "content_language": "en",
      "content_length": "1117",
      "content_type": "text/html;charset=utf-8",
      "date": "Thu, 05 Jul 2018 17:12:32 GMT",
      "invocation": {
        "module_args": {
          "attributes": null,
          "backup": null,
          "body": {
            "credentials": [
              {
                "type": "password",
                "value": "password"
              }
            ],
            "email": "user1 at none.com",
            "enabled": "true",
            "firstName": "User",
            "lastName": "user1",
            "username": "user1"
          },
          "body_format": "json",
          "client_cert": null,
          "client_key": null,
          "content": null,
          "creates": null,
          "delimiter": null,
          "dest": null,
          "directory_mode": null,
          "follow": false,
          "follow_redirects": "safe",
          "force": false,
          "force_basic_auth": false,
          "group": null,
          "headers": {
            "Authorization": "Bearer [access token removed]",
            "Content-Type": "application/json"
          },
          "http_agent": "ansible-httpget",
          "method": "POST",
          "mode": null,
          "owner": null,
          "regexp":
null,
            "remote_src": null,
            "removes": null,
            "return_content": false,
            "selevel": null,
            "serole": null,
            "setype": null,
            "seuser": null,
            "src": null,
            "status_code": [
                "204"
            ],
            "timeout": 30,
            "unsafe_writes": null,
            "url": "http://che-starter-workshop-apb-test.apps.mydomain.com/auth/realms/che/users",
            "url_password": null,
            "url_username": null,
            "use_proxy": true,
            "validate_certs": true
        }
    },
    "item": "user1",
    "msg": "Status code was 405 and not [204]: HTTP Error 405: ",
    "redirected": false,
    "set_cookie": "688655d95dc9dee6e6f6057ef3239223=5aac40b93e1fbe870f8d213baa7a4c7a; path=/; HttpOnly",
    "status": 405,
    "url": "http://che-starter-workshop-apb-test.apps.osevg.openshiftworkshop.com/auth/realms/che/users"
}
------------------------------------------------

Can anyone provide some insight into what I'm doing wrong? Is it the request, or is it the che realm configuration <https://github.com/eclipse/che/blob/master/dockerfiles/init/modules/keycloak/templates/che-realm.json.erb> or the client in the realm <https://github.com/eclipse/che/blob/master/dockerfiles/init/modules/keycloak/templates/che-users-0.json.erb> used to get the token?

Cheers,

*Jorge Morales*
Red Hat
OpenShift Developer Advocate
http://jorgemoral.es/ | @jorgemoralespou

From vandana0242 at gmail.com Thu Jul 5 13:56:35 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 5 Jul 2018 12:56:35 -0500
Subject: [keycloak-user] Where we can configure the application url for single sign on configuration
In-Reply-To:
References:
Message-ID:

Hello

Can you let me know where exactly you have configured the app url in keycloak? I have seen the Client tab in keycloak and there are many fields after I click that Client tab, so under which one do we have to configure the app url?

Thanks,
Vandana

On Thu, Jul 5, 2018 at 11:28 AM vandana thota wrote:
> May I know the flow of that tab to reach out.
>
> or send any screen shot
>
> On Thu, Jul 5, 2018 at 11:08 AM Irtiza Ali wrote:
>
>> Hello vandan
>>
>> I have configured the application url in the clients configurations
>> dashboard.
>>
>> Irtiza Ali
>>
>> On Thu, 5 Jul 2018, 21:06 vandana thota, wrote:
>>
>>> Hello
>>>
>>> Where exactly can we configure the application url for single sign on
>>> configuration by using keycloak, Wildfly, External IDP?
>>>
>>> Thanks,
>>> Vandana
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From psilva at redhat.com Thu Jul 5 14:30:23 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 5 Jul 2018 15:30:23 -0300
Subject: [keycloak-user] Fwd: Trying to create a user in a realm I get 405 response
In-Reply-To:
References:
Message-ID:

What if you set Content-Type: "application/json" in the request definition?

On Thu, Jul 5, 2018 at 2:52 PM, Jorge Morales Pou wrote:
> Hi,
> I'm deploying Che on OpenShift and I was trying to pre-create some users in
> Keycloak.
> This Che and Keycloak are deployed using Ansible, and so far so good. I'm
> using the templates from github.com/eclipse/che.
>
> This deployment comes preconfigured with a che realm as well as the ability
> to change the master realm admin's username and password, which I do, for
> security reasons, but the che realm doesn't allow me to change the
> username/password for the admin, so those default to admin/admin (as of
> now).
>
> The problem comes when I try to create a user via rest.
From jmorales at redhat.com Thu Jul 5 15:03:48 2018
From: jmorales at redhat.com (Jorge Morales Pou)
Date: Thu, 5 Jul 2018 21:03:48 +0200
Subject: [keycloak-user] Fwd: Trying to create a user in a realm I get 405 response
In-Reply-To:
References:
Message-ID:

It's there, in the headers you can see it set. The first ansible call uses form-urlencode, but the second, the one failing, sets the content type as json.
Jorge

Any typo was my phone

On Thu, 5 Jul 2018 20:30, Pedro Igor Silva wrote:
> What if you set Content-Type: "application/json" in the request
> definition?
>

From caiyegui at gmail.com Thu Jul 5 15:57:18 2018
From: caiyegui at gmail.com (Yegui Cai)
Date: Thu, 5 Jul 2018 15:57:18 -0400
Subject: [keycloak-user] Adding a new admin API as a Rest resource SPI
Message-ID:

Hi.

Would it be possible to add an admin rest API via building a SPI? If so, any doc/resource I should check? I played with the REST resource SPI under the example directory. However, it is not protected yet. What mechanism can I take to protect the newly added API?

Thanks!
Yegui

From dt at acutus.pro Fri Jul 6 03:01:40 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 06 Jul 2018 10:01:40 +0300
Subject: [keycloak-user] admin-client binary and dependencies
In-Reply-To:
References:
Message-ID: <1530860500.8747.1.camel@acutus.pro>

Hi Thai,

Is this correct that you're on OSGi? In non-OSGi environments, it's sufficient to declare org.keycloak:keycloak-admin-client only; it should pull the rest (see examples/admin-client).

Dmitry

On Thu, 2018-07-05 at 11:42 -0400, Nhut Thai Le wrote:
> Hello,
>
> Where can I get the binaries of the admin-client and its dependency
> for KC
> 4.0.0.Final?
> I added the following jars from mavencentral to my
> package:
> javax.ws.rs-api,\
> org.jboss.resteasy:resteasy-jackson2-provider,\
> org.jboss.resteasy:resteasy-jaxrs,\
> org.apache.commons.lang3,\
> org.keycloak:keycloak-admin-client,\
> org.keycloak.keycloak-core,\
> org.jboss.resteasy:resteasy-client,\
> org.jboss.resteasy:resteasy-multipart-provider,\
> org.jboss.resteasy:resteasy-jaxb-provider,\
> org.eclipse.equinox.supplement,\
> com.castortech.iris.security;version=latest,\
> org.keycloak:keycloak-server-spi-private,\
> org.keycloak:keycloak-server-spi,\
> org.keycloak.keycloak-common,\
> org.eclipse.emf.common,\
> javax.annotation-api,\
> com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider
>
> But I still get the error:
> javax.ws.rs.ProcessingException: RESTEASY003215: could not find writer for
> content-type application/x-www-form-urlencoded type: javax.ws.rs.core.Form$1
>
> when calling .realms().findAll()
>
> Thai
>

From dt at acutus.pro Fri Jul 6 03:27:08 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 06 Jul 2018 10:27:08 +0300
Subject: [keycloak-user] Adding a new admin API as a Rest resource SPI
In-Reply-To:
References:
Message-ID: <1530862028.8747.3.camel@acutus.pro>

Hi Yegui,

Please take a look at BeerCloak: https://github.com/dteleguin/beercloak

This all is in fact a long story; the talks about the hypothetical Realm Admin Resource SPI have been circulating for years, but unfortunately we haven't come up with anything yet [1]. At the moment, the techniques for building protected REST resources (and more) have been collected and published as BeerCloak. In BeerCloak, the resource is protected with custom roles. If you're ok with the built-in roles, your code will be much simpler.

Feel free to ask me any questions regarding BeerCloak. Also I'm planning to port BeerCloak to the new technique introduced in Keycloak 3.2.0, so the code would become simpler. Stay tuned!

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] http://lists.jboss.org/pipermail/keycloak-dev/2017-July/009648.html

From lemso at free.fr Fri Jul 6 04:30:24 2018
From: lemso at free.fr (Lamine Léo Keita)
Date: Fri, 6 Jul 2018 10:30:24 +0200
Subject: [keycloak-user] Launch Keycloak SPI as module with external dependencies
Message-ID:

Hi,

I've built an authentication SPI which I deploy as a jar file with no problem by copying it to the $KEYCLOAK_HOME/providers/ directory.

I needed external dependencies, so I made some changes to my application, and the external dependencies are not found ...

The documentation does not really explain this case.

Can someone help me on how to build a jar with all external dependencies to deploy it, please?

I tried to use the jar-with-dependencies plugin but this does not work either... because my file below is not included in the jar...
    services
        org.keycloak.authentication.AuthenticatorFactory

Here is the plugin reference:

    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-assembly-plugin</artifactId>
        <version>2.4.1</version>
        <configuration>
            <descriptorRefs>
                <descriptorRef>jar-with-dependencies</descriptorRef>
            </descriptorRefs>
        </configuration>
        <executions>
            <execution>
                <id>make-assembly</id>
                <phase>package</phase>
                <goals>
                    <goal>single</goal>
                </goals>
            </execution>
        </executions>
    </plugin>

BR,
Lamine

From nicolas.gillet at market-ip.com Fri Jul 6 05:10:28 2018
From: nicolas.gillet at market-ip.com (Nicolas Gillet)
Date: Fri, 6 Jul 2018 09:10:28 +0000
Subject: [keycloak-user] View-users permissions only view some users
Message-ID:

Hello,

Is it possible to grant a user the permission to view only some (not all) users of the realm? Same question about being allowed to impersonate only the users he is allowed to see?

Thanks for any help :-)

Nicolas GILLET

From clehingue at gmail.com Fri Jul 6 05:21:24 2018
From: clehingue at gmail.com (Christophe Lehingue)
Date: Fri, 6 Jul 2018 11:21:24 +0200
Subject: [keycloak-user] How to configure keycloak for native application mobile
Message-ID:

Hello,

I use keycloak for authentication via a website: it's ok. On the other hand, how do I configure keycloak so that it is usable for native mobile applications?

Thank you for your attention,
Regards,
Christophe

From dt at acutus.pro Fri Jul 6 05:32:39 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 06 Jul 2018 12:32:39 +0300
Subject: [keycloak-user] Launch Keycloak SPI as module with external dependencies
In-Reply-To:
References:
Message-ID: <1530869559.8747.7.camel@acutus.pro>

Hi,

Basically, you've got two options here:

1) deploy all your dependencies as JBoss/Wildfly modules, e.g. using jboss-cli.sh.
This is the example of adding the PostgreSQL JDBC driver:

    module add --name=org.postgresql --resources=/path/to/postgresql-42.1.1.jar --dependencies=javax.api,javax.transaction.api

You will need to substitute the name, path to JAR and dependencies for each module you'll be deploying.

2) deploy your provider as an EAR with dependencies inside. See BeerCloak to find out how to do it. beercloak-core is an (almost) dummy dependency for the demo purposes; beercloak-module is the provider proper; beercloak-ear is the EAR packaging project. You will have to edit src/main/application/META-INF/jboss-deployment-structure.xml inside your EAR project to reflect your actual dependencies and module/package names.

Feel free to ask any questions regarding BeerCloak.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

From lrozenblyum at gmail.com Fri Jul 6 05:37:25 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Fri, 6 Jul 2018 12:37:25 +0300
Subject: [keycloak-user] Keycloak persistence - PostgreSQL schema?
Message-ID:

Hello.

I would like to integrate keycloak with db storage in an existing PostgreSQL database (however in a separate keycloak-specific schema).

I tried to:
1) import the keycloak db creation sql script into the db, modifying public. -> keycloak. (so all schema references point there) and, in places where unqualified access was used, adding the schema prefix;
2) provide the 'current_schema' jdbc driver option.

However this didn't work and keycloak still complained that the db should be properly created.

Does keycloak support PostgreSQL schemas? Maybe something more should be configured?
Thanks in advance for advice.

From dt at acutus.pro Fri Jul 6 05:38:42 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 06 Jul 2018 12:38:42 +0300
Subject: [keycloak-user] Launch Keycloak SPI as module with external dependencies
In-Reply-To:
References:
Message-ID: <1530869922.8747.9.camel@acutus.pro>

On Fri, 2018-07-06 at 10:30 +0200, Lamine Léo Keita wrote:
> Hi,
>
> I've built an authentication SPI which I deploy with a jar file with
> no problem by copying it to $KEYCLOAK_HOME/providers/ directory.

By the way, this method (copying to the "providers" directory) has been deprecated, and the directory has been removed from recent KC versions. You should either deploy your provider as a module, or just drop it into standalone/deployments for hot deployment (however with some restrictions). See [1] for more details.
Dmitry

[1] https://www.keycloak.org/docs/latest/server_development/index.html#registering-provider-implementations

From dt at acutus.pro Fri Jul 6 05:56:20 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 06 Jul 2018 12:56:20 +0300
Subject: [keycloak-user] Keycloak persistence - PostgreSQL schema?
In-Reply-To:
References:
Message-ID: <1530870980.8747.11.camel@acutus.pro>

Hi Leonid,

Could you please try the "schema" property in Keycloak database config?

https://www.keycloak.org/docs/latest/server_installation/index.html#database-configuration

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-06 at 12:37 +0300, Leonid Rozenblyum wrote:
> Hello.
> I would like to integrate keycloak with db storage in an existing
> PostgreSQL database (however in a separate keycloak-specific schema).
>
> I tried to:
> 1) import the keycloak db creation sql script into the db, modifying
> public. -> keycloak. (so all schema references point there) and, in places
> where unqualified access was used, adding the schema prefix;
> 2) provide the 'current_schema' jdbc driver option.
>
> However this didn't work and keycloak still complained that the db should
> be properly created.
>
> Does keycloak support PostgreSQL schemas? Maybe something more should be
> configured?
> Thanks in advance for advice.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kkcmadhu at yahoo.com Fri Jul 6 05:59:17 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Fri, 6 Jul 2018 09:59:17 +0000 (UTC)
Subject: [keycloak-user] how to clone a realm?
In-Reply-To:
References: <1257478819.2963880.1530773986575.ref@mail.yahoo.com> <1257478819.2963880.1530773986575@mail.yahoo.com>
Message-ID: <426472698.7745.1530871157187@mail.yahoo.com>

I removed all the IDs and let keycloak auto-generate the IDs, and it worked.. but my concern now is for child entities, i.e. the ones with "container-id" tags; for those we still need to define/generate unique keys manually..

Madhu

Sent from Yahoo Mail on Android

On Thu, 5 Jul 2018 at 3:07 PM, Hongliu Zou wrote:

Hi Madhu

I am facing the same issue when trying to duplicate a realm from a file by the two simple steps below:
- Export from keycloak A to a file
- Import the realm from the file to keycloak B

The error from the keycloak log is:
org.h2.jdbc.JdbcSQLException: Unique index or primary key violation

After manually changing all ids to different values in the file, I can import now. Maybe writing a script to process the ids (plus 1 for all ids) is better. It looks like it would be better for the export function of keycloak to handle this case.
> Need input from keycloak experts. :)
>
> Thanks
> Hongliu
>
> On Thu, Jul 5, 2018 at 3:31 PM, Sebastian Laskawiec wrote:
>
>> Hey Madhu,
>>
>> How about using the import/export functionality [1] (with some manual editing or sed/awk magic)?
>>
>> Thanks,
>> Sebastian
>>
>> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import
>>
>> On Thu, Jul 5, 2018 at 9:06 AM Madhu wrote:
>>
>>> Hi,
>>> I am using keycloak for a multi tenant/multi realm scenario.
>>> In all my realms the clients/roles/password policies/groups/authentication/token settings etc are the same.
>>> So my idea is to create a template realm and clone it to a new realm every time i want to provision a new tenant.
>>> I tried using the import/export option, but was not successful. I even tried removing all the ids/container id fields from the exported json and changed the realm names, and was unsuccessful again.
>>> Any idea how to clone a realm?
>>> Looks like import/export was built for replicating/duplicating the data in another keycloak/database instance, and is not suitable for cloning/creating a new realm.
>>> Any idea how i can create a new realm with a defined set of clients, user policies, mappers, authentication settings, flows, token settings and roles?
>>>
>>> Regards,
>>> Madhu

From lrozenblyum at gmail.com Fri Jul 6 06:16:36 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Fri, 6 Jul 2018 13:16:36 +0300
Subject: [keycloak-user] Keycloak persistence - PostgreSQL schema?
In-Reply-To: <1530870980.8747.11.camel@acutus.pro>
References: <1530870980.8747.11.camel@acutus.pro>

Thank you! Yes, it works.

On Fri, Jul 6, 2018 at 12:56 PM Dmitry Telegin
wrote:

> Hi Leonid,
>
> Could you please try the "schema" property in Keycloak database config?
>
> https://www.keycloak.org/docs/latest/server_installation/index.html#database-configuration
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro

From torsten.juergeleit at gmail.com Fri Jul 6 08:04:10 2018
From: torsten.juergeleit at gmail.com (Torsten Juergeleit)
Date: Fri, 6 Jul 2018 14:04:10 +0200
Subject: [keycloak-user] How to keep users from updating their account details in admin client?

Hi everyone,

we have the requirement that users are not able to change their account details (email, first name, last name) in Keycloak's account client. We need read-only access to the admin client, so removing the admin client from the realm is not an option.

Is there any way to achieve this other than blocking any POST to "/auth/realms//account/" in our reverse proxy?
Cheers,
Torsten

From corentin.dupont at gmail.com Fri Jul 6 08:48:00 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Fri, 6 Jul 2018 14:48:00 +0200
Subject: [keycloak-user] Resource attributes with API

Hello,
I'm trying to experiment with resource attributes...
However I don't find it in the doc (yet).

Creating attributes like this seems to work:

    curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
      -H "Authorization: Bearer $CLIENTTOKEN" \
      -H "Content-Type: application/json" \
      -d '{"name":"Sensortest3", "attributes":{"isPrivate": ["true"]}}'

However, I'm not sure about the Javascript policy:

    var context = $evaluation.getContext();
    var permission = $evaluation.getPermission();
    var identity = context.getIdentity();
    if (permission.getResource().getAttributes().containsValue('isPrivate', 'false')) {
        $evaluation.grant();
    }

Thanks!!

From psilva at redhat.com Fri Jul 6 09:23:31 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 6 Jul 2018 10:23:31 -0300
Subject: [keycloak-user] Resource attributes with API

Will add some examples to docs.

The 'getResource().getAttributes()' returns a map. Here is an example:
https://github.com/pedroigor/keycloak/blob/49407c2e4f870659e1d5a00c7fd6cf1fbd16f8de/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/authz/PolicyEvaluationTest.java#L601

On Fri, Jul 6, 2018 at 9:48 AM, Corentin Dupont wrote:

> Hello,
> I'm trying to experiment with resource attributes...
> However I don't find it in the doc (yet).
> Creating attributes like this seems to work:
>
>     curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
>       -H "Authorization: Bearer $CLIENTTOKEN" \
>       -H "Content-Type: application/json" \
>       -d '{"name":"Sensortest3", "attributes":{"isPrivate": ["true"]}}'
>
> However, I'm not sure about the Javascript policy:
>
>     var context = $evaluation.getContext();
>     var permission = $evaluation.getPermission();
>     var identity = context.getIdentity();
>     if (permission.getResource().getAttributes().containsValue('isPrivate', 'false')) {
>         $evaluation.grant();
>     }
>
> Thanks!!

From lists at stefan-hesse.net Fri Jul 6 10:00:09 2018
From: lists at stefan-hesse.net (Stefan Hesse)
Date: Fri, 6 Jul 2018 16:00:09 +0200
Subject: [keycloak-user] Implementing a global admin role
Message-ID: <31d22145-8d68-c2a3-8452-d4768f773e05@stefan-hesse.net>

Hello,

I am trying to implement some kind of global admin role that grants access rights to all scopes within a resource. What I did is the following:

- Defined a permission with a group policy on the resource (Admin)
- Defined a permission with a user policy on one specific scope, e.g. view (normal user)

The problem that arises is that, while evaluating the policies, the global group policy always overwrites the decision from the group policy. Therefore the user will always be denied access, even though one permission grants access.

Can I change this behavior to make the accumulated result "PERMIT" instead of "DENY"?
Best Regards
Stefan

From vandana0242 at gmail.com Fri Jul 6 11:44:12 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Fri, 6 Jul 2018 10:44:12 -0500
Subject: [keycloak-user] keycloak and External IDP

Hello Friends,

I'm trying to configure Single Sign On for the application which we deployed on a wildfly instance by using keycloak and an external Identity provider (OKTA).

In the first screenshot I logged into the external IDP with the credentials and clicked on the app which we configured in the IDP, and it is redirecting to the sorry page of keycloak.
Instead of the sorry page, what needs to come there? Is it the 1 application which we deployed on the wildfly instance, or anything else to be shown there? And how to make it possible to show whatever the desired thing is?

Can anyone figure out why it's showing this?

Also we are using keycloak final 4.0.0.0 and wildfly 11 final.

PFA.

Thanks,
Vandana

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sampleapp1.PNG
Type: image/png
Size: 26328 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180706/cb9cbd52/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sampleapp2.PNG
Type: image/png
Size: 83330 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180706/cb9cbd52/attachment-0003.png

From d.weirshousky at xsb.com Fri Jul 6 12:10:34 2018
From: d.weirshousky at xsb.com (Drew Weirshousky)
Date: Fri, 6 Jul 2018 11:10:34 -0500 (CDT)
Subject: [keycloak-user] keycloak and External IDP
Message-ID: <1278596536.95367246.1530893434813.JavaMail.zimbra@xsb.com>

Hi,

You need to include your configuration info from Okta and Keycloak for the application in Okta and the IDP in Keycloak. You probably have the wrong value for one of the URLs in the Okta application.
Drew

----- Original Message -----
From: "vandana thota"
To: "keycloak-user"
Sent: Friday, July 6, 2018 11:44:12 AM
Subject: [keycloak-user] keycloak and External IDP

From vandana0242 at gmail.com Fri Jul 6 12:21:36 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Fri, 6 Jul 2018 11:21:36 -0500
Subject: [keycloak-user] keycloak and External IDP
In-Reply-To: <1278596536.95367246.1530893434813.JavaMail.zimbra@xsb.com>
References: <1278596536.95367246.1530893434813.JavaMail.zimbra@xsb.com>

Thanks!

I have configured the below in okta:

Single sign on url : http:// /auth/realms/master/broker/samlsample/endpoint
Requestable sso urls : http:// /auth/realms/master/broker/samlsample/endpoint

For both of the above urls I have mentioned the same value.

Audience URI (SP Entity ID) : http:// /auth/realms/sample-app

For all urls hostname:portnumber are the same. The hostname and port number are where keycloak is running.

I did not mention the app url anywhere in okta, but I did mention the app url in keycloak.

Which part am I missing? Any idea?
On Fri, Jul 6, 2018 at 11:10 AM Drew Weirshousky wrote:

> Hi,
>
> You need to include your configuration info from Okta and Keycloak for
> the application in Okta and the IDP in Keycloak. You probably have the
> wrong value for one of the URLs in the Okta application.
>
> Drew

From ntle at castortech.com Fri Jul 6 13:36:20 2018
From: ntle at castortech.com (Nhut Thai Le)
Date: Fri, 6 Jul 2018 13:36:20 -0400
Subject: [keycloak-user] admin-client binary and dependencies
In-Reply-To: <1530860500.8747.1.camel@acutus.pro>
References: <1530860500.8747.1.camel@acutus.pro>

Hi Dmitri,

You are correct, i'm in an OSGI env.
I found that resteasy-jaxrs and the other resteasy providers (jaxb, jackson2) are using the service loader to read the provider declarations in META-INF/services, but these files are skipped in OSGI, so i had to copy them to my bundle and require a service loader mediator to load them.
Ref: https://blog.osgi.org/2013/02/javautilserviceloader-in-osgi.html

In a non-OSGI env, i'm not sure if requiring keycloak-admin-client only will pull all resteasy providers and their dependencies (fasterxml.*), so it's still good to know what a complete hard/soft set of dependencies of admin-client should be.

Thank you
Thai

On Fri, Jul 6, 2018 at 3:01 AM, Dmitry Telegin
wrote:

> Hi Thai,
>
> Is this correct that you're on OSGi? In non-OSGi environments, it's
> sufficient to declare org.keycloak:keycloak-admin-client only, it
> should pull the rest (see examples/admin-client).
>
> Dmitry
>
> On Thu, 2018-07-05 at 11:42 -0400, Nhut Thai Le wrote:
>> Hello,
>>
>> Where can i get the binaries of the admin-client and its dependencies for KC 4.0.0.Final? I added the following jars from mavencentral to my package:
>>
>>     javax.ws.rs-api,\
>>     org.jboss.resteasy:resteasy-jackson2-provider,\
>>     org.jboss.resteasy:resteasy-jaxrs,\
>>     org.apache.commons.lang3,\
>>     org.keycloak:keycloak-admin-client,\
>>     org.keycloak.keycloak-core,\
>>     org.jboss.resteasy:resteasy-client,\
>>     org.jboss.resteasy:resteasy-multipart-provider,\
>>     org.jboss.resteasy:resteasy-jaxb-provider,\
>>     org.eclipse.equinox.supplement,\
>>     com.castortech.iris.security;version=latest,\
>>     org.keycloak:keycloak-server-spi-private,\
>>     org.keycloak:keycloak-server-spi,\
>>     org.keycloak.keycloak-common,\
>>     org.eclipse.emf.common,\
>>     javax.annotation-api,\
>>     com.fasterxml.jackson.jaxrs.jackson-jaxrs-json-provider
>>
>> But i still get the error:
>>
>>     javax.ws.rs.ProcessingException: RESTEASY003215: could not find writer for content-type application/x-www-form-urlencoded type: javax.ws.rs.core.Form$1
>>
>> When calling .realms().findAll()
>>
>> Thai

--
Castor Technologies Inc
460 rue St-Catherine St Ouest, Suite 613
Montréal, Québec H3B-1A7
(514) 360-7208 o
(514) 798-2044 f
ntle at castortech.com
www.castortech.com

CONFIDENTIALITY NOTICE: The information contained in this e-mail is confidential and may be proprietary information intended only for the use of the individual or entity to whom it is addressed. If the reader of this message is not the intended recipient, you are hereby notified that any viewing, dissemination, distribution, disclosure, copy or use of the information contained in this e-mail message is strictly prohibited.
If you have received and/or are viewing this e-mail in error, please immediately notify the sender by reply e-mail, and delete it from your system without reading, forwarding, copying or saving in any manner. Thank you.

CONFIDENTIALITY NOTICE (originally in French): The information contained in this message is confidential, may be protected by professional secrecy and is reserved for the exclusive use of the addressee. Any other person is hereby notified that it is strictly forbidden to disseminate, distribute or reproduce this message. If you have received this communication in error, please destroy it immediately and notify the sender. Thank you.

From caiyegui at gmail.com Fri Jul 6 14:50:42 2018
From: caiyegui at gmail.com (Yegui Cai)
Date: Fri, 6 Jul 2018 14:50:42 -0400
Subject: [keycloak-user] Read and Write Theme to a DB

Hi.

Would it be possible to store themes in a DB?

Thanks,
Yegui

From vandana0242 at gmail.com Fri Jul 6 15:13:52 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Fri, 6 Jul 2018 14:13:52 -0500
Subject: [keycloak-user] the redirect URL of keycloak throwing error

Hello

When I added the SAML identity provider, took the redirect URL (we cannot edit it except for the alias name) and put it in the browser, it shows the "we are sorry" error on the keycloak page. May I know why it's showing that sorry page on keycloak?

PFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: ID1.PNG
Type: image/png
Size: 45245 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180706/cee23b5a/attachment-0003.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ID2.PNG
Type: image/png
Size: 58181 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180706/cee23b5a/attachment-0004.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IDP3.PNG
Type: image/png
Size: 64006 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180706/cee23b5a/attachment-0005.png

From corentin.dupont at gmail.com Fri Jul 6 15:40:01 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Fri, 6 Jul 2018 21:40:01 +0200
Subject: [keycloak-user] UMA2: share with all users

Hello,

Is there a way to share resources with all users? Or to share with groups?

In my use case, I need to start with "open" situations, where resources are accessible. Some users can choose to restrict access to the resource, though.

I was thinking of adding an "isPrivate" attribute to my resource, defaulting to false. But maybe it's possible to use UMA instead: start with the resource shared with all users, and let the users reset the sharings...

From michael.hunziker at youengineering.com Sat Jul 7 03:44:24 2018
From: michael.hunziker at youengineering.com (Michael Hunziker)
Date: Sat, 7 Jul 2018 09:44:24 +0200
Subject: [keycloak-user] EventListenerProvider that removes an existing offline session/token

Hi everyone!

I need some advice in implementing an EventListenerProvider that makes sure that there is only one offline session/token per user (as soon as the user logs in on another device the provider should make sure that the other session/token is deleted).

I would expect that calling "userSessionProvider.removeOfflineUserSession(realmModel, userSession);" should be enough in the code below... But it does not delete anything in "OFFLINE_CLIENT_SESSION" and "OFFLINE_USER_SESSION".

Am I missing something? Is this even doable?
Cheers
Michael

    import java.util.List;
    import org.keycloak.events.Event;
    import org.keycloak.events.EventType;
    import org.keycloak.models.RealmModel;
    import org.keycloak.models.UserModel;
    import org.keycloak.models.UserSessionModel;
    import org.keycloak.models.UserSessionProvider;

    // Fields of the listener, not shown in the snippet: session (KeycloakSession),
    // realmProvider (RealmProvider), log (a logger) and MY_REALM (the realm name to watch).

    @Override
    public void onEvent(Event event) {
        final String realmId = event.getRealmId();
        final String userId = event.getUserId();
        final EventType eventType = event.getType();
        if (isRelevantEvent(realmId, eventType) && userId != null) {
            RealmModel realmModel = realmProvider.getRealm(realmId);
            UserModel userModel = session.users().getUserById(userId, realmModel);
            final UserSessionProvider userSessionProvider = session.sessions();
            // All offline sessions of the user who just logged in
            final List<UserSessionModel> userSessions =
                    userSessionProvider.getOfflineUserSessions(realmModel, userModel);
            // Remove every offline session except the one that belongs to this login
            userSessions.stream()
                    .filter(userSession -> !userSession.getId().equals(event.getSessionId()))
                    .forEach(userSession -> {
                        log.warn("Removing already existing offline user session {}", userSession.getId());
                        userSessionProvider.removeOfflineUserSession(realmModel, userSession);
                    });
        }
    }

    private boolean isRelevantEvent(final String realmId, final EventType eventType) {
        return eventType != null && eventType == EventType.LOGIN
                && realmId != null && realmId.equals(MY_REALM);
    }

From rafaelweingartner at gmail.com Sat Jul 7 08:09:18 2018
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Sat, 7 Jul 2018 09:09:18 -0300
Subject: [keycloak-user] Configuring Keycloak in Standalone Clustered Mode

Hello Keycloak communities,

I am configuring Keycloak for production, and we will need to use it in a clustered fashion. I have read about the two possible deployment scenarios, "Standalone clustered mode" and "domain clustered mode". It seems that the "Standalone clustered mode" is the simpler one. Also, we will be using Docker to deploy Keycloak. Therefore, we will not have the burden of managing configuration files manually. The update (configurations and/or Keycloak versions) should always be a matter of stopping and starting a new version of the Docker container.

I have one doubt though. It seems pretty magical that to configure Keycloak in HA mode I only need to use "standalone-ha.xml".
How does the discovery process of nodes happen? I mean, are the replicas communicating with each other directly, or is everything via a shared database? Do I need to expose some specific port from my Keycloak replicas to the network? Or is only the standard 443/80 enough?

Thanks in advance for your help ;)

--
Rafael Weingärtner

From ionel.gardais at tech-advantage.com Sat Jul 7 10:46:51 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Sat, 7 Jul 2018 16:46:51 +0200 (CEST)
Subject: [keycloak-user] Upgrade from 4.0.0 to 4.1.0 : invalid redirect_uri
Message-ID: <58050269.283557.1530974811037.JavaMail.zimbra@tech-advantage.com>

Hi,

I tried to upgrade from 4.0.0 to 4.1.0 but it resulted in an error page about redirect_uri.
I've previously upgraded from 3.4.3 to 4.0.0 without issue.

Any tips?

Regards,
Ionel

--
232 avenue Napoleon BONAPARTE
92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From corentin.dupont at gmail.com Sat Jul 7 11:01:27 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Sat, 7 Jul 2018 17:01:27 +0200
Subject: [keycloak-user] Permanent API key?

Hi guys,

Is it possible to have a permanent access token, or API key, that I can store on the client of my API? Or maybe I need to store my login/password on the client and retrieve a normal access token from the device?

In my use case, I have remote devices writing to my API. Those devices are not easy to update. I see that some services use an API key, passed as a query string, that seems to be permanent. For example ThingSpeak:
https://it.mathworks.com/help/thingspeak/channel-settings.html#keys

Is this possible with Keycloak? I.e. permanently granting access to some device?
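Corentin's question above asks for a permanent API key for devices. The usual pattern, shown here as an added example that is not part of the thread and not Keycloak's own code, is the other way round: the device keeps a long-lived client credential and obtains short-lived access tokens from the realm token endpoint (`/auth/realms/<realm>/protocol/openid-connect/token`, the same endpoint used later in this digest) with the client_credentials grant, renewing shortly before each token expires. The realm name `devices`, the client id `sensor-42`, the secrets and the token responses are constructed for the example; the transport and the clock are injectable so the walk-through runs offline.

```python
"""Device client: long-lived credential on the device, short-lived tokens on the wire.

Added example, not from the thread or from Keycloak. Assumes a confidential
client "sensor-42" with "Service Accounts Enabled" in an assumed realm "devices".
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "http://localhost:8080/auth/realms/devices/protocol/openid-connect/token"  # assumed realm


def http_post_form(url, form):
    """Real transport: the token endpoint wants application/x-www-form-urlencoded, not JSON."""
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        # Keycloak answers 400/401 with a JSON error body; hand it back so the caller reports it
        return json.loads(err.read().decode())


class DeviceTokenSource:
    """Turns a client credential into Bearer headers, renewing before expiry.

    Only the short-lived access token travels with each API call; the client
    secret stays on the device and can be rotated in Keycloak to cut off a
    lost device, which a permanent API key in a query string would not allow.
    """

    def __init__(self, client_id, client_secret, token_url=TOKEN_URL,
                 post=http_post_form, clock=time.time, skew=30):
        self.client_id = client_id
        self.client_secret = client_secret
        self.token_url = token_url
        self.post = post        # injectable transport (lets the example run offline)
        self.clock = clock      # injectable clock (same reason)
        self.skew = skew        # renew this many seconds before the token expires
        self._access_token = None
        self._expires_at = 0.0
        self.fetch_count = 0    # how many times the endpoint was called

    def _fetch(self):
        resp = self.post(self.token_url, {
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
        })
        if "access_token" not in resp:
            # Error bodies look like {"error": "...", "error_description": "..."}
            raise RuntimeError("token endpoint error: %s" % resp.get("error", "unknown"))
        self._access_token = resp["access_token"]
        self._expires_at = self.clock() + float(resp.get("expires_in", 0))
        self.fetch_count += 1

    def auth_headers(self):
        """Headers for the device's API call; fetches or renews the token when needed."""
        if self._access_token is None or self.clock() >= self._expires_at - self.skew:
            self._fetch()
        return {"Authorization": "Bearer " + self._access_token}


def run_demo():
    """Offline walk-through with a fake clock and constructed token responses."""
    now = [1000.0]
    issued = []

    def fake_post(url, form):
        # Constructed response in the shape of Keycloak's token endpoint
        assert form["grant_type"] == "client_credentials"
        issued.append(form["client_id"])
        return {"access_token": "tok-%d" % len(issued), "expires_in": 300, "token_type": "bearer"}

    src = DeviceTokenSource("sensor-42", "constructed-secret", post=fake_post, clock=lambda: now[0])
    first = src.auth_headers()["Authorization"]    # t=1000: fetches tok-1, valid until t=1300
    now[0] += 100
    second = src.auth_headers()["Authorization"]   # t=1100: still valid, no new fetch
    now[0] += 180
    third = src.auth_headers()["Authorization"]    # t=1280: inside the 30 s skew window, renewed
    return first, second, third, src.fetch_count


def denied_demo():
    """A wrong or rotated secret is refused; the device gets an error, not a stale token."""
    def bad_post(url, form):
        return {"error": "unauthorized_client"}   # constructed Keycloak error body
    src = DeviceTokenSource("sensor-42", "rotated-away", post=bad_post, clock=lambda: 0.0)
    try:
        src.auth_headers()
    except RuntimeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(run_demo())
    print(denied_demo())
```

In production the device would construct `DeviceTokenSource` with the default transport and clock and pass `auth_headers()` to each API request; revoking a device is then a matter of regenerating that client's secret (or disabling the client) in the realm, with no change needed on the API side.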
From ionel.gardais at tech-advantage.com Sat Jul 7 12:16:49 2018
From: ionel.gardais at tech-advantage.com (GARDAIS Ionel)
Date: Sat, 7 Jul 2018 18:16:49 +0200 (CEST)
Subject: [keycloak-user] Upgrade from 4.0.0 to 4.1.0 : invalid redirect_uri
In-Reply-To: <58050269.283557.1530974811037.JavaMail.zimbra@tech-advantage.com>
References: <58050269.283557.1530974811037.JavaMail.zimbra@tech-advantage.com>
Message-ID: <1168007564.284226.1530980209871.JavaMail.zimbra@tech-advantage.com>

Well, tried again after two rollbacks and all went well.

--
Ionel GARDAIS
Tech'Advantage CIO - IT Team manager

----- Original message -----
From: "Ionel GARDAIS"
To: "keycloak-user"
Sent: Saturday, 7 July 2018 16:46:51
Subject: [FGTSPAM] [keycloak-user] Upgrade from 4.0.0 to 4.1.0 : invalid redirect_uri

--
232 avenue Napoleon BONAPARTE
92500 RUEIL MALMAISON
Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301

From matthiasmueller07 at web.de Sun Jul 8 05:25:57 2018
From: matthiasmueller07 at web.de ("Matthias Müller")
Date: Sun, 8 Jul 2018 11:25:57 +0200
Subject: [keycloak-user] Kerberos Authentication

Hello Keycloak Users,

I configured Kerberos in Keycloak (newest version) and all seems fine. When I activate it in the Authentication flow section, the following error is shown on the login page:

"Kerberos is not set up. You cannot login."

There is no log entry or anything else, nothing. I also searched for this message but found no solution. It is not clear why it is not working.
Does anyone have an idea?

Thanks

From matthiasmueller07 at web.de Sun Jul 8 07:34:12 2018
From: matthiasmueller07 at web.de ("Matthias Müller")
Date: Sun, 8 Jul 2018 13:34:12 +0200
Subject: [keycloak-user] User Attributes

Hello Keycloak Community,

I created some further attributes in the ldap federation. When the user is new, all fields are filled correctly. For existing users, after a login the attributes are not created. Is there a way to sync all new attributes for existing users as well? I am not sure if the function "sync changed users" in the ldap federation section will also create new attributes.

Thanks

From iali at an10.io Sun Jul 8 09:38:41 2018
From: iali at an10.io (Irtiza Ali)
Date: Sun, 8 Jul 2018 18:38:41 +0500
Subject: [keycloak-user] grant_type not provided issue in

Hello everyone,

I have a node application and I am implementing SSO for it. I am authenticating users using the keycloak endpoint given below:

http://localhost:8080/auth/realms/nodejs-example/protocol/openid-connect/token

I am able to authenticate the user using the curl request but unable to do it using postman and the code given below:

    var requestify = require('requestify');

    requestify.post('http://localhost:8080/auth/realms/nodejs-example/protocol/openid-connect/token', {
        client_secret: '17823f90-c7c5-4f07-a78d-f7632a8dee16',
        client_id: 'nodejs-connect',
        username: 'ali123',
        password: '321ssg123',
        grant_type: 'password'
    }).then(function(response) {
        console.log(response.getBody());
    }).catch(function(response) {
        console.log(response);
    });

It always gives me this error: grant_type not provided.

Thanks in advance!
IA

From jochen at jochen.org Sun Jul 8 13:32:44 2018
From: jochen at jochen.org (Jochen Hein)
Date: Sun, 08 Jul 2018 19:32:44 +0200
Subject: [keycloak-user] Kerberos Authentication
In-Reply-To: ("Matthias Müller"'s message of "Sun, 8 Jul 2018 11:25:57 +0200")
Message-ID: <83o9fhfxab.fsf@jochen.org>

"Matthias Müller" writes:

> I configured Kerberos in Keycloak (newest version) and all seems
> fine. When I activate it in the Authentication flow section the
> following error is shown on the login page:
>
> "Kerberos is not set up. You cannot login."

This is most likely a missing keytab. How did you create the keytab, where is it stored and is it accessible for keycloak?

> There is no log entry or something else, nothing. I also searched for
> this message but no solution. It is not clear, why it is not
> working. Does anyone have an idea? Thanks

Enable debug in the kerberos configuration and have a look at log/server.log.

Jochen

--
This space is intentionally left blank.

From matthiasmueller07 at web.de Mon Jul 9 02:14:43 2018
From: matthiasmueller07 at web.de ("Matthias Müller")
Date: Mon, 9 Jul 2018 08:14:43 +0200
Subject: [keycloak-user] Kerberos Authentication
In-Reply-To: <83k1q5fpv5.fsf@jochen.org>
References: <83o9fhfxab.fsf@jochen.org> <83k1q5fpv5.fsf@jochen.org>

I added the necessary fields in the ldap configuration before.

Realm: local.domain
Principal: HTTP/server.name at local.domain
Keytab: /etc/keytab/servername.keytab

local.domain and server.name are placeholders for the original settings.

The following message is shown with kinit and kvno:

    kinit: Preauthentication failed while getting initial credentials
    No credentials cache found (filename: /tmp/krb5cc_0) while getting client principal name

When I read the keytab file with klist the output is:

    0 01/01/1970 00:00:00 HTTP/server.name at local.domain (aes256-cts-hmac-sha1-96)
Related to the log: no entry is shown in this case. Only when I deactivate kerberos are the normal logs shown, for example for a wrong user.

Thanks

Sent: Sunday, 08 July 2018 at 22:13
From: "Jochen Hein"
To: "Matthias Müller"
Subject: Re: Aw: Re: [keycloak-user] Kerberos Authentication

"Matthias Müller" writes:

> The keytab file was generated by the server tools on a Windows Server (Active directory).
> I saved the keytab in the /etc/keytab/ folder, the user is the same as keycloak.

Did you add the keytab and Principal to the LDAP configuration? Can you "kinit -kt /etc/keytab/keycloak.keytab HTTP/"? Is "kvno HTTP/" valid (same as on the Kerberos server)?

> The debug option is enabled but no server.log exists. In console.log
> nothing related to Kerberos appears.

Can you show the log?

Please move the discussion back to the list.

Jochen

--
This space is intentionally left blank.

From nils.wild at sinnovate.de Mon Jul 9 07:13:00 2018
From: nils.wild at sinnovate.de (Nils Wild)
Date: Mon, 9 Jul 2018 13:13:00 +0200
Subject: [keycloak-user] realm-management policies not affecting admin-console

Hi,

i think i got something wrong about how policies are supposed to work in Keycloak 4.1.0.Final.

I tried to configure a support group that has access to a certain group of customers but not all, so i created a new_user_group and a support_group (this group has realm-management roles to view and manage users so i can see those admin-console menus) and added policies such that the support_group can only see and manage that group and the users of that new_user_group, but not those of old_user_group. Unfortunately, after logging in with a user of support_group i can see all users and groups, not only those of the new_user_group, when clicking "view all users".

I already used the Authorization Evaluator of the realm-management client.
The funny thing is that if i choose the new user of the support_group and the old_user_group resource with the view scope, it correctly determines that access should be denied.

Am I missing something? Maybe the problem is that the new_support_group does have realm-management roles like view-users? But if i remove those roles i am not able to see any menu.

Nils

From psilva at redhat.com Mon Jul 9 07:50:38 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 9 Jul 2018 08:50:38 -0300
Subject: [keycloak-user] realm-management policies not affecting admin-console

Hi,

If you assign the *query-users* role to "new_support_group", make the user a member of "new_support_group", enable permissions on "new_user_group" and configure the "manage" permission, you should be able to restrict the users that the user is allowed to see.

Regards.
Pedro Igor

On Mon, Jul 9, 2018 at 8:13 AM, Nils Wild wrote:

> Hi,
>
> i think i got something wrong about how policies are supposed to work in
> Keycloak 4.1.0.Final
>
> I tried to configure a support group that has access to a certain group
> of customers but not all so i created a new_user_group and a
> support_group (this group has realm-management roles to view and manage
> users so i can see those admin-console menus) and added policies, such
> that the support_group can only see and manage that group and users of
> that new_user_group but not those of old_user_group. Unfortunately after
> logging in with a user of support_group i can see all users and groups
> not only those of the new_user_group when clicking "view all users".
>
> I already used the Authorization Evaluator of the realm-management
> client. The funny thing is that if i choose the new user of the
> support_group and the old_user_group resource with view scope it
> correctly determines that access should be denied.
>
> Am I missing something? Maybe the problem is that the new_support_group
> does have realm-management roles like view-users?
But if i remove those > roles i am not able to see any menu. > > Nils > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From corentin.dupont at gmail.com Mon Jul 9 09:03:04 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Mon, 9 Jul 2018 15:03:04 +0200 Subject: [keycloak-user] Resource quotas Message-ID: Hi guys, is there any way to do resource quota with Keycloak? I.e. max number of resource created, max number of request per hour... Keycloak could return a 403 (or another code) on an authorization request with exceeded quota... From daicy_duarte00 at hotmail.com Mon Jul 9 09:28:32 2018 From: daicy_duarte00 at hotmail.com (Daicy Duarte) Date: Mon, 9 Jul 2018 13:28:32 +0000 Subject: [keycloak-user] Implement the disableCredentialType function in account management console Message-ID: Hi! Is it possible to implement the disableCredentialType function in account management console (account.ftl)? To make it easy for the user delete their registered U2F device and thus be able to register another one when log in. Best regards, From ryans at jlab.org Mon Jul 9 11:10:17 2018 From: ryans at jlab.org (Ryan Slominski) Date: Mon, 9 Jul 2018 11:10:17 -0400 (EDT) Subject: [keycloak-user] Custom Authenticator and NoClassDefFoundError Message-ID: <228796994.4906007.1531149017215.JavaMail.zimbra@jlab.org> Hi Keycloak Users, I'm attempting to create a custom authenticator by following the org.keycloak.examples.authenticator secret question example and https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi documentation. When I drop the jar file into the deployments directory I get a NoClassDefFoundError. I guess this has something to do with the JBoss module system. I tried added a jboss-deployment-structure.xml file with the "org.keycloak.keycloak-services" module, but now I get a ModuleNotFoundError. Any tips? 
Source code for the new authenticator:

https://github.com/slominskir/KeycloakAutoLinkAuthenticator

NoClassDefFoundError:

2018-07-09 10:09:34,112 INFO  [org.jboss.as.repository] (DeploymentScanner-threads - 1) WFLYDR0001: Content added at location /opt/wildfly/keycloak-3.4.3/standalone/data/content/39/b99d3fa522078162e540b84481c8ff7c1fb346/content
2018-07-09 10:09:34,136 INFO  [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0027: Starting deployment of "AutoLinkAuthenticator.jar" (runtime-name: "AutoLinkAuthenticator.jar")
2018-07-09 10:09:34,213 INFO  [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-2) Deploying Keycloak provider: AutoLinkAuthenticator.jar
2018-07-09 10:09:34,219 WARN  [org.jboss.modules] (MSC service thread 1-2) Failed to define class org.keycloak.extras.authentication.authenticators.broker.AutoLinkAuthenticator in Module "deployment.AutoLinkAuthenticator.jar" from Service Module Loader: java.lang.NoClassDefFoundError: Failed to link org/keycloak/extras/authentication/authenticators/broker/AutoLinkAuthenticator (Module "deployment.AutoLinkAuthenticator.jar" from Service Module Loader): org/keycloak/authentication/authenticators/broker/AbstractIdpAuthenticator
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at org.jboss.modules.ModuleClassLoader.defineClass(ModuleClassLoader.java:446)
        at org.jboss.modules.ModuleClassLoader.loadClassLocal(ModuleClassLoader.java:274)
        at org.jboss.modules.ModuleClassLoader$1.loadClassLocal(ModuleClassLoader.java:77)
        at org.jboss.modules.Module.loadModuleClass(Module.java:713)
        at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:190)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:412)
        at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:400)
        at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
        at org.keycloak.extras.authentication.authenticators.broker.AutoLinkAuthenticatorFactory.(AutoLinkAuthenticatorFactory.java:14)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at java.lang.Class.newInstance(Class.java:442)
        at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:380)
        at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404)
        at java.util.ServiceLoader$1.next(ServiceLoader.java:480)
        at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47)
        at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93)
        at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:213)
        at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:114)
        at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
        at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54)
        at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:165)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

ModuleNotFoundError:

2018-07-09 10:40:55,135 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service jboss.module.service."deployment.AutoLinkAuthenticator.jar".main: org.jboss.msc.service.StartException in service jboss.module.service."deployment.AutoLinkAuthenticator.jar".main: WFLYSRV0179: Failed to load module: deployment.AutoLinkAuthenticator.jar
        at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:91)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032)
        at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)
Caused by: org.jboss.modules.ModuleNotFoundException: keycloak-services
        at org.jboss.modules.Module.addPaths(Module.java:1217)
        at org.jboss.modules.Module.link(Module.java:1573)
        at org.jboss.modules.Module.relinkIfNecessary(Module.java:1601)
        at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:287)
        at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:271)
        at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:68)
        ... 5 more

Thanks,

Ryan

From stefan.wachter at bosch-si.com Mon Jul 9 11:40:22 2018
From: stefan.wachter at bosch-si.com (stefan.wachter)
Date: Mon, 9 Jul 2018 17:40:22 +0200
Subject: [keycloak-user] docker image - KEYCLOAK_LOGLEVEL and ROOT_LOGLEVEL seem to have no effect
Message-ID: <322250ba-7e1e-775a-750a-79786b8e987c@bosch-si.com>

Hi all,

I run Keycloak (4.0.0.Final) in Docker using the official image.
The documentation says that setting the environment variables KEYCLOAK_LOGLEVEL and ROOT_LOGLEVEL can be used to set log levels. However, setting these environment variables seems to have no effect.

Has anybody managed to activate Keycloak debug logging in Docker?

--
Best regards,

Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK

From dt at acutus.pro Mon Jul 9 12:07:37 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 09 Jul 2018 19:07:37 +0300
Subject: [keycloak-user] Custom Authenticator and NoClassDefFoundError
In-Reply-To: <228796994.4906007.1531149017215.JavaMail.zimbra@jlab.org>
References: <228796994.4906007.1531149017215.JavaMail.zimbra@jlab.org>
Message-ID: <1531152457.21748.1.camel@acutus.pro>

Ryan,

Which version of Keycloak are you on? I was unable to reproduce the issue on either KC 4.0.0 or 4.1.0 (tested on a clean install). In my environment the project builds and deploys OK via dropping to standalone/deployments, I get no errors, and your authenticator successfully appears in the GUI.

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-09 at 11:10 -0400, Ryan Slominski wrote:
> Hi Keycloak Users,
>
> I'm attempting to create a custom authenticator by following the
> org.keycloak.examples.authenticator secret question example and
> https://www.keycloak.org/docs/latest/server_development/index.html#_auth_spi
> documentation. When I drop the jar file into the deployments
> directory I get a NoClassDefFoundError. I guess this has something
> to do with the JBoss module system. I tried adding a
> jboss-deployment-structure.xml file with the "org.keycloak.keycloak-services"
> module, but now I get a ModuleNotFoundError. Any tips?
> [...]
>         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>         at java.lang.Thread.run(Thread.java:748)
> Caused by: org.jboss.modules.ModuleNotFoundException: keycloak-services
>         at org.jboss.modules.Module.addPaths(Module.java:1217)
>         at org.jboss.modules.Module.link(Module.java:1573)
>         at org.jboss.modules.Module.relinkIfNecessary(Module.java:1601)
>         at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:287)
>         at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:271)
>         at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:68)
>         ... 5 more
>
> Thanks,
>
> Ryan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Mon Jul 9 12:34:49 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Mon, 9 Jul 2018 18:34:49 +0200
Subject: [keycloak-user] UMA policy API
Message-ID:

Hi guys,
I started playing with the UMA API...
In the UI, I defined a resource shared with 2 persons.
Here is what I get when I query the API:

curl http://localhost:8080/auth/realms/waziup/authz/protection/uma-policy?resource=5f2eda15-4d6c-4a20-a22a-7de109998b22 -H "Authorization: Bearer $USERTOKEN" | jq
[
  {
    "id": "4cad9948-12a8-4178-87a8-983509169a2d",
    "name": "028a265c-4cfb-4ef8-9d35-10a3360851df",
    "type": "uma",
    "scopes": [
      "sensors:create",
      "sensors:view",
      "sensors:update"
    ],
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "owner": "2ecfae24-f340-4ad0-a12e-02cdc60cd8ba"
  },
  {
    "id": "f8a10074-49b4-4ab7-b873-eca27b336e35",
    "name": "7b24a369-a0c5-471f-9b94-f3c88a78ae79",
    "type": "uma",
    "scopes": [
      "sensors:create",
      "sensors:delete",
      "sensors:view",
      "sensors:update"
    ],
    "logic": "POSITIVE",
    "decisionStrategy": "UNANIMOUS",
    "owner": "2ecfae24-f340-4ad0-a12e-02cdc60cd8ba"
  }
]

Where can I find the resource id and the recipient of the sharing?
What is "name"?
The doc seems to say that {id} is the resource id:

http://${host}:${port}/auth/realms/${realm_name}/authz/protection/uma-policy/{resource_id}

But that doesn't seem to be the case.

Another question: is there an API where I can find all the regular policies/permissions defined in the "Authorization" tab in the Keycloak admin console? I don't see them in the UMA API.

Thanks a lot!!

From vinayatoz at gmail.com Mon Jul 9 12:39:23 2018
From: vinayatoz at gmail.com (Vinay)
Date: Mon, 9 Jul 2018 12:39:23 -0400
Subject: [keycloak-user] Keycloak Roles and Usergroups
Message-ID:

What is the difference between Keycloak roles and user groups? Are they interchangeable, i.e. can we use roles instead of groups or vice versa to address a problem? Is it possible to have roles within roles, just like groups? Clear guidelines on how to use groups and roles would help.
thanks
/Vinay

From ryans at jlab.org Mon Jul 9 14:03:35 2018
From: ryans at jlab.org (Ryan Slominski)
Date: Mon, 9 Jul 2018 14:03:35 -0400 (EDT)
Subject: [keycloak-user] Custom Authenticator and NoClassDefFoundError
In-Reply-To: <1531152457.21748.1.camel@acutus.pro>
References: <228796994.4906007.1531149017215.JavaMail.zimbra@jlab.org> <1531152457.21748.1.camel@acutus.pro>
Message-ID: <678300212.4962060.1531159415970.JavaMail.zimbra@jlab.org>

Hi Dmitry,

I was using version 3.4.3. I've upgraded to version 4.1 and now it does work as you say.

Thanks for the help,

Ryan

----- Original Message -----
From: "Dmitry Telegin"
To: "Ryan Slominski" , "keycloak-user"
Sent: Monday, July 9, 2018 12:07:37 PM
Subject: Re: [keycloak-user] Custom Authenticator and NoClassDefFoundError

Ryan,

Which version of Keycloak are you on? I was unable to reproduce the issue on either KC 4.0.0 or 4.1.0 (tested on a clean install). In my environment the project builds and deploys OK via dropping to standalone/deployments, I get no errors, and your authenticator successfully appears in the GUI.

Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

From jochen at jochen.org Mon Jul 9 16:19:50 2018
From: jochen at jochen.org (Jochen Hein)
Date: Mon, 09 Jul 2018 22:19:50 +0200
Subject: [keycloak-user] Kerberos Authentication
In-Reply-To: ("Matthias Müller"'s message of "Mon, 9 Jul 2018 08:14:43 +0200")
References: <83o9fhfxab.fsf@jochen.org> <83k1q5fpv5.fsf@jochen.org>
Message-ID: <83fu0sf9g9.fsf@jochen.org>

"Matthias Müller" writes:

> I added the necessary fields in the ldap configuration before.
>
> Realm: local.domain
> Principal: HTTP/server.name@local.domain
> Keytab: /etc/keytab/servername.keytab

Ok.

> local.domain and server.name are placeholders for the original settings.
> The following message is shown with kinit and kvno:
> kinit: Preauthentication failed while getting initial credentials
> No credentials cache found (filename: /tmp/krb5cc_0) while getting client principal name

That's bad. My system has:

[root@saml keycloak]# kinit -kt keycloak.keytab HTTP/saml.example.org
[root@saml keycloak]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/saml.example.org@EXAMPLE.ORG

Valid starting       Expires              Service principal
08.07.2018 22:09:40  09.07.2018 22:09:40  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG

Until that works you don't need to look at anything else.
Please try:

KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/server.name@local.domain

> When I read the keytab file with klist the output is:
> 0 01/01/1970 00:00:00 HTTP/server.name@local.domain (aes256-cts-hmac-sha1-96)

That date looks fishy.

[root@saml keycloak]# klist -k keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG
   1 HTTP/saml.example.org@EXAMPLE.ORG

Can you please move the discussion back to the keycloak list? Thanks.

Jochen

--
This space is intentionally left blank.

From psilva at redhat.com Mon Jul 9 16:28:57 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 9 Jul 2018 17:28:57 -0300
Subject: [keycloak-user] UMA policy API
In-Reply-To:
References:
Message-ID:

Permissions created through the UMA flow are not supposed to be managed via the uma-policy endpoint, but rather additional permissions you want to grant to a resource on behalf of the resource owner (using roles, groups, clients or JS conditions). That is why you don't see "users"/"recipients" in the response.

To manage permissions created based on UMA tickets you would need to use the "/permission/ticket" endpoint, which allows you to manage tickets. Need to update docs with this endpoint though...

On Mon, Jul 9, 2018 at 1:34 PM, Corentin Dupont wrote:
> Hi guys,
> I started playing with the UMA API...
> In the UI, I defined a resource shared with 2 persons.
> Here is what I get when I query the API:
>
> curl
> http://localhost:8080/auth/realms/waziup/authz/protection/uma-policy?
> resource=5f2eda15-4d6c-4a20-a22a-7de109998b22
> -H "Authorization: Bearer $USERTOKEN" | jq
> [
>   {
>     "id": "4cad9948-12a8-4178-87a8-983509169a2d",
>     "name": "028a265c-4cfb-4ef8-9d35-10a3360851df",
>     "type": "uma",
>     "scopes": [
>       "sensors:create",
>       "sensors:view",
>       "sensors:update"
>     ],
>     "logic": "POSITIVE",
>     "decisionStrategy": "UNANIMOUS",
>     "owner": "2ecfae24-f340-4ad0-a12e-02cdc60cd8ba"
>   },
>   {
>     "id": "f8a10074-49b4-4ab7-b873-eca27b336e35",
>     "name": "7b24a369-a0c5-471f-9b94-f3c88a78ae79",
>     "type": "uma",
>     "scopes": [
>       "sensors:create",
>       "sensors:delete",
>       "sensors:view",
>       "sensors:update"
>     ],
>     "logic": "POSITIVE",
>     "decisionStrategy": "UNANIMOUS",
>     "owner": "2ecfae24-f340-4ad0-a12e-02cdc60cd8ba"
>   }
> ]
>
> Where can I find the resource id and the recipient of the sharing?
> What is "name"?
> The doc seems to say that {id} is the resource id:
>
> http://${host}:${port}/auth/realms/${realm_name}/authz/
> protection/uma-policy/{resource_id}
>
> But that doesn't seem to be the case.
>
> Another question, is there an API where I can find all the regular
> policies/permissions, defined in the "Authorization" tab in Keycloak admin
> console?
> I don't see them in UMA API.
>
> Thank a lot!!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Mon Jul 9 16:30:19 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Mon, 9 Jul 2018 17:30:19 -0300
Subject: [keycloak-user] UMA2: share with all users
In-Reply-To:
References:
Message-ID:

You can use the "uma-policy" endpoint to define additional permissions to a resource, where these permissions will be available to users in order to revoke access.

On Fri, Jul 6, 2018 at 4:40 PM, Corentin Dupont wrote:
> Hello,
> Is there a way to share resources with all users?
> Or to share with groups?
> In my use case, I need to start with "open" situations, where resources are
> accessible.
> Some users can choose to restrict access to the resource, though.
> I was thinking of using a "isPrivate" attribute to my resource, with
> default to false.
> But maybe it's possible to use UMA instead: start with resource shared with
> all users, and let the users reset the sharings...
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From myoder at cloudera.com Mon Jul 9 17:59:50 2018
From: myoder at cloudera.com (Michael Yoder)
Date: Mon, 9 Jul 2018 14:59:50 -0700
Subject: [keycloak-user] Keycloak 3.4.3 + Apache httpd 2.4.6 load balancing proxy -> infinite redirect
Message-ID:

I've got an infinite redirect loop that I'm trying (and failing...) to figure out.

I'm using Keycloak 3.4.3, and in front of that I'm using Apache httpd mod_proxy for load balancing. If I clear my cookies, or if I fire up a new Incognito window, everything is fine. But otherwise, when I try to log in to my application, I get an infinite redirect loop (technically, a "302 Found", with the same Location: header each time: http:// :7192/auth/realms//login-actions/authenticate?client_id=&tab_id=...)

I've had a look at what's going over the wire with wireshark, and haven't been particularly enlightened. I'm just using http for now, not https, but will do that later.

Interesting parts of my keycloak config are

...
...

In my httpd config there's

ProxyPreserveHost Off
ProxyAddHeaders On
Listen 7192
ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID
ProxyPassReverse / balancer://auth/
BalancerMember http://:7193 retry=10 route=auth-AUTHSERVER-...

(Yes I just have one BalancerMember - was attempting to isolate this issue.)

The httpd is listening on port 7192, keycloak is on port 7193.
Since everything is fine if I use an Incognito window, or if I clear my cookies, I have to imagine that the problem is with the cookies. I looked at what was going over the wire - in the infinitely looping case, I see two (different) AUTH_SESSION_ID cookies and one KC_RESTART cookie. In the "good" case, I see a (different) AUTH_SESSION_ID cookie and one KC_RESTART cookie. The KC_RESTART cookie is nearly identical between the two except for the "state" field. This was less helpful than I had hoped.

Any help, hints, or things to debug will be greatly appreciated. Thanks in advance!

-Mike Yoder

From stefan.wachter at bosch-si.com Tue Jul 10 02:26:06 2018
From: stefan.wachter at bosch-si.com (stefan.wachter)
Date: Tue, 10 Jul 2018 08:26:06 +0200
Subject: [keycloak-user] docker image - KEYCLOAK_LOGLEVEL and ROOT_LOGLEVEL seem to have no effect
In-Reply-To: <322250ba-7e1e-775a-750a-79786b8e987c@bosch-si.com>
References: <322250ba-7e1e-775a-750a-79786b8e987c@bosch-si.com>
Message-ID: <3eee3d22-b44b-bb55-c4ec-703b674b9081@bosch-si.com>

Hi,

after upgrading to 4.1.0.Final the log levels can be set by the corresponding environment variables.

Best regards,

Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK

On 09.07.2018 at 17:40, stefan.wachter wrote:
> Hi all,
>
> I run Keycloak (4.0.0.Final) in Docker using the official image. The
> documentation says that setting the environment variables
> KEYCLOAK_LOGLEVEL and ROOT_LOGLEVEL can be used to set log levels.
> However, setting these environment variables seems to have no effect.
>
> Has anybody managed to activate Keycloak debug logging in Docker?
>

From thesofiane at gmail.com Tue Jul 10 03:36:29 2018
From: thesofiane at gmail.com (So Be)
Date: Tue, 10 Jul 2018 09:36:29 +0200
Subject: [keycloak-user] ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-14) server_error for broker login
Message-ID:

Hi,

after a successful login to the external IdP, there is no redirect back to the application and I get this error:

ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-14) server_error for broker login

Thank you.
Sofiane.

From stefan.wachter at bosch-si.com Tue Jul 10 03:57:40 2018
From: stefan.wachter at bosch-si.com (stefan.wachter)
Date: Tue, 10 Jul 2018 09:57:40 +0200
Subject: [keycloak-user] Introspection of RPT fails
Message-ID: <9706eb13-63d9-6554-ff6d-0093db1ecfb3@bosch-si.com>

Hi,

I have difficulties in determining the cause why introspection of an RPT fails. The RPT can be introspected a couple of times before it fails. In the log shown below I grepped for "task-26", which seems to have handled the failed introspection request.

I have the impression that the problem is related to token refreshes. If the "Access Token Lifespan" is set to a smaller value (e.g. 1 minute), then the failure happens earlier. In particular, it seems that after the SECOND set of token refreshes the introspection fails.

In detail: There are 3 tokens (together with their refresh tokens) involved:

1. An IdToken that is used for logging into the web application. The IdToken is used when a Ticket is exchanged for an RPT (the IdToken is set as the "claim_token" parameter in the token request).
2. An RPT.
3. A PAT

When a request hits the application after the tokens have expired the first time, all tokens are refreshed in turn and the introspection succeeds. Yet, if a request hits the application after the tokens have expired the second time, then all tokens are refreshed again (using the refresh tokens that were returned on the first refresh).
The following RPT introspection, however, fails.

Has anyone experienced the same failure?

Thanks for your attention

Stefan

06:46:12,779 DEBUG [org.keycloak.authorization.protection.introspect.RPTIntrospectionProvider] (default task-26) Introspecting requesting party token
06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key found: realm=device kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256
06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key found: realm=device kid=ae1f030a-b3a5-4c9a-875a-a0802119fa2a algorithm=HS256
06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key found: realm=device kid=2aefcc15-33cf-45f6-a4bf-88535501712c algorithm=AES
06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key realm=device kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256
06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=device.client.query.by.clientId.web-gui, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext@6cb8a247]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, value=0} (ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap device.client.query.by.clientId.web-gui for read. Entry=ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=device.client.query.by.clientId.web-gui, flags=null}.
06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) client by name cache hit: web-gui
06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext@3a2141a6]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0} (ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}.
06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) client by id cache hit: web-gui
06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=device, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext@2f9442f3]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=device, value=0} (ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap device for read. Entry=ImmortalCacheEntry{key=device, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=device, flags=null}.
06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) by id cache hit: device
06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext@30227841]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0} (ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}.
06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) client by id cache hit: web-gui
06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=device, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext@19214e98]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=device, value=0} (ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap device for read. Entry=ImmortalCacheEntry{key=device, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=device, flags=null}.
06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) by id cache hit: device
06:46:12,780 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-26) getUserSessionWithPredicate(a3320548-da14-4e0c-adc1-5616c9d0c23b): found in local cache
06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c
06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext@29bd006b]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context?
null 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, value=0} (ignoreOwnership=false, isLocal=true) 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c for read. Entry=ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, value=0} 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null}. 06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-26) return managedusers 06:46:12,781 TRACE [org.keycloak.events] (default task-26) type=INTROSPECT_TOKEN_ERROR, realmId=device, clientId=resource-server, userId=null, ipAddress=139.15.216.71, error=invalid_request, detail='Failed to introspect token.', client_auth_method=client-secret, requestUri=https://keycloak.apps.de1.bosch-iot-cloud.com/auth/realms/device/protocol/openid-connect/token/introspect, cookies=[] -- Best regards, *Stefan Wachter INST-ICM/BSV-BS* Tel.??+49(711)811-58477 *Be**QIK * From danielfr at cern.ch Tue Jul 10 04:13:58 2018 From: danielfr at cern.ch (Daniel Fernandez Rodriguez) Date: Tue, 10 Jul 2018 10:13:58 +0200 Subject: [keycloak-user] Introspection of RPT fails In-Reply-To: <9706eb13-63d9-6554-ff6d-0093db1ecfb3@bosch-si.com> References: <9706eb13-63d9-6554-ff6d-0093db1ecfb3@bosch-si.com> Message-ID: Hi Stefan, I had exactly the same issue with keycloak-3.4.3.Final and keycloak-4.0.0.Final. 
Not sure what may be causing it but I worked around it by taking a look at https://github.com/iperdomo/keycloak-oauth2-instrospection/blob/master/test.sh

This did the trick for me:

curl -s \
  -d "client_id=validator" \
  -d "client_secret=dd3214ca-eb0a-49ea-94ad-3761f575b11b" \
  -d "token=${ACCESS_TOKEN}" \
  -d "token_type_hint=access_token" \
  http://localhost:8080/auth/realms/introspection/protocol/openid-connect/token/introspect

Happy to hear a better answer to this.

Thanks,
Daniel.

On 10/07/18 09:57, stefan.wachter wrote:
> Hi,
>
> I have difficulties in determining the cause why introspection of an RPT fails. The RPT can be introspected a couple of times before it fails. In the log shown below I grepped for "task-26" that seems to have handled the failed introspection request.
>
> I have the impression that the problem is related to token refreshments. If the "Access Token Lifespan" is set to a smaller value (e.g. 1 minute), then the failure happens earlier. In particular, it seems that after the SECOND set of token refreshments the introspection fails. In detail:
>
> There are 3 tokens (together with their refresh tokens) involved:
>
> 1. An IdToken that is used for logging into the web application. The IdToken is used when a Ticket is exchanged for an RPT (the IdToken is set as the "claim_token" parameter in the token request).
>
> 2. An RPT.
>
> 3. A PAT
>
> When a request hits the application after the tokens have expired the first time all tokens are refreshed in turn and the introspection succeeds. Yet, if a request hits the application after the tokens have expired the second time then all tokens are refreshed again (using the refresh tokens that were returned on the first refreshment). The following RPT introspection however, fails.
>
> Has anyone experienced the same failure?
>
> Thanks for your attention
>
> Stefan
>
>
>
> 06:46:12,779 DEBUG [org.keycloak.authorization.protection.introspect.RPTIntrospectionProvider] (default task-26) Introspecting requesting party token
> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key found: realm=device kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256
> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key found: realm=device kid=ae1f030a-b3a5-4c9a-875a-a0802119fa2a algorithm=HS256
> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key found: realm=device kid=2aefcc15-33cf-45f6-a4bf-88535501712c algorithm=AES
> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key realm=device kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256
> 06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=device.client.query.by.clientId.web-gui, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext at 6cb8a247]
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, value=0} (ignoreOwnership=false, isLocal=true)
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap device.client.query.by.clientId.web-gui for read. Entry=ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, value=0}
> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=device.client.query.by.clientId.web-gui, flags=null}.
> 06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) client by name cache hit: web-gui
> 06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext at 3a2141a6]
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0} (ignoreOwnership=false, isLocal=true)
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0}
> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}.
> 06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) client by id cache hit: web-gui
> 06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=device, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext at 2f9442f3]
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=device, value=0} (ignoreOwnership=false, isLocal=true)
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap device for read. Entry=ImmortalCacheEntry{key=device, value=0}
> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=device, flags=null}.
> 06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) by id cache hit: device
> 06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext at 30227841]
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0} (ignoreOwnership=false, isLocal=true)
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0}
> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}.
> 06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) client by id cache hit: web-gui
> 06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=device, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext at 19214e98]
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=device, value=0} (ignoreOwnership=false, isLocal=true)
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap device for read. Entry=ImmortalCacheEntry{key=device, value=0}
> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=device, flags=null}.
> 06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.RealmCacheSession] (default task-26) by id cache hit: device
> 06:46:12,780 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-26) getUserSessionWithPredicate(a3320548-da14-4e0c-adc1-5616c9d0c23b): found in local cache
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c
> 06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command GetKeyValueCommand {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null} and InvocationContext [org.infinispan.context.SingleKeyNonTxInvocationContext at 29bd006b]
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Exists in context? null
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Retrieved from container ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, value=0} (ignoreOwnership=false, isLocal=true)
> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default task-26) Wrap d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c for read. Entry=ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, value=0}
> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null}.
> 06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-26) return managedusers
> 06:46:12,781 TRACE [org.keycloak.events] (default task-26) type=INTROSPECT_TOKEN_ERROR, realmId=device, clientId=resource-server, userId=null, ipAddress=139.15.216.71, error=invalid_request, detail='Failed to introspect token.', client_auth_method=client-secret, requestUri=https://keycloak.apps.de1.bosch-iot-cloud.com/auth/realms/device/protocol/openid-connect/token/introspect, cookies=[]
>

From francisco.bermejo.herrera at tecsisa.com Tue Jul 10 05:22:54 2018 From: francisco.bermejo.herrera at tecsisa.com (Francisco José Bermejo Herrera) Date: Tue, 10 Jul 2018 11:22:54 +0200 Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation Message-ID:

Hello, we are testing Keycloak 4.1.0.Final for authentication and authorization (UMA 2.0 flow).

Some assumptions:
- The Resource Server owns the resource Foo, and protects it by using two scope-based permissions, one requiring READ scope, and the other one requiring WRITE scope.
- User Alice has been granted READ scope for resource Foo.
- We are not using Policy Enforcers. Enforcement will be implemented at the Resource Server.

We are modeling the following flow:
1. The Requesting Party (Alice) requests access to resource Foo in the Resource Server. This request DOES NOT provide an RPT.
2. The Resource Server detects the absence of RPT, so it requests a Permission Ticket to Keycloak, for the Foo resource and both READ and WRITE scopes (providing a valid PAT).
3. Keycloak returns a valid Permission Ticket to the Resource Server.
4.
The Resource Server returns the Permission Ticket (including Keycloak token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token) at WWW-Authorization header) with status code 401 to the Requesting Party. 5. The Requesting Party sends the Permission Ticket (for the Foo resource and both READ and WRITE scopes) to Keycloak, in order to get a valid RPT. Here is where things start to get confusing. We expected that Keycloak would reject the authorization request due to failed permission evaluation (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope). Nevertheless, Keycloak returns a valid RPT, granting permission for resource Foo (just for READ scope). We are aware that this behavior is UMA 2.0 compliant : > If the value is non-null and CandidateGrantedScopes < RequestedScopes, the > authorization server MUST subsequently issue either an RPT containing > CandidateGrantedScopes (upgrading as appropriate; see below), or one of the > error codes. The reason for the two options is that granting only partial > scopes may not be useful for the client's and requesting party's purposes > in seeking authorization for access. But as the RFC explicitly points out, this behavior may not be useful for the client. We think that the RFC is right, because this renders the client unable to tell whether the authorization has been partially or completely fulfilled. And consequently the Resource Server will request again a Permission Ticket for the Foo resource and both READ and WRITE scopes, so the whole flow will be repeated over and over again. If this is Keycloak expected behavior, how can we avoid the infinite loops? Another question is, when providing a valid RPT along with a Permission Ticket, why Keycloak deems an RPT as upgraded = true even when the requested resource has not been authorized? It returns the same RPT with just jti, exp and iat updated. 
Since we think that the Authorization Server must be the one stopping the UMA flow, should not Keycloak return a 403 Forbidden instead? Is this behavior configurable in any way?

Thank you in advance!

From mail at arnoldbechtoldt.com Tue Jul 10 05:41:14 2018 From: mail at arnoldbechtoldt.com (Arnold Bechtoldt) Date: Tue, 10 Jul 2018 11:41:14 +0200 Subject: [keycloak-user] Keycloak as external Identity Provider fails on group import Message-ID: <93C4E200-9DB0-4CB0-A11A-F2ECE55EE636@arnoldbechtoldt.com>

Hi,

We're using Keycloak 3.4.3 (upgrade to 4.x already planned) and use a Keycloak instance (1) as external identity provider for another Keycloak instance (2) that runs in another region. Unfortunately (2) can't import the group membership (groups claim, array of group names) from the JWT of (1). It is possible to configure mapper (https://www.keycloak.org/docs/latest/server_admin/index.html#_mappers) but it seems that it works for arbitrary user attributes and roles only.

Do you have any ideas how to import the group membership of the user?

Thanks!
Arnold

From dt at acutus.pro Tue Jul 10 06:41:31 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 13:41:31 +0300 Subject: [keycloak-user] View-users permissions only view some users In-Reply-To: References: Message-ID: <1531219291.7582.1.camel@acutus.pro>

Hi Nicolas,

You could try the following:
- put your users into a group;
- create another user;
- grant this user "query-groups" and "impersonation" roles (from the "realm-management" or "master-realm" client, depending on the realm);
- go to your group, enable permissions, open "view" permission, add a user policy to allow the user to view group, then repeat for "view-members" permission.

Now your newly added admin user will be restricted to the contents of the group. He won't be able to view/impersonate other users, even if he knows the user's internal ID.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-06 at 09:10 +0000, Nicolas Gillet wrote:
> Hello,
>
> Is it possible to grant a user the permission to view only some (not all) users of the realm ?
> Same question about being allowed to impersonate only the user he is allowed to see ?
>
> Thanks for any help :-)
>
> Nicolas GILLET
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Tue Jul 10 06:53:59 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 13:53:59 +0300 Subject: [keycloak-user] How to configure keycloak for native application mobile In-Reply-To: References: Message-ID: <1531220039.7582.3.camel@acutus.pro>

Hi Christophe,

Basically, there are two options here:
- implement a native login form inside your mobile app and use direct grant flow. Simply said, this will allow you to POST username + password to a URL inside Keycloak and obtain access token that you'll later use to access REST services secured by Keycloak;
- embed a browser widget, let the user authenticate interactively via Keycloak login screen, obtain a token upon successful login, use token to access REST services.

Important: in the first scenario, you'll need to know beforehand what kind of credentials are required by Keycloak (is it username+password, or username+password+otp etc.) With the second approach, you won't need to bother as everything will be handled by Keycloak's login UI.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-06 at 11:21 +0200, Christophe Lehingue wrote:
> Hello,
>
>
> I use keycloak for authentication via a website: it's ok.
>
> On the other hand, how to configure keycloak so that it is exploitable for native mobile applications?
> Thank you for your attention,
>
> Regards,
>
> Christophe
>
> ==== In French:
> Hello, I use keycloak for authentication via a website: it's ok. On the other hand, how to configure keycloak so that it can be used for native mobile applications? Thank you for your attention, Regards, Christophe

From corentin.dupont at gmail.com Tue Jul 10 07:34:39 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 10 Jul 2018 13:34:39 +0200 Subject: [keycloak-user] Resource set Message-ID:

Hi again,
I noticed that the resource set endpoint returns only the resource id:

$ curl -X GET "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set?name=foo" -H "Authorization: Bearer $CLIENTTOKEN" | jq
[
  "3f36f6b6-a1ca-452e-8008-855646bcd071"
]

Why not returning the resource body? Currently I need to perform 2 requests to obtain the resource owner, from the resource name.

Cheers

From dt at acutus.pro Tue Jul 10 07:59:55 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 14:59:55 +0300 Subject: [keycloak-user] How to keep users from updating their account details in admin client? In-Reply-To: References: Message-ID: <1531223995.7582.7.camel@acutus.pro>

Hi Torsten,

AFAIK this cannot be done out of the box.
However, per [1],

> At the moment there are two roles associated with the account application:
>
> * view-profile - retrieve the user profile (produces json)
> * manage-account - manage the account (produces html, and consumes forms)

(there's also manage-account-links now, but this is not important here)

Thus, you can revoke manage-account (but let view-profile) and create your own profile page that would retrieve JSON and render it the way you like.

[1] http://lists.jboss.org/pipermail/keycloak-dev/2013-November/000678.html

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-06 at 14:04 +0200, Torsten Juergeleit wrote:
> Hi everyone,
>
> we have the requirement, that the users are not able to change their account details (email, first name, last name) in Keycloak's account client. We need read-only access to the admin client, so removing the admin client from the realm is not an option.
>
> Is there any way to achieve this other than blocking any post to "/auth/realms//account/" in our reverse proxy?
>
> Cheers,
> Torsten

From dt at acutus.pro Tue Jul 10 08:15:09 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 15:15:09 +0300 Subject: [keycloak-user] Read and Write Theme to a DB In-Reply-To: References: Message-ID: <1531224909.7582.9.camel@acutus.pro>

Hi Yegui,

Yes, this is possible, but you'll need to implement a couple of SPIs [1]:
- Theme SPI from keycloak-server-spi-private. It's an internal SPI, so you won't find much docs on it, but everything is more or less clear from the code - see org.keycloak.theme.Theme* and default implementations;
- Entity SPI [2].
Even if you opt for pure JDBC (not JPA) for storing your themes, you'll need to supply a Liquibase changelog, which is done this way.

Regarding "Read and Write Theme to a DB", I think "write" is a bit confusing here, since Keycloak doesn't write themes. It will be you who'll have to write themes to DB, not Keycloak :)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://www.keycloak.org/docs/latest/server_development/index.html#_providers
[2] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa

On Fri, 2018-07-06 at 14:50 -0400, Yegui Cai wrote:
> Hi.
>
> Would it be possible to store themes in a DB?
>
> Thanks,
> Yegui

From dt at acutus.pro Tue Jul 10 08:35:43 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 15:35:43 +0300 Subject: [keycloak-user] Configuring Keycloak in Standalone Clustered Mode In-Reply-To: References: Message-ID: <1531226143.7582.11.camel@acutus.pro>

Hi Rafael,

In Keycloak, clustering is implemented via Infinispan [1] (a distributed cache), which in turn uses JGroups [2] as a communication layer. By default, nodes use IP multicast for discovery (MPING in JGroups terminology). So as long as your nodes live in the same private network that supports multicast, you should be fine.

If IP multicast is restricted (like e.g. on AWS), one can use alternate discovery methods like JDBC_PING (using shared database) or S3_PING (obviously, using S3).

See Keycloak documentation on network setup for clustering [3], as well as Infinispan and JGroups docs on the same.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] http://infinispan.org
[2] http://www.jgroups.org
[3] https://www.keycloak.org/docs/latest/server_installation/index.html#_clustering

On Sat, 2018-07-07 at 09:09 -0300, Rafael Weingärtner wrote:
> Hello Keycloak communities,
>
> I am configuring Keycloak for production, and we will need to use it in a clustered fashion. I have read about the two possible deployment scenarios "Standalone clustered mode" and "domain clustered mode". It seems that the "Standalone clustered mode" is the simpler one. Also, we will be using Docker to deploy Keycloak. Therefore, we will not have the burden of managing configuration files manually. The update (configurations and/or Keycloak versions) should always be a matter of stopping and starting a new version of the Docker container.
>
> I have one doubt though. It seems pretty magical that to configure Keycloak in HA mode I only need to use "standalone-ha.xml". How does the discovery process of nodes happen? I mean, are the replicates communicating with each other directly, or is everything via a shared database? Do I need to expose some specific port from my Keycloaks replicas to the network? Or only the standard 443/80 is enough?
>
> Thanks in advance for your help ;)
>
> --
> Rafael Weingärtner

From dt at acutus.pro Tue Jul 10 08:41:34 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 15:41:34 +0300 Subject: [keycloak-user] Resource quotas In-Reply-To: References: Message-ID: <1531226494.7582.13.camel@acutus.pro>

Hi Corentin,

Can't tell anything about max number of resources created, but you can definitely limit the number of requests on your frontend.
See [1] for the example of how to do it with HAProxy.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training
Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

[1] https://blog.codecentric.de/en/2014/12/haproxy-http-header-rate-limiting/

On Mon, 2018-07-09 at 15:03 +0200, Corentin Dupont wrote:
> Hi guys,
> is there any way to do resource quota with Keycloak? I.e. max number of resource created, max number of request per hour...
> Keycloak could return a 403 (or another code) on an authorization request with exceeded quota...

From nikola.malenic at netsetglobal.rs Tue Jul 10 08:49:28 2018 From: nikola.malenic at netsetglobal.rs (Nikola Malenic) Date: Tue, 10 Jul 2018 14:49:28 +0200 Subject: [keycloak-user] Keycloak authorization based on business attributes Message-ID: <00e201d4184c$75606620$60213260$@netsetglobal.rs>

Here is how my application should work:

Users can use some functionalities of my application if they have enough chips (token) which they can buy from another application, or they can be granted to them upon some event, whatever. Users have an attribute associated with them called 'chip', which represents some number. This information should be represented as a claim, probably.

I want Keycloak to do this authorization for me - to check whether the user can use the functionality or not. I've come across JavaScript-based policies. It seems they are able to operate on information in tokens - like user email etc, but this is not my case where token can contain obsolete information, i.e. when token was generated user had enough chips but since then he spent them.

Maybe token should be refreshed upon spending chips, but in that case, would it be updated with current information bound to user?
Or maybe the authorization service can somehow access the database during evaluation of a policy? Could this work, or are there any elegant solutions to this use case? From rafaelweingartner at gmail.com Tue Jul 10 08:55:47 2018 From: rafaelweingartner at gmail.com (Rafael Weingärtner) Date: Tue, 10 Jul 2018 09:55:47 -0300 Subject: [keycloak-user] Configuring Keycloak in Standalone Clustered Mode In-Reply-To: <1531226143.7582.11.camel@acutus.pro> References: <1531226143.7582.11.camel@acutus.pro> Message-ID: Hey Dmitry, thanks for the reply. The alternative "JDBC_PING" looks promising. However, if I already have a transit network that can be used to bind together all Keycloak replicas, I can "export/bind" the multicast ports of the containers on the host, and then everything should work out of the box, right? On Tue, Jul 10, 2018 at 9:35 AM, Dmitry Telegin
wrote: > Hi Rafael, > > In Keycloak, clustering is implemented via Infinispan [1] (a > distributed cache), which in turn uses JGroups [2] as a communication > layer. By default, nodes use IP multicast for discovery (MPING in > JGroups terminology). So as long as your nodes live in the same private > network that supports multicast, you should be fine. > > If IP multicast is restricted (like e.g. on AWS), one can use alternate > discovery methods like JDBC_PING (using a shared database) or S3_PING > (obviously, using S3). > > See Keycloak documentation on network setup for clustering [3], as well > as Infinispan and JGroups docs on the same. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > [1] http://infinispan.org > [2] http://www.jgroups.org > [3] https://www.keycloak.org/docs/latest/server_installation/index.html#_clustering > > On Sat, 2018-07-07 at 09:09 -0300, Rafael Weingärtner wrote: > > Hello Keycloak communities, > > > > I am configuring Keycloak for production, and we will need to use it > > in a > > clustered fashion. I have read about the two possible deployment > > scenarios > > "Standalone clustered mode" and "domain clustered mode". It seems > > that > > the "Standalone clustered mode" is the simpler one. Also, we will be > > using > > Docker to deploy Keycloak. Therefore, we will not have the burden of > > managing configuration files manually. The update (configurations > > and/or > > Keycloak versions) should always be a matter of stopping and starting > > a new > > version of the Docker container. > > > > I have one doubt though. It seems pretty magical that to configure > > Keycloak > > in HA mode I only need to use "standalone-ha.xml". How does the > > discovery > > process of nodes happen?
I mean, are the replicas communicating > > with each > > other directly, or is everything via a shared database? Do I need to > > expose > > some specific port from my Keycloak replicas to the network? Or only > > the > > standard 443/80 is enough? > > > > Thanks in advance for your help ;) > > > > -- > > Rafael Weingärtner > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Rafael Weingärtner From dt at acutus.pro Tue Jul 10 08:58:08 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 15:58:08 +0300 Subject: [keycloak-user] Keycloak Roles and Usergroups In-Reply-To: References: Message-ID: <1531227488.7582.15.camel@acutus.pro> Hi Vinay, From my experience, I'd say that: - roles are more likely to reflect a person's functions in the organization; - groups are more likely to reflect organizational structure. For example, if there are offices and departments (like "NY Office", "IT Department"), those would normally map to nested groups. On the other hand, business functions would rather map to roles (like "managers", "developers", "sysadmins" etc.). There's also a number of technical differences: - akin to nested groups, there are composite roles. However, the logic is different: if you grant a composite role to a user, every child role is granted, too (which is not true for groups); - you can assign a role to a group (not vice versa); - by default, Keycloak adapters can restrict access based on roles only. If you want to use groups for the same, you'll need to turn on authorization services and create corresponding policies. Could you please elaborate on your particular use case? If you describe it briefly, I think we'll be able to decide what's better for you. Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote: > What is the difference between Keycloak roles and user groups? Are they > interchangeable, i.e. can we use roles instead of groups or vice versa > to > address a problem? Is it possible to have roles within roles, just > like > groups? > Clear guidelines on how to use groups and roles will help. > > thanks > /Vinay > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From manfred.duchrow at caprica.biz Tue Jul 10 08:58:30 2018 From: manfred.duchrow at caprica.biz (Manfred Duchrow) Date: Tue, 10 Jul 2018 14:58:30 +0200 Subject: [keycloak-user] IBM DB2 not supported anymore? Message-ID: Hi, in issue https://issues.jboss.org/browse/KEYCLOAK-7519 Stian added a comment saying: "Rejecting this as we removed support for DB2 in 4.x. DB2 had very few users and was by far the most time consuming to maintain." Is it true that DB2 will not be supported anymore? Where has it been announced? I cannot find anything in the documentation, release notes, blogs or user list mentioning it. I think you shouldn't drop support for DB2. It is a major enterprise database and many companies are using it. Cheers, Manfred From caiyegui at gmail.com Tue Jul 10 09:14:13 2018 From: caiyegui at gmail.com (Yegui Cai) Date: Tue, 10 Jul 2018 09:14:13 -0400 Subject: [keycloak-user] Read and Write Theme to a DB In-Reply-To: <1531224909.7582.9.camel@acutus.pro> References: <1531224909.7582.9.camel@acutus.pro> Message-ID: Hi Dmitry. Thanks a lot for your hints. By "writing a theme", I mean storing the theme in the DB. Another approach which may be helpful for my purpose is maybe changing the theme based on the info stored in the DB. It looks like I need to implement ThemeResourceProvider and its factory.
Am I correct? Best, Yegui On Tue, Jul 10, 2018 at 8:15 AM Dmitry Telegin
wrote: > Hi Yegui, > > Yes, this is possible, but you'll need to implement a couple of SPIs > [1]: > > - Theme SPI from keycloak-server-spi-private. It's an internal SPI, so > you won't find much docs on it, but everything is more or less clear > from the code - see org.keycloak.theme.Theme* and default > implementations; > - Entity SPI [2]. Even if you opt for pure JDBC (not JPA) for storing > your themes, you'll need to supply a Liquibase changelog, which is done > this way. > > Regarding "Read and Write Theme to a DB", I think "write" is a bit > confusing here, since Keycloak doesn't write themes. It will be you > who'll have to write themes to DB, not Keycloak :) > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > [1] https://www.keycloak.org/docs/latest/server_development/index.html#_providers > [2] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa > > On Fri, 2018-07-06 at 14:50 -0400, Yegui Cai wrote: > > Hi. > > > > Would it be possible to store themes in a DB? > > > > Thanks, > > Yegui > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From dt at acutus.pro Tue Jul 10 09:21:13 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 16:21:13 +0300 Subject: [keycloak-user] Configuring Keycloak in Standalone Clustered Mode In-Reply-To: References: <1531226143.7582.11.camel@acutus.pro> Message-ID: <1531228873.7582.17.camel@acutus.pro> On Tue, 2018-07-10 at 09:55 -0300, Rafael Weingärtner wrote: > Hey Dmitry, thanks for the reply. > > The alternative "JDBC_PING" looks promising.
However, if I already > have a transit network that can be used to bind together all keycloak > replicas, I can "export/bind" the multicast ports of the containers > on the host, and then everything should work out of the box, right? Sounds legit, but will require testing of course. I'd recommend that you use omping [1] to test/troubleshoot multicast issues. Another option is to set up L2 tunnel between the nodes (like n2n [2] or even OpenVPN without encryption and compression), but obviously this will be harder to maintain. Good luck! Dmitry [1] https://github.com/troglobit/omping [2] https://www.ntop.org/products/n2n/ > > On Tue, Jul 10, 2018 at 9:35 AM, Dmitry Telegin
> wrote: > > Hi Rafael, > > > > In Keycloak, clustering is implemented via Infinispan [1] (a > > distributed cache), which in turn uses JGroups [2] as a > > communication > > layer. By default, nodes use IP multicast for discovery (MPING in > > JGroups terminology). So as long as your nodes live in the same > > private > > network that supports multicast, you should be fine. > > > > If IP multicast is restricted (like e.g. on AWS), one can use > > alternate > > discovery methods like JDBC_PING (using shared database) or S3_PING > > (obviously, using S3). > > > > See Keycloak documentation on network setup for clustering [3], as > > well > > as Infinispan and JGroups docs on the same. > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > [1] http://infinispan.org > > [2] http://www.jgroups.org > > [3] https://www.keycloak.org/docs/latest/server_installation/index. > > html > > #_clustering > > > > On Sat, 2018-07-07 at 09:09 -0300, Rafael Weing?rtner wrote: > > > Hello Keycloak communities, > > >? > > > I am configuring Keycloak for production, and we will need to use > > it > > > in a > > > clustered fashion. I have read about the two possible deployment > > > scenarios > > > ?Standalone clustered mode???and ?domain clustered mode?.??It > > seems > > > that > > > the ?Standalone clustered mode???is the simpler one. Also, we > > will be > > > using > > > Docker to deploy Keycloak. Therefore, we will not have the burden > > of > > > managing configuration files manually. The update (configurations > > > and/or > > > Keycloak versions) should always be a matter of stopping and > > starting > > > a new > > > version of the Docker container. > > >? > > > I have one doubt though. It seems pretty magical that to > > configure > > > Keycloak > > > in HA mode I only need to use ?standalone-ha.xml?. 
How does the > > > discovery > > > process of nodes happen? I mean, are the replicas communicating > > > with each > > > other directly, or is everything via a shared database? Do I need > > to > > > expose > > > some specific port from my Keycloak replicas to the network? Or > > only > > > the > > > standard 443/80 is enough? > > > > > > Thanks in advance for your help ;) > > > > > > -- > > > Rafael Weingärtner > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From rafaelweingartner at gmail.com Tue Jul 10 09:23:16 2018 From: rafaelweingartner at gmail.com (Rafael Weingärtner) Date: Tue, 10 Jul 2018 10:23:16 -0300 Subject: [keycloak-user] Configuring Keycloak in Standalone Clustered Mode In-Reply-To: <1531228873.7582.17.camel@acutus.pro> References: <1531226143.7582.11.camel@acutus.pro> <1531228873.7582.17.camel@acutus.pro> Message-ID: Thanks for the feedback! I will test with both: (i) exporting the ports of the container and also (ii) JDBC_PING. Then, I will provide some feedback here. Thanks again for the help ;) On Tue, Jul 10, 2018 at 10:21 AM, Dmitry Telegin
wrote: > On Tue, 2018-07-10 at 09:55 -0300, Rafael Weingärtner wrote: > > Hey Dmitry, thanks for the reply. > > > > The alternative "JDBC_PING" looks promising. However, if I already > > have a transit network that can be used to bind together all keycloak > > replicas, I can "export/bind" the multicast ports of the containers > > on the host, and then everything should work out of the box, right? > > Sounds legit, but will require testing of course. I'd recommend that > you use omping [1] to test/troubleshoot multicast issues. > > Another option is to set up an L2 tunnel between the nodes (like n2n [2] > or even OpenVPN without encryption and compression), but obviously this > will be harder to maintain. > > Good luck! > Dmitry > > [1] https://github.com/troglobit/omping > [2] https://www.ntop.org/products/n2n/ > > > > > On Tue, Jul 10, 2018 at 9:35 AM, Dmitry Telegin
> > wrote: > > > Hi Rafael, > > > > > > In Keycloak, clustering is implemented via Infinispan [1] (a > > > distributed cache), which in turn uses JGroups [2] as a > > > communication > > > layer. By default, nodes use IP multicast for discovery (MPING in > > > JGroups terminology). So as long as your nodes live in the same > > > private > > > network that supports multicast, you should be fine. > > > > > > If IP multicast is restricted (like e.g. on AWS), one can use > > > alternate > > > discovery methods like JDBC_PING (using a shared database) or S3_PING > > > (obviously, using S3). > > > > > > See Keycloak documentation on network setup for clustering [3], as > > > well > > > as Infinispan and JGroups docs on the same. > > > > > > Cheers, > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > [1] http://infinispan.org > > > [2] http://www.jgroups.org > > > [3] https://www.keycloak.org/docs/latest/server_installation/index.html#_clustering > > > > > > On Sat, 2018-07-07 at 09:09 -0300, Rafael Weingärtner wrote: > > > > Hello Keycloak communities, > > > > > > > > I am configuring Keycloak for production, and we will need to use > > > it > > > > in a > > > > clustered fashion. I have read about the two possible deployment > > > > scenarios > > > > "Standalone clustered mode" and "domain clustered mode". It > > > seems > > > > that > > > > the "Standalone clustered mode" is the simpler one. Also, we > > > will be > > > > using > > > > Docker to deploy Keycloak. Therefore, we will not have the burden > > > of > > > > managing configuration files manually. The update (configurations > > > > and/or > > > > Keycloak versions) should always be a matter of stopping and > > > starting > > > > a new > > > > version of the Docker container. > > > > > > > > I have one doubt though.
It seems pretty magical that to > > > configure > > > > Keycloak > > > > in HA mode I only need to use "standalone-ha.xml". How does the > > > > discovery > > > > process of nodes happen? I mean, are the replicas communicating > > > > with each > > > > other directly, or is everything via a shared database? Do I need > > > to > > > > expose > > > > some specific port from my Keycloak replicas to the network? Or > > > only > > > > the > > > > standard 443/80 is enough? > > > > > > > > Thanks in advance for your help ;) > > > > > > > > -- > > > > Rafael Weingärtner > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > > -- Rafael Weingärtner From dt at acutus.pro Tue Jul 10 09:26:15 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 16:26:15 +0300 Subject: [keycloak-user] Read and Write Theme to a DB In-Reply-To: References: <1531224909.7582.9.camel@acutus.pro> Message-ID: <1531229175.7582.19.camel@acutus.pro> On Tue, 2018-07-10 at 09:14 -0400, Yegui Cai wrote: > Hi Dmitry. > > Thanks a lot for your hints. By "writing a theme", I mean storing the > theme in the DB. > > Another approach which may be helpful for my purpose is maybe > changing the theme based on the info stored in the DB. It looks like I > need to implement ThemeResourceProvider and its factory. Am I > correct? AFAIK, ThemeResourceProvider is used to *add* resources on the fly, not sure if it can *override* existing resources. You are free to try it however, and tell us about the results :) Dmitry > > Best, > Yegui > > On Tue, Jul 10, 2018 at 8:15 AM Dmitry Telegin
wrote: > > Hi Yegui, > > > > Yes, this is possible, but you'll need to implement a couple of > > SPIs > > [1]: > > > > - Theme SPI from keycloak-server-spi-private. It's an internal SPI, > > so > > you won't find much docs on it, but everything is more or less > > clear > > from the code - see org.keycloak.theme.Theme* and default > > implementations; > > - Entity SPI [2]. Even if you opt for pure JDBC (not JPA) for > > storing > > your themes, you'll need to supply a Liquibase changelog, which is > > done > > this way. > > > > Regarding "Read and Write Theme to a DB", I think "write" is a bit > > confusing here, since Keycloak doesn't write themes. It will be you > > who'll have to write themes to DB, not Keycloak :) > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > [1] https://www.keycloak.org/docs/latest/server_development/index.html#_providers > > [2] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa > > > > On Fri, 2018-07-06 at 14:50 -0400, Yegui Cai wrote: > > > Hi. > > > > > > Would it be possible to store themes in a DB? > > > > > > Thanks, > > > Yegui > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From dt at acutus.pro Tue Jul 10 09:30:22 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 16:30:22 +0300 Subject: [keycloak-user] Keycloak 3.4.3 + Apache httpd 2.4.6 load balancing proxy -> infinite redirect In-Reply-To: References: Message-ID: <1531229422.7582.21.camel@acutus.pro> Hi Michael, Do you experience this issue while trying to log in to the Keycloak Admin console itself? Or is it some client application protected by Keycloak?
If the latter, could you please share the client config? Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Mon, 2018-07-09 at 14:59 -0700, Michael Yoder wrote: > I've got an infinite redirect loop that I'm trying (and failing...) > to > figure out. I'm using Keycloak 3.4.3, and in front of that I'm using > Apache httpd mod_proxy for load balancing. If I clear my cookies, or > if I > fire up a new Incognito window, everything is fine. But otherwise, > when I > try to log in to my application, I get an infinite redirect loop > (technically, a "302 Found", with the same Location: header each > time: > http://:7192/auth/realms//login-actions/authenticate?client_id=&tab_id=...) > > I've had a look at what's going over the wire with wireshark, and > haven't > been particularly enlightened. I'm just using http for now, not > https, but > will do that later. > > Interesting parts of my keycloak config are > > name="default" > socket-binding="httpish" > enable-http2="true" > proxy-address-forwarding="true" > /> > ... > > In my httpd config there's > > ProxyPreserveHost Off > ProxyAddHeaders On > Listen 7192 > ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID > ProxyPassReverse / balancer://auth/ > > BalancerMember http://:7193 retry=10 route=auth-AUTHSERVER-... > > > (Yes I just have one BalancerMember - was attempting to isolate this > issue.) > > The httpd is listening on port 7192, keycloak is on port 7193. > > Since everything is fine if I use an Incognito window, or if I clear > my > cookies, I have to imagine that the problem is with the cookies.
I > looked > at what was going over the wire - in the infinitely looping case, I > see two > (different) AUTH_SESSION_ID cookies and one KC_RESTART cookie. In the > "good" case, I see a (different) AUTH_SESSION_ID cookie and one > KC_RESTART > cookie. The KC_RESTART cookie is nearly identical between the two > except > for the "state" field. This was less helpful than I had hoped. > > Any help, hints, or things to debug will be greatly appreciated. > Thanks in > advance! > -Mike Yoder > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Tue Jul 10 09:31:24 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 16:31:24 +0300 Subject: [keycloak-user] Keycloak 3.4.3 + Apache httpd 2.4.6 load balancing proxy -> infinite redirect In-Reply-To: References: Message-ID: <1531229484.7582.22.camel@acutus.pro> Quick followup - I'd also suggest that you try the latest Keycloak 4.1.0 to see if the issue persists. Dmitry On Mon, 2018-07-09 at 14:59 -0700, Michael Yoder wrote: > I've got an infinite redirect loop that I'm trying (and failing...) > to > figure out. I'm using Keycloak 3.4.3, and in front of that I'm using > Apache httpd mod_proxy for load balancing. If I clear my cookies, or > if I > fire up a new Incognito window, everything is fine. But otherwise, > when I > try to log in to my application, I get an infinite redirect loop > (technically, a "302 Found", with the same Location: header each > time: > http://:7192/auth/realms//login-actions/authenticate?client_id=&tab_id=...) > > I've had a look at what's going over the wire with wireshark, and > haven't > been particularly enlightened. I'm just using http for now, not > https, but > will do that later. > > Interesting parts of my keycloak config are > >
name="default" > socket-binding="httpish" > enable-http2="true" > proxy-address-forwarding="true" > /> > ... > > In my httpd config there's > > ProxyPreserveHost Off > ProxyAddHeaders On > Listen 7192 > ProxyPass / balancer://auth/ stickysession=AUTH_SESSION_ID > ProxyPassReverse / balancer://auth/ > > BalancerMember http://:7193 retry=10 route=auth-AUTHSERVER-... > > > (Yes I just have one BalancerMember - was attempting to isolate this > issue.) > > The httpd is listening on port 7192, keycloak is on port 7193. > > Since everything is fine if I use an Incognito window, or if I clear > my > cookies, I have to imagine that the problem is with the cookies. I > looked > at what was going over the wire - in the infinitely looping case, I > see two > (different) AUTH_SESSION_ID cookies and one KC_RESTART cookie. In the > "good" case, I see a (different) AUTH_SESSION_ID cookie and one > KC_RESTART > cookie. The KC_RESTART cookie is nearly identical between the two > except > for the "state" field. This was less helpful than I had hoped. > > Any help, hints, or things to debug will be greatly appreciated. > Thanks in > advance! > -Mike Yoder > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From corentin.dupont at gmail.com Tue Jul 10 09:31:50 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 10 Jul 2018 15:31:50 +0200 Subject: [keycloak-user] Retrieve all permissions Message-ID: Hi guys, I noticed a couple of strange things when retrieving all the permissions.
I tried: $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq "authorization": { "permissions": [ ... But it seems that this command returns only the permissions for the resources belonging to the client, excluding resources belonging to other users? To get an assessment of all resources, I tried adding a scope: $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#sensors:view" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq "authorization": { "permissions": [ { "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60", "rsname": "foo" This instead returns a list of resources belonging to all users. But the list seems to be wrong: it returns sensors to which I *don't* have access! If I try the request on the specific resource, it returns (rightfully) access_denied: curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=9e24320d-ef89-440b-b6d5-d7b5a4896f60#sensors:view" {"error":"access_denied","error_description":"not_authorized"} Another strange thing: if I try with a non-existent resource ID, there is no error message and it returns a list of permissions: $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not-exist#sensors:view" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq "authorization": { "permissions": [ { "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60", "rsname": "foo" ...
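The pipeline in the message above pulls the second JWT segment out with `cut -d . -f2 | base64 -d`, which breaks whenever the base64url segment needs padding, and it judges the result by eye. The following is an added example, not code from the Keycloak project or from anyone in this thread: it builds the `permission=<rsid>#<scope>` form fields for the uma-ticket grant, decodes an RPT with proper base64url padding, and answers whether a specific resource id and scope were actually granted, which is the check an application should make per rsid before trusting a scope-only request (`#sensors:view`) that came back listing unrelated resources. The token inside is constructed (alg "none", made-up resource ids) so the script runs offline; a real RPT is signed by the realm and its signature must be verified before any of its claims are trusted.

```python
"""Build Keycloak UMA permission requests and check what an RPT grants.

Added example, not Keycloak's own code. SAMPLE_RPT is CONSTRUCTED
(unsigned, invented resource ids); a real RPT must have its RS256
signature verified against the realm public key before use.
"""
import base64
import json

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding a JWT segment lacks; a bare `base64 -d` on a
    segment whose length is not a multiple of 4 fails or truncates."""
    return base64.urlsafe_b64decode(segment + "=" * ((-len(segment)) % 4))


def permission_param(rsid, *scopes) -> str:
    """Value of the `permission` form field: "<rsid>#<scope,...>".
    rsid=None gives "#scope" (that scope on any resource); no scopes
    gives the bare resource id."""
    if not scopes:
        return rsid
    return f"{rsid or ''}#{','.join(scopes)}"


def token_request_body(audience: str, permissions) -> list:
    """Form fields for POST .../protocol/openid-connect/token, one
    `permission` field per entry (list-of-tuples shape accepted by
    e.g. requests.post(data=...))."""
    body = [("grant_type", UMA_GRANT), ("audience", audience)]
    body += [("permission", p) for p in permissions]
    return body


def rpt_permissions(jwt: str) -> list:
    """The `authorization.permissions` list from the RPT payload."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = json.loads(b64url_decode(parts[1]))
    return payload.get("authorization", {}).get("permissions", [])


def is_granted(jwt: str, rsid: str, scope: str) -> bool:
    """True only if the entry for `rsid` explicitly lists `scope`.
    Conservative choice made by this example: an entry with no
    `scopes` list is treated as granting no scope at all."""
    for perm in rpt_permissions(jwt):
        if perm.get("rsid") == rsid and scope in perm.get("scopes", []):
            return True
    return False


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed test token with an empty signature segment."""
    def enc(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


# Constructed RPT: user may view sensor-a, and view+update sensor-b.
RES_A = "11111111-1111-4111-8111-111111111111"
RES_B = "22222222-2222-4222-8222-222222222222"
SAMPLE_RPT = make_unsigned_jwt({
    "aud": "api-server",
    "authorization": {"permissions": [
        {"rsid": RES_A, "rsname": "sensor-a", "scopes": ["sensors:view"]},
        {"rsid": RES_B, "rsname": "sensor-b",
         "scopes": ["sensors:view", "sensors:update"]},
    ]},
})

if __name__ == "__main__":
    print(token_request_body("api-server", [permission_param(RES_A, "sensors:view")]))
    for rsid, scope in [(RES_A, "sensors:view"), (RES_A, "sensors:update")]:
        verdict = "granted" if is_granted(SAMPLE_RPT, rsid, scope) else "denied"
        print(rsid, scope, verdict)
```

Asking for `#sensors:view` and then calling `is_granted(rpt, rsid, "sensors:view")` for the one resource the application is about to serve is the cheap client-side check; the authoritative answer is still the per-resource request (`permission=<rsid>#sensors:view`), which is the one that returned `access_denied` above.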
From dt at acutus.pro Tue Jul 10 09:37:50 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 10 Jul 2018 16:37:50 +0300 Subject: [keycloak-user] ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-14) server_error for broker login In-Reply-To: References: Message-ID: <1531229870.7582.24.camel@acutus.pro> Hi Sofiane, Are there any exceptions in the Keycloak and/or IDP logs? What do you see in your browser's network console? Also it might be helpful to analyze the backchannel traffic between Keycloak and the IDP. If you have access to the SSL private keys, you can use Wireshark to capture and view the traffic. Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-07-10 at 09:36 +0200, So Be wrote: > Hi, > > after a successful login to the external idp, there is no redirect back to the > application and I get this error: > > ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] > (default > task-14) server_error for broker login > > Thank you. > > Sofiane. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Tue Jul 10 10:13:12 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 10 Jul 2018 11:13:12 -0300 Subject: [keycloak-user] Keycloak authorization based on business attributes In-Reply-To: <00e201d4184c$75606620$60213260$@netsetglobal.rs> References: <00e201d4184c$75606620$60213260$@netsetglobal.rs> Message-ID: Maybe this can help you: https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point. It is about pushing additional claims and using these claims to evaluate permissions.
On Tue, Jul 10, 2018 at 9:49 AM, Nikola Malenic < nikola.malenic at netsetglobal.rs> wrote: > Here is how my application should work: > > Users can use some functionalities of my application if they have enough > chips (tokens), which they can buy from another application, or which can be > granted to them upon some event, whatever. > Users have an attribute associated with them called 'chip', which > represents > some number. This information should be represented as a claim, probably. > > I want Keycloak to do this authorization for me - to check whether a user can > use the functionality or not. I've come across JavaScript-based policies. > It seems they are able to operate on information in tokens - like user > email etc., but this is not my case, where the token can contain obsolete > information, i.e. when the token was generated the user had enough chips but since > then he has spent them. > > Maybe the token should be refreshed upon spending chips, but in that case, > would > it be updated with the current information bound to the user? Or maybe the > authorization service can somehow access the database during evaluation of a > policy? Could this work, or are there any elegant solutions to this use > case? > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Tue Jul 10 10:18:32 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 10 Jul 2018 11:18:32 -0300 Subject: [keycloak-user] Resource set In-Reply-To: References: Message-ID: Because usually you would be more interested in the id, in order to correlate it with the actual resources in your application. We can easily support an additional parameter (we already have this, but it is not being used at this endpoint) to choose whether or not details about resources should be returned. If you are interested, please create a JIRA and I'll try to include it in the next release.
On Tue, Jul 10, 2018 at 8:34 AM, Corentin Dupont wrote: > Hi again, > > I noticed that the resource set endpoint returns only the resource id: > > $ curl -X GET "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set?name=foo" > -H "Authorization: Bearer $CLIENTTOKEN" | jq > > [ > "3f36f6b6-a1ca-452e-8008-855646bcd071" > ] > > Why not return the resource body? Currently I need to perform 2 requests > to obtain the resource owner from the resource name. > > Cheers > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From corentin.dupont at gmail.com Tue Jul 10 10:21:34 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 10 Jul 2018 16:21:34 +0200 Subject: [keycloak-user] Resource set In-Reply-To: References: Message-ID: Done: https://issues.jboss.org/browse/KEYCLOAK-7804 On Tue, Jul 10, 2018 at 4:18 PM, Pedro Igor Silva wrote: > Because usually you would be more interested in the id, in order to > correlate it with the actual resources in your application. We can easily > support an additional parameter (we already have this, but it is not being > used at this endpoint) to choose whether or not details about resources > should be returned. If you are interested, please create a JIRA and I'll > try to include it in the next release. > > On Tue, Jul 10, 2018 at 8:34 AM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> Hi again, >> >> I noticed that the resource set endpoint returns only the resource id: >> >> $ curl -X GET "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set?name=foo" >> -H "Authorization: Bearer $CLIENTTOKEN" | jq >> >> [ >> "3f36f6b6-a1ca-452e-8008-855646bcd071" >> ] >> >> Why not return the resource body? Currently I need to perform 2 >> requests >> to obtain the resource owner from the resource name.
>>
>> Cheers

From ddtxra at gmail.com Tue Jul 10 10:24:04 2018
From: ddtxra at gmail.com (Daniel Teixeira)
Date: Tue, 10 Jul 2018 16:24:04 +0200
Subject: [keycloak-user] SAML Identity Provider Name ID format(s), which one to choose?

Dear community,

I am trying to configure SAML Identity Providers (for Universities) but I don't know which NameID Policy Format to choose. In my scenario, the University users must be linked to LDAP User Federation; users should be able to log in to applications in both ways (either with LDAP or University credentials).

I have tried the following configurations for the SAML Identity Provider: Persistent, email and unspecified. And here are the problems I get:

*Persistent*: Works "OK" but I have 2 issues with it:

1) Logout does not work well, because apparently Keycloak does not send NameQualifier and SPNameQualifier in the LogoutRequest; more information here: https://issues.shibboleth.net/jira/browse/IDP-1297

2) The persistent nameID may not be "so persistent" in my case, because the IdP takes the domain where Keycloak runs to make the persistent nameID, and therefore if I change the hostname of my Keycloak instance, things may break in the future. Moreover it does not help with test / dev environments where the hostname is different (but this is not a problem of Keycloak I assume)...

*unspecified*: I tried unspecified (which, correct me if I am wrong, maybe corresponds to the transient nameID?). In this case, the problem is that it works the first time, but the second time, since it generates a new ID, Keycloak sees a user with the same email already, or if the user is not there, it creates a new user every time.... I have tried to create a mapper in the IdP mappers (Preprocessor Username Template Importer), but this didn't fix the problem.
(In the Provider User ID and Provider Username) it always takes the random/transient? nameID, and for my use case, Provider User ID and Provider Username should not change.

*email*: I have tried to use email, but I get a non-informative error: "An error occurred." and if I look at the logs in DEBUG mode I don't see much valuable information:

15:32:34,996 DEBUG [org.keycloak.services.resources.IdentityBrokerService] (default task-31) Authorization code is valid.
15:32:34,997 WARN [org.keycloak.events] (default task-31) type=FEDERATED_IDENTITY_LINK_ERROR, realmId=******, clientId=account, userId=******, ipAddress=******, error=An error occurred., code_id=bc92ef2d-5a0c-458c-a3a8-40c91ec13140, username=*****
15:32:34,998 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-31) An error occurred.
15:32:35,014 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper commit
15:32:35,014 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-31) JtaTransactionWrapper end

Can someone point me to the light side of the force :) ?

Thank you very much in advance,
Daniel Teixeira

From celso.agra at gmail.com Tue Jul 10 10:36:40 2018
From: celso.agra at gmail.com (Celso Agra)
Date: Tue, 10 Jul 2018 11:36:40 -0300
Subject: [keycloak-user] Possibility to Create search method for enabled or disabled Users

Hi all,

I'd like to know if it would be possible to create a search method to filter enabled or disabled users. I saw this class (line 46), and I realize that it could be possible to do that by creating a new query:
https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java#L46

I can open an issue or maybe do a pull request, but I'd like to know if it is acceptable for the Keycloak team.
--
---
*Celso Agra*

From caiyegui at gmail.com Tue Jul 10 10:44:08 2018
From: caiyegui at gmail.com (Yegui Cai)
Date: Tue, 10 Jul 2018 10:44:08 -0400
Subject: [keycloak-user] Read and Write Theme to a DB
In-Reply-To: <1531229175.7582.19.camel@acutus.pro>
References: <1531224909.7582.9.camel@acutus.pro> <1531229175.7582.19.camel@acutus.pro>

Sure, as long as I can create a simple sample.

On Tue, Jul 10, 2018 at 9:26 AM Dmitry Telegin
wrote:
> On Tue, 2018-07-10 at 09:14 -0400, Yegui Cai wrote:
> > Hi Dmitry.
> >
> > Thanks a lot for your hints. By "writing a theme", I mean storing the theme in DB.
> >
> > Another approach which may be helpful for my purpose is maybe changing the theme based on the info stored in DB. It looks like I need to implement ThemeResourceProvider and its factory. Am I correct?
>
> AFAIK, ThemeResourceProvider is used to *add* resources on the fly, not sure if it can *override* existing resources. You are free to try it however, and tell us about the results :)
>
> Dmitry
>
> > Best,
> > Yegui
> >
> > On Tue, Jul 10, 2018 at 8:15 AM Dmitry Telegin
wrote:
> > > Hi Yegui,
> > >
> > > Yes, this is possible, but you'll need to implement a couple of SPIs [1]:
> > >
> > > - Theme SPI from keycloak-server-spi-private. It's an internal SPI, so you won't find many docs on it, but everything is more or less clear from the code - see org.keycloak.theme.Theme* and default implementations;
> > > - Entity SPI [2]. Even if you opt for pure JDBC (not JPA) for storing your themes, you'll need to supply a Liquibase changelog, which is done this way.
> > >
> > > Regarding "Read and Write Theme to a DB", I think "write" is a bit confusing here, since Keycloak doesn't write themes. It will be you who'll have to write themes to DB, not Keycloak :)
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > [1] https://www.keycloak.org/docs/latest/server_development/index.html#_providers
> > > [2] https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_jpa
> > >
> > > On Fri, 2018-07-06 at 14:50 -0400, Yegui Cai wrote:
> > > > Hi.
> > > >
> > > > Would it be possible to store themes in a DB?
> > > >
> > > > Thanks,
> > > > Yegui

From psilva at redhat.com Tue Jul 10 11:32:58 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 10 Jul 2018 12:32:58 -0300
Subject: [keycloak-user] Retrieve all permissions

On Tue, Jul 10, 2018 at 10:31 AM, Corentin Dupont wrote:
> Hi guys,
> I noticed a couple of strange things when retrieving all the permissions.
> I tried:
>
> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>
> "authorization": {
>   "permissions": [
>   ...
>
> But it seems that this command returns only the permissions for the resources belonging to the client, excluding resources belonging to other users?

When obtaining all entitlements for a user, only resources owned by the resource server, by the user, and shares (via ticket or via account service) are processed.

> To get an assessment of all resources, I tried adding a scope:
>
> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#sensors:view" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>
> "authorization": {
>   "permissions": [
>     {
>       "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
>       "rsname": "foo"
>
> This instead returns a list of resources belonging to all users.
> But the list seems to be wrong: it returns sensors to which I *don't* have access!
> If I try the request on the specific resource, it returns (rightfully) access_denied:

I tried to do a simple test based on a previous realm configuration you sent. Could not reproduce the problem.
> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=9e24320d-ef89-440b-b6d5-d7b5a4896f60#sensors:view"
> {"error":"access_denied","error_description":"not_authorized"}
>
> Another strange thing, if I try with a non-existent resource ID, there is no error message and it returns a list of permissions:
>
> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not-exist#sensors:view" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>
> "authorization": {
>   "permissions": [
>     {
>       "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
>       "rsname": "foo"
>   ...

I think you reported this already. Here is the PR: https://github.com/keycloak/keycloak/pull/5357.

From psilva at redhat.com Tue Jul 10 11:33:47 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 10 Jul 2018 12:33:47 -0300
Subject: [keycloak-user] Introspection of RPT fails
In-Reply-To: <9706eb13-63d9-6554-ff6d-0093db1ecfb3@bosch-si.com>
References: <9706eb13-63d9-6554-ff6d-0093db1ecfb3@bosch-si.com>

Will check this out. Thanks for the report.

On Tue, Jul 10, 2018 at 4:57 AM, stefan.wachter wrote:
> Hi,
>
> I have difficulties in determining the cause why introspection of an RPT fails. The RPT can be introspected a couple of times before it fails. In the log shown below I grepped for "task-26", which seems to have handled the failed introspection request.
>
> I have the impression that the problem is related to token refreshments.
> If the "Access Token Lifespan" is set to a smaller value (e.g. 1 minute), then the failure happens earlier. In particular, it seems that after the SECOND set of token refreshments the introspection fails. In detail:
>
> There are 3 tokens (together with their refresh tokens) involved:
>
> 1. An IdToken that is used for logging into the web application. The IdToken is used when a Ticket is exchanged for an RPT (the IdToken is set as the "claim_token" parameter in the token request).
>
> 2. An RPT.
>
> 3. A PAT
>
> When a request hits the application after the tokens have expired the first time, all tokens are refreshed in turn and the introspection succeeds. Yet, if a request hits the application after the tokens have expired the second time, then all tokens are refreshed again (using the refresh tokens that were returned on the first refreshment). The following RPT introspection, however, fails.
>
> Has anyone experienced the same failure?
>
> Thanks for your attention
>
> Stefan
>
> 06:46:12,779 DEBUG [org.keycloak.authorization.protection.introspect.RPTIntrospectionProvider] (default task-26) Introspecting requesting party token
> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key found: realm=device kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256
> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key found: realm=device kid=ae1f030a-b3a5-4c9a-875a-a0802119fa2a algorithm=HS256
> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key found: realm=device kid=2aefcc15-33cf-45f6-a4bf-88535501712c algorithm=AES
> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default task-26) Active key realm=device kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256
> 06:46:12,780 TRACE [org.infinispan.interceptors.InvocationContextInterceptor] (default task-26) Invoked with command
> Entry=ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, value=0}
> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] (default task-26) Executing command: GetKeyValueCommand {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null}.
> 06:46:12,780 TRACE [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default task-26) Release locks for keys=[]. owner=null
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c
> 06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-26) return managedusers
> 06:46:12,781 TRACE [org.keycloak.events] (default task-26) type=INTROSPECT_TOKEN_ERROR, realmId=device, clientId=resource-server, userId=null, ipAddress=139.15.216.71, error=invalid_request, detail='Failed to introspect token.', client_auth_method=client-secret, requestUri=https://keycloak.apps.de1.bosch-iot-cloud.com/auth/realms/device/protocol/openid-connect/token/introspect, cookies=[]
>
> --
>
> Best regards,
>
> *Stefan Wachter
> INST-ICM/BSV-BS*
>
> Tel. +49(711)811-58477
>
> *BeQIK*

From corentin.dupont at gmail.com Tue Jul 10 13:02:24 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 10 Jul 2018 19:02:24 +0200
Subject: [keycloak-user] Retrieve all permissions

On Tue, Jul 10, 2018 at 5:32 PM, Pedro Igor Silva wrote:
>
> On Tue, Jul 10, 2018 at 10:31 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Hi guys,
>> I noticed a couple of strange things when retrieving all the permissions.
>> I tried:
>>
>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>>
>> "authorization": {
>>   "permissions": [
>>   ...
>>
>> But it seems that this command returns only the permissions for the resources belonging to the client, excluding resources belonging to other users?
>
> When obtaining all entitlements for a user, only resources owned by the resource server, by the user, and shares (via ticket or via account service) are processed.

OK, I understand. My use case is to protect an endpoint such as "GET /resources" that returns a bunch of resources.
So if I understand, I have to include multiple resources/scopes in the same request (I thought a generic call would suffice).

BTW, is there a possibility to use JSON in the request, instead of form data? i.e.

-d {"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket", "audience": "api-server" ...}

>> To get an assessment of all resources, I tried adding a scope:
>>
>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#sensors:view" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>>
>> "authorization": {
>>   "permissions": [
>>     {
>>       "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
>>       "rsname": "foo"
>>
>> This instead returns a list of resources belonging to all users.
>> But the list seems to be wrong: it returns sensors to which I *don't* have access!
>> If I try the request on the specific resource, it returns (rightfully) access_denied:
>
> I tried to do a simple test based on a previous realm configuration you sent. Could not reproduce the problem.
>> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=9e24320d-ef89-440b-b6d5-d7b5a4896f60#sensors:view"
>> {"error":"access_denied","error_description":"not_authorized"}
>>
>> Another strange thing, if I try with a non-existent resource ID, there is no error message and it returns a list of permissions:
>>
>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not-exist#sensors:view" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>>
>> "authorization": {
>>   "permissions": [
>>     {
>>       "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
>>       "rsname": "foo"
>>   ...
>
> I think you reported this already. Here is the PR: https://github.com/keycloak/keycloak/pull/5357.

Yes, I thought it was already in HEAD, but I see it's not merged (sorry).

From psilva at redhat.com Tue Jul 10 15:04:00 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 10 Jul 2018 16:04:00 -0300
Subject: [keycloak-user] Retrieve all permissions

On Tue, Jul 10, 2018 at 2:02 PM, Corentin Dupont wrote:
>
> On Tue, Jul 10, 2018 at 5:32 PM, Pedro Igor Silva wrote:
>>
>> On Tue, Jul 10, 2018 at 10:31 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>>> Hi guys,
>>> I noticed a couple of strange things when retrieving all the permissions.
>>> I tried:
>>>
>>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>>>
>>> "authorization": {
>>>   "permissions": [
>>>   ...
>>>
>>> But it seems that this command returns only the permissions for the resources belonging to the client, excluding resources belonging to other users?
>>
>> When obtaining all entitlements for a user, only resources owned by the resource server, by the user, and shares (via ticket or via account service) are processed.
>
> OK, I understand. My use case is to protect an endpoint such as "GET /resources" that returns a bunch of resources.
> So if I understand, I have to include multiple resources/scopes in the same request (I thought a generic call would suffice).
>
> BTW, is there a possibility to use JSON in the request, instead of form data? i.e.

It is possible, but our token endpoint does not support this for other grant types (like others do) and it is not UMA compliant. We could support both though, but I need to start a discussion first with the team.

> -d {"grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket", "audience": "api-server" ...}
>
>>> To get an assessment of all resources, I tried adding a scope:
>>>
>>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=#sensors:view" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>>>
>>> "authorization": {
>>>   "permissions": [
>>>     {
>>>       "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
>>>       "rsname": "foo"
>>>
>>> This instead returns a list of resources belonging to all users.
>>> But the list seems to be wrong: it returns sensors to which I *don't* have access!
>>> If I try the request on the specific resource, it returns (rightfully) access_denied:
>>
>> I tried to do a simple test based on a previous realm configuration you sent. Could not reproduce the problem.
>
>>> curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=9e24320d-ef89-440b-b6d5-d7b5a4896f60#sensors:view"
>>> {"error":"access_denied","error_description":"not_authorized"}
>>>
>>> Another strange thing, if I try with a non-existent resource ID, there is no error message and it returns a list of permissions:
>>>
>>> $ curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=not-exist#sensors:view" | jq .access_token -r | cut -d "." -f2 | base64 -d | jq
>>>
>>> "authorization": {
>>>   "permissions": [
>>>     {
>>>       "rsid": "9e24320d-ef89-440b-b6d5-d7b5a4896f60",
>>>       "rsname": "foo"
>>>   ...
>>
>> I think you reported this already. Here is the PR: https://github.com/keycloak/keycloak/pull/5357.
>
> Yes, I thought it was already in HEAD, but I see it's not merged (sorry).

From torsten.juergeleit at gmail.com Tue Jul 10 15:35:13 2018
From: torsten.juergeleit at gmail.com (Jürgeleit Torsten)
Date: Tue, 10 Jul 2018 21:35:13 +0200
Subject: [keycloak-user] How to keep users from updating their account details in admin client?
In-Reply-To: <1531223995.7582.7.camel@acutus.pro>
References: <1531223995.7582.7.camel@acutus.pro>

Hi Dmitry,

thanks for the reply.

Cheers,
Torsten

> On 10. Jul 2018, at 13:59, Dmitry Telegin
wrote:
>
> Hi Torsten,
>
> AFAIK this cannot be done out of the box. However, per [1],
>
>> At the moment there are two roles associated with the account application:
>>
>> * view-profile - retrieve the user profile (produces json)
>> * manage-account - manage the account (produces html, and consumes forms)
>
> (there's also manage-account-links now, but this is not important here)
>
> Thus, you can revoke manage-account (but leave view-profile) and create your own profile page that would retrieve the JSON and render it the way you like.
>
> [1] http://lists.jboss.org/pipermail/keycloak-dev/2013-November/000678.html
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-07-06 at 14:04 +0200, Torsten Juergeleit wrote:
>> Hi everyone,
>>
>> we have the requirement that the users are not able to change their account details (email, first name, last name) in Keycloak's account client. We need read-only access to the admin client, so removing the admin client from the realm is not an option.
>>
>> Is there any way to achieve this other than blocking any POST to "/auth/realms//account/" in our reverse proxy?
>>
>> Cheers,
>> Torsten

From myoder at cloudera.com Tue Jul 10 17:21:40 2018
From: myoder at cloudera.com (Michael Yoder)
Date: Tue, 10 Jul 2018 14:21:40 -0700
Subject: [keycloak-user] Keycloak 3.4.3 + Apache httpd 2.4.6 load balancing proxy -> infinite redirect
In-Reply-To: <1531229422.7582.21.camel@acutus.pro>
References: <1531229422.7582.21.camel@acutus.pro>

On Tue, Jul 10, 2018 at 6:30 AM Dmitry Telegin
wrote:
> Do you experience this issue while trying to log in to the Keycloak Admin console itself? Or is it some client application protected by Keycloak? If the latter, could you please share the client config?

I see this both when logging in to the admin console and to the client application. I'll take your suggestion about upgrading and report back later. Thanks for replying!

-Mike

From hcsgzh at gmail.com Wed Jul 11 00:03:41 2018
From: hcsgzh at gmail.com (hugh shangguan)
Date: Wed, 11 Jul 2018 16:03:41 +1200
Subject: [keycloak-user] Is that possible to custom token claims? Especially, I don't want "sub" in the token claims.

Hi there,

I am learning the Keycloak system. I wonder if I can change the token claims. In the endpoint http://localhost:8080/auth/realms/demo/.well-known/openid-configuration I can see there is a claims_supported. Can I set it without "sub"?

"claims_supported": [
  "sub",
  "iss",
  "auth_time",
  "name",
  "given_name",
  "family_name",
  "preferred_username",
  "email"
],
"claim_types_supported": [
  "normal"
],

When I log in to Keycloak, I receive a token; the claims in the token look like this:

{
  "jti": "ea8ea454-6af2-4343-a51f-14092d7566bb",
  "exp": 1531316875,
  "nbf": 0,
  "iat": 1531280875,
  "iss": "http://localhost:8080/auth/realms/demo",
  "sub": "a9ce424d-019b-4222-859d-eba851c875ff",
  "auth_time": 0,
  "session_state": "20dc46d8-029b-4b27-af37-e4b896789e96",
  "resource_access": {},
  "state_checker": "GYcbcAp8yFc0YCmBdKN9jJ1lqXT_oMp9Hoa1WW93uxw"
}

Can I change some config to switch the "sub" off? Is it safe that the browser can get the user information? My understanding of how Keycloak works is the steps below; please point out if I am wrong.

1. The client (browser) goes to the application server to ask for a protected URL, and it will redirect to the Keycloak login page.
2. After the user finishes their login in the browser, the user will get a code from Keycloak (it seems it actually is a token).
3. Then the browser will send the code to the application server.
4.
The application server asks the Keycloak server whether the code is valid and gets an access token. Then the application server decides whether or not to allow the user.

But I see my browser just gets the access token with user information. I wonder whether that is secure?

Thanks

--
Hugh Zhaohui Shangguan

From henning.waack at codecentric.de Wed Jul 11 03:42:34 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Wed, 11 Jul 2018 09:42:34 +0200
Subject: [keycloak-user] Add consent programmatically
Message-ID:

Hi.

Using KC 4.0, I am a little confused about consents. Using the KC Admin Client, when retrieving a UserResource I can get an (untyped) list of consents, which represents the consents visible on the KC Admin Homepage for a given user. Also I can revoke a consent on the UserResource object.

On the UserRepresentation object I have a method getClientConsents which returns a list of UserConsentRepresentations. These I do not know where to find on the Admin UI for a user. And these consents are not the same as the ones from the UserResource.

Can someone please explain the difference between these two?

And my real question is: can I programmatically set the consent for a user for a client which requires consent?

Hope you can help, thanks in advance, greetings

Henning

From hmlnarik at redhat.com Wed Jul 11 04:36:32 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 11 Jul 2018 10:36:32 +0200
Subject: [keycloak-user] SAML Advice assertion with signature
In-Reply-To:
References: <12CA6AFF-159E-4DBD-97DE-52838E47E96E@first8.nl>
Message-ID:

This is an interesting case. Could you in the first place create a JIRA and attach some example to it? Feel free to remove any sensitive information from the SAML document and/or set the JIRA as a security-sensitive issue so that the attachments remain confidential.
A patch that would ignore any dsig:Signature that occurs below the Advice tag - just like you mentioned - would most likely be the one to follow, but I'd like to inspect the SAML document first to understand the context fully. We don't provide patches to older upstream versions though; the patch would land in the newest version only.

Thanks

--Hynek

On Wed, Jul 4, 2018 at 1:41 PM Sebastian Laskawiec wrote:
> Hey Arjan,
>
> Long time no see! I hope you're well!
>
> More comments inlined.
>
> Thanks,
> Sebastian
>
> On Thu, Jun 28, 2018 at 4:53 PM Arjan Lamers wrote:
>
>> Hi,
>>
>> We are running KeyCloak 3.4.3-Final for a client and are running into trouble with an identity provider (the Dutch eHerkenning) that is using SAML Advice tags.
>>
>> We were running an older version of KeyCloak and recently that identity provider started to use <Advice> tags in their responses. We found https://issues.jboss.org/browse/KEYCLOAK-5644, adding support for the Advice tag, and that made us upgrade to 3.4.3. However, this patch does not seem to be complete.
>>
>> The patch there ignores the Advice tag when parsing the document. This is fine. However, in our case, the Advice contains two Assertions, both of which are signed (have a Signature tag). The document verification seems to also validate these signatures. This is a problem, since we do not have the keys for these advices, hence the validation fails.
>>
>> We have been advised to fully ignore the Advice tag, including the underlying signatures. I am not a SAML expert but that feels a bit wrong. Any thoughts on that?
>
> Perhaps Hynek or Stian could correct me here but the spec says the `Advice` elements can be completely ignored:
>
> "The <Advice> element contains any additional information that the SAML authority wishes to provide. This information MAY be ignored by applications without affecting either the semantics or the validity of the assertion."
>
> [1] Page 26 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>
>> However, if we do want to go down this road, we would probably patch this in
>>
>> org.keycloak.saml.processing.core.util.XMLSignatureUtil.validate(Document signedDoc, final KeyLocator locator)
>>
>> by skipping over nodes that have an "Advice" parent.
>
> This situation seems to be very tricky here. Looking through the spec I found that `Advice` tags need to be validated using lax XML validation (just as a reminder, lax validation doesn't fail if the schema is not found) [2]:
>
> "<Advice> and AdviceType: In addition to SAML-native elements, allows elements from other namespaces with lax schema validation processing."
>
> There's also a note on signature verification [3]:
>
> "The SAML assertion MAY be signed, which provides both authentication of the issuer and integrity protection. If such a signature is used, then the <ds:Signature> element MUST be present, and a relying party MUST verify that the signature is valid (that is, that the assertion has not been tampered with) in accordance with [XMLSig]. If it is invalid, then the relying party MUST NOT rely on the contents of the assertion. If it is valid, then the relying party SHOULD evaluate the signature to determine the identity and appropriateness of the issuer and may continue to process the assertion in accordance with this specification and as it deems appropriate (for example, evaluating conditions, advice, following profile specific rules, and so on)."
>
> So to sum it up:
>
> - Advice tag can be ignored completely
> - Advice tag needs only lax validation, so it just needs to be well formed XML, and that's basically it.
> - If a verifier finds a signature, it needs to validate it. If the signature doesn't pass the validation, we can not rely on the assertion.
>
> From this point, I guess patching the SignatureUtil to skip verification of signatures located in the `Advice` element seems not to violate anything. That's what we should do in my opinion.
>
> [2] Page 75 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
> [3] Page 16 https://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
>
>> Would that be an appropriate approach? Would you be interested in such a patch?
>
> Yes, definitely! Let's start with a patch for the master branch and later on, we could cherry-pick it to 3.x if needed.
>
>> Kind regards,
>>
>> Arjan Lamers
>> Software Architect
>> +31 (0)6 23 82 24 05
>>
>> a.lamers at first8.nl
>> https://www.first8.nl
>> Linkedin https://www.linkedin.com/in/arjanl <https://www.linkedin.com/in/profiel-id>
>> Kerkenbos 1059b
>> 6546 BB Nijmegen
>>
>> View Conclusion's general terms and conditions here <https://www.conclusion.nl/kleine-lettertjes/algemene-voorwaarden>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hmlnarik at redhat.com Wed Jul 11 04:37:14 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 11 Jul 2018 10:37:14 +0200
Subject: [keycloak-user] IBM DB2 not supported anymore?
In-Reply-To:
References:
Message-ID:

While we would love to support a variety of databases, the maintenance cost is non-zero, and our survey has shown that DB2 is not popular among Keycloak users while inadequately increasing maintenance cost. Hence we had to take a pragmatic step to drop its support in 4.x.

On Tue, Jul 10, 2018 at 3:00 PM Manfred Duchrow wrote:
> Hi,
>
> in issue https://issues.jboss.org/browse/KEYCLOAK-7519 Stian added a comment saying
>
> "Rejecting this as we removed support for DB2 in 4.x. DB2 had very few users and was by far the most time consuming to maintain."
>
> Is it true that DB2 will not be supported anymore?
> Where has it been announced? I cannot find anything in documentation, release notes, blogs or the user list mentioning it.
>
> I think you shouldn't drop support for DB2. It is a major enterprise database and many companies are using it.
>
> Cheers,
> Manfred
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From hmlnarik at redhat.com Wed Jul 11 04:38:06 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Wed, 11 Jul 2018 10:38:06 +0200
Subject: [keycloak-user] Possibility to Create search method for enabled or disabled Users
In-Reply-To:
References:
Message-ID:

Thanks for your interest. Feel free to add yourself as a watcher / add a comment / discuss a solution to https://issues.jboss.org/browse/KEYCLOAK-7262, efforts to improve user search abilities.

On Tue, Jul 10, 2018 at 4:40 PM Celso Agra wrote:
> Hi all,
>
> I'd like to know if it would be possible to create a search method to filter enabled or disabled users.
>
> I saw this class (line 46), and I realize that it could be possible to do that, creating a new query:
>
> https://github.com/keycloak/keycloak/blob/master/model/jpa/src/main/java/org/keycloak/models/jpa/entities/UserEntity.java#L46
>
> I can open an issue or maybe do a pull-request, but I'd like to know if it is acceptable for the keycloak team.
>
> --
> ---
> *Celso Agra*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From nicolas.gillet at market-ip.com Wed Jul 11 11:31:36 2018
From: nicolas.gillet at market-ip.com (Nicolas Gillet)
Date: Wed, 11 Jul 2018 15:31:36 +0000
Subject: [keycloak-user] View-users permissions only view some users
In-Reply-To: <1531219291.7582.1.camel@acutus.pro>
References: <1531219291.7582.1.camel@acutus.pro>
Message-ID:

Thank you Dmitry,

This definitely helps.

Now my users are coming from an SPI I wrote, guided by the user-storage-jpa-example in KC's repository. I have data in my users I want to use in order to create the group and manage visibility & impersonation. However I can't find how to add users to groups and create these groups through the SPI.

I do well see the method "UserQueryProvider.getGroupMembers" but I have no clue how to create groups and what the implementation of this method should do :-/

Is there any example I can get inspiration from where groups are driven by an external source?

Kind regards,

-----Original Message-----
From: Dmitry Telegin
Sent: Tuesday, 10 July 2018 12:42
To: Nicolas Gillet; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] View-users permissions only view some users

Hi Nicolas,

You could try the following:
- put your users into a group;
- create another user;
- grant this user "query-groups" and "impersonation" roles (from the "realm-management" or "master-realm" client, depending on the realm);
- go to your group, enable permissions, open "view" permission, add a user policy to allow the user to view the group, then repeat for "view-members" permission.

Now your newly added admin user will be restricted to the contents of the group. He won't be able to view/impersonate other users, even if he knows the user's internal ID.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-06 at 09:10 +0000, Nicolas Gillet wrote:
> Hello,
>
> Is it possible to grant a user the permission to view only some (not all) users of the realm?
> Same question about being allowed to impersonate only the users he is allowed to see?
>
> Thanks for any help :-)
>
> Nicolas GILLET
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vandana0242 at gmail.com Wed Jul 11 12:05:52 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Wed, 11 Jul 2018 11:05:52 -0500
Subject: [keycloak-user] Master realm or any other realm
Message-ID:

Hello

Which is the better option for configurations in Keycloak: using the master realm or creating a new realm?
Thanks,
Vandana

From ssilvert at redhat.com Wed Jul 11 13:10:41 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 11 Jul 2018 13:10:41 -0400
Subject: [keycloak-user] "Secret" realm landing page
Message-ID:

Many of you may not know this, but each realm in Keycloak has a public-facing page that allows you to retrieve the public key and some other realm info as JSON.

http://localhost:8080/auth/realms/master

{"realm":"master","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvUuJC65uwY1u0wX5zDOmDI/hez0AgMWBTQ+FZ1P3IiqawxkAR35dh8PvfsdM0/3TLCEH195J3BMZL6fxPVKwaFN+s7JLYtSSQ/j7w9D+MP7j7OQbpo7ucvwAch2aG96sgqSXlr5ZWgksOXJwPTloFCjvNcnBwbg+sOyIJjxpQ4/augphUgXglOsXRrXuNUQOLmURlPFv//AyN4Iea0kyfWxGn0m4iRl+Mff/Lz5vPtv/m3sFJ/D5iL9WD2uxkmq88a5EgqiW9/U/stj7VDwd3DDTAzqPsicGWDiNdFSpI1AqaNcWGTMeXl0TU29/vW4yqzMgeDxV8ig9uU2DBkTzRwIDAQAB","token-service":"http://localhost:8080/auth/realms/master/protocol/openid-connect","account-service":"http://localhost:8080/auth/realms/master/account","tokens-not-before":0}

First, is anyone using this JSON?

Second, would you like to see something else in its place? A dashboard of available apps perhaps?

Stan

From nils.wild at sinnovate.de Wed Jul 11 13:42:27 2018
From: nils.wild at sinnovate.de (Nils Wild)
Date: Wed, 11 Jul 2018 19:42:27 +0200
Subject: [keycloak-user] "Secret" realm landing page
In-Reply-To:
References:
Message-ID: <02f36347-b1e2-68bc-749a-69a3a7afd373@sinnovate.de>

jHipster does rely on that to autoconfigure Spring apps with the JWT key to verify JWT tokens (others do that as well I believe). Not sure what you mean by apps though.

Nils

On 11.07.2018 at 19:10, Stan Silvert wrote:
> Many of you may not know this, but each realm in Keycloak has a public-facing page that allows you to retrieve the public key and some other realm info as JSON.
>
> http://localhost:8080/auth/realms/master
>
> {"realm":"master","public_key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvUuJC65uwY1u0wX5zDOmDI/hez0AgMWBTQ+FZ1P3IiqawxkAR35dh8PvfsdM0/3TLCEH195J3BMZL6fxPVKwaFN+s7JLYtSSQ/j7w9D+MP7j7OQbpo7ucvwAch2aG96sgqSXlr5ZWgksOXJwPTloFCjvNcnBwbg+sOyIJjxpQ4/augphUgXglOsXRrXuNUQOLmURlPFv//AyN4Iea0kyfWxGn0m4iRl+Mff/Lz5vPtv/m3sFJ/D5iL9WD2uxkmq88a5EgqiW9/U/stj7VDwd3DDTAzqPsicGWDiNdFSpI1AqaNcWGTMeXl0TU29/vW4yqzMgeDxV8ig9uU2DBkTzRwIDAQAB","token-service":"http://localhost:8080/auth/realms/master/protocol/openid-connect","account-service":"http://localhost:8080/auth/realms/master/account","tokens-not-before":0}
>
> First, is anyone using this JSON?
>
> Second, would you like to see something else in its place? A dashboard of available apps perhaps?
>
> Stan
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vandana0242 at gmail.com Wed Jul 11 15:48:20 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Wed, 11 Jul 2018 14:48:20 -0500
Subject: [keycloak-user] ERROR [org.keycloak.services.resources.IdentityBrokerService]
Message-ID:

Hello

While configuring single sign-on for the application deployed on WildFly using Keycloak and an external Identity Provider, we came across the below errors and warnings.
How to resolve the below warnings & errors?

14:10:39,362 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread Pool -- 47) HHH000431: Unable to determine H2 database version, certain features m work
14:11:30,567 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
14:11:30,568 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-1) invalidRequestMessage
14:11:51,668 WARN [org.keycloak.events] (default task-2) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
14:11:51,669 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-2) invalidRequestMessage

Thanks,
Vandana

From dt at acutus.pro Wed Jul 11 17:18:59 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 12 Jul 2018 00:18:59 +0300
Subject: [keycloak-user] lock user after being inactive for certain period
In-Reply-To:
References:
Message-ID: <1531343939.5245.1.camel@acutus.pro>

Hi Sachin,

Sorry for the late response, hope it is still important.

There's no such functionality OOTB, however, you can write a simple Keycloak extension that would periodically check for users' (in)activity and lock them out. Since Keycloak supports EJBs, you can leverage EJB TimerService or the @Schedule annotation.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-04-13 at 15:22 +0200, Sachin Rastogi wrote:
> Hi all,
>
> We need to disable / lock a user if the user doesn't log in to the system for a certain period (such as after 10 days or so). I couldn't find an option to enable. Please guide me.
>
> Regards,
> SR
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jose.colomer.martorell at tecsisa.com Thu Jul 12 02:41:20 2018
From: jose.colomer.martorell at tecsisa.com (José Luis Colomer Martorell)
Date: Thu, 12 Jul 2018 08:41:20 +0200
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
Message-ID:

Hello, just to clarify the last question written by Francisco,

I'm also having problems when upgrading the RPT when the requested resource is not authorized to the user.

This is my current setup:

Users:
Just one user: foouser

Resources:
- foo-resource
- bar-resource

Policies:
- foouser-policy: this policy grants access for only foouser.

Permissions:
- fooresource-foouser-permission: this permission associates the resource "foo-resource" with the policy "foouser-policy"

I obtained the following valid RPT

{
  "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
  "exp": 1531411894,
  "nbf": 0,
  "iat": 1531375932,
  "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
  "aud": "demo-upgrade-rpt",
  "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
  "typ": "Bearer",
  "azp": "auth-demo-webapp",
  "auth_time": 0,
  "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
  "acr": "1",
  "allowed-origins": [],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "view-profile"
      ]
    }
  },
  "authorization": {
    "permissions": [
      {
        "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
        "rsname": "foouser-resource"
      }
    ]
  },
  "scope": "profile email",
  "email_verified": false,
  "groups": [],
  "preferred_username": "foouser"
}

And I tried to upgrade it using a ticket for an unauthorized resource (bar-resource)

{
  "resources": [
    {
      "id": "c73c3133-b987-4d1f-8195-544735d75433",
      "scopes": []
    }
  ],
  "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
  "exp": 1531411717,
  "nbf": 0,
  "iat": 1531375717,
  "aud": "demo-upgrade-rpt",
  "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
  "azp": "demo-upgrade-rpt"
}

Keycloak returns a 200 OK response including "upgraded": true in the body. I was expecting a 403 Forbidden response; it seems Keycloak just assesses the RPT's permissions, ignoring the ticket ones. Is this correct?

From jose.colomer.martorell at tecsisa.com Thu Jul 12 02:53:52 2018
From: jose.colomer.martorell at tecsisa.com (José Luis Colomer Martorell)
Date: Thu, 12 Jul 2018 06:55:52 +0002
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
Message-ID: <1531378432.7563.0@smtp.gmail.com>

Seems that I failed hardcore using the Gmail web interface :|

This is Francisco's message I wanted to reply to: http://lists.jboss.org/pipermail/keycloak-user/2018-July/014617.html

From clehingue at gmail.com Thu Jul 12 03:57:35 2018
From: clehingue at gmail.com (Christophe Lehingue)
Date: Thu, 12 Jul 2018 09:57:35 +0200
Subject: [keycloak-user] How to verify jwt token with jwt.io or javascript programme
Message-ID:

Hello,

How can I check the signature of a token (with https://jwt.io/ or an external JavaScript program)?

The configuration of my client is of "public" access type:

The keys I use are those defined in the "keys" area of the "realm" created:

But that does not work: do you have any idea how I could do this check?

Thanks and good day.

Regards,
Christophe

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 12843 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180712/6f40c6ab/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 23704 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180712/6f40c6ab/attachment-0003.png

From matthiasmueller07 at web.de Thu Jul 12 06:52:48 2018
From: matthiasmueller07 at web.de ("Matthias Müller")
Date: Thu, 12 Jul 2018 12:52:48 +0200
Subject: [keycloak-user] Kerberos Authentication
Message-ID:

Hello Jochen,

here is the trace information. I do not have much experience with Kerberos, maybe you can see a reason?

KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/servername at domain.local
[8639] 1531391993.35803: Getting initial credentials for HTTP/servername at domain.local
[8639] 1531391993.36009: Looked up etypes in keytab: aes256-cts
[8639] 1531391993.36071: Sending request (196 bytes) to domain.local
[8639] 1531391993.36099: Resolving hostname kerberos.domain.local
[8639] 1531391993.36411: Sending initial UDP request to dgram xx.xx.xx.xx:88
[8639] 1531391994.37505: Initiating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391994.47972: Sending TCP request to stream xx.xx.xx.xx:88
[8639] 1531391994.59194: Received answer (209 bytes) from stream xx.xx.xx.xx:88
[8639] 1531391994.59365: Terminating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391994.123891: Response was not from master KDC
[8639] 1531391994.124071: Received error from KDC: -1765328359/Additional pre-authentication required
[8639] 1531391994.124163: Processing preauth types: 16, 15, 19, 2
[8639] 1531391994.124216: Selected etype info: etype aes256-cts, salt "DOMAIN.LOCALHTTPservername", params ""
[8639] 1531391994.124325: Retrieving HTTP/servername at domain.local from FILE:/etc/keytab/servername.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[8639] 1531391994.124420: AS key obtained for encrypted timestamp: aes256-cts/3C17
[8639] 1531391994.124492: Encrypted timestamp (for 1531391993.432619): plain 301AA011180F32303138303731323130333935335AA10502030699EB, encrypted 1AB1CF23868718D3F7DCCB375E7B5C09655FE360088E5877846A9E84E7CCFD424496D15486173B0A8DE54FB12C394A9481BC9DFDCD5A032E
[8639] 1531391994.124544: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[8639] 1531391994.124572: Produced preauth for next request: 2
[8639] 1531391994.124622: Sending request (276 bytes) to domain.local
[8639] 1531391994.124690: Resolving hostname kerberos.domain.local
[8639] 1531391994.124813: Sending initial UDP request to dgram xx.xx.xx.xx:88
[8639] 1531391995.125972: Initiating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391995.136487: Sending TCP request to stream xx.xx.xx.xx:88
[8639] 1531391995.147521: Received answer (176 bytes) from stream xx.xx.xx.xx:88
[8639] 1531391995.147682: Terminating TCP connection to stream xx.xx.xx.xx:88
[8639] 1531391995.178245: Response was not from master KDC
[8639] 1531391995.178431: Received error from KDC: -1765328360/Preauthentication failed
[8639] 1531391995.178507: Preauth tryagain input types: 16, 15, 19, 2
[8639] 1531391995.178569: Getting initial credentials for HTTP/servername at domain.local
[8639] 1531391995.178667: Looked up etypes in keytab: aes256-cts
[8639] 1531391995.178731: Sending request (196 bytes) to domain.local (master)
kinit: Preauthentication failed while getting initial credentials

domain.local is the name of the domain
Kerberos.domain.local is an Active Directory server; Kerberos is enabled
servername is the server the application is installed on

Thanks

"Matthias Müller" writes:
> I added the necessary fields in the ldap configuration before.
>
> Realm: local.domain
> Principal: HTTP/server.name at local.domain
> Keytab: /etc/keytab/servername.keytab

Ok.

> local.domain and server.name are place holders for the original settings.
> The following message is shown with kinit and kvno:
> kinit: Preauthentication failed while getting initial credentials
> No credentials cache found (filename: /tmp/krb5cc_0) while getting client principal name

That's bad. My system has:

[root at saml keycloak]# kinit -kt keycloak.keytab HTTP/saml.example.org
[root at saml keycloak]# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: HTTP/saml.example.org at EXAMPLE.ORG

Valid starting       Expires              Service principal
08.07.2018 22:09:40  09.07.2018 22:09:40  krbtgt/EXAMPLE.ORG at EXAMPLE.ORG

Until that works you don't need to look at anything else. Please try:

KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/server.name at local.domain

> When I read the keytab file with klist the output is:
> 0 01/01/1970 00:00:00 HTTP/server.name at local.domain (aes256-cts-hmac-sha1-96)

That date looks fishy.

[root at saml keycloak]# klist -k keycloak.keytab
Keytab name: FILE:keycloak.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/saml.example.org at EXAMPLE.ORG
   1 HTTP/saml.example.org at EXAMPLE.ORG
   1 HTTP/saml.example.org at EXAMPLE.ORG
   1 HTTP/saml.example.org at EXAMPLE.ORG

Can you please move the discussion back to the keycloak list? Thanks.

Jochen

--
This space is intentionally left blank.

From craig at baseventure.com Thu Jul 12 07:08:22 2018
From: craig at baseventure.com (Craig Setera)
Date: Thu, 12 Jul 2018 06:08:22 -0500
Subject: [keycloak-user] Dynamically branded login?
Message-ID:

We build and host a multitenant application that is currently using homegrown authentication and authorization (using Picketlink). We are considering a move to Keycloak. My preference would be to use the login flows that are built in to Keycloak rather than building our own; however, that is dependent on whether we can properly brand those login flows on a per-customer basis in some dynamic way.
In looking at the theme SPI support, it appears to be mostly targeted at supporting multiple "static" themes. Is it possible to make a theme that is dynamic based on, for example, a query parameter? Are there any examples anywhere of how that might be possible? Would Keycloak carry through query parameters if they were provided when launching the login flow?

Thanks,
Craig

From psilva at redhat.com Thu Jul 12 09:28:24 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 12 Jul 2018 10:28:24 -0300
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To:
References:
Message-ID:

Hi,

Currently, we just set upgraded == true if an RPT was provided. I think we can change the behavior to:

* Set upgraded == false if any permission granted by the RPT was denied
* DENY request if ALL permissions from ticket were denied (and avoid issuing a new rpt == previous rpt)

Wdyt ?

On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:
> Hello, we are testing Keycloak 4.1.0.Final for authentication and authorization (UMA 2.0 flow).
>
> Some assumptions:
>
> - The Resource Server owns the resource Foo, and protects it by using two scope-based permissions, one requiring READ scope, and the other one requiring WRITE scope.
> - User Alice has been granted READ scope for resource Foo.
> - We are not using Policy Enforcers. Enforcement will be implemented at the Resource Server.
>
> We are modeling the following flow:
>
> 1. The Requesting Party (Alice) requests access to resource Foo in the Resource Server. This request DOES NOT provide an RPT.
> 2. The Resource Server detects the absence of RPT, so it requests a Permission Ticket from Keycloak, for the Foo resource and both READ and WRITE scopes (providing a valid PAT).
> 3. Keycloak returns a valid Permission Ticket to the Resource Server.
> 4. The Resource Server returns the Permission Ticket (including Keycloak token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token) at WWW-Authorization header) with status code 401 to the Requesting Party.
> 5. The Requesting Party sends the Permission Ticket (for the Foo resource and both READ and WRITE scopes) to Keycloak, in order to get a valid RPT.
>
> Here is where things start to get confusing. We expected that Keycloak would reject the authorization request due to failed permission evaluation (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope). Nevertheless, Keycloak returns a valid RPT, granting permission for resource Foo (just for READ scope).
>
> We are aware that this behavior is UMA 2.0 compliant section.3.6.4> :
>
>> If the value is non-null and CandidateGrantedScopes < RequestedScopes, the authorization server MUST subsequently issue either an RPT containing CandidateGrantedScopes (upgrading as appropriate; see below), or one of the error codes. The reason for the two options is that granting only partial scopes may not be useful for the client's and requesting party's purposes in seeking authorization for access.
>
> But as the RFC explicitly points out, this behavior may not be useful for the client. We think that the RFC is right, because this renders the client unable to tell whether the authorization has been partially or completely fulfilled. And consequently the Resource Server will request again a Permission Ticket for the Foo resource and both READ and WRITE scopes, so the whole flow will be repeated over and over again. If this is Keycloak's expected behavior, how can we avoid the infinite loops?
>
> Another question is, when providing a valid RPT along with a Permission Ticket, why does Keycloak deem an RPT as upgraded = true even when the requested resource has not been authorized? It returns the same RPT with just jti, exp and iat updated. Since we think that the Authorization Server must be the one stopping the UMA flow, should not Keycloak return a 403 Forbidden instead? Is this behavior configurable in any way?
>
> Thank you in advance!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Thu Jul 12 09:29:23 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 12 Jul 2018 10:29:23 -0300
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To:
References:
Message-ID:

I've replied to the original thread. Does it work for you ?

On Thu, Jul 12, 2018 at 3:41 AM, José Luis Colomer Martorell <jose.colomer.martorell at tecsisa.com> wrote:
> Hello, just to clarify the last question written by Francisco,
>
> I'm also having problems when upgrading the RPT when the requested resource is not authorized to the user.
>
> This is my current setup:
>
> Users:
> Just one user: foouser
>
> Resources:
> - foo-resource
> - bar-resource
>
> Policies:
> - foouser-policy: this policy grants access for only foouser.
> > > Permissions: > > - fooresource-foouser-permission: this permission associates the > resource "foo-resource" with the policy "foouser-policy" > > > I obtained the following valid RPT > > { > > > > "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41", > > > > "exp": 1531411894, > > > > "nbf": 0, > > > > "iat": 1531375932, > > > > "iss": "http://127.0.0.1:8080/auth/realms/TestRealm", > > > > "aud": "demo-upgrade-rpt", > > > > "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46", > > > > "typ": "Bearer", > > > > "azp": "auth-demo-webapp", > > > > "auth_time": 0, > > > > "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef", > > > > "acr": "1", > > > > "allowed-origins": [], > > > > "realm_access": { > > > > "roles": [ > > > > "offline_access", > > > > "uma_authorization" > > > > ] > > > > }, > > > > "resource_access": { > > > > "account": { > > > > "roles": [ > > > > "manage-account", > > > > "view-profile" > > > > ] > > > > } > > > > }, > > > > "authorization": { > > > > "permissions": [ > > > > { > > > > "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d", > > > > "rsname": "foouser-resource" > > > > } > > > > ] > > > > }, > > > > "scope": "profile email", > > > > "email_verified": false, > > > > "groups": [], > > > > "preferred_username": "foouser" > > > > } > > > > > And I tried to upgrade it using a ticket for an unauthorized resource > (bar-resource) > > { > > > > "resources": [ > > > > { > > > > "id": "c73c3133-b987-4d1f-8195-544735d75433", > > > > "scopes": [] > > > > } > > > > ], > > > > "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420", > > > > "exp": 1531411717, > > > > "nbf": 0, > > > > "iat": 1531375717, > > > > "aud": "demo-upgrade-rpt", > > > > "sub": "96f4fcc9-1992-418d-ac89-24b527ede141", > > > > "azp": "demo-upgrade-rpt" > > > > } > > > > > > Keycloak returns a 200 OK response including "upgraded": true in the body. > I was expecting a 403 forbidden response, it seems Keycloak just assess the > RPT's permissions, ignoring the ticket ones. 
> Is this correct?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From benjamin.d.parrish at gmail.com Thu Jul 12 11:01:24 2018
From: benjamin.d.parrish at gmail.com (Benjamin Parrish)
Date: Thu, 12 Jul 2018 17:01:24 +0200
Subject: [keycloak-user] Keycloak - NGINX - ASP.NET Core - Cookie Authentication Fails
Message-ID: 

I am having issues getting my cookie authentication with ASP.NET Core 2.0 to cooperate. I am using an NGINX reverse proxy. I can connect my web application to keycloak with an implicit flow, but I get a 401 (Unauthorized) response when logging in. If I move the application outside of the reverse proxy it works fine.

See this for a slew of conversation that I already had: https://github.com/aspnet/Security/issues/1808#issuecomment-404275299

From jose.colomer.martorell at tecsisa.com Thu Jul 12 11:02:49 2018
From: jose.colomer.martorell at tecsisa.com (José Luis Colomer Martorell)
Date: Thu, 12 Jul 2018 17:02:49 +0200
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To: 
References: 
Message-ID: 

Yes, I think so :) That behavior would be awesome.

2018-07-12 15:29 GMT+02:00 Pedro Igor Silva:

> I've replied to the original thread. Does it work for you?
>
> On Thu, Jul 12, 2018 at 3:41 AM, José Luis Colomer Martorell <jose.colomer.martorell at tecsisa.com> wrote:
>
>> Hello just to clarify the last question written by Francisco,
>>
>> I'm also having problems when upgrading the RPT when the requested resource is not authorized to the user.
>>
>> This is my current setup:
>>
>> Users:
>>
>> Just one user: foouser
>>
>> Resources:
>>
>> - foo-resource
>> - bar-resource
>>
>> Policies:
>>
>> - foouser-policy: this policy grants access for only foouser.
>>
>> Permissions:
>>
>> - fooresource-foouser-permission: this permission associates the resource "foo-resource" with the policy "foouser-policy"
>>
>> I obtained the following valid RPT
>>
>> {
>>   "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
>>   "exp": 1531411894,
>>   "nbf": 0,
>>   "iat": 1531375932,
>>   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
>>   "aud": "demo-upgrade-rpt",
>>   "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
>>   "typ": "Bearer",
>>   "azp": "auth-demo-webapp",
>>   "auth_time": 0,
>>   "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
>>   "acr": "1",
>>   "allowed-origins": [],
>>   "realm_access": {
>>     "roles": [
>>       "offline_access",
>>       "uma_authorization"
>>     ]
>>   },
>>   "resource_access": {
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "authorization": {
>>     "permissions": [
>>       {
>>         "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
>>         "rsname": "foouser-resource"
>>       }
>>     ]
>>   },
>>   "scope": "profile email",
>>   "email_verified": false,
>>   "groups": [],
>>   "preferred_username": "foouser"
>> }
>>
>> And I tried to upgrade it using a ticket for an unauthorized resource (bar-resource)
>>
>> {
>>   "resources": [
>>     {
>>       "id": "c73c3133-b987-4d1f-8195-544735d75433",
>>       "scopes": []
>>     }
>>   ],
>>   "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
>>   "exp": 1531411717,
>>   "nbf": 0,
>>   "iat": 1531375717,
>>   "aud": "demo-upgrade-rpt",
>>   "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
>>   "azp": "demo-upgrade-rpt"
>> }
>>
>> Keycloak returns a 200 OK response including "upgraded": true in the body.
>> I was expecting a 403 forbidden response, it seems Keycloak just assesses the RPT's permissions, ignoring the ticket ones. Is this correct?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From jose.colomer.martorell at tecsisa.com Thu Jul 12 11:16:35 2018
From: jose.colomer.martorell at tecsisa.com (José Luis Colomer Martorell)
Date: Thu, 12 Jul 2018 17:16:35 +0200
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To: 
References: 
Message-ID: 

I think so :) That behavior would be awesome.

PS: I believe I'm failing so hard with the mail list, sorry about that.

2018-07-12 15:29 GMT+02:00 Pedro Igor Silva:

> I've replied to the original thread. Does it work for you?
>
> On Thu, Jul 12, 2018 at 3:41 AM, José Luis Colomer Martorell <jose.colomer.martorell at tecsisa.com> wrote:
>
>> Hello just to clarify the last question written by Francisco,
>>
>> I'm also having problems when upgrading the RPT when the requested resource is not authorized to the user.
>>
>> This is my current setup:
>>
>> Users:
>>
>> Just one user: foouser
>>
>> Resources:
>>
>> - foo-resource
>> - bar-resource
>>
>> Policies:
>>
>> - foouser-policy: this policy grants access for only foouser.
>>
>> Permissions:
>>
>> - fooresource-foouser-permission: this permission associates the resource "foo-resource" with the policy "foouser-policy"
>>
>> I obtained the following valid RPT
>>
>> {
>>   "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
>>   "exp": 1531411894,
>>   "nbf": 0,
>>   "iat": 1531375932,
>>   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
>>   "aud": "demo-upgrade-rpt",
>>   "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
>>   "typ": "Bearer",
>>   "azp": "auth-demo-webapp",
>>   "auth_time": 0,
>>   "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
>>   "acr": "1",
>>   "allowed-origins": [],
>>   "realm_access": {
>>     "roles": [
>>       "offline_access",
>>       "uma_authorization"
>>     ]
>>   },
>>   "resource_access": {
>>     "account": {
>>       "roles": [
>>         "manage-account",
>>         "view-profile"
>>       ]
>>     }
>>   },
>>   "authorization": {
>>     "permissions": [
>>       {
>>         "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
>>         "rsname": "foouser-resource"
>>       }
>>     ]
>>   },
>>   "scope": "profile email",
>>   "email_verified": false,
>>   "groups": [],
>>   "preferred_username": "foouser"
>> }
>>
>> And I tried to upgrade it using a ticket for an unauthorized resource (bar-resource)
>>
>> {
>>   "resources": [
>>     {
>>       "id": "c73c3133-b987-4d1f-8195-544735d75433",
>>       "scopes": []
>>     }
>>   ],
>>   "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
>>   "exp": 1531411717,
>>   "nbf": 0,
>>   "iat": 1531375717,
>>   "aud": "demo-upgrade-rpt",
>>   "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
>>   "azp": "demo-upgrade-rpt"
>> }
>>
>> Keycloak returns a 200 OK response including "upgraded": true in the body.
>> I was expecting a 403 forbidden response, it seems Keycloak just assesses the RPT's permissions, ignoring the ticket ones. Is this correct?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From nicolas.gillet at market-ip.com Thu Jul 12 11:40:50 2018
From: nicolas.gillet at market-ip.com (Nicolas Gillet)
Date: Thu, 12 Jul 2018 15:40:50 +0000
Subject: [keycloak-user] View-users permissions only view some users
In-Reply-To: 
References: <1531219291.7582.1.camel@acutus.pro>
Message-ID: 

Ok,

After a few hours of try & fail, I managed to create my groups dynamically through the SPI.
The trick was to use the RealmModel that is passed to the providers methods to create groups.
As it's not documented anywhere, I hope this has no caveat. So far the created groups seem to be correct and persisted.

Now I am stuck figuring out how to create a policy that will allow a user of a group to manage only users of a subgroup of his own group. :-/

If anyone has a hint?

Kind regards,

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On behalf of Nicolas Gillet
Sent: Wednesday, 11 July 2018 17:32
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] View-users permissions only view some users

Thank you Dmitri,

This definitely helps.
Now my users are coming from an SPI I wrote, guided by the user-storage-jpa-example in KC's repository.
I have data in my users I want to use in order to create the group and manage visibility & impersonation.
However I can't find how to add users in groups and create these groups through the SPI.

I do well see the methods "UserQueryProvider.getGroupMembers" but I have no clue on how to create groups and what the implementation of these methods should do :-/

Is there any example I can get inspiration from where groups are driven by an external source?
Kind regards,

-----Original Message-----
From: Dmitry Telegin
Sent: Tuesday, 10 July 2018 12:42
To: Nicolas Gillet; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] View-users permissions only view some users

Hi Nicolas,

You could try the following:
- put your users into a group;
- create another user;
- grant this user "query-groups" and "impersonation" roles (from the "realm-management" or "master-realm" client, depending on the realm);
- go to your group, enable permissions, open "view" permission, add a user policy to allow the user to view group, then repeat for "view-members" permission.

Now your newly added admin user will be restricted to the contents of the group. He won't be able to view/impersonate other users, even if he knows the user's internal ID.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-06 at 09:10 +0000, Nicolas Gillet wrote:
> Hello,
>
> Is it possible to grant a user the permission to view only some (not all) users of the realm?
> Same question about being allowed to impersonate only the user he is allowed to see?
>
> Thanks for any help :-)
>
> Nicolas GILLET
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From nils.wild at sinnovate.de Thu Jul 12 12:10:55 2018
From: nils.wild at sinnovate.de (Nils Wild)
Date: Thu, 12 Jul 2018 18:10:55 +0200
Subject: [keycloak-user] View-users permissions only view some users
In-Reply-To: 
References: <1531219291.7582.1.camel@acutus.pro>
Message-ID: <00b23cfe-f075-24ff-08bc-73be8f024067@sinnovate.de>

Give the user the query-users role and enable permissions on the groups (the one the user should be able to manage and the group he should not be able to manage). Now you can set policies to manage members of that group and deny it for the members of the other group.

Nils

On 12.07.2018 at 17:40, Nicolas Gillet wrote:
> Ok,
>
> After a few hours of try & fail, I managed to create my groups dynamically through the SPI.
> The trick was to use the RealmModel that is passed to the providers methods to create groups.
> As it's not documented anywhere, I hope this has no caveat. So far the created groups seem to be correct and persisted.
>
> Now I am stuck figuring out how to create a policy that will allow a user of a group to manage only users of a subgroup of his own group. :-/
>
> If anyone has a hint?
>
> Kind regards,
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org On behalf of Nicolas Gillet
> Sent: Wednesday, 11 July 2018 17:32
> To: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] View-users permissions only view some users
>
> Thank you Dmitri,
>
> This definitely helps.
> Now my users are coming from an SPI I wrote, guided by the user-storage-jpa-example in KC's repository.
> I have data in my users I want to use in order to create the group and manage visibility & impersonation.
> However I can't find how to add users in groups and create these groups through the SPI.
>
> I do well see the methods "UserQueryProvider.getGroupMembers" but I have no clue on how to create groups and what the implementation of these methods should do :-/
>
> Is there any example I can get inspiration from where groups are driven by an external source?
>
> Kind regards,
>
> -----Original Message-----
> From: Dmitry Telegin
> Sent: Tuesday, 10 July 2018 12:42
> To: Nicolas Gillet; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] View-users permissions only view some users
>
> Hi Nicolas,
>
> You could try the following:
> - put your users into a group;
> - create another user;
> - grant this user "query-groups" and "impersonation" roles (from the "realm-management" or "master-realm" client, depending on the realm);
> - go to your group, enable permissions, open "view" permission, add a user policy to allow the user to view group, then repeat for "view-members" permission.
>
> Now your newly added admin user will be restricted to the contents of the group. He won't be able to view/impersonate other users, even if he knows the user's internal ID.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-07-06 at 09:10 +0000, Nicolas Gillet wrote:
>> Hello,
>>
>> Is it possible to grant a user the permission to view only some (not all) users of the realm?
>> Same question about being allowed to impersonate only the user he is allowed to see?
>>
>> Thanks for any help :-)
>>
>> Nicolas GILLET
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Thu Jul 12 13:30:02 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 12 Jul 2018 20:30:02 +0300
Subject: [keycloak-user] How to verify jwt token with jwt.io or javascript programme
In-Reply-To: 
References: 
Message-ID: <1531416602.7481.7.camel@acutus.pro>

Hi Christophe,

jwt.io expects the public key in full PEM format, like this:

-----BEGIN RSA PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuc0fiNYtzlRN+nDqKg5qqoLN5Qj
/7te1BauoXK8wow5eVamKc9xPjNG99kz0VQcMtPOwqHWEUSwFr77nPhJOYB5ea0ERCeh224
Swiy/mLaxcIJOu9Mex+XZw1kRcxBU64iE9bDs4xi3PYgt+zPVOdqWmF54jiZIRnWAGPa5uX
4AFrwykfDGc+MH6jFiJKxUs0m9VSlmpRj8+/MWVBbNDx7m67xWV6FXbcgsFGrv1+yNIpTrp
leqNpm1M9dHVyVeJYroHEblmNbDj0iqAyKJqPLjNGhM7gYmuckv+vzun9MuiO8fFrguO3+y
hCXhcibdf3hy6ryfGWyFFwdEO8eTB9wIDAQAB
-----END RSA PUBLIC KEY-----

You need to copy your public key from Keycloak realm -> Keys -> Active -> RSA, then add header and footer, and paste it into the public key field in jwt.io.

As for JavaScript libraries, you'll need to consult the documentation for the library of your choice.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-07-12 at 09:57 +0200, Christophe Lehingue wrote:
> Hello,
>
> How can I check the signature of a token (with https://jwt.io/ or an external javascript program)?
>
> The configuration of my client is of "public" access type:
>
> The keys I use are those defined in the "keys" area of the "realm" created:
>
> But that does not work: do you have any idea how I could do this check?
>
> Thanks and good day.
>
> Regards,
>
> Christophe
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Thu Jul 12 13:35:31 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 12 Jul 2018 14:35:31 -0300
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To: 
References: 
Message-ID: 

On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:

> Hello, we are testing Keycloak 4.1.0.Final for authentication and authorization (UMA 2.0 flow).
>
> Some assumptions:
>
> - The Resource Server owns the resource Foo, and protects it by using two scope-based permissions, one requiring READ scope, and the other one requiring WRITE scope.
> - User Alice has been granted READ scope for resource Foo.
> - We are not using Policy Enforcers. Enforcement will be implemented at the Resource Server.
>
> We are modeling the following flow:
>
> 1. The Requesting Party (Alice) requests access to resource Foo in the Resource Server. This request DOES NOT provide an RPT.
> 2. The Resource Server detects the absence of RPT, so it requests a Permission Ticket to Keycloak, for the Foo resource and both READ and WRITE scopes (providing a valid PAT).
> 3.
> Keycloak returns a valid Permission Ticket to the Resource Server.
> 4. The Resource Server returns the Permission Ticket (including Keycloak token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token) at WWW-Authorization header) with status code 401 to the Requesting Party.
> 5. The Requesting Party sends the Permission Ticket (for the Foo resource and both READ and WRITE scopes) to Keycloak, in order to get a valid RPT.
>
> Here is where things start to get confusing. We expected that Keycloak would reject the authorization request due to failed permission evaluation (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope). Nevertheless, Keycloak returns a valid RPT, granting permission for resource Foo (just for READ scope).
>
> We are aware that this behavior is UMA 2.0 compliant section.3.6.4>:
>
>> If the value is non-null and CandidateGrantedScopes < RequestedScopes, the authorization server MUST subsequently issue either an RPT containing CandidateGrantedScopes (upgrading as appropriate; see below), or one of the error codes. The reason for the two options is that granting only partial scopes may not be useful for the client's and requesting party's purposes in seeking authorization for access.
>
> But as the RFC explicitly points out, this behavior may not be useful for the client. We think that the RFC is right, because this renders the client unable to tell whether the authorization has been partially or completely fulfilled. And consequently the Resource Server will request again a Permission Ticket for the Foo resource and both READ and WRITE scopes, so the whole flow will be repeated over and over again. If this is Keycloak expected behavior, how can we avoid the infinite loops?
>

For this particular case, each scope is associated with a specific HTTP method? Can't you obtain tickets accordingly including only the scopes you need?
As you noticed, by default, Keycloak issues an RPT for any resource/scope you sent along with an authorization request. Resource servers (or clients sending authz requests directly without ticket) should be able to ask only for specific resources/scopes.

>
> Another question is, when providing a valid RPT along with a Permission Ticket, why Keycloak deems an RPT as upgraded = true even when the requested resource has not been authorized? It returns the same RPT with just jti, exp and iat updated. Since we think that the Authorization Server must be the one stopping the UMA flow, should not Keycloak return a 403 Forbidden instead? Is this behavior configurable in any way?
>
> Thank you in advance!
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From jochen at jochen.org Thu Jul 12 13:45:31 2018
From: jochen at jochen.org (Jochen Hein)
Date: Thu, 12 Jul 2018 19:45:31 +0200
Subject: [keycloak-user] Kerberos Authentication
In-Reply-To: ("Matthias Müller"'s message of "Thu, 12 Jul 2018 12:52:48 +0200")
References: 
Message-ID: <837em0fiv8.fsf@jochen.org>

"Matthias Müller" writes:

> here is the trace information. I do not have much experience with Kerberos, maybe you can see a reason?

Not really - there are lots of posts for failed authentication with kerberos and AD. Some talk about errors with encryption types, but nothing conclusive and your trace doesn't really help me.

> KRB5_TRACE=/dev/stderr kinit -kt /etc/keytab/servername.keytab HTTP/servername at domain.local
...
> [8639] 1531391994.124216: Selected etype info: etype aes256-cts, salt "DOMAIN.LOCALHTTPservername", params ""
> [8639] 1531391994.124325: Retrieving HTTP/servername at domain.local from FILE:/etc/keytab/servername.keytab (vno 0, enctype aes256-cts) with result: 0/Success
> [8639] 1531391994.124420: AS key obtained for encrypted timestamp: aes256-cts/3C17
> Thanks

Looking for aes256-cts and kerberos with google may have some hints, but nothing I can really point to. Do you have access to the KDC logs? Can you authenticate with the keytab on a windows machine?

Jochen

-- 
This space is intentionally left blank.

From psilva at redhat.com Thu Jul 12 14:08:19 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 12 Jul 2018 15:08:19 -0300
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To: 
References: 
Message-ID: 

Created https://issues.jboss.org/browse/KEYCLOAK-7849.

On Thu, Jul 12, 2018 at 12:02 PM, José Luis Colomer Martorell <jose.colomer.martorell at tecsisa.com> wrote:

> Yes, I think so :) That behavior would be awesome.
>
> 2018-07-12 15:29 GMT+02:00 Pedro Igor Silva:
>
>> I've replied to the original thread. Does it work for you?
>>
>> On Thu, Jul 12, 2018 at 3:41 AM, José Luis Colomer Martorell <jose.colomer.martorell at tecsisa.com> wrote:
>>
>>> Hello just to clarify the last question written by Francisco,
>>>
>>> I'm also having problems when upgrading the RPT when the requested resource is not authorized to the user.
>>>
>>> This is my current setup:
>>>
>>> Users:
>>>
>>> Just one user: foouser
>>>
>>> Resources:
>>>
>>> - foo-resource
>>> - bar-resource
>>>
>>> Policies:
>>>
>>> - foouser-policy: this policy grants access for only foouser.
>>>
>>> Permissions:
>>>
>>> - fooresource-foouser-permission: this permission associates the resource "foo-resource" with the policy "foouser-policy"
>>>
>>> I obtained the following valid RPT
>>>
>>> {
>>>   "jti": "fd8bbd4d-2392-4720-a8bd-34803fde6c41",
>>>   "exp": 1531411894,
>>>   "nbf": 0,
>>>   "iat": 1531375932,
>>>   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
>>>   "aud": "demo-upgrade-rpt",
>>>   "sub": "815b5a1d-57b2-4f5e-9ee5-f35c71938a46",
>>>   "typ": "Bearer",
>>>   "azp": "auth-demo-webapp",
>>>   "auth_time": 0,
>>>   "session_state": "c5680f60-f13a-4952-921c-80e3b7544bef",
>>>   "acr": "1",
>>>   "allowed-origins": [],
>>>   "realm_access": {
>>>     "roles": [
>>>       "offline_access",
>>>       "uma_authorization"
>>>     ]
>>>   },
>>>   "resource_access": {
>>>     "account": {
>>>       "roles": [
>>>         "manage-account",
>>>         "view-profile"
>>>       ]
>>>     }
>>>   },
>>>   "authorization": {
>>>     "permissions": [
>>>       {
>>>         "rsid": "1dc34dcd-541e-4f9a-8eab-6bc9a5bac09d",
>>>         "rsname": "foouser-resource"
>>>       }
>>>     ]
>>>   },
>>>   "scope": "profile email",
>>>   "email_verified": false,
>>>   "groups": [],
>>>   "preferred_username": "foouser"
>>> }
>>>
>>> And I tried to upgrade it using a ticket for an unauthorized resource (bar-resource)
>>>
>>> {
>>>   "resources": [
>>>     {
>>>       "id": "c73c3133-b987-4d1f-8195-544735d75433",
>>>       "scopes": []
>>>     }
>>>   ],
>>>   "jti": "49bd25bf-3c2e-4c90-b3af-04bf10580083-1531376034420",
>>>   "exp": 1531411717,
>>>   "nbf": 0,
>>>   "iat": 1531375717,
>>>   "aud": "demo-upgrade-rpt",
>>>   "sub": "96f4fcc9-1992-418d-ac89-24b527ede141",
>>>   "azp": "demo-upgrade-rpt"
>>> }
>>>
>>> Keycloak returns a 200 OK response including "upgraded": true in the body.
>>> I was expecting a 403 forbidden response, it seems Keycloak just assesses the RPT's permissions, ignoring the ticket ones. Is this correct?
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From vandana0242 at gmail.com Thu Jul 12 14:22:54 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 12 Jul 2018 13:22:54 -0500
Subject: [keycloak-user] how to enable realm
Message-ID: 

"Realm not enabled" is what the keycloak page is showing. How can I enable it via the command line?

Thanks,
Vandana

From iali at an10.io Thu Jul 12 14:38:37 2018
From: iali at an10.io (Irtiza Ali)
Date: Thu, 12 Jul 2018 23:38:37 +0500
Subject: [keycloak-user] How to verify jwt token with jwt.io or javascript programme
In-Reply-To: <1531416602.7481.7.camel@acutus.pro>
References: <1531416602.7481.7.camel@acutus.pro>
Message-ID: 

Link to the examples:

https://gitlab.com/snippets/1732567

Irtiza Ali

On Thu, Jul 12, 2018 at 10:30 PM, Dmitry Telegin
wrote:

> Hi Christophe,
>
> jwt.io expects the public key in full PEM format, like this:
>
> -----BEGIN RSA PUBLIC KEY-----
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuc0fiNYtzlRN+nDqKg5qqoLN5Qj
> /7te1BauoXK8wow5eVamKc9xPjNG99kz0VQcMtPOwqHWEUSwFr77nPhJOYB5ea0ERCeh224
> Swiy/mLaxcIJOu9Mex+XZw1kRcxBU64iE9bDs4xi3PYgt+zPVOdqWmF54jiZIRnWAGPa5uX
> 4AFrwykfDGc+MH6jFiJKxUs0m9VSlmpRj8+/MWVBbNDx7m67xWV6FXbcgsFGrv1+yNIpTrp
> leqNpm1M9dHVyVeJYroHEblmNbDj0iqAyKJqPLjNGhM7gYmuckv+vzun9MuiO8fFrguO3+y
> hCXhcibdf3hy6ryfGWyFFwdEO8eTB9wIDAQAB
> -----END RSA PUBLIC KEY-----
>
> You need to copy your public key from Keycloak realm -> Keys -> Active -> RSA, then add header and footer, and paste it into the public key field in jwt.io.
>
> As for JavaScript libraries, you'll need to consult the documentation for the library of your choice.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-07-12 at 09:57 +0200, Christophe Lehingue wrote:
>> Hello,
>>
>> How can I check the signature of a token (with https://jwt.io/ or an external javascript program)?
>>
>> The configuration of my client is of "public" access type:
>>
>> The keys I use are those defined in the "keys" area of the "realm" created:
>>
>> But that does not work: do you have any idea how I could do this check?
>>
>> Thanks and good day.
>>
>> Regards,
>>
>> Christophe
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From iali at an10.io Thu Jul 12 14:45:47 2018
From: iali at an10.io (Irtiza Ali)
Date: Thu, 12 Jul 2018 23:45:47 +0500
Subject: [keycloak-user] How to verify jwt token with jwt.io or javascript programme
In-Reply-To: 
References: <1531416602.7481.7.camel@acutus.pro>
Message-ID: 

I hope the examples will help you; in case of any query feel free to ask.

IA

On Thu, Jul 12, 2018 at 11:38 PM, Irtiza Ali wrote:

> Link to the examples:
>
> https://gitlab.com/snippets/1732567
>
> Irtiza Ali
>
> On Thu, Jul 12, 2018 at 10:30 PM, Dmitry Telegin
wrote:
>
>> Hi Christophe,
>>
>> jwt.io expects the public key in full PEM format, like this:
>>
>> -----BEGIN RSA PUBLIC KEY-----
>> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuc0fiNYtzlRN+nDqKg5qqoLN5Qj
>> /7te1BauoXK8wow5eVamKc9xPjNG99kz0VQcMtPOwqHWEUSwFr77nPhJOYB5ea0ERCeh224
>> Swiy/mLaxcIJOu9Mex+XZw1kRcxBU64iE9bDs4xi3PYgt+zPVOdqWmF54jiZIRnWAGPa5uX
>> 4AFrwykfDGc+MH6jFiJKxUs0m9VSlmpRj8+/MWVBbNDx7m67xWV6FXbcgsFGrv1+yNIpTrp
>> leqNpm1M9dHVyVeJYroHEblmNbDj0iqAyKJqPLjNGhM7gYmuckv+vzun9MuiO8fFrguO3+y
>> hCXhcibdf3hy6ryfGWyFFwdEO8eTB9wIDAQAB
>> -----END RSA PUBLIC KEY-----
>>
>> You need to copy your public key from Keycloak realm -> Keys -> Active -> RSA, then add header and footer, and paste it into the public key field in jwt.io.
>>
>> As for JavaScript libraries, you'll need to consult the documentation for the library of your choice.
>>
>> Cheers,
>> Dmitry Telegin
>> CTO, Acutus s.r.o.
>> Keycloak Consulting and Training
>>
>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> +42 (022) 888-30-71
>> E-mail: info at acutus.pro
>>
>> On Thu, 2018-07-12 at 09:57 +0200, Christophe Lehingue wrote:
>>> Hello,
>>>
>>> How can I check the signature of a token (with https://jwt.io/ or an external javascript program)?
>>>
>>> The configuration of my client is of "public" access type:
>>>
>>> The keys I use are those defined in the "keys" area of the "realm" created:
>>>
>>> But that does not work: do you have any idea how I could do this check?
>>>
>>> Thanks and good day.
>>>
>>> Regards,
>>>
>>> Christophe
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From iali at an10.io Thu Jul 12 14:53:48 2018
From: iali at an10.io (Irtiza Ali)
Date: Thu, 12 Jul 2018 23:53:48 +0500
Subject: [keycloak-user] how to enable realm
In-Reply-To: 
References: 
Message-ID: 

Look at the admin api, it might help you.

link: https://www.keycloak.org/docs-api/2.5/rest-api/index.html

IA

On Thu, Jul 12, 2018 at 11:22 PM, vandana thota wrote:

> "Realm not enabled" is what the keycloak page is showing. How can I enable it via the command line?
>
> Thanks,
> Vandana
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From vandana0242 at gmail.com Thu Jul 12 14:57:59 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 12 Jul 2018 13:57:59 -0500
Subject: [keycloak-user] how to enable realm
In-Reply-To: 
References: 
Message-ID: 

I am not able to open the keycloak console. It is showing, as in the attachment, that the realm is not enabled. So how can I do it by using the command line interface? What command do I have to run to enable the master realm, so that I can open the Keycloak admin console?

On Thu, Jul 12, 2018 at 1:53 PM Irtiza Ali wrote:

> Look at the admin api, it might help you.
>
> link: https://www.keycloak.org/docs-api/2.5/rest-api/index.html
>
> IA
>
> On Thu, Jul 12, 2018 at 11:22 PM, vandana thota wrote:
>
>> "Realm not enabled" is what the keycloak page is showing. How can I enable it via the command line?
>>
>>
>> Thanks,
>> Vandana
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: releam.PNG
Type: image/png
Size: 95262 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180712/3fcb6d8f/attachment-0001.png

From jpperata at gmail.com Thu Jul 12 15:48:40 2018
From: jpperata at gmail.com (Juan Pablo Perata)
Date: Thu, 12 Jul 2018 16:48:40 -0300
Subject: [keycloak-user] Issue when two user federation providers are deployed
In-Reply-To:
References:
Message-ID:

Anyone who faced the same? Appreciate any help.

On Thu, 28 Jun 2018 21:36, Juan Pablo Perata wrote:
> Hi,
>
> I have been facing an issue with having two user federation providers
> deployed on the same keycloak instance.
>
> When both are deployed, one of them appears as not visible from the admin
> console.
>
> I created this issue where I explain the situation in more detail:
> https://issues.jboss.org/browse/KEYCLOAK-7735?_sscc=t
>
> It seems to be a bug but cannot confirm that.
>
> I appreciate it if someone faced something similar or points out something I
> do not see.
>
> Regards,
> Juan
>
>

From soumya.mishra at aktana.com Thu Jul 12 16:00:03 2018
From: soumya.mishra at aktana.com (Soumya Mishra)
Date: Thu, 12 Jul 2018 13:00:03 -0700
Subject: [keycloak-user] how to change the reset password link in the email to our own custom url
Message-ID:

Hello Everyone,

We use the Keycloak REST API to send password reset emails to users. We do not expose Keycloak to outside clients. We have built a wrapper around it.

We would need to change the URL used in the email link presented to users in the email sent to them.

I have looked at some of the examples but none of them seem to be working.
http://lists.jboss.org/pipermail/keycloak-user/2015-October/003428.html
http://lists.jboss.org/pipermail/keycloak-user/2017-April/010302.html
http://lists.jboss.org/pipermail/keycloak-user/2015-October/003429.html

Is there an easy way to do so? Do you guys know?

Regards,
Soumya

From alatwork at gmx.com Thu Jul 12 16:18:28 2018
From: alatwork at gmx.com (Alvin Alf)
Date: Thu, 12 Jul 2018 22:18:28 +0200
Subject: [keycloak-user] OAuth 2.0 Extension Grants?
Message-ID:

From vandana0242 at gmail.com Thu Jul 12 17:54:05 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 12 Jul 2018 16:54:05 -0500
Subject: [keycloak-user] how to uninstall keycloak-4.0.0.Final
Message-ID:

Hello,

How to uninstall keycloak-4.0.0.Final on the server? What commands need to be run?

Thanks,
Vandana

From bruno at abstractj.org Thu Jul 12 18:54:15 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 12 Jul 2018 19:54:15 -0300
Subject: [keycloak-user] how to uninstall keycloak-4.0.0.Final
In-Reply-To:
References:
Message-ID: <20180712225415.GA2124@abstractj.org>

As far as I can tell, there's no particular command to uninstall. Only stop the server and delete the keycloak folder. Unless you installed Keycloak through some package management system.

On 2018-07-12, vandana thota wrote:
> Hello
>
>
> How to uninstall keycloak-4.0.0.Final on the server?
> What commands need to be run?
>
> Thanks,
> Vandana
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

abstractj

From bruno at abstractj.org Thu Jul 12 19:06:49 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 12 Jul 2018 20:06:49 -0300
Subject: [keycloak-user] how to enable realm
In-Reply-To:
References:
Message-ID: <20180712230649.GB2124@abstractj.org>

Please take a look at https://www.keycloak.org/docs/latest/server_admin/index.html#the-admin-cli.
Plus, provide more detailed information about your environment in the next e-mails. In this way, people can help you.

On 2018-07-12, vandana thota wrote:
> I am not able to open the Keycloak console.
> It is showing, as in the attachment, that the realm is not enabled.
>
> So how can I do it by using the command line interface?
>
> What command do I have to run to enable the master realm, so that I can
> open the Keycloak admin console?
>
>
>
> On Thu, Jul 12, 2018 at 1:53 PM Irtiza Ali wrote:
>
> > Look at the admin API, it might help you.
> >
> > Link: https://www.keycloak.org/docs-api/2.5/rest-api/index.html
> >
> > IA
> >
> > On Thu, Jul 12, 2018 at 11:22 PM, vandana thota
> > wrote:
> >
> >> The Keycloak page is showing "Realm not enabled". How can I enable it
> >> via the command line?
> >>
> >>
> >> Thanks,
> >> Vandana
> >> _______________________________________________
> >> keycloak-user mailing list
> >> keycloak-user at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

abstractj

From bruno at abstractj.org Thu Jul 12 19:18:18 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 12 Jul 2018 20:18:18 -0300
Subject: [keycloak-user] Issue when two user federation providers are deployed
In-Reply-To:
References:
Message-ID: <20180712231817.GA18758@abstractj.org>

Please, add the exact steps to reproduce or add the code of your federation providers. The less time people spend trying to reproduce your scenario the better. At the moment people are busy with other tasks, so you have to wait a bit or, if you think you can fix it, please provide a patch.

On 2018-06-28, Juan Pablo Perata wrote:
> Hi,
>
> I have been facing an issue with having two user federation providers
> deployed on the same keycloak instance.
>
> When both are deployed, one of them appears as not visible from the admin
> console.
>
> I created this issue where I explain the situation in more detail:
> https://issues.jboss.org/browse/KEYCLOAK-7735?_sscc=t
>
> It seems to be a bug but cannot confirm that.
>
> I appreciate it if someone faced something similar or points out something I
> do not see.
>
> Regards,
> Juan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

abstractj

From bruno at abstractj.org Thu Jul 12 19:23:15 2018
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 12 Jul 2018 20:23:15 -0300
Subject: [keycloak-user] ERROR [org.keycloak.services.resources.IdentityBrokerService]
In-Reply-To:
References:
Message-ID: <20180712232315.GB18758@abstractj.org>

Maybe this link answers your question?

https://stackoverflow.com/questions/38157862/hhh000431-unable-to-determine-h2-database-version-certain-features-may-not-wor

On 2018-07-11, vandana thota wrote:
> Hello
>
> While configuring single sign-on for the application deployed on
> WildFly, using Keycloak and an external identity provider, we came
> across the errors and warnings below.
>
> How to resolve the warnings & errors below?
>
>
> 14:10:39,362 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread
> Pool -- 47) HHH000431: Unable to determine H2 database version, certain
> features m work
> 14:11:30,567 WARN [org.keycloak.events] (default task-1)
> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null,
> userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
> 14:11:30,568 ERROR [org.keycloak.services.resources.IdentityBrokerService]
> (default task-1) invalidRequestMessage
> 14:11:51,668 WARN [org.keycloak.events] (default task-2)
> type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null,
> userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
> 14:11:51,669 ERROR [org.keycloak.services.resources.IdentityBrokerService]
> (default task-2) invalidRequestMessage
>
>
> Thanks,
> Vandana
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--

abstractj

From dt at acutus.pro Thu Jul 12 20:03:46 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Fri, 13 Jul 2018 03:03:46 +0300
Subject: [keycloak-user] how to enable realm
In-Reply-To:
References:
Message-ID: <1531440226.10591.1.camel@acutus.pro>

Hi Vandana,

Congratulations, disabling the master realm is a landmine each aspiring Keycloak guru must step on :)

Unfortunately, CLI and REST API won't help you here, since they require authentication, and authentication is no longer possible due to the disabled realm.

You should connect to your database and issue an SQL statement:

UPDATE realm SET enabled = true WHERE id = 'master';

Then try to log in to the admin console once again.

Cheers,
Dmitry

On Thu, 2018-07-12 at 13:57 -0500, vandana thota wrote:
> I am not able to open the Keycloak console.
> It is showing, as in the attachment, that the realm is not enabled.
>
> So how can I do it by using the command line interface?
>
> What command do I have to run to enable the master realm,
> so that I can
> open the Keycloak admin console?
>
>
>
> On Thu, Jul 12, 2018 at 1:53 PM Irtiza Ali wrote:
>
> > Look at the admin API, it might help you.
> >
> > Link: https://www.keycloak.org/docs-api/2.5/rest-api/index.html
> >
> > IA
> >
> > On Thu, Jul 12, 2018 at 11:22 PM, vandana thota
> > wrote:
> >
> > > The Keycloak page is showing "Realm not enabled". How can I enable it
> > > via the command line?
> > >
> > >
> > > Thanks,
> > > Vandana
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vandana0242 at gmail.com Fri Jul 13 00:05:08 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 12 Jul 2018 23:05:08 -0500
Subject: [keycloak-user] how to enable realm
In-Reply-To: <1531440226.10591.1.camel@acutus.pro>
References: <1531440226.10591.1.camel@acutus.pro>
Message-ID:

I did not set up any database yet. How do I have to set it up?

Thanks,
Vandana

On Thu, Jul 12, 2018 at 7:03 PM Dmitry Telegin
wrote:

> Hi Vandana,
>
> Congratulations, disabling the master realm is a landmine each aspiring
> Keycloak guru must step on :)
>
> Unfortunately, CLI and REST API won't help you here, since they require
> authentication, and authentication is no longer possible due to the disabled
> realm.
>
> You should connect to your database and issue an SQL statement:
>
> UPDATE realm SET enabled = true WHERE id = 'master';
>
>
> Then try to log in to the admin console once again.
>
>
> Cheers,
>
> Dmitry
>
>
> On Thu, 2018-07-12 at 13:57 -0500, vandana thota wrote:
>
> I am not able to open the Keycloak console.
> It is showing, as in the attachment, that the realm is not enabled.
>
> So how can I do it by using the command line interface?
>
> What command do I have to run to enable the master realm, so that I can
> open the Keycloak admin console?
>
>
>
> On Thu, Jul 12, 2018 at 1:53 PM Irtiza Ali wrote:
>
>
> Look at the admin API, it might help you.
>
> Link: https://www.keycloak.org/docs-api/2.5/rest-api/index.html
>
> IA
>
> On Thu, Jul 12, 2018 at 11:22 PM, vandana thota
> wrote:
>
>
> The Keycloak page is showing "Realm not enabled". How can I enable it
> via the command line?
>
>
> Thanks,
> Vandana
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
>

From vandana0242 at gmail.com Fri Jul 13 00:06:50 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 12 Jul 2018 23:06:50 -0500
Subject: [keycloak-user] ERROR [org.keycloak.services.resources.IdentityBrokerService]
In-Reply-To: <20180712232315.GB18758@abstractj.org>
References: <20180712232315.GB18758@abstractj.org>
Message-ID:

You have posted for this warning:
4:10:39,362 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread Pool -- 47) HHH000431: Unable to determine H2 database version, certain features m work

I want to know the actual solution for the error below:

14:11:51,669 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-2) invalidRequestMessage

And also the warnings below:

14:11:30,567 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
14:11:30,568 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-1) invalidRequestMessage
14:11:51,668 WARN [org.keycloak.events] (default task-2) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.9.7.2,=invalidRequestMessage

On Thu, Jul 12, 2018 at 6:23 PM Bruno Oliveira wrote:
> Maybe this link answers your question?
>
> https://stackoverflow.com/questions/38157862/hhh000431-unable-to-determine-h2-database-version-certain-features-may-not-wor
>
> On 2018-07-11, vandana thota wrote:
> > Hello
> >
> > While configuring single sign-on for the application deployed on
> > WildFly, using Keycloak and an external identity provider, we came
> > across the errors and warnings below.
> >
> > How to resolve the warnings & errors below?
> >
> >
> > 14:10:39,362 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread
> > Pool -- 47) HHH000431: Unable to determine H2 database version, certain
> > features m work
> > 14:11:30,567 WARN [org.keycloak.events] (default task-1)
> > type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null,
> > userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
> > 14:11:30,568 ERROR [org.keycloak.services.resources.IdentityBrokerService]
> > (default task-1) invalidRequestMessage
> > 14:11:51,668 WARN [org.keycloak.events] (default task-2)
> > type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null,
> > userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
> > 14:11:51,669 ERROR [org.keycloak.services.resources.IdentityBrokerService]
> > (default task-2) invalidRequestMessage
> >
> >
> > Thanks,
> > Vandana
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
>
> abstractj
>

From iali at an10.io Fri Jul 13 00:50:22 2018
From: iali at an10.io (Irtiza Ali)
Date: Fri, 13 Jul 2018 09:50:22 +0500
Subject: [keycloak-user] how to enable realm
In-Reply-To:
References: <1531440226.10591.1.camel@acutus.pro>
Message-ID:

If you have done anything, then remove the Keycloak instance and its dependencies.

On Fri, Jul 13, 2018 at 9:05 AM, vandana thota wrote:
> I did not set up any database yet. How do I have to set it up?
>
> Thanks,
> Vandana
>
> On Thu, Jul 12, 2018 at 7:03 PM Dmitry Telegin
> wrote:
>
> > Hi Vandana,
> >
> > Congratulations, disabling the master realm is a landmine each aspiring
> > Keycloak guru must step on :)
> >
> > Unfortunately, CLI and REST API won't help you here, since they require
> > authentication, and authentication is no longer possible due to the disabled
> > realm.
> >
> > You should connect to your database and issue an SQL statement:
> >
> > UPDATE realm SET enabled = true WHERE id = 'master';
> >
> >
> > Then try to log in to the admin console once again.
> >
> >
> > Cheers,
> >
> > Dmitry
> >
> >
> > On Thu, 2018-07-12 at 13:57 -0500, vandana thota wrote:
> >
> > I am not able to open the Keycloak console.
> > It is showing, as in the attachment, that the realm is not enabled.
> >
> > So how can I do it by using the command line interface?
> >
> > What command do I have to run to enable the master realm, so that I can
> > open the Keycloak admin console?
> >
> >
> >
> > On Thu, Jul 12, 2018 at 1:53 PM Irtiza Ali wrote:
> >
> >
> > Look at the admin API, it might help you.
> >
> > Link: https://www.keycloak.org/docs-api/2.5/rest-api/index.html
> >
> > IA
> >
> > On Thu, Jul 12, 2018 at 11:22 PM, vandana thota
> > wrote:
> >
> >
> > The Keycloak page is showing "Realm not enabled". How can I enable it
> > via the command line?
> >
> >
> > Thanks,
> > Vandana
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From vandana0242 at gmail.com Fri Jul 13 01:12:32 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Fri, 13 Jul 2018 01:12:32 -0400
Subject: [keycloak-user] how to enable realm
In-Reply-To:
References: <1531440226.10591.1.camel@acutus.pro>
Message-ID:

Thanks Ali. It worked.

On Fri, Jul 13, 2018 at 12:50 AM Irtiza Ali wrote:
> If you have done anything, then remove the Keycloak instance and its
> dependencies.
>
> On Fri, Jul 13, 2018 at 9:05 AM, vandana thota
> wrote:
>
>> I did not set up any database yet. How do I have to set it up?
>>
>> Thanks,
>> Vandana
>>
>> On Thu, Jul 12, 2018 at 7:03 PM Dmitry Telegin
>> wrote:
>>
>> > Hi Vandana,
>> >
>> > Congratulations, disabling the master realm is a landmine each aspiring
>> > Keycloak guru must step on :)
>> >
>> > Unfortunately, CLI and REST API won't help you here, since they require
>> > authentication, and authentication is no longer possible due to the disabled
>> > realm.
>> >
>> > You should connect to your database and issue an SQL statement:
>> >
>> > UPDATE realm SET enabled = true WHERE id = 'master';
>> >
>> >
>> > Then try to log in to the admin console once again.
>> >
>> >
>> > Cheers,
>> >
>> > Dmitry
>> >
>> >
>> > On Thu, 2018-07-12 at 13:57 -0500, vandana thota wrote:
>> >
>> > I am not able to open the Keycloak console.
>> > It is showing, as in the attachment, that the realm is not enabled.
>> >
>> > So how can I do it by using the command line interface?
>> >
>> > What command do I have to run to enable the master realm, so that I can
>> > open the Keycloak admin console?
>> >
>> >
>> >
>> > On Thu, Jul 12, 2018 at 1:53 PM Irtiza Ali wrote:
>> >
>> >
>> > Look at the admin API, it might help you.
>> >
>> > Link: https://www.keycloak.org/docs-api/2.5/rest-api/index.html
>> >
>> > IA
>> >
>> > On Thu, Jul 12, 2018 at 11:22 PM, vandana thota
>> > wrote:
>> >
>> >
>> > The Keycloak page is showing "Realm not enabled". How can I enable it
>> > via the command line?
>> >
>> >
>> > Thanks,
>> > Vandana
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> >
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>

From francisco.bermejo.herrera at tecsisa.com Fri Jul 13 03:39:50 2018
From: francisco.bermejo.herrera at tecsisa.com (Francisco José Bermejo Herrera)
Date: Fri, 13 Jul 2018 09:39:50 +0200
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To:
References:
Message-ID: <1531467590.8726.0@smtp.gmail.com>

Thanks for your reply. Yes, that behavior would be perfect.

2018-07-12 15:28 GMT+02:00 Pedro Igor Silva:
> Hi,
>
> Currently, we just set upgraded == true if an rpt was provided. I
> think we can change the behavior to:
>
> * Set upgraded == false if any permission granted by the RPT was
>   denied
> * DENY request if ALL permissions from ticket were denied (and avoid
>   issuing a new rpt == previous rpt)
>
> Wdyt?
>
>
> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera
> wrote:
>> Hello, we are testing Keycloak 4.1.0.Final for authentication and
>> authorization (UMA 2.0 flow).
>>
>> Some assumptions:
>>
>> - The Resource Server owns the resource Foo, and protects it by using
>>   two scope-based permissions, one requiring READ scope, and the other one
>>   requiring WRITE scope.
>> - User Alice has been granted READ scope for resource Foo.
>> - We are not using Policy Enforcers. Enforcement will be implemented at
>>   the Resource Server.
>>
>> We are modeling the following flow:
>>
>> 1.
>>    The Requesting Party (Alice) requests access to resource Foo in the
>>    Resource Server. This request DOES NOT provide an RPT.
>> 2. The Resource Server detects the absence of RPT, so it requests a
>>    Permission Ticket to Keycloak, for the Foo resource and both READ
>>    and WRITE scopes (providing a valid PAT).
>> 3. Keycloak returns a valid Permission Ticket to the Resource Server.
>> 4. The Resource Server returns the Permission Ticket (including the
>>    Keycloak token URI
>>    (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token)
>>    at the WWW-Authorization header) with status code 401 to the
>>    Requesting Party.
>> 5. The Requesting Party sends the Permission Ticket (for the Foo
>>    resource and both READ and WRITE scopes) to Keycloak, in order to
>>    get a valid RPT.
>>
>> Here is where things start to get confusing. We expected that Keycloak
>> would reject the authorization request due to failed permission evaluation
>> (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope).
>> Nevertheless, Keycloak returns a valid RPT, granting permission for
>> resource Foo (just for READ scope).
>>
>> We are aware that this behavior is UMA 2.0 compliant:
>>
>> > If the value is non-null and CandidateGrantedScopes < RequestedScopes, the
>> > authorization server MUST subsequently issue either an RPT containing
>> > CandidateGrantedScopes (upgrading as appropriate; see below), or one of the
>> > error codes. The reason for the two options is that granting only partial
>> > scopes may not be useful for the client's and requesting party's purposes
>> > in seeking authorization for access.
>>
>> But as the RFC explicitly points out, this behavior may not be useful for
>> the client. We think that the RFC is right, because this renders the client
>> unable to tell whether the authorization has been partially or completely
>> fulfilled.
>> And consequently the Resource Server will request again a
>> Permission Ticket for the Foo resource and both READ and WRITE scopes, so
>> the whole flow will be repeated over and over again. If this is Keycloak's
>> expected behavior, how can we avoid the infinite loops?
>>
>> Another question is, when providing a valid RPT along with a Permission
>> Ticket, why does Keycloak deem an RPT as upgraded = true even when the
>> requested resource has not been authorized? It returns the same RPT with
>> just jti, exp and iat updated. Since we think that the Authorization Server
>> must be the one stopping the UMA flow, should not Keycloak return a 403
>> Forbidden instead? Is this behavior configurable in any way?
>>
>> Thank you in advance!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From nikola.malenic at netsetglobal.rs Fri Jul 13 03:49:20 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Fri, 13 Jul 2018 09:49:20 +0200
Subject: [keycloak-user] Frontend and backend on separate servers
Message-ID: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs>

I would like to host the backend on a secured network, i.e. it would be accessible only from certain IPs. The frontend (Angular application) would be served by a different server in the public zone, which would have access to the secured network because requests from its IP would be allowed to go through the firewall.

Is it possible to achieve this in an easy way? I wouldn't like to implement proxy endpoints for all backend services in the secured zone.
Many thanks,
Nikola

From francisco.bermejo.herrera at tecsisa.com Fri Jul 13 04:17:29 2018
From: francisco.bermejo.herrera at tecsisa.com (Francisco José Bermejo Herrera)
Date: Fri, 13 Jul 2018 10:17:29 +0200
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To:
References:
Message-ID: <1531469849.8726.1@smtp.gmail.com>

If Keycloak behavior is changed according to your proposal described in your previous message, then there shouldn't be any problem with authz requests in our model.

It is true that the scopes described in our example are a bit misleading. Think about something like READ and READ-PREMIUM instead, used at a GET endpoint, and the Resource Server just checks whether one of these scopes is contained in the RPT, returning a ticket with READ and READ-PREMIUM when none of them has been provided. When the Client requests the new RPT by using the ticket, Keycloak would return an RPT including either READ or READ-PREMIUM, or 403 Forbidden.

As I said before, this is perfectly aligned with the new Keycloak behavior.

On Thu, Jul 12, 2018 at 7:35, Pedro Igor Silva wrote:
>
>
> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera
> wrote:
>> Hello, we are testing Keycloak 4.1.0.Final for authentication and
>> authorization (UMA 2.0 flow).
>>
>> Some assumptions:
>>
>> - The Resource Server owns the resource Foo, and protects it by using
>>   two scope-based permissions, one requiring READ scope, and the other one
>>   requiring WRITE scope.
>> - User Alice has been granted READ scope for resource Foo.
>> - We are not using Policy Enforcers. Enforcement will be implemented at
>>   the Resource Server.
>>
>> We are modeling the following flow:
>>
>> 1. The Requesting Party (Alice) requests access to resource Foo in the
>>    Resource Server. This request DOES NOT provide an RPT.
>> 2.
>>    The Resource Server detects the absence of RPT, so it requests a
>>    Permission Ticket to Keycloak, for the Foo resource and both READ
>>    and WRITE scopes (providing a valid PAT).
>> 3. Keycloak returns a valid Permission Ticket to the Resource Server.
>> 4. The Resource Server returns the Permission Ticket (including the
>>    Keycloak token URI
>>    (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token)
>>    at the WWW-Authorization header) with status code 401 to the
>>    Requesting Party.
>> 5. The Requesting Party sends the Permission Ticket (for the Foo
>>    resource and both READ and WRITE scopes) to Keycloak, in order to
>>    get a valid RPT.
>>
>> Here is where things start to get confusing. We expected that Keycloak
>> would reject the authorization request due to failed permission evaluation
>> (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope).
>> Nevertheless, Keycloak returns a valid RPT, granting permission for
>> resource Foo (just for READ scope).
>>
>> We are aware that this behavior is UMA 2.0 compliant:
>>
>> > If the value is non-null and CandidateGrantedScopes < RequestedScopes, the
>> > authorization server MUST subsequently issue either an RPT containing
>> > CandidateGrantedScopes (upgrading as appropriate; see below), or one of the
>> > error codes. The reason for the two options is that granting only partial
>> > scopes may not be useful for the client's and requesting party's purposes
>> > in seeking authorization for access.
>>
>> But as the RFC explicitly points out, this behavior may not be useful for
>> the client. We think that the RFC is right, because this renders the client
>> unable to tell whether the authorization has been partially or completely
>> fulfilled. And consequently the Resource Server will request again a
>> Permission Ticket for the Foo resource and both READ and WRITE scopes, so
>> the whole flow will be repeated over and over again.
>> If this is Keycloak's
>> expected behavior, how can we avoid the infinite loops?
>
> For this particular case, each scope is associated with a specific
> HTTP method? Can't you obtain tickets accordingly, including only the
> scopes you need?
>
> As you noticed, by default, Keycloak issues an RPT for any
> resource/scope you sent along with an authorization request. Resource
> servers (or clients sending authz requests directly without a ticket)
> should be able to ask only for specific resources/scopes.
>
>>
>> Another question is, when providing a valid RPT along with a Permission
>> Ticket, why does Keycloak deem an RPT as upgraded = true even when the
>> requested resource has not been authorized? It returns the same RPT with
>> just jti, exp and iat updated. Since we think that the Authorization Server
>> must be the one stopping the UMA flow, should not Keycloak return a 403
>> Forbidden instead? Is this behavior configurable in any way?
>>
>> Thank you in advance!
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From psilva at redhat.com Fri Jul 13 08:26:57 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 13 Jul 2018 09:26:57 -0300
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To: <1531469849.8726.1@smtp.gmail.com>
References: <1531469849.8726.1@smtp.gmail.com>
Message-ID:

I see. Just to make sure we are aligned, the changes I'm proposing are more aligned with the spec and provide:

* Only mark RPT as upgraded if ALL permissions granted by a previous RPT were granted
* DENY authorization requests in case you are sending a previously issued RPT and ANY additional permissions in a ticket are DENIED.
* Still keep current behavior where the server may grant additional permissions even though you requested only a subset of them.
  E.g.: You ask for resource "foo" + scope "a" and the server may grant resource "foo" + scope "a" and "b".

On Fri, Jul 13, 2018 at 5:17 AM, Francisco José Bermejo Herrera <
francisco.bermejo.herrera at tecsisa.com> wrote:

> If Keycloak behavior is changed according to your proposal described in
> your previous message, then there shouldn't be any problem with authz
> requests in our model.
>
> It is true that the scopes described in our example are a bit misleading.
> Think about something like READ and READ-PREMIUM instead, used at a GET
> endpoint, and the Resource Server just checks whether one of these scopes
> is contained in the RPT, returning a ticket with READ and READ-PREMIUM when
> none of them has been provided. When the Client requests the new RPT by
> using the ticket, Keycloak would return an RPT including either READ or
> READ-PREMIUM, or 403 Forbidden.
>
> As I said before, this is perfectly aligned with the new Keycloak behavior.
>
> On Thu, Jul 12, 2018 at 7:35, Pedro Igor Silva wrote:
>
>
> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera <
> francisco.bermejo.herrera at tecsisa.com> wrote:
>
>> Hello, we are testing Keycloak 4.1.0.Final for authentication and
>> authorization (UMA 2.0 flow).
>>
>> Some assumptions:
>>
>> - The Resource Server owns the resource Foo, and protects it by using
>>   two scope-based permissions, one requiring READ scope, and the other one
>>   requiring WRITE scope.
>> - User Alice has been granted READ scope for resource Foo.
>> - We are not using Policy Enforcers. Enforcement will be implemented at
>>   the Resource Server.
>>
>> We are modeling the following flow:
>>
>> 1. The Requesting Party (Alice) requests access to resource Foo in the
>>    Resource Server. This request DOES NOT provide an RPT.
>> 2. The Resource Server detects the absence of RPT, so it requests a
>>    Permission Ticket to Keycloak, for the Foo resource and both READ and
>>    WRITE scopes (providing a valid PAT).
>> 3.
Keycloak returns a valid Permission Ticket to the Resource Server. >> 4. The Resource Server returns the Permission Ticket (including >> Keycloak >> token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid >> -connect/token) >> at WWW-Authorization header) with status code 401 to the Requesting >> Party. >> 5. The Requesting Party sends the Permission Ticket (for the Foo >> resource and both READ and WRITE scopes) to Keycloak, in order to get a >> valid RPT. >> >> Here is where things start to get confusing. We expected that Keycloak >> would reject the authorization request due to failed permission evaluation >> (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope). >> Nevertheless, Keycloak returns a valid RPT, granting permission for >> resource Foo (just for READ scope). >> >> We are aware that this behavior is UMA 2.0 compliant >> > html#rfc.section.3.6.4> >> : >> >> > If the value is non-null and CandidateGrantedScopes < RequestedScopes, >> the >> > authorization server MUST subsequently issue either an RPT containing >> > CandidateGrantedScopes (upgrading as appropriate; see below), or one of >> the >> > error codes. The reason for the two options is that granting only >> partial >> > scopes may not be useful for the client's and requesting party's >> purposes >> > in seeking authorization for access. >> >> >> But as the RFC explicitly points out, this behavior may not be useful for >> the client. We think that the RFC is right, because this renders the >> client >> unable to tell whether the authorization has been partially or completely >> fulfilled. And consequently the Resource Server will request again a >> Permission Ticket for the Foo resource and both READ and WRITE scopes, so >> the whole flow will be repeated over and over again. If this is Keycloak >> expected behavior, how can we avoid the infinite loops? >> > > For this particular case, each scope is associated with a specific HTTP > method ? 
Can't you obtain tickets accordingly including only the scopes you > need ? > > As you noticed, by default, Keycloak issues a RPT for any resource/scope > you sent along with an authorization request. Resource servers (or clients > sending authz requests directly without ticket) should be able to ask only > for specific resources/scopes. > > >> >> Another question is, when providing a valid RPT along with a Permission >> Ticket, why Keycloak deems an RPT as upgraded = true even when the >> requested resource has not been authorized? It returns the same RPT with >> just jti, exp and iat updated. Since we think that the Authorization >> Server >> must be the one stopping the UMA flow, should not Keycloak return a 403 >> Forbidden instead? Is this behavior configurable in any way? >> >> Thank you in advance! >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From francisco.bermejo.herrera at tecsisa.com Fri Jul 13 08:47:29 2018 From: francisco.bermejo.herrera at tecsisa.com (Francisco =?iso-8859-1?b?Sm9z6Q==?= Bermejo Herrera) Date: Fri, 13 Jul 2018 14:47:29 +0200 Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation In-Reply-To: References: <1531469849.8726.1@smtp.gmail.com> Message-ID: <1531486050.8726.2@smtp.gmail.com> We're OK with all your changes. But, just a quick remark, you say: > Still keep current behavior where the server may grant additional > permissions even though you requested only a sub set of them. E.g.: > You ask for source "foo" + scope "a" and the server may grant > resource "foo" + scope "a" and "b". IMHO this isn't the current behavior, since if you ask for resource "foo" + scope "a", the server grants "foo" + scope "a". But, it is true that if you ask for resource "foo" + any scope (by leaving scope empty), the server may grant you resource "foo" + scope "a" and "b". 
For example:

- Ticket request (just "read" scope)

> POST /auth/realms/TestRealm/authz/protection/permission HTTP/1.1
> Host: 127.0.0.1:8080
> Content-Type: application/json
> Authorization: Bearer eyJ...
>
> [
>   {"resource_id": "fooresources", "resource_scopes": ["read"]}
> ]

- RPT issued using the ticket (note: Alice has permissions for both "read" and "write" scopes)

> {
>   "jti": "2a8a98ed-f058-4d4d-8321-1501896f773d",
>   "exp": 1531489206,
>   "nbf": 0,
>   "iat": 1531485606,
>   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
>   "aud": "auth-demo-ws",
>   "sub": "4c3b0694-c1fe-405a-ac35-d4cf9e14aabd",
>   "typ": "Bearer",
>   "azp": "auth-demo-webapp",
>   "auth_time": 0,
>   "session_state": "34a4ec1e-9bd3-4413-b785-ae0dda7287d6",
>   "acr": "1",
>   "allowed-origins": [],
>   "realm_access": {"roles": ["offline_access", "uma_authorization"]},
>   "resource_access": {
>     "auth-demo-webapp": {"roles": ["owner"]},
>     "auth-demo-ws": {"roles": ["fooresource-reader", "fooresource-writer"]}
>   },
>   "authorization": {
>     "permissions": [
>       {"scopes": ["read"], "rsid": "dbc5e6a1-d65a-4510-b354-d12b8dd67dc2", "rsname": "fooresources"}
>     ]
>   },
>   "scope": "email profile",
>   "tenant_id": "12345",
>   "email_verified": true,
>   "roles": ["role_owner"],
>   "name": "Alice Brown",
>   "groups": ["/auth-demo/admin"],
>   "preferred_username": "alice",
>   "given_name": "Alice",
>   "family_name": "Brown",
>   "email": "alice at test.com"
> }

On vie, jul 13, 2018 at 2:26, Pedro Igor Silva wrote:
> I see. Just to make sure we are aligned. The changes I'm proposing are more aligned with spec and provide:
>
> * Only mark RPT as upgraded if ALL permissions granted by a previous RPT were granted
> * DENY authorization requests in case you are sending a previously issued RPT and ANY additional permissions in a ticket are DENIED.
> * Still keep current behavior where the server may grant additional permissions even though you requested only a subset of them. E.g.: You ask for resource "foo" + scope "a" and the server may grant resource "foo" + scope "a" and "b".
>
> On Fri, Jul 13, 2018 at 5:17 AM, Francisco José Bermejo Herrera wrote:
>> If Keycloak behavior is changed according to your proposal described in your previous message, then there shouldn't be any problem with authz requests in our model.
>>
>> It is true that the scopes described in our example are a bit misleading. Think about something like READ and READ-PREMIUM instead, used at a GET endpoint, and the Resource Server just checks whether one of these scopes is contained in the RPT, returning a ticket with READ and READ-PREMIUM when none of them has been provided. When the Client requests the new RPT by using the ticket, Keycloak would return an RPT including either READ or READ-PREMIUM, or 403 Forbidden.
>>
>> As I said before, this is perfectly aligned with the new Keycloak behavior.
>>
>> On jue, jul 12, 2018 at 7:35, Pedro Igor Silva wrote:
>>>
>>> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera wrote:
>>>> Hello, we are testing Keycloak 4.1.0.Final for authentication and authorization (UMA 2.0 flow).
>>>>
>>>> Some assumptions:
>>>>
>>>> - The Resource Server owns the resource Foo, and protects it by using two scope-based permissions, one requiring READ scope, and the other one requiring WRITE scope.
>>>> - User Alice has been granted READ scope for resource Foo.
>>>> - We are not using Policy Enforcers. Enforcement will be implemented at the Resource Server.
>>>>
>>>> We are modeling the following flow:
>>>>
>>>> 1. The Requesting Party (Alice) requests access to resource Foo in the Resource Server. This request DOES NOT provide an RPT.
>>>> 2. The Resource Server detects the absence of RPT, so it requests a Permission Ticket to Keycloak, for the Foo resource and both READ and WRITE scopes (providing a valid PAT).
>>>> 3. Keycloak returns a valid Permission Ticket to the Resource Server.
>>>> 4. The Resource Server returns the Permission Ticket (including Keycloak token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token) at WWW-Authorization header) with status code 401 to the Requesting Party.
>>>> 5. The Requesting Party sends the Permission Ticket (for the Foo resource and both READ and WRITE scopes) to Keycloak, in order to get a valid RPT.
>>>>
>>>> Here is where things start to get confusing. We expected that Keycloak would reject the authorization request due to failed permission evaluation (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope). Nevertheless, Keycloak returns a valid RPT, granting permission for resource Foo (just for READ scope).
>>>>
>>>> We are aware that this behavior is UMA 2.0 compliant:
>>>>
>>>> > If the value is non-null and CandidateGrantedScopes < RequestedScopes, the authorization server MUST subsequently issue either an RPT containing CandidateGrantedScopes (upgrading as appropriate; see below), or one of the error codes. The reason for the two options is that granting only partial scopes may not be useful for the client's and requesting party's purposes in seeking authorization for access.
>>>>
>>>> But as the RFC explicitly points out, this behavior may not be useful for the client. We think that the RFC is right, because this renders the client unable to tell whether the authorization has been partially or completely fulfilled.
>>>> And consequently the Resource Server will request again a Permission Ticket for the Foo resource and both READ and WRITE scopes, so the whole flow will be repeated over and over again. If this is Keycloak expected behavior, how can we avoid the infinite loops?
>>>
>>> For this particular case, each scope is associated with a specific HTTP method? Can't you obtain tickets accordingly including only the scopes you need?
>>>
>>> As you noticed, by default, Keycloak issues an RPT for any resource/scope you sent along with an authorization request. Resource servers (or clients sending authz requests directly without ticket) should be able to ask only for specific resources/scopes.
>>>
>>>> Another question is, when providing a valid RPT along with a Permission Ticket, why Keycloak deems an RPT as upgraded = true even when the requested resource has not been authorized? It returns the same RPT with just jti, exp and iat updated. Since we think that the Authorization Server must be the one stopping the UMA flow, should not Keycloak return a 403 Forbidden instead? Is this behavior configurable in any way?
>>>>
>>>> Thank you in advance!
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From alatwork at gmx.com Fri Jul 13 10:58:55 2018
From: alatwork at gmx.com (Alvin Alf)
Date: Fri, 13 Jul 2018 16:58:55 +0200
Subject: [keycloak-user] OAuth 2.0 Extension Grants?

Sent this in HTML by accident. Let's try this again.

Does Keycloak (4.0 and up) support custom extension grants?

Relevant section: https://tools.ietf.org/html/rfc6749#section-4.5

Context: My company has a legacy API that rolled its own access token protocol.
I want to create a custom grant type that uses our legacy token as credentials for the token endpoint.

Thanks in advance,
Al

From psilva at redhat.com Fri Jul 13 11:57:45 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 13 Jul 2018 12:57:45 -0300
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
In-Reply-To: <1531486050.8726.2@smtp.gmail.com>
References: <1531469849.8726.1@smtp.gmail.com> <1531486050.8726.2@smtp.gmail.com>

Yeah, you are right. Bad example. I was thinking about asking two scopes and returning only one of them because the other was denied ...

On Fri, Jul 13, 2018 at 9:47 AM, Francisco José Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:
> We're OK with all your changes. But, just a quick remark, you say:
>
> Still keep current behavior where the server may grant additional permissions even though you requested only a subset of them. E.g.: You ask for resource "foo" + scope "a" and the server may grant resource "foo" + scope "a" and "b".
>
> IMHO this isn't the current behavior, since if you ask for resource "foo" + scope "a", the server grants "foo" + scope "a". But, it is true that if you ask for resource "foo" + any scope (by leaving scope empty), the server may grant you resource "foo" + scope "a" and "b".
>
> For example:
>
> - Ticket request (just "read" scope)
>
> POST /auth/realms/TestRealm/authz/protection/permission HTTP/1.1
> Host: 127.0.0.1:8080
> Content-Type: application/json
> Authorization: Bearer eyJ...
>
> [
>   {"resource_id": "fooresources", "resource_scopes": ["read"]}
> ]
>
> - RPT issued using the ticket (note: Alice has permissions for both "read" and "write" scopes)
>
> {
>   "jti": "2a8a98ed-f058-4d4d-8321-1501896f773d",
>   "exp": 1531489206,
>   "nbf": 0,
>   "iat": 1531485606,
>   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
>   "aud": "auth-demo-ws",
>   "sub": "4c3b0694-c1fe-405a-ac35-d4cf9e14aabd",
>   "typ": "Bearer",
>   "azp": "auth-demo-webapp",
>   "auth_time": 0,
>   "session_state": "34a4ec1e-9bd3-4413-b785-ae0dda7287d6",
>   "acr": "1",
>   "allowed-origins": [],
>   "realm_access": {"roles": ["offline_access", "uma_authorization"]},
>   "resource_access": {
>     "auth-demo-webapp": {"roles": ["owner"]},
>     "auth-demo-ws": {"roles": ["fooresource-reader", "fooresource-writer"]}
>   },
>   "authorization": {
>     "permissions": [
>       {"scopes": ["read"], "rsid": "dbc5e6a1-d65a-4510-b354-d12b8dd67dc2", "rsname": "fooresources"}
>     ]
>   },
>   "scope": "email profile",
>   "tenant_id": "12345",
>   "email_verified": true,
>   "roles": ["role_owner"],
>   "name": "Alice Brown",
>   "groups": ["/auth-demo/admin"],
>   "preferred_username": "alice",
>   "given_name": "Alice",
>   "family_name": "Brown",
>   "email": "alice at test.com"
> }
>
> On vie, jul 13, 2018 at 2:26, Pedro Igor Silva wrote:
>
> I see. Just to make sure we are aligned. The changes I'm proposing are more aligned with spec and provide:
>
> * Only mark RPT as upgraded if ALL permissions granted by a previous RPT were granted
> * DENY authorization requests in case you are sending a previously issued RPT and ANY additional permissions in a ticket are DENIED.
> * Still keep current behavior where the server may grant additional permissions even though you requested only a subset of them. E.g.: You ask for resource "foo" + scope "a" and the server may grant resource "foo" + scope "a" and "b".
>
> On Fri, Jul 13, 2018 at 5:17 AM, Francisco José Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:
>
>> If Keycloak behavior is changed according to your proposal described in your previous message, then there shouldn't be any problem with authz requests in our model.
>>
>> It is true that the scopes described in our example are a bit misleading. Think about something like READ and READ-PREMIUM instead, used at a GET endpoint, and the Resource Server just checks whether one of these scopes is contained in the RPT, returning a ticket with READ and READ-PREMIUM when none of them has been provided. When the Client requests the new RPT by using the ticket, Keycloak would return an RPT including either READ or READ-PREMIUM, or 403 Forbidden.
>>
>> As I said before, this is perfectly aligned with the new Keycloak behavior.
>>
>> On jue, jul 12, 2018 at 7:35, Pedro Igor Silva wrote:
>>
>> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:
>>
>>> Hello, we are testing Keycloak 4.1.0.Final for authentication and authorization (UMA 2.0 flow).
>>>
>>> Some assumptions:
>>>
>>> - The Resource Server owns the resource Foo, and protects it by using two scope-based permissions, one requiring READ scope, and the other one requiring WRITE scope.
>>> - User Alice has been granted READ scope for resource Foo.
>>> - We are not using Policy Enforcers. Enforcement will be implemented at the Resource Server.
>>>
>>> We are modeling the following flow:
>>>
>>> 1. The Requesting Party (Alice) requests access to resource Foo in the Resource Server. This request DOES NOT provide an RPT.
>>> 2. The Resource Server detects the absence of RPT, so it requests a Permission Ticket to Keycloak, for the Foo resource and both READ and WRITE scopes (providing a valid PAT).
>>> 3. Keycloak returns a valid Permission Ticket to the Resource Server.
>>> 4. The Resource Server returns the Permission Ticket (including Keycloak token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token) at WWW-Authorization header) with status code 401 to the Requesting Party.
>>> 5. The Requesting Party sends the Permission Ticket (for the Foo resource and both READ and WRITE scopes) to Keycloak, in order to get a valid RPT.
>>>
>>> Here is where things start to get confusing. We expected that Keycloak would reject the authorization request due to failed permission evaluation (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope). Nevertheless, Keycloak returns a valid RPT, granting permission for resource Foo (just for READ scope).
>>>
>>> We are aware that this behavior is UMA 2.0 compliant tml#rfc.section.3.6.4>:
>>>
>>> > If the value is non-null and CandidateGrantedScopes < RequestedScopes, the authorization server MUST subsequently issue either an RPT containing CandidateGrantedScopes (upgrading as appropriate; see below), or one of the error codes. The reason for the two options is that granting only partial scopes may not be useful for the client's and requesting party's purposes in seeking authorization for access.
>>>
>>> But as the RFC explicitly points out, this behavior may not be useful for the client. We think that the RFC is right, because this renders the client unable to tell whether the authorization has been partially or completely fulfilled. And consequently the Resource Server will request again a Permission Ticket for the Foo resource and both READ and WRITE scopes, so the whole flow will be repeated over and over again. If this is Keycloak expected behavior, how can we avoid the infinite loops?
>>
>> For this particular case, each scope is associated with a specific HTTP method? Can't you obtain tickets accordingly including only the scopes you need?
>>
>> As you noticed, by default, Keycloak issues an RPT for any resource/scope you sent along with an authorization request. Resource servers (or clients sending authz requests directly without ticket) should be able to ask only for specific resources/scopes.
>>
>>> Another question is, when providing a valid RPT along with a Permission Ticket, why Keycloak deems an RPT as upgraded = true even when the requested resource has not been authorized? It returns the same RPT with just jti, exp and iat updated. Since we think that the Authorization Server must be the one stopping the UMA flow, should not Keycloak return a 403 Forbidden instead? Is this behavior configurable in any way?
>>>
>>> Thank you in advance!
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From max.allan+keycloak at surevine.com Fri Jul 13 12:30:51 2018
From: max.allan+keycloak at surevine.com (Max Allan)
Date: Fri, 13 Jul 2018 17:30:51 +0100
Subject: [keycloak-user] Keycloak as OIDC provider to AWS ALB, any hints!

Hi,

The AWS ALB will allow you to authenticate to cognito or OIDC nowadays. I thought "Great, I can connect it up to my KeyCloak". Sadly not. Well, I can connect it to KeyCloak and see sensible looking headers and JWTs flowing back and forth.
And then the ALB says "500 Internal Server Error" :-(

I can see a request to keycloak (from the client):
https://auth.care.surevine.com/auth/realms/care/protocol/openid-connect/auth?client_id=jira&redirect_uri=https%3A%2F%2Fdev.care.surevine.com%2Foauth2%2Fidpresponse&response_type=code&scope=email&state=8sp1j3N3baPa1r%2BEjDViEe5S2%2BOFqfbafOydLei7YpkSf99waAoS32Ndkj4QUf%2FQ29LfaaUJNIMifQ4N53Tg%2BGSwb2zbgvsHrCfcARJWICHRhpZ2zpvGZbzJd8T%2FV5QUhHWL7kTGpscgOgpaMAPquI6QPbYLxRE2ekpN73XhRTQ4LBFoSUCfHW60x70vTJ3SbPTwkTFbwyZ%2FBVo%3D

And it 302 redirects back to the ALB:
https://dev.care.surevine.com/oauth2/idpresponse?state=8sp1j3N3baPa1r%2BEjDViEe5S2%2BOFqfbafOydLei7YpkSf99waAoS32Ndkj4QUf%2FQ29LfaaUJNIMifQ4N53Tg%2BGSwb2zbgvsHrCfcARJWICHRhpZ2zpvGZbzJd8T%2FV5QUhHWL7kTGpscgOgpaMAPquI6QPbYLxRE2ekpN73XhRTQ4LBFoSUCfHW60x70vTJ3SbPTwkTFbwyZ%2FBVo%3D&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..1WmnIXPxo_LeP7ERufRgtw.cFEmEJV_q94bhpBQLz0QEzSYitZtCgIGc5295VHbhwreJn9e4rxWolcRSPLz1VtliniI-MgSZ8wRoyNYYPiAUdXZ4z53__Z2CoRNMr0xNg96S0u5Xobo3EEzKy37x_9flU2ypWxfehQ-ZaXFoQhY6xL6y8QADlM-DmaR27bL5WUGYsTUQg5PY695PiygS7u3yQM1zUjHO2T3iROOuNr_5S-6LyaUo8GWD1XSMxp9ydlJTm-oC8Lmh2tCDvhRoJqj.amBQSuQIGlk7Ganopg4O2A

On the KeyCloak server I can see the POST requests from the browser coming in and hitting the authenticate URL, KC hands back a 302 (the URL above). Then the ALB does a POST to the token endpoint and gets a 200 response with a nice chunk of access token. I can decode it and see my details quite happily. I even validated the signature. (Using jwt.io's debugger.) Although the ALB doesn't ask for the certificate at any stage, so I don't think it even bothers validating it.

But it doesn't seem to like it. And gives me a 500 error. (I can authenticate with Google OIDC without any trouble...)
(NB Any secrets in any of those strings won't get you very far, there is no content yet :-) )

From myoder at cloudera.com Fri Jul 13 14:18:53 2018
From: myoder at cloudera.com (Michael Yoder)
Date: Fri, 13 Jul 2018 11:18:53 -0700
Subject: [keycloak-user] Keycloak 3.4.3 + Apache httpd 2.4.6 load balancing proxy -> infinite redirect
References: <1531229422.7582.21.camel@acutus.pro>

To my surprise this seems to have gone away after the upgrade. I'll keep an eye on it, but thanks!

-Mike

On Tue, Jul 10, 2018 at 2:21 PM Michael Yoder wrote:
> On Tue, Jul 10, 2018 at 6:30 AM Dmitry Telegin wrote:
>> Do you experience this issue while trying to log in to Keycloak Admin console itself? Or is it some client application protected by Keycloak? If latter, could you please share client config?
>
> I see this both when logging in to the admin console and to the client application.
> I'll take your suggestion about upgrading and report back later. Thanks for replying!
>
> -Mike

From francisco.bermejo.herrera at tecsisa.com Fri Jul 13 16:51:24 2018
From: francisco.bermejo.herrera at tecsisa.com (Francisco José Bermejo Herrera)
Date: Fri, 13 Jul 2018 22:51:24 +0200
Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation
References: <1531469849.8726.1@smtp.gmail.com> <1531486050.8726.2@smtp.gmail.com>

I see. There is no problem either way.

BTW, we tested your implementation of the proposed changes and it seems to work perfectly. Nice job!

2018-07-13 17:57 GMT+02:00 Pedro Igor Silva:
> Yeah, you are right. Bad example. I was thinking about asking two scopes and returning only one of them because the other was denied ...
>
> On Fri, Jul 13, 2018 at 9:47 AM, Francisco José Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:
>> We're OK with all your changes. But, just a quick remark, you say:
>>
>> Still keep current behavior where the server may grant additional permissions even though you requested only a subset of them. E.g.: You ask for resource "foo" + scope "a" and the server may grant resource "foo" + scope "a" and "b".
>>
>> IMHO this isn't the current behavior, since if you ask for resource "foo" + scope "a", the server grants "foo" + scope "a". But, it is true that if you ask for resource "foo" + any scope (by leaving scope empty), the server may grant you resource "foo" + scope "a" and "b".
>>
>> For example:
>>
>> - Ticket request (just "read" scope)
>>
>> POST /auth/realms/TestRealm/authz/protection/permission HTTP/1.1
>> Host: 127.0.0.1:8080
>> Content-Type: application/json
>> Authorization: Bearer eyJ...
>>
>> [
>>   {"resource_id": "fooresources", "resource_scopes": ["read"]}
>> ]
>>
>> - RPT issued using the ticket (note: Alice has permissions for both "read" and "write" scopes)
>>
>> {
>>   "jti": "2a8a98ed-f058-4d4d-8321-1501896f773d",
>>   "exp": 1531489206,
>>   "nbf": 0,
>>   "iat": 1531485606,
>>   "iss": "http://127.0.0.1:8080/auth/realms/TestRealm",
>>   "aud": "auth-demo-ws",
>>   "sub": "4c3b0694-c1fe-405a-ac35-d4cf9e14aabd",
>>   "typ": "Bearer",
>>   "azp": "auth-demo-webapp",
>>   "auth_time": 0,
>>   "session_state": "34a4ec1e-9bd3-4413-b785-ae0dda7287d6",
>>   "acr": "1",
>>   "allowed-origins": [],
>>   "realm_access": {"roles": ["offline_access", "uma_authorization"]},
>>   "resource_access": {
>>     "auth-demo-webapp": {"roles": ["owner"]},
>>     "auth-demo-ws": {"roles": ["fooresource-reader", "fooresource-writer"]}
>>   },
>>   "authorization": {
>>     "permissions": [
>>       {"scopes": ["read"], "rsid": "dbc5e6a1-d65a-4510-b354-d12b8dd67dc2", "rsname": "fooresources"}
>>     ]
>>   },
>>   "scope": "email profile",
>>   "tenant_id": "12345",
>>   "email_verified": true,
>>   "roles": ["role_owner"],
>>   "name": "Alice Brown",
>>   "groups": ["/auth-demo/admin"],
>>   "preferred_username": "alice",
>>   "given_name": "Alice",
>>   "family_name": "Brown",
>>   "email": "alice at test.com"
>> }
>>
>> On vie, jul 13, 2018 at 2:26, Pedro Igor Silva wrote:
>>
>> I see. Just to make sure we are aligned. The changes I'm proposing are more aligned with spec and provide:
>>
>> * Only mark RPT as upgraded if ALL permissions granted by a previous RPT were granted
>> * DENY authorization requests in case you are sending a previously issued RPT and ANY additional permissions in a ticket are DENIED.
>> * Still keep current behavior where the server may grant additional permissions even though you requested only a subset of them. E.g.: You ask for resource "foo" + scope "a" and the server may grant resource "foo" + scope "a" and "b".
>>
>> On Fri, Jul 13, 2018 at 5:17 AM, Francisco José Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:
>>
>>> If Keycloak behavior is changed according to your proposal described in your previous message, then there shouldn't be any problem with authz requests in our model.
>>>
>>> It is true that the scopes described in our example are a bit misleading. Think about something like READ and READ-PREMIUM instead, used at a GET endpoint, and the Resource Server just checks whether one of these scopes is contained in the RPT, returning a ticket with READ and READ-PREMIUM when none of them has been provided. When the Client requests the new RPT by using the ticket, Keycloak would return an RPT including either READ or READ-PREMIUM, or 403 Forbidden.
>>>
>>> As I said before, this is perfectly aligned with the new Keycloak behavior.
>>>
>>> On jue, jul 12, 2018 at 7:35, Pedro Igor Silva wrote:
>>>
>>> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera <francisco.bermejo.herrera at tecsisa.com> wrote:
>>>
>>>> Hello, we are testing Keycloak 4.1.0.Final for authentication and authorization (UMA 2.0 flow).
>>>>
>>>> Some assumptions:
>>>>
>>>> - The Resource Server owns the resource Foo, and protects it by using two scope-based permissions, one requiring READ scope, and the other one requiring WRITE scope.
>>>> - User Alice has been granted READ scope for resource Foo.
>>>> - We are not using Policy Enforcers. Enforcement will be implemented at the Resource Server.
>>>>
>>>> We are modeling the following flow:
>>>>
>>>> 1. The Requesting Party (Alice) requests access to resource Foo in the Resource Server. This request DOES NOT provide an RPT.
>>>> 2. The Resource Server detects the absence of RPT, so it requests a Permission Ticket to Keycloak, for the Foo resource and both READ and WRITE scopes (providing a valid PAT).
>>>> 3. Keycloak returns a valid Permission Ticket to the Resource Server.
>>>> 4. The Resource Server returns the Permission Ticket (including Keycloak token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token) at WWW-Authorization header) with status code 401 to the Requesting Party.
>>>> 5. The Requesting Party sends the Permission Ticket (for the Foo resource and both READ and WRITE scopes) to Keycloak, in order to get a valid RPT.
>>>>
>>>> Here is where things start to get confusing. We expected that Keycloak would reject the authorization request due to failed permission evaluation (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope). Nevertheless, Keycloak returns a valid RPT, granting permission for resource Foo (just for READ scope).
>>>>
>>>> We are aware that this behavior is UMA 2.0 compliant tml#rfc.section.3.6.4>:
>>>>
>>>> > If the value is non-null and CandidateGrantedScopes < RequestedScopes, the authorization server MUST subsequently issue either an RPT containing CandidateGrantedScopes (upgrading as appropriate; see below), or one of the error codes. The reason for the two options is that granting only partial scopes may not be useful for the client's and requesting party's purposes in seeking authorization for access.
>>>>
>>>> But as the RFC explicitly points out, this behavior may not be useful for the client. We think that the RFC is right, because this renders the client unable to tell whether the authorization has been partially or completely fulfilled. And consequently the Resource Server will request again a Permission Ticket for the Foo resource and both READ and WRITE scopes, so the whole flow will be repeated over and over again. If this is Keycloak expected behavior, how can we avoid the infinite loops?
>>>
>>> For this particular case, each scope is associated with a specific HTTP method? Can't you obtain tickets accordingly including only the scopes you need?
>>>
>>> As you noticed, by default, Keycloak issues an RPT for any resource/scope you sent along with an authorization request. Resource servers (or clients sending authz requests directly without ticket) should be able to ask only for specific resources/scopes.
>>>
>>>> Another question is, when providing a valid RPT along with a Permission Ticket, why Keycloak deems an RPT as upgraded = true even when the requested resource has not been authorized? It returns the same RPT with just jti, exp and iat updated. Since we think that the Authorization Server must be the one stopping the UMA flow, should not Keycloak return a 403 Forbidden instead? Is this behavior configurable in any way?
>>>>
>>>> Thank you in advance!
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From corentin.dupont at gmail.com Sat Jul 14 12:48:40 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Sat, 14 Jul 2018 18:48:40 +0200
Subject: [keycloak-user] Combine grants

Another question for you guys: is it possible to combine grants?
Now to get some permissions, I need to perform 2 requests: USERTOKEN=`curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'username=cdupont&password=password&grant_type=password&client_id=api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r` curl -X POST http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H "Authorization: Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=ce023344-a01e-4d3c-8ba8-dc626e088dfd#sensors:view" The first with grant_type=password and the second with grant_type=urn:ietf:params:oauth:grant-type:uma-ticket. However HTTP requests are expensive... It would be nice to make only one request. From corentin.dupont at gmail.com Sun Jul 15 17:18:05 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Sun, 15 Jul 2018 23:18:05 +0200 Subject: [keycloak-user] Resource unicity Message-ID: Hi, is there a way to configure Keycloak to ensure resource unicity, even with different users? In my application, resources names need to be unique, even if created with different users... Thanks!!! From Ori.Doolman at amdocs.com Mon Jul 16 05:53:07 2018 From: Ori.Doolman at amdocs.com (Ori Doolman) Date: Mon, 16 Jul 2018 09:53:07 +0000 Subject: [keycloak-user] Customizing account change password to send an email Message-ID: Hello, In the Account management page, I have an option to change user's password. Is there any way (SPI) to customize the change password function, and add the ability for sending an email after password is changed ? 
I think the current implementation code is under /keycloak-services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProvider.java Thanks, Ori Doolman Lead Software Architect Amdocs Optima +972 9 778 6914 (office) +972 50 9111442 (mobile) This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, you may review at https://www.amdocs.com/about/email-disclaimer From lrozenblyum at gmail.com Mon Jul 16 06:26:11 2018 From: lrozenblyum at gmail.com (Leonid Rozenblyum) Date: Mon, 16 Jul 2018 13:26:11 +0300 Subject: [keycloak-user] Programmatical users authentication Message-ID: Thanks to REST API we can authenticate admin users who can work on behalf of 'admin-cli' account. Can we authenticate usual users programmatically? From psilva at redhat.com Mon Jul 16 07:52:01 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 16 Jul 2018 08:52:01 -0300 Subject: [keycloak-user] Resource unicity In-Reply-To: References: Message-ID: Hi, There isn't. But you can manage this on your application when creating resources. Regards. Pedro Igor On Sun, Jul 15, 2018 at 6:18 PM, Corentin Dupont wrote: > Hi, > is there a way to configure Keycloak to ensure resource unicity, even with > different users? > In my application, resources names need to be unique, even if created with > different users... > > Thanks!!! 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From stefan.wachter at bosch-si.com Mon Jul 16 07:54:56 2018 From: stefan.wachter at bosch-si.com (stefan.wachter) Date: Mon, 16 Jul 2018 13:54:56 +0200 Subject: [keycloak-user] Introspection of RPT fails In-Reply-To: References: <9706eb13-63d9-6554-ff6d-0093db1ecfb3@bosch-si.com> Message-ID: Any news on this? Should I file a ticket? Best regards, *Stefan Wachter INST-ICM/BSV-BS* Tel. +49(711)811-58477 *Be**QIK * On 10.07.2018 at 17:33, Pedro Igor Silva wrote: > Will check this out. Thanks for the report. > > On Tue, Jul 10, 2018 at 4:57 AM, stefan.wachter > > wrote: > > Hi, > > I have difficulties in determining the cause why introspection of > an RPT > fails. The RPT can be introspected a couple of times before it > fails. In > the log shown below I grepped for "task-26" that seems to have > handled > the failed introspection request. > > I have the impression that the problem is related to token > refreshments. > If the "Access Token Lifespan" is set to a smaller value (e.g. 1 > minute), then the failure happens earlier. In particular, it seems > that > after the SECOND set of token refreshments the introspection > fails. In > detail: > > There are 3 tokens (together with their refresh tokens) involved: > > 1. An IdToken that is used for logging into the web application. The > IdToken is used when a Ticket is exchanged for an RPT (the IdToken is > set as the "claim_token" parameter in the token request). > > 2. An RPT. > > 3. A PAT > > When a request hits the application after the tokens have expired the > first time all tokens are refreshed in turn and the introspection > succeeds. Yet, if a request hits the application after the tokens > have > expired the second time then all tokens are refreshed again (using > the > refresh tokens that were returned on the first refreshment). 
The > following RPT introspection however, fails. > > Has anyone experienced the same failure? > > Thanks for your attention > > Stefan > > > > 06:46:12,779 DEBUG > [org.keycloak.authorization.protection.introspect.RPTIntrospectionProvider] > > (default task-26) Introspecting requesting party token > 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default > task-26) Active key found: realm=device > kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256 > 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default > task-26) Active key found: realm=device > kid=ae1f030a-b3a5-4c9a-875a-a0802119fa2a algorithm=HS256 > 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default > task-26) Active key found: realm=device > kid=2aefcc15-33cf-45f6-a4bf-88535501712c algorithm=AES > 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default > task-26) Active key realm=device > kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256 > 06:46:12,780 TRACE > [org.infinispan.interceptors.InvocationContextInterceptor] (default > task-26) Invoked with command GetKeyValueCommand > {key=device.client.query.by.clientId.web-gui, flags=null} and > InvocationContext > [org.infinispan.context.SingleKeyNonTxInvocationContext at 6cb8a247] > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Exists in context? null > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Retrieved from container > ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, > value=0} > (ignoreOwnership=false, isLocal=true) > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Wrap device.client.query.by.clientId.web-gui for read. 
> Entry=ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, > value=0} > 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] > (default task-26) Executing command: GetKeyValueCommand > {key=device.client.query.by.clientId.web-gui, flags=null}. > 06:46:12,780 TRACE > [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] > (default > task-26) Release locks for keys=[]. owner=null > 06:46:12,780 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-26) client by name cache hit: web-gui > 06:46:12,780 TRACE > [org.infinispan.interceptors.InvocationContextInterceptor] (default > task-26) Invoked with command GetKeyValueCommand > {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and > InvocationContext > [org.infinispan.context.SingleKeyNonTxInvocationContext at 3a2141a6] > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Exists in context? null > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Retrieved from container > ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0} > (ignoreOwnership=false, isLocal=true) > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. > Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, > value=0} > 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] > (default task-26) Executing command: GetKeyValueCommand > {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}. > 06:46:12,780 TRACE > [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] > (default > task-26) Release locks for keys=[]. 
owner=null > 06:46:12,780 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-26) client by id cache hit: web-gui > 06:46:12,780 TRACE > [org.infinispan.interceptors.InvocationContextInterceptor] (default > task-26) Invoked with command GetKeyValueCommand {key=device, > flags=null} and InvocationContext > [org.infinispan.context.SingleKeyNonTxInvocationContext at 2f9442f3] > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Exists in context? null > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Retrieved from container ImmortalCacheEntry{key=device, > value=0} (ignoreOwnership=false, isLocal=true) > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Wrap device for read. > Entry=ImmortalCacheEntry{key=device, value=0} > 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] > (default task-26) Executing command: GetKeyValueCommand {key=device, > flags=null}. > 06:46:12,780 TRACE > [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] > (default > task-26) Release locks for keys=[]. owner=null > 06:46:12,780 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-26) by id cache hit: device > 06:46:12,780 TRACE > [org.infinispan.interceptors.InvocationContextInterceptor] (default > task-26) Invoked with command GetKeyValueCommand > {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and > InvocationContext > [org.infinispan.context.SingleKeyNonTxInvocationContext at 30227841] > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Exists in context? 
null > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Retrieved from container > ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0} > (ignoreOwnership=false, isLocal=true) > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. > Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, > value=0} > 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] > (default task-26) Executing command: GetKeyValueCommand > {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}. > 06:46:12,780 TRACE > [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] > (default > task-26) Release locks for keys=[]. owner=null > 06:46:12,780 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-26) client by id cache hit: web-gui > 06:46:12,780 TRACE > [org.infinispan.interceptors.InvocationContextInterceptor] (default > task-26) Invoked with command GetKeyValueCommand {key=device, > flags=null} and InvocationContext > [org.infinispan.context.SingleKeyNonTxInvocationContext at 19214e98] > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Exists in context? null > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Retrieved from container ImmortalCacheEntry{key=device, > value=0} (ignoreOwnership=false, isLocal=true) > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Wrap device for read. > Entry=ImmortalCacheEntry{key=device, value=0} > 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] > (default task-26) Executing command: GetKeyValueCommand {key=device, > flags=null}. > 06:46:12,780 TRACE > [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] > (default > task-26) Release locks for keys=[]. 
owner=null > 06:46:12,780 TRACE > [org.keycloak.models.cache.infinispan.RealmCacheSession] (default > task-26) by id cache hit: device > 06:46:12,780 DEBUG > [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] > > (default task-26) > getUserSessionWithPredicate(a3320548-da14-4e0c-adc1-5616c9d0c23b): > found > in local cache > 06:46:12,780 TRACE > [org.keycloak.models.cache.infinispan.UserCacheSession] (default > task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c > 06:46:12,780 TRACE > [org.infinispan.interceptors.InvocationContextInterceptor] (default > task-26) Invoked with command GetKeyValueCommand > {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null} and > InvocationContext > [org.infinispan.context.SingleKeyNonTxInvocationContext at 29bd006b] > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Exists in context? null > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Retrieved from container > ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, value=0} > (ignoreOwnership=false, isLocal=true) > 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] > (default > task-26) Wrap d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c for read. > Entry=ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, > value=0} > 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] > (default task-26) Executing command: GetKeyValueCommand > {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null}. > 06:46:12,780 TRACE > [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] > (default > task-26) Release locks for keys=[]. 
owner=null > 06:46:12,780 TRACE > [org.keycloak.models.cache.infinispan.UserCacheSession] (default > task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c > 06:46:12,780 TRACE > [org.keycloak.models.cache.infinispan.UserCacheSession] (default > task-26) return managedusers > 06:46:12,781 TRACE [org.keycloak.events] (default task-26) > type=INTROSPECT_TOKEN_ERROR, realmId=device, > clientId=resource-server, > userId=null, ipAddress=139.15.216.71, error=invalid_request, > detail='Failed to introspect token.', > client_auth_method=client-secret, > requestUri=https://keycloak.apps.de1.bosch-iot-cloud.com/auth/realms/device/protocol/openid-connect/token/introspect > , > > cookies=[] > > -- > > Best regards, > > *Stefan Wachter > INST-ICM/BSV-BS* > > Tel. +49(711)811-58477 > > *Be**QIK > * > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From psilva at redhat.com Mon Jul 16 08:50:02 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 16 Jul 2018 09:50:02 -0300 Subject: [keycloak-user] Combine grants In-Reply-To: References: Message-ID: Thing is that you need a token to identify the subject making the request. On Sat, Jul 14, 2018 at 1:48 PM, Corentin Dupont wrote: > Another question for you guys: > is it possible to combine grants? 
> Now to get some permissions, I need to perform 2 requests: > > USERTOKEN=`curl -X POST -H "Content-Type: > application/x-www-form-urlencoded" -d > 'username=cdupont&password=password&grant_type=password&client_id=api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' > "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | > jq .access_token -r` > > curl -X POST > http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H > "Authorization: Bearer $USERTOKEN" -d > "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=ce023344-a01e-4d3c-8ba8-dc626e088dfd#sensors:view" > > The first with grant_type=password and the second with > grant_type=urn:ietf:params:oauth:grant-type:uma-ticket. > However HTTP requests are expensive... > It would be nice to make only one request. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From psilva at redhat.com Mon Jul 16 08:55:09 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 16 Jul 2018 09:55:09 -0300 Subject: [keycloak-user] Questions about Keycloak UMA 2.0 implementation In-Reply-To: References: <1531469849.8726.1@smtp.gmail.com> <1531486050.8726.2@smtp.gmail.com> Message-ID: Cool. Thanks for the feedback. On Fri, Jul 13, 2018 at 5:51 PM, Francisco José Bermejo Herrera < francisco.bermejo.herrera at tecsisa.com> wrote: > I see. There is no problem either way. BTW, we tested your implementation > of the proposed changes and it seems to work perfectly. Nice job! > > 2018-07-13 17:57 GMT+02:00 Pedro Igor Silva : > >> Yeah, you are right. Bad example. I was thinking about asking two scopes >> and returning only one of them because other was denied ... >> >> >> On Fri, Jul 13, 2018 at 9:47 AM, Francisco José Bermejo Herrera < >> francisco.bermejo.herrera at tecsisa.com> wrote: >> >>> We're OK with all your changes. 
>>> But, just a quick remark, you say: >>> >>> Still keep current behavior where the server may grant additional >>> permissions even though you requested only a subset of them. E.g.: You ask >>> for resource "foo" + scope "a" and the server may grant resource "foo" + >>> scope "a" and "b". >>> >>> >>> IMHO this isn't the current behavior, since if you ask for resource >>> "foo" + scope "a", the server grants "foo" + scope "a". But, it is true >>> that if you ask for resource "foo" + any scope (by leaving scope empty), >>> the server may grant you resource "foo" + scope "a" and "b". >>> >>> For example: >>> >>> - Ticket request (just "read" scope) >>> >>> POST /auth/realms/TestRealm/authz/protection/permission HTTP/1.1 >>> >>> Host: 127.0.0.1:8080 >>> Content-Type: application/json >>> Authorization: Bearer eyJ... >>> [ >>> {"resource_id": "fooresources", "resource_scopes": ["read"]} >>> ] >>> >>> >>> - RPT issued using the ticket (note: Alice has permissions for both >>> "read" and "write" scopes) >>> >>> { >>> "jti": "2a8a98ed-f058-4d4d-8321-1501896f773d", >>> "exp": 1531489206, >>> "nbf": 0, >>> "iat": 1531485606, >>> "iss": "http://127.0.0.1:8080/auth/realms/TestRealm", >>> "aud": "auth-demo-ws", >>> "sub": "4c3b0694-c1fe-405a-ac35-d4cf9e14aabd", >>> "typ": "Bearer", >>> "azp": "auth-demo-webapp", >>> "auth_time": 0, >>> "session_state": "34a4ec1e-9bd3-4413-b785-ae0dda7287d6", >>> "acr": "1", >>> "allowed-origins": [], >>> "realm_access": { >>> "roles": [ >>> "offline_access", >>> "uma_authorization" >>> ] >>> }, >>> "resource_access": { >>> "auth-demo-webapp": { >>> "roles": [ >>> "owner" >>> ] >>> }, >>> "auth-demo-ws": { >>> "roles": [ >>> "fooresource-reader", >>> "fooresource-writer" >>> ] >>> } >>> }, >>> "authorization": { >>> "permissions": [ >>> { >>> "scopes": [ >>> "read" >>> ], >>> "rsid": 
"dbc5e6a1-d65a-4510-b354-d12b8dd67dc2", >>> "rsname": "fooresources" >>> } >>> ] >>> }, >>> "scope": "email profile", >>> "tenant_id": "12345", >>> "email_verified": true, >>> "roles": [ >>> "role_owner" >>> ], >>> "name": "Alice Brown", >>> "groups": [ >>> "/auth-demo/admin" >>> ], >>> "preferred_username": "alice", >>> "given_name": "Alice", >>> "family_name": "Brown", >>> "email": "alice at test.com" >>> } >>> >>> >>> On Fri, Jul 13, 2018 at 2:26 , Pedro Igor Silva >>> wrote: >>> >>> I see. Just to make sure we are aligned. The changes I'm proposing are >>> more aligned with spec and provide: >>> >>> * Only mark RPT as upgraded if ALL permissions granted by a previous RPT >>> were granted >>> * DENY authorization requests in case you are sending a previously issued >>> RPT and ANY additional permissions in a ticket are DENIED. >>> * Still keep current behavior where the server may grant additional >>> permissions even though you requested only a subset of them. E.g.: You ask >>> for resource "foo" + scope "a" and the server may grant resource "foo" + >>> scope "a" and "b". >>> >>> On Fri, Jul 13, 2018 at 5:17 AM, Francisco José Bermejo Herrera < >>> francisco.bermejo.herrera at tecsisa.com> wrote: >>> >>>> If Keycloak behavior is changed according to your proposal described in >>>> your previous message, then there shouldn't be any problem with authz >>>> requests in our model. >>>> >>>> It is true that the scopes described in our example are a bit >>>> misleading. Think about something like READ and READ-PREMIUM instead, used >>>> at a GET endpoint, and the Resource Server just checks whether one of these >>>> scopes is contained in the RPT, returning a ticket with READ and >>>> READ-PREMIUM when none of them has been provided. When the Client requests >>>> the new RPT by using the ticket, Keycloak would return a RPT including >>>> either READ or READ-PREMIUM, or 403 Forbidden. 
>>>> >>>> As I said before, this is perfectly aligned with the new Keycloak >>>> behavior. >>>> >>>> On Thu, Jul 12, 2018 at 7:35 , Pedro Igor Silva >>>> wrote: >>>> >>>> >>>> >>>> On Tue, Jul 10, 2018 at 6:22 AM, Francisco José Bermejo Herrera < >>>> francisco.bermejo.herrera at tecsisa.com> wrote: >>>> >>>>> Hello, we are testing Keycloak 4.1.0.Final for authentication and >>>>> authorization (UMA 2.0 flow). >>>>> >>>>> Some assumptions: >>>>> >>>>> - The Resource Server owns the resource Foo, and protects it by >>>>> using >>>>> two scope-based permissions, one requiring READ scope, and the >>>>> other one >>>>> requiring WRITE scope. >>>>> - User Alice has been granted READ scope for resource Foo. >>>>> - We are not using Policy Enforcers. Enforcement will be >>>>> implemented at >>>>> the Resource Server. >>>>> >>>>> We are modeling the following flow: >>>>> >>>>> 1. The Requesting Party (Alice) requests access to resource Foo in >>>>> the >>>>> Resource Server. This request DOES NOT provide an RPT. >>>>> 2. The Resource Server detects the absence of RPT, so it requests a >>>>> Permission Ticket to Keycloak, for the Foo resource and both READ >>>>> and WRITE >>>>> scopes (providing a valid PAT). >>>>> 3. Keycloak returns a valid Permission Ticket to the Resource >>>>> Server. >>>>> 4. The Resource Server returns the Permission Ticket (including >>>>> Keycloak >>>>> token URI (http://${host}:${port}/auth/realms/${realm}/protocol/openid-connect/token) >>>>> at WWW-Authorization header) with status code 401 to the Requesting >>>>> Party. >>>>> 5. The Requesting Party sends the Permission Ticket (for the Foo >>>>> resource and both READ and WRITE scopes) to Keycloak, in order to >>>>> get a >>>>> valid RPT. >>>>> >>>>> Here is where things start to get confusing. We expected that Keycloak >>>>> would reject the authorization request due to failed permission >>>>> evaluation >>>>> (Alice has READ scope for resource Foo, but DOES NOT have WRITE scope). 
>>>>> Nevertheless, Keycloak returns a valid RPT, granting permission for >>>>> resource Foo (just for READ scope). >>>>> >>>>> We are aware that this behavior is UMA 2.0 compliant >>>>> >>>> tml#rfc.section.3.6.4> >>>>> : >>>>> >>>>> > If the value is non-null and CandidateGrantedScopes < >>>>> RequestedScopes, the >>>>> > authorization server MUST subsequently issue either an RPT containing >>>>> > CandidateGrantedScopes (upgrading as appropriate; see below), or one >>>>> of the >>>>> > error codes. The reason for the two options is that granting only >>>>> partial >>>>> > scopes may not be useful for the client's and requesting party's >>>>> purposes >>>>> > in seeking authorization for access. >>>>> >>>>> >>>>> But as the RFC explicitly points out, this behavior may not be useful >>>>> for >>>>> the client. We think that the RFC is right, because this renders the >>>>> client >>>>> unable to tell whether the authorization has been partially or >>>>> completely >>>>> fulfilled. And consequently the Resource Server will request again a >>>>> Permission Ticket for the Foo resource and both READ and WRITE scopes, >>>>> so >>>>> the whole flow will be repeated over and over again. If this is >>>>> Keycloak >>>>> expected behavior, how can we avoid the infinite loops? >>>>> >>>> >>>> For this particular case, each scope is associated with a specific HTTP >>>> method ? Can't you obtain tickets accordingly including only the scopes you >>>> need ? >>>> >>>> As you noticed, by default, Keycloak issues a RPT for any >>>> resource/scope you sent along with an authorization request. Resource >>>> servers (or clients sending authz requests directly without ticket) should >>>> be able to ask only for specific resources/scopes. >>>> >>>> >>>>> >>>>> Another question is, when providing a valid RPT along with a Permission >>>>> Ticket, why Keycloak deems an RPT as upgraded = true even when the >>>>> requested resource has not been authorized? 
It returns the same RPT >>>>> with >>>>> just jti, exp and iat updated. Since we think that the Authorization >>>>> Server >>>>> must be the one stopping the UMA flow, should not Keycloak return a 403 >>>>> Forbidden instead? Is this behavior configurable in any way? >>>>> >>>>> Thank you in advance! >>>>> _______________________________________________ >>>>> keycloak-user mailing list >>>>> keycloak-user at lists.jboss.org >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>> >>>> >>>> >>> >> > From corentin.dupont at gmail.com Mon Jul 16 10:09:05 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Mon, 16 Jul 2018 16:09:05 +0200 Subject: [keycloak-user] Combine grants In-Reply-To: References: Message-ID: I was thinking of passing both the login/password and the permission request on the same call (maybe a bit complicated). On Mon, Jul 16, 2018 at 2:50 PM, Pedro Igor Silva wrote: > Thing is that you need a token to identify the subject making the request. > > On Sat, Jul 14, 2018 at 1:48 PM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> Another question for you guys: >> is it possible to combine grants? >> Now to get some permissions, I need to perform 2 requests: >> >> USERTOKEN=`curl -X POST -H "Content-Type: >> application/x-www-form-urlencoded" -d >> 'username=cdupont&password=password&grant_type=password&client_id=api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0' >> "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" >> | >> jq .access_token -r` >> >> curl -X POST >> http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token -H >> "Authorization: Bearer $USERTOKEN" -d >> "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket&audience=api-server&permission=ce023344-a01e-4d3c-8ba8-dc626e088dfd#sensors:view" >> >> The first with grant_type=password and the second with >> grant_type=urn:ietf:params:oauth:grant-type:uma-ticket. >> However HTTP requests are expensive... 
>> It would be nice to make only one request. >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From corentin.dupont at gmail.com Mon Jul 16 10:12:45 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Mon, 16 Jul 2018 16:12:45 +0200 Subject: [keycloak-user] Retrieve all permissions In-Reply-To: References: Message-ID: OK, great... What was weird for me is that a resource can be rejected one way, and rejected the other... With the same scope. On Mon, Jul 16, 2018 at 2:03 PM, Pedro Igor Silva wrote: > I was expecting to run some tests today .... But now I see what is > happening. > > The behavior is correct. If you are asking permissions for "MyScope" only, > your policies should be able to evaluate whether or not permissions should > be granted to the scope itself, regardless of the resource. In fact, that > is what you are asking in your authorization request. We allow permissions > granted only to scopes. > > On Sun, Jul 15, 2018 at 5:31 PM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> I think I understood the problem. >> This Javascript policy will yield different results if a permission >> request is made on the resource+scope, or with just scope. >> >> var permission = $evaluation.getPermission(); >> if(permission.getResource()) { >> $evaluation.deny(); >> } else { >> $evaluation.grant(); >> } >> >> A permission request on "MyResource#MyScope" will yield a 403 Forbidden. >> However, a request on "#MyScope" will return the resource (among others). >> >> I noticed that the policy is evaluated twice: once with the resource, >> once without. Is that correct? >> >> On Fri, Jul 13, 2018 at 4:58 PM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Hi Pedro, >>> so finally did you manage to reproduce the bug? 
>>> Cheers >>> >>> On Thu, Jul 12, 2018 at 9:52 AM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> >>>> >>>> On Wed, Jul 11, 2018 at 9:55 PM, Pedro Igor Silva >>>> wrote: >>>> >>>>> The configuration you sent has a resource "Sensors". Is this the >>>>> resource I need to use to get permissions ? I mean the resource I need to >>>>> use to get a DENY. >>>>> >>>> >>>> In my example I used the resource "Sensor2-ea0541de1ab7132a1d45b85f9b2139f7", but "Sensors" will also work. >>>> BTW, I see that the export I gave you doesn't have the resource "Sensor2-ea0541de1ab7132a1d45b85f9b2139f7", is it normal? >>>> This resource was created using the API. >>>> >>>> >>>> >>>> >>>> >>>>> >>>>> Also, I noted that "Admin Users" which is used by permission "View >>>>> Sensor" has no user defined, >>>>> >>>> >>>> I think this is due to this problem that I reported: >>>> https://issues.jboss.org/browse/KEYCLOAK-7786?filter=-2 >>>> It seems that users are not exported with the policy. I do have users >>>> in the policy "Admin Users". >>>> Do you have the same issue if you export the realm? >>>> I used: >>>> docker-compose run --entrypoint "/opt/jboss/docker-entrypoint.sh -b >>>> 0.0.0.0 -Dkeycloak.migration.action=export >>>> -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/opt/jboss/keycloak/standalone/data/" keycloak >>>> >>>> >>>> >>>> >>>>> but "View Sensor" permission is set as "Affirmative". In this case, >>>>> there is a policy "Unregistered users" that do grant access to user >>>>> "guest", because the user is granted with the role. So access is granted to >>>>> resource "Sensors". >>>>> >>>>> Wdyt ? >>>>> >>>> >>>> I'm still experimenting. I have an API like this: >>>> GET /sensors >>>> POST /sensors >>>> GET /sensors/ >>>> ... >>>> >>>> At first I used a resource "Sensors" to represent "/sensors", and >>>> resources created with name "Sensor-xxxx" for each specific resources. >>>> But now I see that this is not enough. 
When performing GET /sensors, I >>>> need to filter the sensors list by matching it with the permission list >>>> retrieved with "#sensors:view". >>>> >>>> Anyway, you can modify any of the policies to obtain a "DENY", that >>>> should reproduce the problem :) >>>> >>>> >>>>> >>>>> >>>>> On Wed, Jul 11, 2018 at 1:12 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> Tks !! >>>>>> >>>>>> On Wed, Jul 11, 2018 at 12:29 PM, Corentin Dupont < >>>>>> corentin.dupont at gmail.com> wrote: >>>>>> >>>>>>> PS. I used the account "guest": >>>>>>> USERTOKEN=`curl -X POST -H "Content-Type: >>>>>>> application/x-www-form-urlencoded" -d 'username=guest&password=guest&grant_type=password&client_id=api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0&scope=offline_access' "http://localhost:8080/auth/realms/waziup/protocol/openid-connect/token" | jq .access_token -r` >>>>>>> >>>>>>> On Wed, Jul 11, 2018 at 5:15 PM, Corentin Dupont < >>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>> >>>>>>>> Here is the realm. >>>>>>>> You should be able to reproduce the bug with the commands I gave >>>>>>>> (hopefully). >>>>>>>> >>>>>>>> >>>>>>>> On Wed, Jul 11, 2018 at 3:08 PM, Pedro Igor Silva < >>>>>>>> psilva at redhat.com> wrote: >>>>>>>> >>>>>>>>> Please, share it ... I have that previous export you sent me >>>>>>>>> already, maybe you can just give me the steps to set up things like: >>>>>>>>> >>>>>>>>> * Create resource X where user Y is owner >>>>>>>>> >>>>>>>>> On Wed, Jul 11, 2018 at 5:57 AM, Corentin Dupont < >>>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>> Hi Pedro, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> This instead returns a list of resources belonging to all users. >>>>>>>>>>>> But the list seems to be wrong: it returns sensors to which I >>>>>>>>>>>> *don't* have >>>>>>>>>>>> access! 
>>>>>>>>>>>> If I try the request on the specific resource, it returns >>>>>>>>>>>> (rightfully) >>>>>>>>>>>> access_denied: >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I tried to do a simple test based on a previous realm >>>>>>>>>>> configuration you sent. Could not reproduce the problem. >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> I retried this morning, I still have the problem: >>>>>>>>>> >>>>>>>>>> $ curl -X POST http://localhost:8080/auth/rea >>>>>>>>>> lms/waziup/protocol/openid-connect/token -H "Authorization: >>>>>>>>>> Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oa >>>>>>>>>> uth:grant-type:uma-ticket&audience=api-server&permission=baa >>>>>>>>>> b7620-7d36-4efd-8810-b7cb33e54527#sensors:view" >>>>>>>>>> {"error":"access_denied","error_description":"not_authorized"} >>>>>>>>>> >>>>>>>>>> $ curl -X POST http://localhost:8080/auth/rea >>>>>>>>>> lms/waziup/protocol/openid-connect/token -H "Authorization: >>>>>>>>>> Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oa >>>>>>>>>> uth:grant-type:uma-ticket&audience=api-server&permission=#sensors:view" >>>>>>>>>> | jq .access_token -r | cut -d "." -f2 | base64 -d | jq >>>>>>>>>> ".authorization.permissions[] | select(.rsid == >>>>>>>>>> \"baab7620-7d36-4efd-8810-b7cb33e54527\")" >>>>>>>>>> { >>>>>>>>>> "scopes": [ >>>>>>>>>> "sensors:view" >>>>>>>>>> ], >>>>>>>>>> "rsid": "baab7620-7d36-4efd-8810-b7cb33e54527", >>>>>>>>>> "rsname": "Sensor2-ea0541de1ab7132a1d45b85f9b2139f7" >>>>>>>>>> } >>>>>>>>>> >>>>>>>>>> On the first request, the resource baab7620-7d36-4efd-8810-b7cb33 >>>>>>>>>> e54527 is denied, while on the second it appears in the list >>>>>>>>>> returned. >>>>>>>>>> If you want, I can give you another export of my realm... 
>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From corentin.dupont at gmail.com Mon Jul 16 10:13:15 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Mon, 16 Jul 2018 16:13:15 +0200 Subject: [keycloak-user] Retrieve all permissions In-Reply-To: References: Message-ID: Sorry typo On Mon, Jul 16, 2018 at 4:12 PM, Corentin Dupont wrote: > > OK, great... > What was weird for me is that a resource can be accepted one way, and > rejected the other... With the same scope. > > > On Mon, Jul 16, 2018 at 2:03 PM, Pedro Igor Silva > wrote: > >> I was expecting to run some tests today .... But now I see what is >> happening. >> >> The behavior is correct. If you are asking permissions for "MyScope" >> only, your policies should be able to evaluate whether or not permissions >> should be granted to the scope itself, regardless of the resource. In fact, >> that is what you are asking in your authorization request. We allow >> permissions granted only to scopes. >> >> On Sun, Jul 15, 2018 at 5:31 PM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> I think I understood the problem. >>> This Javascript policy will yield different results if a permission >>> request is made on the resource+scope, or with just scope. >>> >>> var permission = $evaluation.getPermission(); >>> if(permission.getResource()) { >>> $evaluation.deny(); >>> } else { >>> $evaluation.grant(); >>> } >>> >>> A permission request on "MyResource#MyScope" will yield a 403 Forbidden. >>> However, a request on "#MyScope" will return the resource (among >>> others). >>> >>> I noticed that the policy is evaluated twice: once with the resource, >>> once without. Is that correct? >>> >>> On Fri, Jul 13, 2018 at 4:58 PM, Corentin Dupont < >>> corentin.dupont at gmail.com> wrote: >>> >>>> Hi Pedro, >>>> so finally did you manage to reproduce the bug? 
>>>> Cheers >>>> >>>> On Thu, Jul 12, 2018 at 9:52 AM, Corentin Dupont < >>>> corentin.dupont at gmail.com> wrote: >>>> >>>>> >>>>> >>>>> On Wed, Jul 11, 2018 at 9:55 PM, Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> The configuration you sent has a resource "Sensors". Is this the >>>>>> resource I need to use to get permissions ? I mean the resource I need to >>>>>> use to get a DENY. >>>>>> >>>>> >>>>> In my example I used the resource "Sensor2-ea0541de1ab7132a1d45b >>>>> 85f9b2139f7", but "Sensors" will also work. >>>>> BTW, I see that the export I gave you doesn't have the resource " >>>>> Sensor2-ea0541de1ab7132a1d45b85f9b2139f7", is it normal? >>>>> This resource was created using the API. >>>>> >>>>> >>>>> >>>>> >>>>> >>>>>> >>>>>> Also, I noted that "Admin Users" which is used by permission "View >>>>>> Sensor" has no user defined, >>>>>> >>>>> >>>>> I think this is due to this problem that I reported: >>>>> https://issues.jboss.org/browse/KEYCLOAK-7786?filter=-2 >>>>> It seems that users are not exported with the policy. I do have users >>>>> in the policy "Admin Users". >>>>> Do you have the same issue if you export the realm? >>>>> I used: >>>>> docker-compose run --entrypoint "/opt/jboss/docker-entrypoint.sh -b >>>>> 0.0.0.0 -Dkeycloak.migration.action=export >>>>> -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=/opt/ >>>>> jboss/keycloak/standalone/data/" keycloak >>>>> >>>>> >>>>> >>>>> >>>>>> but "View Sensor" permission is set as "Affirmative". In this case, >>>>>> there is a policy "Unregistered users" that do grant access to user >>>>>> "guest", because the user is granted with the role. So access is granted to >>>>>> resource "Sensors". >>>>>> >>>>>> Wdyt ? >>>>>> >>>>> >>>>> I'm still experimenting. I have an API like this: >>>>> GET /sensors >>>>> POST /sensors >>>>> GET /sensors/ >>>>> ... 
>>>>> >>>>> At first I used a resource "Sensors" to represent "/sensors", and >>>>> resources created with name "Sensor-xxxx" for each specific resources. >>>>> But now I see that this is not enough. When performing GET /sensors, I >>>>> need to filter the sensors list by matching it with the permission list >>>>> retrieved with "#sensors:view". >>>>> >>>>> Anyway, you can modify any of the policies to obtain a "DENY", that >>>>> should reproduce the problem :) >>>>> >>>>> >>>>>> >>>>>> >>>>>> On Wed, Jul 11, 2018 at 1:12 PM, Pedro Igor Silva >>>>>> wrote: >>>>>> >>>>>>> Tks !! >>>>>>> >>>>>>> On Wed, Jul 11, 2018 at 12:29 PM, Corentin Dupont < >>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>> >>>>>>>> PS. I used the account "guest": >>>>>>>> USERTOKEN=`curl -X POST -H "Content-Type: >>>>>>>> application/x-www-form-urlencoded" -d >>>>>>>> 'username=guest&password=guest&grant_type=password&client_id >>>>>>>> =api-server&client_secret=4e9dcb80-efcd-484c-b3d7-1e95a0096ac0&scope=offline_access' >>>>>>>> "http://localhost:8080/auth/realms/waziup/protocol/openid-co >>>>>>>> nnect/token" | jq .access_token -r` >>>>>>>> >>>>>>>> On Wed, Jul 11, 2018 at 5:15 PM, Corentin Dupont < >>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>> >>>>>>>>> Here is the realm. >>>>>>>>> You should be able to reproduce the bug with the commands I gave >>>>>>>>> (hopefully). >>>>>>>>> >>>>>>>>> >>>>>>>>> On Wed, Jul 11, 2018 at 3:08 PM, Pedro Igor Silva < >>>>>>>>> psilva at redhat.com> wrote: >>>>>>>>> >>>>>>>>>> Please, share it ... I have that previous export you sent me >>>>>>>>>> already, maybe you can just give me the steps to set up things like: >>>>>>>>>> >>>>>>>>>> * Create resource X where user Y is owner >>>>>>>>>> >>>>>>>>>> On Wed, Jul 11, 2018 at 5:57 AM, Corentin Dupont < >>>>>>>>>> corentin.dupont at gmail.com> wrote: >>>>>>>>>> >>>>>>>>>>> Hi Pedro, >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> This instead returns a list of resources belonging to all users. 
>>>>>>>>>>>>> But the list seems to be wrong: it returns sensors to which I >>>>>>>>>>>>> *don't* have >>>>>>>>>>>>> access! >>>>>>>>>>>>> If I try the request on the specific resource, it returns >>>>>>>>>>>>> (rightfully) >>>>>>>>>>>>> access_denied: >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> I tried to do a simple test based on a previous realm >>>>>>>>>>>> configuration you sent. Could not reproduce the problem. >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> I retried this morning, I still have the problem: >>>>>>>>>>> >>>>>>>>>>> $ curl -X POST http://localhost:8080/auth/rea >>>>>>>>>>> lms/waziup/protocol/openid-connect/token -H "Authorization: >>>>>>>>>>> Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oa >>>>>>>>>>> uth:grant-type:uma-ticket&audience=api-server&permission=baa >>>>>>>>>>> b7620-7d36-4efd-8810-b7cb33e54527#sensors:view" >>>>>>>>>>> {"error":"access_denied","error_description":"not_authorized"} >>>>>>>>>>> >>>>>>>>>>> $ curl -X POST http://localhost:8080/auth/rea >>>>>>>>>>> lms/waziup/protocol/openid-connect/token -H "Authorization: >>>>>>>>>>> Bearer $USERTOKEN" -d "grant_type=urn:ietf:params:oa >>>>>>>>>>> uth:grant-type:uma-ticket&audience=api-server&permission=#sensors:view" >>>>>>>>>>> | jq .access_token -r | cut -d "." -f2 | base64 -d | jq >>>>>>>>>>> ".authorization.permissions[] | select(.rsid == >>>>>>>>>>> \"baab7620-7d36-4efd-8810-b7cb33e54527\")" >>>>>>>>>>> { >>>>>>>>>>> "scopes": [ >>>>>>>>>>> "sensors:view" >>>>>>>>>>> ], >>>>>>>>>>> "rsid": "baab7620-7d36-4efd-8810-b7cb33e54527", >>>>>>>>>>> "rsname": "Sensor2-ea0541de1ab7132a1d45b85f9b2139f7" >>>>>>>>>>> } >>>>>>>>>>> >>>>>>>>>>> On the first request, the resource >>>>>>>>>>> baab7620-7d36-4efd-8810-b7cb33e54527 is denied, while on the >>>>>>>>>>> second it appears in the list returned. >>>>>>>>>>> If you want, I can give you another export of my realm... 
>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> > From vandana0242 at gmail.com Mon Jul 16 12:21:39 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 16 Jul 2018 11:21:39 -0500 Subject: [keycloak-user] ERROR [org.keycloak.services.resources.IdentityBrokerService Message-ID: Hello Can anyone look into this and please show the solution to this: *realmId=master, clientId=null, userId=null, ipAddress=10.9.7.2,=invalidRequestMessage14:11:30,568 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-1) invalidRequestMessage* Thanks, Vandana From vandana0242 at gmail.com Mon Jul 16 12:30:23 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 16 Jul 2018 11:30:23 -0500 Subject: [keycloak-user] Need Wildfly Technical person Message-ID: Hello Is there any contact number to reach a wildfly technical person from the wildfly organization? Thanks. From vandana0242 at gmail.com Mon Jul 16 13:35:30 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 16 Jul 2018 12:35:30 -0500 Subject: [keycloak-user] hard time with keycloak Message-ID: Any other SAML 2.0 module (other than keycloak for wildfly server) which talks to External SAML 2.0 Identity provider? Because keycloak is not possible to have single sign on configuration for wildfly server. 
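Returning to the JavaScript policy in the "Retrieve all permissions" thread above: the block below is an added example, not code from the thread or from Keycloak. It stands in for the `$evaluation` object Keycloak hands to a JavaScript policy (the method names mirror Keycloak's Evaluation API: `getPermission().getResource()`, `getContext().getIdentity()`, `grant()`, `deny()`; the mock itself, the resource ids, owners and user names are all constructed here), runs the policy Corentin posted against both request shapes, and contrasts it with an owner-check policy that denies the scope-only evaluation instead of granting every resource.

```javascript
// Added example: a stand-in for the $evaluation object Keycloak passes to a
// JavaScript policy. Not code from the thread or from Keycloak; method names
// mirror Keycloak's Evaluation API, everything else is constructed.

// Constructed sample resources, each with an owner ("resource X where user Y
// is owner", as in the thread).
const RESOURCES = {
  "res-sensor-1": { id: "res-sensor-1", name: "Sensor-1", owner: "alice" },
  "res-sensor-2": { id: "res-sensor-2", name: "Sensor-2", owner: "bob" },
};

// Minimal mock of the Evaluation surface the policies below touch. A request
// with no resource models the scope-only evaluation ("#sensors:view") that
// Pedro describes: the policy has to decide on the scope alone.
function makeEvaluation(resourceId, scope, userId) {
  const resource = resourceId ? RESOURCES[resourceId] : null;
  let decision = "DENY"; // a policy that never calls grant() is a deny
  return {
    getPermission: () => ({
      getResource: () =>
        resource
          ? {
              getId: () => resource.id,
              getName: () => resource.name,
              getOwner: () => resource.owner,
            }
          : null,
      getScopes: () => [scope],
    }),
    getContext: () => ({ getIdentity: () => ({ getId: () => userId }) }),
    grant() { decision = "GRANT"; },
    deny() { decision = "DENY"; },
    result: () => decision,
  };
}

// The policy quoted in the thread: deny whenever a resource is attached,
// grant otherwise. The scope-only request is evaluated with no resource, so
// this policy grants it, which is why "#MyScope" lists resources that
// "MyResource#MyScope" refuses with 403.
function policyFromThread($evaluation) {
  const permission = $evaluation.getPermission();
  if (permission.getResource()) {
    $evaluation.deny();
  } else {
    $evaluation.grant();
  }
}

// Owner-check variant (assumed intent: users may view only their own sensors).
// With no resource there is no owner to compare against, so the scope-only
// evaluation is denied rather than silently granting every resource.
function ownerOnlyPolicy($evaluation) {
  const resource = $evaluation.getPermission().getResource();
  const identity = $evaluation.getContext().getIdentity();
  if (!resource) {
    $evaluation.deny();
    return;
  }
  if (resource.getOwner() === identity.getId()) {
    $evaluation.grant();
  } else {
    $evaluation.deny();
  }
}

// Evaluate one policy for one permission string in the form used by the
// token endpoint's permission parameter: "resourceId#scope" or "#scope".
function evaluate(policy, permissionString, userId) {
  const [resourceId, scope] = permissionString.split("#");
  const ev = makeEvaluation(resourceId || null, scope, userId);
  policy(ev);
  return ev.result();
}

// Side-by-side decisions for one user over the two request shapes.
function decisionTable(userId) {
  const requests = ["res-sensor-1#sensors:view", "res-sensor-2#sensors:view", "#sensors:view"];
  const table = {};
  for (const req of requests) {
    table[req] = {
      policyFromThread: evaluate(policyFromThread, req, userId),
      ownerOnlyPolicy: evaluate(ownerOnlyPolicy, req, userId),
    };
  }
  return table;
}

console.log(JSON.stringify(decisionTable("alice"), null, 2));
```

The mock models only a single policy evaluation; it does not reproduce Keycloak's decision strategies (Affirmative, Unanimous) or how the server enumerates resources for a scope-only request. The point for anyone writing JavaScript policies is the one Pedro makes: a scope-only request reaches the policy with `getResource()` returning nothing, and a policy whose "else" branch is `grant()` turns that into a grant over every resource carrying the scope.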
From vandana0242 at gmail.com Mon Jul 16 13:37:09 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 16 Jul 2018 12:37:09 -0500 Subject: [keycloak-user] need the web link for keycloak 4.0.0 final to download Message-ID: need the web link for keycloak 4.0.0 final to download along with the suitable adapters to download Thanks, Vandana From bruno at abstractj.org Mon Jul 16 13:42:44 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 16 Jul 2018 14:42:44 -0300 Subject: [keycloak-user] need the web link for keycloak 4.0.0 final to download In-Reply-To: References: Message-ID: https://www.keycloak.org/downloads.html On Mon, Jul 16, 2018 at 2:39 PM vandana thota wrote: > need the web link for keycloak 4.0.0 final to download along with the > suitable adapters to download > > > Thanks, > Vandana > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From dt at acutus.pro Mon Jul 16 13:43:17 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 16 Jul 2018 20:43:17 +0300 Subject: [keycloak-user] Customizing account change password to send an email In-Reply-To: References: Message-ID: <1531762997.6818.6.camel@acutus.pro> Hi Ori, There's org.keycloak.events.EventListenerSpi in keycloak-server-spi-private. You can implement an EventListenerProvider (plus the corresponding factory) and listen for events of type EventType.UPDATE_PASSWORD. Then retrieve an EmailSenderProvider from your KeycloakSession, and voilà! Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Mon, 2018-07-16 at 09:53 +0000, Ori Doolman wrote: > Hello, > > In the Account management page, I have an option to change user's password. 
> Is there any way (SPI) to customize the change password function, and add the ability for sending an email after password is changed ? > > I think the current implementation code is under > /keycloak-services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProvider.java > > > Thanks, > > Ori Doolman > Lead Software Architect > Amdocs Optima > > +972 9 778 6914 (office) > +972 50 9111442 (mobile) > > [cid:image001.png at 01D2C8DE.BFF33E10] > > This message and the information contained herein is proprietary and confidential and subject to the Amdocs policy statement, > > you may review at https://www.amdocs.com/about/email-disclaimer > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From vandana0242 at gmail.com Mon Jul 16 13:45:39 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 16 Jul 2018 12:45:39 -0500 Subject: [keycloak-user] need the web link for keycloak 4.0.0 final to download In-Reply-To: References: Message-ID: I have that link already but it has 4.1.0 not 4.0.0 final related packages. 
Thanks, Vandana On Mon, Jul 16, 2018 at 12:42 PM Bruno Oliveira wrote: > https://www.keycloak.org/downloads.html > > On Mon, Jul 16, 2018 at 2:39 PM vandana thota > wrote: > >> need the web link for keycloak 4.0.0 final to download along with >> the >> suitable adapters to download >> >> >> Thanks, >> Vandana >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From bruno at abstractj.org Mon Jul 16 13:56:21 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 16 Jul 2018 14:56:21 -0300 Subject: [keycloak-user] need the web link for keycloak 4.0.0 final to download In-Reply-To: References: Message-ID: If you scroll down to the page, you're going to hit this https://www.keycloak.org/downloads-archive.html On Mon, Jul 16, 2018 at 2:45 PM vandana thota wrote: > I have that link already but it has 4.1.0 not 4.0.0 final related > packages. > > Thanks, > Vandana > > > > On Mon, Jul 16, 2018 at 12:42 PM Bruno Oliveira > wrote: > >> https://www.keycloak.org/downloads.html >> >> On Mon, Jul 16, 2018 at 2:39 PM vandana thota >> wrote: >> >>> need the web link for keycloak 4.0.0 final to download along with >>> the >>> suitable adapters to download >>> >>> >>> Thanks, >>> Vandana >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >> From vandana0242 at gmail.com Mon Jul 16 13:58:54 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 16 Jul 2018 12:58:54 -0500 Subject: [keycloak-user] need the web link for keycloak 4.0.0 final to download In-Reply-To: References: Message-ID: Yes, even tried that; all 4.0.0.0 redirects to 4.0.0.0 beta 1, not to the 4.0.0.0 final. Did they delete the package 4.0.0 final from the repo? If not, where can we find it? On Mon, Jul 16, 2018 at 12:56 PM Bruno Oliveira wrote: > If you 
scroll down to the page, you're going to hit this > https://www.keycloak.org/downloads-archive.html > > On Mon, Jul 16, 2018 at 2:45 PM vandana thota > wrote: > >> I have that link already but it has 4.1.0 not 4.0.0 final related >> packages. >> >> Thanks, >> Vandana >> >> >> >> On Mon, Jul 16, 2018 at 12:42 PM Bruno Oliveira >> wrote: >> >>> https://www.keycloak.org/downloads.html >>> >>> On Mon, Jul 16, 2018 at 2:39 PM vandana thota >>> wrote: >>> >>>> need the web link for keycloak 4.0.0 final to download along with >>>> the >>>> suitable adapters to download >>>> >>>> >>>> Thanks, >>>> Vandana >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> From psilva at redhat.com Mon Jul 16 14:28:05 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 16 Jul 2018 15:28:05 -0300 Subject: [keycloak-user] Introspection of RPT fails In-Reply-To: References: <9706eb13-63d9-6554-ff6d-0093db1ecfb3@bosch-si.com> Message-ID: Hi, I've created https://issues.jboss.org/browse/KEYCLOAK-7864. Pull request also sent with a fix. The issue is that we were not setting the authorization claim to refresh tokens issued via grant_type == refresh_token. Thanks. Pedro Igor On Mon, Jul 16, 2018 at 8:54 AM, stefan.wachter wrote: > Any news on this? Should I file a ticket? > > Best regards, > > > *Stefan Wachter INST-ICM/BSV-BS* > > Tel. +49(711)811-58477 > > *Be* > *QIK * > Am 10.07.2018 um 17:33 schrieb Pedro Igor Silva: > > Will check this out. Thanks for the report. > > On Tue, Jul 10, 2018 at 4:57 AM, stefan.wachter < > stefan.wachter at bosch-si.com> wrote: > >> Hi, >> >> I have difficulties in determining the cause why introspection of an RPT >> fails. The RPT can be introspected a couple of times before it fails. In >> the log shown below I grepped for "task-26" that seems to have handled >> the failed introspection request. 
>> >> I have the impression that the problem is related to token refreshments. >> If the "Access Token Lifespan" is set to a smaller value (e.g. 1 >> minute), then the failure happens earlier. In particular, it seems that >> after the SECOND set of token refreshments the introspection fails. In >> detail: >> >> There are 3 tokens (together with their refresh tokens) involved: >> >> 1. An IdToken that is used for logging into the web application. The >> IdToken is used when a Ticket is exchanged for an RPT (the IdToken is >> set as the "claim_token" parameter in the token request). >> >> 2. An RPT. >> >> 3. A PAT >> >> When a request hits the application after the tokens have expired the >> first time all tokens are refreshed in turn and the introspection >> succeeds. Yet, if a request hits the application after the tokens have >> expired the second time then all tokens are refreshed again (using the >> refresh tokens that were returned on the first refreshment). The >> following RPT introspection however, fails. >> >> Has anyone experienced the same failure? 
>> >> Thanks for your attention >> >> Stefan >> >> >> >> 06:46:12,779 DEBUG >> [org.keycloak.authorization.protection.introspect.RPTIntrospectionProvider] >> >> (default task-26) Introspecting requesting party token >> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default >> task-26) Active key found: realm=device >> kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256 >> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default >> task-26) Active key found: realm=device >> kid=ae1f030a-b3a5-4c9a-875a-a0802119fa2a algorithm=HS256 >> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default >> task-26) Active key found: realm=device >> kid=2aefcc15-33cf-45f6-a4bf-88535501712c algorithm=AES >> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default >> task-26) Active key realm=device >> kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256 >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] (default >> task-26) Invoked with command GetKeyValueCommand >> {key=device.client.query.by.clientId.web-gui, flags=null} and >> InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 6cb8a247] >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container >> ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, value=0} >> (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap device.client.query.by.clientId.web-gui for read. >> Entry=ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=device.client.query.by.clientId.web-gui, flags=null}. 
>> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default >> task-26) Release locks for keys=[]. owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default >> task-26) client by name cache hit: web-gui >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] (default >> task-26) Invoked with command GetKeyValueCommand >> {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and >> InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 3a2141a6] >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container >> ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0} >> (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. >> Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default >> task-26) Release locks for keys=[]. owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default >> task-26) client by id cache hit: web-gui >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] (default >> task-26) Invoked with command GetKeyValueCommand {key=device, >> flags=null} and InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 2f9442f3] >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? 
null >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container ImmortalCacheEntry{key=device, >> value=0} (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap device for read. Entry=ImmortalCacheEntry{key=device, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand {key=device, >> flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default >> task-26) Release locks for keys=[]. owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default >> task-26) by id cache hit: device >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] (default >> task-26) Invoked with command GetKeyValueCommand >> {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and >> InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 30227841] >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container >> ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0} >> (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. >> Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default >> task-26) Release locks for keys=[]. 
owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default >> task-26) client by id cache hit: web-gui >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] (default >> task-26) Invoked with command GetKeyValueCommand {key=device, >> flags=null} and InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 19214e98] >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container ImmortalCacheEntry{key=device, >> value=0} (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap device for read. Entry=ImmortalCacheEntry{key=device, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand {key=device, >> flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default >> task-26) Release locks for keys=[]. 
owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] (default >> task-26) by id cache hit: device >> 06:46:12,780 DEBUG >> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] >> (default task-26) >> getUserSessionWithPredicate(a3320548-da14-4e0c-adc1-5616c9d0c23b): found >> in local cache >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.UserCacheSession] (default >> task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] (default >> task-26) Invoked with command GetKeyValueCommand >> {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null} and >> InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 29bd006b] >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container >> ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, value=0} >> (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c for read. >> Entry=ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default >> task-26) Release locks for keys=[]. 
owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.UserCacheSession] (default >> task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.UserCacheSession] (default >> task-26) return managedusers >> 06:46:12,781 TRACE [org.keycloak.events] (default task-26) >> type=INTROSPECT_TOKEN_ERROR, realmId=device, clientId=resource-server, >> userId=null, ipAddress=139.15.216.71, error=invalid_request, >> detail='Failed to introspect token.', client_auth_method=client-secret, >> requestUri=https://keycloak.apps.de1.bosch-iot-cloud.com/aut >> h/realms/device/protocol/openid-connect/token/introspect, >> cookies=[] >> >> -- >> >> Best regards, >> >> *Stefan Wachter >> INST-ICM/BSV-BS* >> >> Tel. +49(711)811-58477 >> >> *Be**QIK >> * >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From pkboucher801 at gmail.com Mon Jul 16 14:42:19 2018 From: pkboucher801 at gmail.com (pkboucher801 at gmail.com) Date: Mon, 16 Jul 2018 14:42:19 -0400 Subject: [keycloak-user] Global "reporting" role like admin but with read-only access to everything? Message-ID: <001901d41d34$ba2d1a90$2e874fb0$@gmail.com> According to https://www.keycloak.org/docs/latest/server_admin/index.html#global-roles there are two global roles, admin and create-realm, but we would like to add a third one, call it reporting, that has read-only access to all settings in every realm (so all of the view- and query- permissions). We can create the role as a composite with permissions over every realm, but if a new realm is added later, the reporting role has no access unless we explicitly grant it. Is it possible for us to add a global role by creating a new realm role in the master realm, and giving it a particular configuration and/or set of permissions? Thanks! Regards, Peter K. 
Boucher From pkboucher801 at gmail.com Mon Jul 16 14:50:50 2018 From: pkboucher801 at gmail.com (pkboucher801 at gmail.com) Date: Mon, 16 Jul 2018 14:50:50 -0400 Subject: [keycloak-user] Global "reporting" role like admin but with read-only access to everything? In-Reply-To: <001901d41d34$ba2d1a90$2e874fb0$@gmail.com> References: <001901d41d34$ba2d1a90$2e874fb0$@gmail.com> Message-ID: <065001d41d35$ea8676e0$bf9364a0$@gmail.com> Apologies if this is a duplicate. From: pkboucher801 at gmail.com [mailto:pkboucher801 at gmail.com] Sent: Monday, July 16, 2018 2:42 PM To: keycloak-user at lists.jboss.org Subject: Global "reporting" role like admin but with read-only access to everything? According to https://www.keycloak.org/docs/latest/server_admin/index.html#global-roles there are two global roles, admin and create-realm, but we would like to add a third one, call it reporting, that has read-only access to all settings in every realm (so all of the view- and query- permissions). We can create the role as a composite with permissions over every realm, but if a new realm is added later, the reporting role has no access unless we explicitly grant it. Is it possible for us to add a global role by creating a new realm role in the master realm, and giving it a particular configuration and/or set of permissions? Thanks! Regards, Peter K. Boucher From ddtxra at gmail.com Mon Jul 16 18:32:14 2018 From: ddtxra at gmail.com (Daniel Teixeira) Date: Tue, 17 Jul 2018 00:32:14 +0200 Subject: [keycloak-user] Programmatical users authentication In-Reply-To: References: Message-ID: Not sure if this could help you, but this shows how to get access tokens programmatically with python: https://github.com/ddtxra/python-console-keycloak-example On Mon, Jul 16, 2018 at 12:26 PM, Leonid Rozenblyum wrote: > Thanks to REST API we can authenticate admin users who can work on behalf of > 'admin-cli' account. > > Can we authenticate usual users programmatically? 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Daniel Teixeira From dt at acutus.pro Mon Jul 16 19:32:43 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 17 Jul 2018 02:32:43 +0300 Subject: [keycloak-user] Global "reporting" role like admin but with read-only access to everything? In-Reply-To: <001901d41d34$ba2d1a90$2e874fb0$@gmail.com> References: <001901d41d34$ba2d1a90$2e874fb0$@gmail.com> Message-ID: <1531783963.4364.5.camel@acutus.pro> Hi Peter, sorry for not having replied to your first posting, AFAIK currently you cannot configure a role in a way that it is automatically granted access to every realm, including newly created ones. You may ask: "but look, that's exactly how the global admin role works!" - that's true, but the global admin role has some special handling that is invoked every time a realm is created (see org.keycloak.services.managers.RealmManager::createRealm) Good news is that you can have the same behavior for your role, at a reasonably low price of creating and deploying a simple Keycloak extension. Look how it's done in BeerCloak: https://github.com/dteleguin/beercloak/blob/master/beercloak-module/src/main/java/beercloak/providers/BeerResourceProviderFactory.java In a few words: BeerCloak registers a listener for the RealmPostCreateEvent, and when it arrives, adds two client roles to the global "admin" role. In your case, you'll be adding all "view-*" and "query-*" roles (belonging to the "-realm" client) to your "reporting" role. Good luck and feel free to ask any questions on BeerCloak, Dmitry Telegin CTO, Acutus s.r.o. 
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Mon, 2018-07-16 at 14:42 -0400, pkboucher801 at gmail.com wrote: > According to > https://www.keycloak.org/docs/latest/server_admin/index.html#global-roles > there are two global roles, admin and create-realm, but we would like to add > a third one, call it reporting, that has read-only access to all settings in > every realm (so all of the view- and query- permissions). > > > > We can create the role as a composite with permissions over every realm, but > if a new realm is added later, the reporting role has no access unless we > explicitly grant it. > > > > Is it possible for us to add a global role by creating a new realm role in > the master realm, and giving it a particular configuration and/or set of > permissions? > > > > Thanks! > > > > Regards, > > Peter K. Boucher From stefan.wachter at bosch-si.com Tue Jul 17 02:02:07 2018 From: stefan.wachter at bosch-si.com (stefan.wachter) Date: Tue, 17 Jul 2018 08:02:07 +0200 Subject: [keycloak-user] Introspection of RPT fails In-Reply-To: References: <9706eb13-63d9-6554-ff6d-0093db1ecfb3@bosch-si.com> Message-ID: <7373bd89-95c1-120d-d40c-597d2a0c9450@bosch-si.com> Thanks a lot, Pedro Igor! Best regards, *Stefan Wachter INST-ICM/BSV-BS* Tel. +49(711)811-58477 *Be**QIK * Am 16.07.2018 um 20:28 schrieb Pedro Igor Silva: > Hi, > > I've created https://issues.jboss.org/browse/KEYCLOAK-7864. Pull > request also sent with a fix. > > The issue is that we were not setting the authorization claim to > refresh tokens issued via grant_type == refresh_token. > > Thanks. > Pedro Igor > > On Mon, Jul 16, 2018 at 8:54 AM, stefan.wachter > > wrote: > > Any news on this? Should I file a ticket?
> > Best regards, > > *Stefan Wachter > INST-ICM/BSV-BS* > > Tel. +49(711)811-58477 > > *Be**QIK > * > > Am 10.07.2018 um 17:33 schrieb Pedro Igor Silva: >> Will check this out. Thanks for the report. >> >> On Tue, Jul 10, 2018 at 4:57 AM, stefan.wachter >> > > wrote: >> >> Hi, >> >> I have difficulties in determining the cause why >> introspection of an RPT >> fails. The RPT can be introspected a couple of times before >> it fails. In >> the log shown below I grepped for "task-26" that seems to >> have handled >> the failed introspection request. >> >> I have the impression that the problem is related to token >> refreshments. >> If the "Access Token Lifespan" is set to a smaller value (e.g. 1 >> minute), then the failure happens earlier. In particular, it >> seems that >> after the SECOND set of token refreshments the introspection >> fails. In >> detail: >> >> There are 3 tokens (together with their refresh tokens) involved: >> >> 1. An IdToken that is used for logging into the web >> application. The >> IdToken is used when a Ticket is exchanged for an RPT (the >> IdToken is >> set as the "claim_token" parameter in the token request). >> >> 2. An RPT. >> >> 3. A PAT >> >> When a request hits the application after the tokens have >> expired the >> first time all tokens are refreshed in turn and the >> introspection >> succeeds. Yet, if a request hits the application after the >> tokens have >> expired the second time then all tokens are refreshed again >> (using the >> refresh tokens that were returned on the first refreshment). The >> following RPT introspection however, fails. >> >> Has anyone experienced the same failure?
>> >> Thanks for your attention >> >> Stefan >> >> >> >> 06:46:12,779 DEBUG >> [org.keycloak.authorization.protection.introspect.RPTIntrospectionProvider] >> >> (default task-26) Introspecting requesting party token >> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] >> (default >> task-26) Active key found: realm=device >> kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256 >> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] >> (default >> task-26) Active key found: realm=device >> kid=ae1f030a-b3a5-4c9a-875a-a0802119fa2a algorithm=HS256 >> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] >> (default >> task-26) Active key found: realm=device >> kid=2aefcc15-33cf-45f6-a4bf-88535501712c algorithm=AES >> 06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] >> (default >> task-26) Active key realm=device >> kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256 >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] >> (default >> task-26) Invoked with command GetKeyValueCommand >> {key=device.client.query.by >> .clientId.web-gui, flags=null} >> and >> InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 6cb8a247] >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container >> ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, >> value=0} >> (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap device.client.query.by >> .clientId.web-gui for read.
>> Entry=ImmortalCacheEntry{key=device.client.query.by >> .clientId.web-gui, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=device.client.query.by >> .clientId.web-gui, flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] >> (default >> task-26) Release locks for keys=[]. owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] >> (default >> task-26) client by name cache hit: web-gui >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] >> (default >> task-26) Invoked with command GetKeyValueCommand >> {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and >> InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 3a2141a6] >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container >> ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, >> value=0} >> (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. >> Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] >> (default >> task-26) Release locks for keys=[]. 
owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] >> (default >> task-26) client by id cache hit: web-gui >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] >> (default >> task-26) Invoked with command GetKeyValueCommand {key=device, >> flags=null} and InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 2f9442f3] >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container ImmortalCacheEntry{key=device, >> value=0} (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap device for read. >> Entry=ImmortalCacheEntry{key=device, value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=device, >> flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] >> (default >> task-26) Release locks for keys=[]. owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] >> (default >> task-26) by id cache hit: device >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] >> (default >> task-26) Invoked with command GetKeyValueCommand >> {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and >> InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 30227841] >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? 
null >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container >> ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, >> value=0} >> (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read. >> Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] >> (default >> task-26) Release locks for keys=[]. owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] >> (default >> task-26) client by id cache hit: web-gui >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] >> (default >> task-26) Invoked with command GetKeyValueCommand {key=device, >> flags=null} and InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 19214e98] >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container ImmortalCacheEntry{key=device, >> value=0} (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap device for read. >> Entry=ImmortalCacheEntry{key=device, value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=device, >> flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] >> (default >> task-26) Release locks for keys=[]. 
owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.RealmCacheSession] >> (default >> task-26) by id cache hit: device >> 06:46:12,780 DEBUG >> [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] >> >> (default task-26) >> getUserSessionWithPredicate(a3320548-da14-4e0c-adc1-5616c9d0c23b): >> found >> in local cache >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.UserCacheSession] (default >> task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c >> 06:46:12,780 TRACE >> [org.infinispan.interceptors.InvocationContextInterceptor] >> (default >> task-26) Invoked with command GetKeyValueCommand >> {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null} and >> InvocationContext >> [org.infinispan.context.SingleKeyNonTxInvocationContext at 29bd006b] >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Exists in context? null >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Retrieved from container >> ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, >> value=0} >> (ignoreOwnership=false, isLocal=true) >> 06:46:12,780 TRACE >> [org.infinispan.container.EntryFactoryImpl] (default >> task-26) Wrap d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c for read. >> Entry=ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, >> value=0} >> 06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor] >> (default task-26) Executing command: GetKeyValueCommand >> {key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null}. >> 06:46:12,780 TRACE >> [org.infinispan.util.concurrent.locks.impl.DefaultLockManager] >> (default >> task-26) Release locks for keys=[]. 
owner=null >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.UserCacheSession] (default >> task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c >> 06:46:12,780 TRACE >> [org.keycloak.models.cache.infinispan.UserCacheSession] (default >> task-26) return managedusers >> 06:46:12,781 TRACE [org.keycloak.events] (default task-26) >> type=INTROSPECT_TOKEN_ERROR, realmId=device, >> clientId=resource-server, >> userId=null, ipAddress=139.15.216.71, error=invalid_request, >> detail='Failed to introspect token.', >> client_auth_method=client-secret, >> requestUri=https://keycloak.apps.de1.bosch-iot-cloud.com/auth/realms/device/protocol/openid-connect/token/introspect >> , >> >> cookies=[] >> >> -- >> >> Best regards, >> >> *Stefan Wachter >> INST-ICM/BSV-BS* >> >> Tel. +49(711)811-58477 >> >> *Be**QIK >> * From h2-wada at nri.co.jp Tue Jul 17 02:29:29 2018 From: h2-wada at nri.co.jp (Hiroyuki Wada) Date: Tue, 17 Jul 2018 15:29:29 +0900 Subject: [keycloak-user] Keycloak as OIDC provider to AWS ALB, any hints! In-Reply-To: References: Message-ID: <5B4D8CC9.3070707@nri.co.jp> Hi Max, I tried integrating AWS ELB and Keycloak one month ago and I encountered the same problem. Because AWS ELB doesn't follow the OAuth2 spec correctly, it rejects the token endpoint response from Keycloak. The response from Keycloak contains "token_type" as follows: "token_type":"bearer" But AWS ELB expects as follows: "token_type":"Bearer" OAuth2 spec says the value is case insensitive as below. > https://tools.ietf.org/html/rfc6749#section-4.2.2 > > token_type > REQUIRED. The type of the token issued as described in > Section 7.1. Value is case insensitive. So, I think we need to wait until AWS fixes this issue...
If you want to try it now, you can do it by replacing the response in front of Keycloak using Apache HTTPD Server and so on. I tried the below setting for Apache HTTPD Server and it works!! I used the Substitute Directive to replace the value.

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyErrorOverride off
AddOutputFilterByType SUBSTITUTE application/json
Substitute s/"token_type":"bearer"/"token_type":"Bearer"/n

Best Regards, -- Hiroyuki Wada Nomura Research Institute, Ltd. h2-wada at nri.co.jp On 2018/07/14 1:30, Max Allan wrote: > Hi, > > The AWS ALB will allow you to authenticate to cognito or OIDC nowadays. > > I thought "Great, I can connect it up to my KeyCloak". > Sadly not. Well, I can connect it to KeyCloak and see sensible looking > headers and JWTs flowing back and forth.
> And then the ALB says "500 Internal Server Error" :-( > > I can see a request to keycloak (from the client) : > https://auth.care.surevine.com/auth/realms/care/protocol/openid-connect/auth?client_id=jira&redirect_uri=https%3A%2F%2Fdev.care.surevine.com%2Foauth2%2Fidpresponse&response_type=code&scope=email&state=8sp1j3N3baPa1r%2BEjDViEe5S2%2BOFqfbafOydLei7YpkSf99waAoS32Ndkj4QUf%2FQ29LfaaUJNIMifQ4N53Tg%2BGSwb2zbgvsHrCfcARJWICHRhpZ2zpvGZbzJd8T%2FV5QUhHWL7kTGpscgOgpaMAPquI6QPbYLxRE2ekpN73XhRTQ4LBFoSUCfHW60x70vTJ3SbPTwkTFbwyZ%2FBVo%3D > > > And it 302 redirects back to the ALB : > > https://dev.care.surevine.com/oauth2/idpresponse?state=8sp1j3N3baPa1r%2BEjDViEe5S2%2BOFqfbafOydLei7YpkSf99waAoS32Ndkj4QUf%2FQ29LfaaUJNIMifQ4N53Tg%2BGSwb2zbgvsHrCfcARJWICHRhpZ2zpvGZbzJd8T%2FV5QUhHWL7kTGpscgOgpaMAPquI6QPbYLxRE2ekpN73XhRTQ4LBFoSUCfHW60x70vTJ3SbPTwkTFbwyZ%2FBVo%3D&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..1WmnIXPxo_LeP7ERufRgtw.cFEmEJV_q94bhpBQLz0QEzSYitZtCgIGc5295VHbhwreJn9e4rxWolcRSPLz1VtliniI-MgSZ8wRoyNYYPiAUdXZ4z53__Z2CoRNMr0xNg96S0u5Xobo3EEzKy37x_9flU2ypWxfehQ-ZaXFoQhY6xL6y8QADlM-DmaR27bL5WUGYsTUQg5PY695PiygS7u3yQM1zUjHO2T3iROOuNr_5S-6LyaUo8GWD1XSMxp9ydlJTm-oC8Lmh2tCDvhRoJqj.amBQSuQIGlk7Ganopg4O2A > > > On the KeyCloak server I can see the POST requests from the browser coming > in and hitting the authenticate URL, KC hands back a 302 (the URL above) > Then the ALB does a POST to the token endpoint and gets a 200 response with > a nice chunk of access token. I can decode it and see my details quite > happily. I even validated the signature. (Using jwt.io 's debugger.) > Although the ALB doesn't ask for the certificate at any stage, so I don't > think it even bothers validating it. > > But it doesn't seem to like it. And gives me a 500 error. > > (I can authenticate with Google OIDC without any trouble...) 
> > > (NB Any secrets in any of those strings won't get you very far, there is no > content yet :-) ) From corentin.dupont at gmail.com Tue Jul 17 04:19:11 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 17 Jul 2018 10:19:11 +0200 Subject: [keycloak-user] Authorization resource SPI Message-ID: Hi, is it possible to implement a resource SPI? The idea would be to let an external database to manage Keycloak resources. I currently manage my resources in two databases: Keycloak for properties such as owner and visibility; and a regular Mongo for the rest of properties relative to my business (think location, sensor values etc.). However, having resources split over two databases becomes more and more awkward. I have to keep them always in sync, for example creating and deleting the resource in both locations. It becomes even more complicated when something fails on one database (such as 409 Conflict): I have to undo what was done on the other DB. So it would be best to avoid duplication of data and manage everything in the Mongo external database. Is it possible? Cheers From simon.faust at gmx.de Tue Jul 17 05:11:24 2018 From: simon.faust at gmx.de (Simon Faust) Date: Tue, 17 Jul 2018 11:11:24 +0200 Subject: [keycloak-user] AT as Query Param Message-ID: <6fab3b1a-ca7a-189f-a849-624a4260d1f8@gmx.de> Hi, I've a REST Server secured using bearer-only. Now I'm stuck with the file download use case (no token in http header). According to KEYCLOAK-2650 it's possible to pass Access Token as a Query Parameter (guess its name is "access_token", right?). On testing that every request I make gets redirected to /sso/login. Am I missing some configuration? It seems that the Keycloak adapter does not try at all to get a token from query param...
I'm using keycloak-spring-security-adapter 3.2.1 Thanks in advance, Simon From pa.galiana at gmail.com Tue Jul 17 06:03:34 2018 From: pa.galiana at gmail.com (Pierre-Arnaud Galiana) Date: Tue, 17 Jul 2018 12:03:34 +0200 Subject: [keycloak-user] update keycloak realm Message-ID: Following on an old thread ( http://lists.jboss.org/pipermail/keycloak-user/2016-May/006230.html), I want to mention a pragmatic startup strategy I'm currently implementing in a project: To upgrade an existing realm (containing users) with a new realm.json configuration (prepared in dev), we go through these steps:
- start a one-off "export instance", that exports realms and their users (one json per realm, and realm users in "chunked files")
- once export complete, we kill that "export instance"
- prepare files to be imported: realm.json from our dev build, and users json files that were just exported in the first step
- start the "real" keycloak with import flag, and mode OVERWRITE_EXISTING: realms are deleted and recreated, then users re-imported
Still a few things to improve, such as environment-specific values (e.g. redirect URLs), and of course that requires to shut down your instance. Also the whole thing is mostly our docker entrypoint, so a bit heavy-handed approach for docker... Call to the keycloak team: this seems to be working, but is there some kind of flaw that I didn't see yet? Hope this can help someone too. Pierre From psilva at redhat.com Tue Jul 17 08:02:09 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 17 Jul 2018 09:02:09 -0300 Subject: [keycloak-user] Authorization resource SPI In-Reply-To: References: Message-ID: +1. We have this issue already https://issues.jboss.org/browse/KEYCLOAK-4905. Bill Burke suggested this SPI some time ago. This is one of the drawbacks when doing UMA and managing resources via Protection API. I also think that this SPI would make things a lot easier in regards to resource mgmt.
Would be nice if you could start something and contribute with us :) Regards. Pedro Igor On Tue, Jul 17, 2018 at 5:19 AM, Corentin Dupont wrote: > Hi, > is it possible to implement a resource SPI? The idea would be to let an > external database to manage Keycloak resources. > > I currently manage my resources in two databases: Keycloak for properties > such as owner and visibility; and a regular Mongo for the rest of > properties relative to my business (think location, sensor values etc.). > > However, having resources split over two databases becomes more and more > awkward. > I have to keep them always in sync, for example creating and deleting the > resource in both locations. It becomes even more complicated when something > fails on one database (such as 409 Conflict): I have to undo what was done > on the other DB. > > So it would be best to avoid duplication of data and manage everything in > the Mongo external database. Is it possible? > > Cheers From caiyegui at gmail.com Tue Jul 17 08:03:28 2018 From: caiyegui at gmail.com (Yegui Cai) Date: Tue, 17 Jul 2018 08:03:28 -0400 Subject: [keycloak-user] Hot deploy in domain mode Message-ID: Hi. I know in standalone mode, hot deploy can be done by putting the jar file under standalone/deployments. How can I do hot deploy in domain mode? Thanks! Yegui From caiyegui at gmail.com Tue Jul 17 08:05:16 2018 From: caiyegui at gmail.com (Yegui Cai) Date: Tue, 17 Jul 2018 08:05:16 -0400 Subject: [keycloak-user] Read and Write Theme to a DB In-Reply-To: References: <1531224909.7582.9.camel@acutus.pro> <1531229175.7582.19.camel@acutus.pro> Message-ID: Dmitry, you are right. The interface can not intercept theme resources. On Tue, Jul 10, 2018 at 10:44 AM Yegui Cai wrote: > Sure, as long as I can create a simple sample.
> > On Tue, Jul 10, 2018 at 9:26 AM Dmitry Telegin
wrote: > >> On Tue, 2018-07-10 at 09:14 -0400, Yegui Cai wrote: >> > Hi Dmitry. >> > >> > Thanks a lot for your hints. By "wring a theme", I mean storing the >> > theme in DB. >> > >> > Another approach which may be helpful for my purpose is maybe >> > changing the theme based on the info stored in DB. It looks like I >> > need to implement ThemeResourceProvider and its factory. Am i >> > correct? >> >> AFAIK, ThemeResourceProvider is used to *add* resources on the fly, not >> sure if it can *override* existing resources. You are free to try it >> however, and tell us about the results :) >> >> Dmitry >> >> > >> > Best, >> > Yegui >> > >> > On Tue, Jul 10, 2018 at 8:15 AM Dmitry Telegin
wrote: >> > > Hi Yegui, >> > > >> > > Yes, this is possible, but you'll need to implement a couple of >> > > SPIs >> > > [1]: >> > > >> > > - Theme SPI from keycloak-server-spi-private. It's an internal SPI, >> > > so >> > > you won't find much docs on it, but everything is more or less >> > > clear >> > > from the code - see org.keycloak.theme.Theme* and default >> > > implementations; >> > > - Entity SPI [2]. Even if you opt for pure JDBC (not JPA) for >> > > storing >> > > your themes, you'll need to supply a Liquibase changelog, which is >> > > done >> > > this way. >> > > >> > > Regarding "Read and Write Theme to a DB", I think "write" is a bit >> > > confusing here, since Keycloak doesn't write themes. It will be you >> > > who'll have to write themes to DB, not Keycloak :) >> > > >> > > Cheers, >> > > Dmitry Telegin >> > > CTO, Acutus s.r.o. >> > > Keycloak Consulting and Training >> > > >> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic >> > > +42 (022) 888-30-71 >> > > E-mail: info at acutus.pro >> > > >> > > [1] https://www.keycloak.org/docs/latest/server_development/index.h >> > > tml# >> > > _providers >> > > [2] https://www.keycloak.org/docs/latest/server_development/index.h >> > > tml# >> > > _extensions_jpa >> > > >> > > On Fri, 2018-07-06 at 14:50 -0400, Yegui Cai wrote: >> > > > Hi. >> > > > >> > > > Would it be possible to store themes in a DB? 
>> > > > >> > > > Thanks, >> > > > Yegui From stefan.wachter at bosch-si.com Tue Jul 17 08:09:58 2018 From: stefan.wachter at bosch-si.com (stefan.wachter) Date: Tue, 17 Jul 2018 14:09:58 +0200 Subject: [keycloak-user] revocation of permission / policy for user managed resource does not influence activeness issued RPT for that resource Message-ID: <763b8db6-81c8-54ac-2cd6-c288e58d336c@bosch-si.com> Hi, I finally managed to set up a scenario where an RPT gives access to a "user managed" resource that was created by the protection api (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api) and that is protected by a permission / policy that was created using the policy api (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api). The policy checks the email by evaluating some JavaScript:

if ($evaluation.getContext().getIdentity().getAttributes().getValue('email').asString(0).startsWith('$email')) $evaluation.grant();

After the resource and its accompanying policy are created by api calls they appear on the "Keycloak Account Management" user interface in the "My Resources" section. Access with a suitable RPT is granted. However, when the permission / policy is revoked then the RPT that was issued based on that policy remains "active". The RPT can even be refreshed! What has to be done in order to revoke the RPT and/or its refresh token?
-- Best regards, *Stefan Wachter INST-ICM/BSV-BS* Tel. +49(711)811-58477 *Be**QIK * From corentin.dupont at gmail.com Tue Jul 17 08:38:28 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 17 Jul 2018 14:38:28 +0200 Subject: [keycloak-user] Authorization resource SPI In-Reply-To: References: Message-ID: On Tue, Jul 17, 2018 at 2:02 PM, Pedro Igor Silva wrote: > +1. We have this issue already https://issues.jboss.org/browse/KEYCLOAK-4905. Bill Burke suggested this SPI some time ago. > > This is one of the drawbacks when doing UMA and managing resources via > Protection API. I also think that this SPI would make things a lot easier > in regards to resource mgmt. > Would UMA still be possible with such a SPI? > > Would be nice if you could start something and contribute with us :) > I would be really glad :) however a bit full right now, let's see later... > > Regards. > Pedro Igor > > On Tue, Jul 17, 2018 at 5:19 AM, Corentin Dupont < > corentin.dupont at gmail.com> wrote: > >> Hi, >> is it possible to implement a resource SPI? The idea would be to let an >> external database to manage Keycloak resources. >> >> I currently manage my resources in two databases: Keycloak for properties >> such as owner and visibility; and a regular Mongo for the rest of >> properties relative to my business (think location, sensor values etc.). >> >> However, having resources split over two databases becomes more and more >> awkward. >> I have to keep them always in sync, for example creating and deleting the >> resource in both locations. It becomes even more complicated when something >> fails on one database (such as 409 Conflict): I have to undo what was done >> on the other DB. >> >> So it would be best to avoid duplication of data and manage everything in >> the Mongo external database. Is it possible?
>> >> Cheers From psilva at redhat.com Tue Jul 17 09:57:20 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 17 Jul 2018 10:57:20 -0300 Subject: [keycloak-user] Authorization resource SPI In-Reply-To: References: Message-ID: UMA only defines the Protection API / Resource Registration Endpoint. We could support that without impacting compliance ... On Tue, Jul 17, 2018 at 9:38 AM, Corentin Dupont wrote: > > > On Tue, Jul 17, 2018 at 2:02 PM, Pedro Igor Silva > wrote: > >> +1. We have this issue already https://issues.jboss.org/browse/KEYCLOAK-4905. Bill Burke suggested this SPI some time ago. >> >> This is one of the drawbacks when doing UMA and managing resources via >> Protection API. I also think that this SPI would make things a lot easier >> in regards to resource mgmt. >> > > Would UMA still be possible with such a SPI? > > >> >> Would be nice if you could start something and contribute with us :) >> > > I would be really glad :) however a bit full right now, let's see later... > > >> >> Regards. >> Pedro Igor >> >> On Tue, Jul 17, 2018 at 5:19 AM, Corentin Dupont < >> corentin.dupont at gmail.com> wrote: >> >>> Hi, >>> is it possible to implement a resource SPI? The idea would be to let an >>> external database to manage Keycloak resources. >>> >>> I currently manage my resources in two databases: Keycloak for properties >>> such as owner and visibility; and a regular Mongo for the rest of >>> properties relative to my business (think location, sensor values etc.). >>> >>> However, having resources split over two databases becomes more and more >>> awkward. >>> I have to keep them always in sync, for example creating and deleting the >>> resource in both locations.
It becomes even more complicated when >>> something >>> fails on one database (such as 409 Conflict): I have to undo what was >>> done >>> on the other DB. >>> >>> So it would be best to avoid duplication of data and manage everything in >>> the Mongo external database. Is it possible? >>> >>> Cheers From psilva at redhat.com Tue Jul 17 10:07:12 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 17 Jul 2018 11:07:12 -0300 Subject: [keycloak-user] revocation of permission / policy for user managed resource does not influence activeness issued RPT for that resource In-Reply-To: <763b8db6-81c8-54ac-2cd6-c288e58d336c@bosch-si.com> References: <763b8db6-81c8-54ac-2cd6-c288e58d336c@bosch-si.com> Message-ID: We don't have a token revocation endpoint yet. Same goes for regular access tokens. What you can do now is revoke user session / logout. I think someone is working on a PR to support a revocation endpoint ... On Tue, Jul 17, 2018 at 9:09 AM, stefan.wachter wrote: > Hi, > > I finally managed to set up a scenario where an RPT gives access to a > "user managed" resource that was created by the protection api > (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api) > and that is protected by a permission / policy that was created using > the policy api > (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api). > > The policy checks the email by evaluating some JavaScript: > > $evaluation.getContext().getIdentity().getAttributes().
> getValue('email').asString(0).startsWith('$email')) $evaluation.grant() > > After the resource and its accompanying policy is created by api calls > they appears on the "Keycloak Account Management" user interface in the > "My Resources" section. Access with a suitable RPT is granted. However, > when the permission / policy is revoked then the RPT that was issued > based on that policy remains "active". The RPT can even be refreshed! > > What has to be done in order to revoke the RPT and/or its refresh token? > > -- > > Best regards, > > *Stefan Wachter > INST-ICM/BSV-BS* > > Tel. +49(711)811-58477 > > *Be**QIK > * > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From nicolas.gillet at market-ip.com Tue Jul 17 10:08:56 2018 From: nicolas.gillet at market-ip.com (Nicolas Gillet) Date: Tue, 17 Jul 2018 14:08:56 +0000 Subject: [keycloak-user] ABAC policy, attributes not avialable Message-ID: Hello I am trying to write a javascript Attribute Based Access Control (ABAC) policy. I want to control the access to group resource using the authenticated user's attributes and the attributes configured on the group. So I configured the policy via Groups > myGroup > permissions > view-members and select my javascript policy. Problem: in the script, neither my identity nor my group attributes are available. 
Here is my script:

// evaluation context and the permission being evaluated
var context = $evaluation.getContext();
var resourcePermission = $evaluation.getPermission();
// identity of the authenticated user and its attributes
var identity = context.getIdentity();
var idAttributes = identity.getAttributes();
// attributes of the evaluation context itself
var ctxAttributes = context.getAttributes();
// the protected resource (here: the group)
var resource = resourcePermission.getResource();

print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP'));
print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP'));
// method reference, not a call: prints "undefined" if the method does not exist
print('resource.getAttributes: ' + resource.getAttributes);
$evaluation.grant();

When I use the API end point as follows: http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/ It triggers the script and prints the following in the wildfly console:

15:36:13,000 INFO [stdout] (default task-3) idAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) ctxAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) resource.getAttributes: undefined

So my custom attribute is null. And worse, the resource does not even seem to have a getAttributes() method at all ?! I triple checked, my user has the custom attribute "CUSTOM_PROP" defined with value "test" and my group has attributes as well. The documentation says the resource I retrieve that way should be an instance of org.keycloak.authorization.model.Resource which, according to the javadoc, must define a getAttributes() method. However it's ... undefined ?! The keycloak version I use is 4.0.0. Can anyone help me find what's wrong with my script ?
Many thanks, Nicolas GILLET

From hasebullah.ansari at syntlogo.de Tue Jul 17 10:15:34 2018 From: hasebullah.ansari at syntlogo.de (Ansari, Hasebullah) Date: Tue, 17 Jul 2018 14:15:34 +0000 Subject: [keycloak-user] Fine grain permission for a realm admin user that can also create client and create a User in his Realm Message-ID: Hello all, I have a use case scenario that involves fine-grained permission settings for an admin of a particular realm who should create a client and create a user, with restrictions like: he must not play with the client "realm-management" and he must not map realm-admin to himself. The problem is I can restrict the realm admin to manage one client or restrict him to map only said roles, but then he cannot create a client or create a user himself because he requires a more coarse role like "manage-users" or "manage-clients". And once I give the realm admin these two roles then he can do everything in the realm, and this is the problem. So in short, 1. I want to have a realm-admin that can create users and clients in his dedicated realm 2. Also I want to make sure that he doesn't have access to play around with the realm-management client and that he doesn't have access to map roles to himself or other users with something like "manage-user, manage-realm, manage, manage-clients" Cheers, __________________________________________________________________________________________________________________________ Visit LOGIN MASTER - the user management solution for the web. __________________________________________________________________________________________________________________________ Hasebullah A Ansari Master of Engineering in IT, Heidelberg IT Specialist / Java Developer Syntlogo GmbH Mercedesstraße 1 D-71063 Sindelfingen Email: hasebullah.ansari at syntlogo.de Website: www.syntlogo.de
This message is confidential. If you are not the intended recipient, we kindly ask you to inform the sender and delete the information. Any unauthorised dissemination or copying hereof is prohibited. As we cannot guarantee the genuineness or completeness of the information contained in this message, the statements set forth above are not legally binding. Accordingly, we cannot accept liability therefor. Stuttgart HRB 245317, Managing Director Dr. G. Baruzzi, VAT ID: DE 219566705 __________________________________________________________________________________________________________________________

From psilva at redhat.com Tue Jul 17 11:06:08 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 17 Jul 2018 12:06:08 -0300 Subject: [keycloak-user] ABAC policy, attributes not available In-Reply-To: References: Message-ID: You should be able to obtain any attribute defined for the user. But regarding group attributes from the resource instance, it won't work because this functionality is not exposing the group's attributes via the resource instance. There are other things we need to improve in this functionality of fine-grained permissions for the admin console. There are a few things missing or too complicated to be done ... On Tue, Jul 17, 2018 at 11:08 AM, Nicolas Gillet < nicolas.gillet at market-ip.com> wrote: > Hello > > I am trying to write a javascript Attribute Based Access Control (ABAC) > policy.
> I want to control the access to a group resource using the authenticated > user's attributes and the attributes configured on the group. > So I configured the policy via Groups > myGroup > permissions > > view-members and selected my javascript policy. > > Problem: in the script, neither my identity nor my group attributes are > available. > Here is my script: > > var context = $evaluation.getContext(); > var resourcePermission = $evaluation.getPermission(); > var identity = context.getIdentity(); > var idAttributes = identity.getAttributes(); > var ctxAttributes = context.getAttributes(); > var resource = resourcePermission.getResource(); > > print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP')); > print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP')); > print('resource.getAttributes: ' + resource.getAttributes); > $evaluation.grant(); > > When I use the API end point as follows: > http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/ > It triggers the script and prints the following in the wildfly console: > > 15:36:13,000 INFO [stdout] (default task-3) > idAttributes.CUSTOM_PROP: null > 15:36:13,011 INFO [stdout] (default task-3) > ctxAttributes.CUSTOM_PROP: null > 15:36:13,011 INFO [stdout] (default task-3) > resource.getAttributes: undefined > > So my custom attribute is null. And worse, the resource does not even > seem to have a getAttributes() method at all ?! > I triple checked, my user has the custom attribute "CUSTOM_PROP" defined > with value "test" and my group has attributes as well. > > The documentation says the resource I retrieve that way should be an > instance of org.keycloak.authorization.model.Resource > which, according to the javadoc, must define a getAttributes() method. > However it's ... undefined ?! > > The keycloak version I use is 4.0.0. > > Can anyone help me find what's wrong with my script ?
> > Many thanks, > > > Nicolas GILLET > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

From psilva at redhat.com Tue Jul 17 11:27:54 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 17 Jul 2018 12:27:54 -0300 Subject: [keycloak-user] revocation of permission / policy for user managed resource does not influence activeness of issued RPT for that resource In-Reply-To: References: <763b8db6-81c8-54ac-2cd6-c288e58d336c@bosch-si.com> Message-ID: I'm also wondering if we should re-evaluate permissions when refreshing tokens. Right now, we just copy permissions to the new token ... On Tue, Jul 17, 2018 at 11:07 AM, Pedro Igor Silva wrote: > We don't have a token revocation endpoint yet. Same goes for regular > access tokens. > > What you can do now is revoke the user session / logout. I think someone is > working on a PR to support a revocation endpoint ... > > > On Tue, Jul 17, 2018 at 9:09 AM, stefan.wachter < > stefan.wachter at bosch-si.com> wrote: > >> Hi, >> >> I finally managed to set up a scenario where an RPT gives access to a >> "user managed" resource that was created by the protection api >> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api) >> and that is protected by a permission / policy that was created using >> the policy api >> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api). >> >> The policy checks the email by evaluating some JavaScript: >> >> if ($evaluation.getContext().getIdentity().getAttributes().getValue('email').asString(0).startsWith('$email')) $evaluation.grant(); >> >> After the resource and its accompanying policy are created by api calls >> they appear on the "Keycloak Account Management" user interface in the >> "My Resources" section. Access with a suitable RPT is granted.
However, >> when the permission / policy is revoked then the RPT that was issued >> based on that policy remains "active". The RPT can even be refreshed! >> >> What has to be done in order to revoke the RPT and/or its refresh token? >> >> -- >> >> Best regards, >> >> Stefan Wachter >> INST-ICM/BSV-BS >> >> Tel. +49(711)811-58477 >> >> BeQIK >> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >

From nicolas.gillet at market-ip.com Tue Jul 17 11:32:00 2018 From: nicolas.gillet at market-ip.com (Nicolas Gillet) Date: Tue, 17 Jul 2018 15:32:00 +0000 Subject: [keycloak-user] ABAC policy, attributes not available In-Reply-To: References: Message-ID: Hello Pedro, Thank you for your quick reply, For the user's attributes, I have access to "general" attributes like email, but not the "custom" one. (My users are loaded from a home-made SPI, if that's relevant) Any hint how I can debug why my other user's attributes are not there? For the group, can you think of a workaround so that I can base my access decision on the group? Are the limitations for javascript only? Maybe writing a drool rule would do? Many thanks, Nicolas. From: Pedro Igor Silva Sent: Tuesday, 17 July 2018 17:06 To: Nicolas Gillet Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] ABAC policy, attributes not available You should be able to obtain any attribute defined for the user. But regarding group attributes from the resource instance, it won't work because this functionality is not exposing the group's attributes via the resource instance. There are other things we need to improve in this functionality of fine-grained permissions for the admin console. There are a few things missing or too complicated to be done ...
On Tue, Jul 17, 2018 at 11:08 AM, Nicolas Gillet > wrote: Hello I am trying to write a javascript Attribute Based Access Control (ABAC) policy. I want to control the access to a group resource using the authenticated user's attributes and the attributes configured on the group. So I configured the policy via Groups > myGroup > permissions > view-members and selected my javascript policy. Problem: in the script, neither my identity nor my group attributes are available. Here is my script: var context = $evaluation.getContext(); var resourcePermission = $evaluation.getPermission(); var identity = context.getIdentity(); var idAttributes = identity.getAttributes(); var ctxAttributes = context.getAttributes(); var resource = resourcePermission.getResource(); print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP')); print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP')); print('resource.getAttributes: ' + resource.getAttributes); $evaluation.grant(); When I use the API end point as follows: http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/ It triggers the script and prints the following in the wildfly console: 15:36:13,000 INFO [stdout] (default task-3) idAttributes.CUSTOM_PROP: null 15:36:13,011 INFO [stdout] (default task-3) ctxAttributes.CUSTOM_PROP: null 15:36:13,011 INFO [stdout] (default task-3) resource.getAttributes: undefined So my custom attribute is null. And worse, the resource does not even seem to have a getAttributes() method at all ?! I triple checked, my user has the custom attribute "CUSTOM_PROP" defined with value "test" and my group has attributes as well. The documentation says the resource I retrieve that way should be an instance of org.keycloak.authorization.model.Resource which, according to the javadoc, must define a getAttributes() method. However it's ... undefined ?! The keycloak version I use is 4.0.0.
Can anyone help me find what's wrong with my script ? Many thanks, Nicolas GILLET _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Jul 17 11:39:29 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 17 Jul 2018 12:39:29 -0300 Subject: [keycloak-user] ABAC policy, attributes not available In-Reply-To: References: Message-ID: On Tue, Jul 17, 2018 at 12:32 PM, Nicolas Gillet < nicolas.gillet at market-ip.com> wrote: > Hello Pedro, > > > > Thank you for your quick reply, > > > > For the user's attributes, I have access to "general" attributes like > email, but not the "custom" one. (My users are loaded from a home-made > SPI, if that's relevant) > > Any hint how I can debug why my other user's attributes are not there > ? > Hard to say, but I can tell you how it works. When evaluating permissions, the "identity" is basically a wrapper to the "user model". So, when you call "identity.getAttributes" you are basically accessing the attributes defined for the user. Maybe your implementation of the SPI is not setting the attributes correctly ? > > > For the group, can you think of a workaround so that I can base my access > decision on the group ? > > > > Are the limitations for javascript only ? Maybe writing a drool rule would > do ? > For this one we need to change how we pass the "resource" instance to policies. One solution would be to pass a wrapper to the group (just like we do for identity/usermodel) so you can have access to the attributes. > > > Many thanks, > > > > Nicolas. > > > > *From:* Pedro Igor Silva > *Sent:* Tuesday, 17 July 2018 17:06 > *To:* Nicolas Gillet > *Cc:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] ABAC policy, attributes not available > > > > You should be able to obtain any attribute defined for the user.
> > > > But regarding group attributes from the resource instance, it won't work > because this functionality is not exposing the group's attributes via the > resource instance. > > > > There are other things we need to improve in this functionality of > fine-grained permissions for the admin console. There are a few things missing > or too complicated to be done ... > > > > On Tue, Jul 17, 2018 at 11:08 AM, Nicolas Gillet < > nicolas.gillet at market-ip.com> wrote: > > Hello > > I am trying to write a javascript Attribute Based Access Control (ABAC) > policy. > I want to control the access to a group resource using the authenticated > user's attributes and the attributes configured on the group. > So I configured the policy via Groups > myGroup > permissions > > view-members and selected my javascript policy. > > Problem: in the script, neither my identity nor my group attributes are > available. > Here is my script: > > var context = $evaluation.getContext(); > var resourcePermission = $evaluation.getPermission(); > var identity = context.getIdentity(); > var idAttributes = identity.getAttributes(); > var ctxAttributes = context.getAttributes(); > var resource = resourcePermission.getResource(); > > print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP')); > print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP')); > print('resource.getAttributes: ' + resource.getAttributes); > > > $evaluation.grant(); > > When I use the API end point as follows: > http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/ > It triggers the script and prints the following in the wildfly console: > > 15:36:13,000 INFO [stdout] (default task-3) > idAttributes.CUSTOM_PROP: null > 15:36:13,011 INFO [stdout] (default task-3) > ctxAttributes.CUSTOM_PROP: null > 15:36:13,011 INFO [stdout] (default task-3) > resource.getAttributes: undefined > > So my custom attribute is null.
And worse, the resource does not even > seem to have a getAttributes() method at all ?! > I triple checked, my user has the custom attribute "CUSTOM_PROP" defined > with value "test" and my group has attributes as well. > > The documentation says the resource I retrieve that way should be an > instance of org.keycloak.authorization.model.Resource > which, according to the javadoc, must define a getAttributes() method. > However it's ... undefined ?! > > The keycloak version I use is 4.0.0. > > Can anyone help me find what's wrong with my script ? > > Many thanks, > > > Nicolas GILLET > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > >

From vandana0242 at gmail.com Tue Jul 17 14:19:27 2018 From: vandana0242 at gmail.com (vandana thota) Date: Tue, 17 Jul 2018 13:19:27 -0500 Subject: [keycloak-user] WARN [org.keycloak.events] (default task-49) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=Demo-Realm, clientId=null, userId=null, ipAddress=10.4.7.2, error=invalid_code, identity_provider=saml-sample-app Message-ID: Hello Does anyone know how to resolve the error below: WARN [org.keycloak.events] (default task-49) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=Demo-Realm, clientId=null, userId=null, ipAddress=10.4.7.2, error=invalid_code, identity_provider=saml-sample-app Thanks.

From rakesh.alladi at salesfusion.com Tue Jul 17 15:18:01 2018 From: rakesh.alladi at salesfusion.com (Rakesh Alladi) Date: Tue, 17 Jul 2018 15:18:01 -0400 Subject: [keycloak-user] Best Practices in Production environment Message-ID: Hi All, In terms of securing the REST API, can someone please shed some light on what OIDC/OAuth flow considerations one should consider that are on par with best practices to be implemented in a production environment: 1. How should a REST service be secured and configured in Keycloak?
Should we use Access Type "bearer-only" or "confidential"? 2. How should an internal REST client be configured? Should we use "Offline Access" or "Client Credentials"? 3. How should an external REST client be configured? Should we use "Client Credentials"? Any help on the above is much appreciated. Thanks Rakesh -- IMPORTANT: The information contained in this message is intended only for the confidential use of the designated recipient. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately and delete this message and any attachments from your computer. Thank you.

From stefan.wachter at gmx.de Tue Jul 17 15:47:35 2018 From: stefan.wachter at gmx.de (Stefan Wachter) Date: Tue, 17 Jul 2018 21:47:35 +0200 Subject: [keycloak-user] revocation of permission / policy for user managed resource does not influence activeness of issued RPT for that resource In-Reply-To: References: <763b8db6-81c8-54ac-2cd6-c288e58d336c@bosch-si.com> Message-ID: I think that re-evaluation of permissions on refresh would be an important improvement. If I had a choice between a revocation endpoint and a re-evaluation-on-refresh behaviour I would clearly prefer the re-evaluation-on-refresh behaviour. On 17.07.2018 17:27, Pedro Igor Silva wrote: > I'm also wondering if we should re-evaluate permissions when refreshing > tokens. Right now, we just copy permissions to the new token ... > > On Tue, Jul 17, 2018 at 11:07 AM, Pedro Igor Silva > wrote: > >> We don't have a token revocation endpoint yet. Same goes for regular >> access tokens. >> >> What you can do now is revoke the user session / logout. I think someone is >> working on a PR to support a revocation endpoint ...
>> >> >> On Tue, Jul 17, 2018 at 9:09 AM, stefan.wachter < >> stefan.wachter at bosch-si.com> wrote: >> >>> Hi, >>> >>> I finally managed to set up a scenario where an RPT gives access to a >>> "user managed" resource that was created by the protection api >>> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_protection_resources_api) >>> and that is protected by a permission / policy that was created using >>> the policy api >>> (https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_authorization_uma_policy_api). >>> >>> The policy checks the email by evaluating some JavaScript: >>> >>> if ($evaluation.getContext().getIdentity().getAttributes().getValue('email').asString(0).startsWith('$email')) $evaluation.grant(); >>> >>> After the resource and its accompanying policy are created by api calls >>> they appear on the "Keycloak Account Management" user interface in the >>> "My Resources" section. Access with a suitable RPT is granted. However, >>> when the permission / policy is revoked then the RPT that was issued >>> based on that policy remains "active". The RPT can even be refreshed! >>> >>> What has to be done in order to revoke the RPT and/or its refresh token? >>> >>> -- >>> >>> Best regards, >>> >>> Stefan Wachter >>> INST-ICM/BSV-BS >>> >>> Tel. +49(711)811-58477 >>> >>> BeQIK >>> >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From simon.faust at gmx.de Tue Jul 17 15:58:59 2018 From: simon.faust at gmx.de (Simon Faust) Date: Tue, 17 Jul 2018 21:58:59 +0200 Subject: [keycloak-user] AT as Query Param In-Reply-To: <6fab3b1a-ca7a-189f-a849-624a4260d1f8@gmx.de> References: <6fab3b1a-ca7a-189f-a849-624a4260d1f8@gmx.de> Message-ID: <20275f53-dd50-f38e-e568-abc4c565a112@gmx.de> It seems to be fixed in version 4.2.0. For those working on older versions: Instantiate KeycloakAuthenticationProcessingFilter with an additional RequestMatcher that matches requests having an access_token query parameter. Adapt KeycloakAuthenticationProcessingFilter.successfulAuthentication() to handle query-param-token requests like bearer-token and basic-auth requests. Cheers Simon On 17.07.2018 at 11:11, Simon Faust wrote: > Hi, > > I have a REST server secured using bearer-only. Now I'm stuck with the > file download use case (no token in the http header). > > According to KEYCLOAK-2650 > it's possible to pass > the Access Token as a Query Parameter (guess its name is "access_token", > right?). When testing that, every request I make gets redirected to > /sso/login. > > Am I missing some configuration? It seems that the Keycloak adapter does > not try at all to get a token from the query param... I'm using > keycloak-spring-security-adapter 3.2.1 > > Thanks in advance, Simon > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

From aechols at bfcsaz.com Tue Jul 17 16:28:02 2018 From: aechols at bfcsaz.com (Aaron Echols) Date: Tue, 17 Jul 2018 13:28:02 -0700 Subject: [keycloak-user] Sync Issues Message-ID: Hello All, I've successfully set up a cluster with 2 nodes. Everything is working great, except for one issue I can't figure out. I'm starting to pull my hair out and wanted to see if anyone else has seen the issue and how to correct it. I've set up a user federation using Active Directory (Server 2016) using Keycloak 3.4.3. They are load balanced behind Netscaler 12.0.x. Infinispan seems to be working correctly. It's backed by a MariaDB 10.1.x, 3 node cluster. Things I've noted: - I can create a local user and it syncs instantly between the KC 3.4.3 nodes - Password syncs work, all changes to attributes sync, etc - I change settings for the user federation I created and they DON'T sync, so creating a mapper, changing a sync setting, etc, they have to be changed by hand manually on each node. - Same with Role and realm-management. I can apply a permission to a group or user and it doesn't sync. - If I restart the wildfly server, the changes propagate to the opposite node every time. I deleted a custom role in the realm-management client, and it deleted it from the database. On the secondary node, I saw the file was still listed, even with hard refreshes of the browser.
I'm using > keycloak-spring-security-adapter 3.2.1 > > Thanks in advance, Simon > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From aechols at bfcsaz.com Tue Jul 17 16:28:02 2018 From: aechols at bfcsaz.com (Aaron Echols) Date: Tue, 17 Jul 2018 13:28:02 -0700 Subject: [keycloak-user] Sync Issues Message-ID: Hello All, I've successfully setup a cluster with 2 nodes. Everything is working great, except for one issue I can't figure out. I'm starting to pull my hair out and wanted to see if anyone else has seen the issue and how to correct it. I've setup a user federation using Active Directory (Server 2016) using Keycloak 3.4.3. They are load balanced behind Netscaler 12.0.x. Infinispan seems to be working correctly. It's backed by a MariaDB 10.1.x, 3 node cluster. Things I've noted: - I can create a local user and it syncs instantly between the KC 3.4.3 nodes - Password syncs work, all changes to attributes sync, etc - I change settings for the user federation I created and they DON'T sync, so creating a mapper, changing a sync setting, etc, they have to be changed by hand manually on each node. - Same with Role and realm-management. I can apply a permission to a group or user and it doesn't sync. - If I restart the wildfly server, the changes to propagate to the opposite node everytime. I deleted a custom role in the realm-management client, and it deleted it from the database. On the secondary node, I saw the file was still listed, even with hard refreshes of the browser. 
I clicked to delete the custom role and got the following in the server.log: ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-26) Uncaught server error: java.lang.IllegalStateException: Not found in database at org.keycloak.models.cache.infinispan.RoleAdapter.isUpdated(RoleAdapter.java:66) at org.keycloak.models.cache.infinispan.RoleAdapter.getId(RoleAdapter.java:105) at org.keycloak.models.cache.infinispan.RealmCacheSession.removeRole(RealmCacheSession.java:736) at org.keycloak.models.cache.infinispan.ClientAdapter.removeRole(ClientAdapter.java:587) at org.keycloak.services.resources.admin.RoleResource.deleteRole(RoleResource.java:53) at org.keycloak.services.resources.admin.RoleByIdResource.deleteRole(RoleByIdResource.java:115) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) at 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at 
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at 
org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) I'm not sure if there is an issue with Infinispan or a sql connection issue. I've included my SQL connection string as well: jdbc:mariadb://10.5.30.202:3306/keycloak?useUnicode=yes;characterEncoding=UTF-8;sessionVariables=wait_timeout=180;autoReconnect=true mariadb 20 keycloak_user select 1 true true 10000 org.mariadb.jdbc.Driver org.h2.jdbcx.JdbcDataSource I'm using the mariadb-java-client-2.2.3 driver. Any assistance would be appreciated. I'll grab whatever information is needed. Thank you in advance.
:) -- *Aaron Echols* From vandana0242 at gmail.com Tue Jul 17 17:48:05 2018 From: vandana0242 at gmail.com (vandana thota) Date: Tue, 17 Jul 2018 16:48:05 -0500 Subject: [keycloak-user] keycloak and application configuration | how to resolve this error Message-ID: 16:36:59,379 ERROR [io.undertow.request] (default task-1) UT005023: Exception handling request to /sample/: java.lang.NullPointerException at java.lang.String.contains(String.java:2133) at org.keycloak.adapters.saml.elytron.KeycloakHttpServerAuthenticationMechanism.evaluateRequest(KeycloakHttpServerAuthenticationMechanism.java:82) at org.wildfly.security.http.util.SetMechanismInformationMechanismFactory$1.evaluateRequest(SetMechanismInformationMechanismFactory.java:114) at org.wildfly.security.http.util.SecurityIdentityServerMechanismFactory$1.evaluateRequest(SecurityIdentityServerMechanismFactory.java:77) at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.authenticate(HttpAuthenticator.java:115) at org.wildfly.security.http.HttpAuthenticator$AuthenticationExchange.access$100(HttpAuthenticator.java:94) at org.wildfly.security.http.HttpAuthenticator.authenticate(HttpAuthenticator.java:78) at org.wildfly.elytron.web.undertow.server.SecurityContextImpl.authenticate(SecurityContextImpl.java:100) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at 
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) From dt at acutus.pro Tue Jul 17 18:58:04 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Wed, 18 Jul 2018 01:58:04 +0300 Subject: [keycloak-user] Sync Issues In-Reply-To: References: Message-ID: <1531868284.4438.3.camel@acutus.pro> Hi Aaron, This all sounds very weird. Off the top of my head: - try latest Keycloak (4.1.0), is the issue reproducible? - Infinispan exposes quite a lot of stuff via JMX. Run JMC or JConsole, connect to the Keycloak process, go to MBeans -> org.wildfly.clustering.infinispan -> Cache -> "keycloak" -> Cache. How many caches are there? (should be 15 as of KC 4.1.0) Are they all running? Are there any abnormalities? Entries under CacheManager might be useful, too. Cheers, Dmitry Telegin CTO, Acutus s.r.o. 
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-07-17 at 13:28 -0700, Aaron Echols wrote: > Hello All, > > I've successfully set up a cluster with 2 nodes. Everything is working > great, except for one issue I can't figure out. I'm starting to pull my > hair out and wanted to see if anyone else has seen the issue and how to > correct it. > > I've set up a user federation using Active Directory (Server 2016) using > Keycloak 3.4.3. They are load balanced behind Netscaler 12.0.x. Infinispan > seems to be working correctly. It's backed by a MariaDB 10.1.x, 3 node > cluster. Things I've noted: > > - I can create a local user and it syncs instantly between the KC 3.4.3 > nodes > - Password syncs work, all changes to attributes sync, etc > - I change settings for the user federation I created and they DON'T > sync, so creating a mapper, changing a sync setting, etc, they have to be > changed by hand manually on each node. > - Same with Role and realm-management. I can apply a permission to a > group or user and it doesn't sync. > - If I restart the wildfly server, the changes do propagate to the > opposite node every time. > > > > I deleted a custom role in the realm-management client, and it deleted it > from the database. On the secondary node, I saw the file was still listed, > even with hard refreshes of the browser. 
I clicked to delete the custom > role and got the following in the server.log: > > > > ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-26) > Uncaught server error: java.lang.IllegalStateException: Not found in > database > at > org.keycloak.models.cache.infinispan.RoleAdapter.isUpdated(RoleAdapter.java:66) > at > org.keycloak.models.cache.infinispan.RoleAdapter.getId(RoleAdapter.java:105) > at > org.keycloak.models.cache.infinispan.RealmCacheSession.removeRole(RealmCacheSession.java:736) > at > org.keycloak.models.cache.infinispan.ClientAdapter.removeRole(ClientAdapter.java:587) > at > org.keycloak.services.resources.admin.RoleResource.deleteRole(RoleResource.java:53) > at > org.keycloak.services.resources.admin.RoleByIdResource.deleteRole(RoleByIdResource.java:115) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > at > 
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) > at > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > at > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > at > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > at > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > at > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > at > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > at > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > at > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > at > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > at > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > at > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > 
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > at > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > at > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > at > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > at > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > at > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > at > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > at > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > at > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > at > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > at > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > at > 
org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > at > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > at > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > at > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > at > io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) > at > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > at java.lang.Thread.run(Thread.java:748) > > > > I'm not sure if there is an issue with Infinispan or a sql connection > issue. 
I've included my SQL connection string as well: > > > > pool-name="KeycloakDS" enabled="true" use-java-context="true"> > jdbc:mariadb:// > 10.5.30.202:3306/keycloak?useUnicode=yes;characterEncoding=UTF-8;sessionVariables=wait_timeout=180;autoRe > connect=true > mariadb > > 20 > > > keycloak_user > > > > select > 1 > true > true > > 10000 > > > > > > > org.mariadb.jdbc.Driver > > > > org.h2.jdbcx.JdbcDataSource > > > > > > > I'm using the mariadb-java-client-2.2.3 driver. > > > > > > > > > > > > > > > > > > Any assistance would be appreciated. I'll grab whatever information is > needed. Thank you in advance. :) > -- > *Aaron Echols* > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From aechols at bfcsaz.com Tue Jul 17 19:01:52 2018 From: aechols at bfcsaz.com (Aaron Echols) Date: Tue, 17 Jul 2018 16:01:52 -0700 Subject: [keycloak-user] Sync Issues In-Reply-To: <1531868284.4438.3.camel@acutus.pro> References: <1531868284.4438.3.camel@acutus.pro> Message-ID: Hi Dmitry, Thanks for the reply! I just finished upgrading to 4.1.0 and the issue persists... Let me try running the console and take a look there and see what it shows. I'll post back shortly. Thanks for the help! -- *Aaron Echols* On Tue, Jul 17, 2018 at 3:58 PM Dmitry Telegin
wrote: > Hi Aaron, > > This all sounds very weird. Off the top of my head: > - try latest Keycloak (4.1.0), is the issue reproducible? > - Infinispan exposes quite a lot of stuff via JMX. Run JMC or JConsole, > connect to the Keycloak process, go to MBeans -> > org.wildfly.clustering.infinispan -> Cache -> "keycloak" -> Cache. How > many caches are there? (should be 15 as of KC 4.1.0) Are they all > running? Are there any abnormalities? Entries under CacheManager might > be useful, too. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Tue, 2018-07-17 at 13:28 -0700, Aaron Echols wrote: > > Hello All, > > > > I've successfully set up a cluster with 2 nodes. Everything is working > > great, except for one issue I can't figure out. I'm starting to pull my > > hair out and wanted to see if anyone else has seen the issue and how to > > correct it. > > > > I've set up a user federation using Active Directory (Server 2016) using > > Keycloak 3.4.3. They are load balanced behind Netscaler 12.0.x. > Infinispan > > seems to be working correctly. It's backed by a MariaDB 10.1.x, 3 node > > cluster. Things I've noted: > > > > - I can create a local user and it syncs instantly between the KC > 3.4.3 > > nodes > > - Password syncs work, all changes to attributes sync, etc > > - I change settings for the user federation I created and they DON'T > > sync, so creating a mapper, changing a sync setting, etc, they have > to be > > changed by hand manually on each node. > > - Same with Role and realm-management. I can apply a permission to a > > group or user and it doesn't sync. > > - If I restart the wildfly server, the changes do propagate to the > > opposite node every time. > > > > > > > > I deleted a custom role in the realm-management client, and it deleted it > > from the database. 
On the secondary node, I saw the file was still > listed, > > even with hard refreshes of the browser. I clicked to delete the custom > > role and got the following in the server.log: > > > > > > > > ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default > task-26) > > Uncaught server error: java.lang.IllegalStateException: Not found in > > database > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.isUpdated(RoleAdapter.java:66) > > at > > > org.keycloak.models.cache.infinispan.RoleAdapter.getId(RoleAdapter.java:105) > > at > > > org.keycloak.models.cache.infinispan.RealmCacheSession.removeRole(RealmCacheSession.java:736) > > at > > > org.keycloak.models.cache.infinispan.ClientAdapter.removeRole(ClientAdapter.java:587) > > at > > > org.keycloak.services.resources.admin.RoleResource.deleteRole(RoleResource.java:53) > > at > > > org.keycloak.services.resources.admin.RoleByIdResource.deleteRole(RoleByIdResource.java:115) > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > > at > > > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > > at > > > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > > at java.lang.reflect.Method.invoke(Method.java:498) > > at > > > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) > > at > > > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) > > at > > > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) > > at 
> > > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) > > at > > > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) > > at > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) > > at > > > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) > > at > > > org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) > > at > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) > > at > > > org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) > > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) > > at > > > io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) > > at > > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) > > at > > > org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) > > at > > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) > > at > > > io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) > > at > > > io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) > > at > > > io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) > > at > > > io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) > > at > > > org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > 
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) > > at > > > io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) > > at > > > io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) > > at > > > io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) > > at > > > io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) > > at > > > io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) > > at > > > io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) > > at > > > io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) > > at > > > 
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) > > at > > > io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) > > at > > > io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) > > at > > > org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) > > at > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > at > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > at > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > at > > > org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) > > at > > > io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) > > at > > io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) > > at > > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) > > at > > > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) > > at > > > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) > > at java.lang.Thread.run(Thread.java:748) > > > > > > > > 
I'm not sure if there is an issue with Infinispan or a sql connection > > issue. I've included my SQL connection string as well: > > > > > > > > > pool-name="KeycloakDS" enabled="true" use-java-context="true"> > > jdbc:mariadb:// > > > 10.5.30.202:3306/keycloak?useUnicode=yes;characterEncoding=UTF-8;sessionVariables=wait_timeout=180;autoRe > > connect=true > > mariadb > > > > 20 > > > > > > keycloak_user > > > > > > > > select > > 1 > > true > > > true > > > > 10000 > > > > > > > > > > > > > > org.mariadb.jdbc.Driver > > > > > > > > org.h2.jdbcx.JdbcDataSource > > > > > > > > > > > > > > I'm using the mariadb-java-client-2.2.3 driver. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Any assistance would be appreciated. I'll grab whatever information is > > needed. Thank you in advance. :) > > -- > > *Aaron Echols* > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From victor.bail at gmail.com Tue Jul 17 21:00:22 2018 From: victor.bail at gmail.com (Victor Bail) Date: Wed, 18 Jul 2018 10:30:22 +0930 Subject: [keycloak-user] SAML client brokering to a SAML provider Message-ID: Hi all, I'm trying to configure a client with SAML that authenticates in a keycloak provider going through a keycloak broker (keycloak provider and keycloak broker are in the same server in different realms). Client is a wildfly 11 using the keycloak-SAML adapter. Broker and provider are using keycloak 4.1.0. I have achieved an OIDC client connecting through the broker to the SAML provider, but I'm not able to do it with a SAML client. 
In the client, I have this configuration in the wildfly standalone.xml: The Identity Provider in the broker realm has this configuration:
-SSO service URL: http://localhost:8180/auth/realms/Athens/protocol/saml
And the SAML client has this configuration:
-Client ID: http://localhost:8280/auth/realms/Broker
-Client Protocol: SAML
-Master SAML processing URL: http://localhost:8080/TestClientKeyCloakSAML/saml
If we log in from the client, we can go through the broker and log in at the provider, but the response from the provider arrives at the broker and returns this error:
10:22:00,529 WARN [org.keycloak.protocol.saml.SamlService] (default task-20) Unknown saml response.
10:22:00,529 WARN [org.keycloak.protocol.saml.SamlService] (default task-20) UserSession is not tagged as logging out.
10:22:00,529 WARN [org.keycloak.events] (default task-20) type=LOGOUT_ERROR, realmId=Broker, clientId=null, userId=null, ipAddress=127.0.0.1, error=invalid_logout_response
The problem is that the response is arriving at SAMLService.BindingProtocol.handleSamlResponse and it seems that that method only handles logout responses. What is the configuration needed to authenticate a SAML client through a broker to a SAML provider? Thanks! Victor.
From Yann.Jouanin at witbe.net Wed Jul 18 02:37:29 2018 From: Yann.Jouanin at witbe.net (Yann Jouanin) Date: Wed, 18 Jul 2018 06:37:29 +0000 Subject: [keycloak-user] Implicit flow between two (or more) keycloak instances Message-ID: Hello, I am currently trying to use implicit flow between two keycloak instances. My setup is: we have one keycloak used in our cloud and one on the customer's premises, federating the customer's ldap. Because there is no network connectivity between the two keycloak instances, I want to use the implicit flow so that the customer accesses our service in the cloud, gets redirected to our keycloak instance for login and then has the option to use its on-premises instance, configured as an OIDC identity provider.
The setup works in a lab with standard flow, but with implicit flow I get an error message "Standard flow is disabled for the client". Is implicit flow usable in this case? Best regards, Yann Jouanin From ghinea.alexandru.george at gmail.com Wed Jul 18 03:05:04 2018 From: ghinea.alexandru.george at gmail.com (Ghinea Alexandru George) Date: Wed, 18 Jul 2018 10:05:04 +0300 Subject: [keycloak-user] Keycloak Login Recaptcha Message-ID: Hello, I've been trying to add recaptcha to the Login Page of Keycloak, but it seems that I can't fix it. The recaptcha doesn't appear in the Browser flow even though I added the needed classes (LoginRecaptcha and Factory Recaptcha). Can you tell me which methods from the RegistrationRecaptcha I need in order to implement it in Browser, and should I simply extend UsernamePasswordForm and Factory without implementing any other class? Thank you! From stefan.wachter at bosch-si.com Wed Jul 18 04:43:20 2018 From: stefan.wachter at bosch-si.com (stefan.wachter) Date: Wed, 18 Jul 2018 10:43:20 +0200 Subject: [keycloak-user] Policy-API - How to Set a User Policy Message-ID: Hi, how can one set a user policy (i.e. a set of users) on a user-managed resource? Looking at the class org.keycloak.representations.idm.authorization.UmaPermissionRepresentation I do not see a field that could be used for specifying a set of user ids.

public class UmaPermissionRepresentation extends AbstractPolicyRepresentation {
    private String id;
    private String description;
    private Set<String> roles;
    private Set<String> groups;
    private Set<String> clients;
    private String condition;
    ...
}

public class AbstractPolicyRepresentation {
    private String id;
    private String name;
    private String description;
    private String type;
    private Set<String> policies;
    private Set<String> resources;
    private Set<String> scopes;
    private Logic logic = Logic.POSITIVE;
    private DecisionStrategy decisionStrategy = DecisionStrategy.UNANIMOUS;
    private String owner;
    ...
}

BTW: Why does the derived UmaPermissionRepresentation class have an id and description field of its own? I think these fields are inherited from its base class AbstractPolicyRepresentation. -- Best regards, *Stefan Wachter INST-ICM/BSV-BS* Tel. +49(711)811-58477 *BeQIK* From nicolas.gillet at market-ip.com Wed Jul 18 04:50:53 2018 From: nicolas.gillet at market-ip.com (Nicolas Gillet) Date: Wed, 18 Jul 2018 08:50:53 +0000 Subject: [keycloak-user] ABAC policy, attributes not avialable In-Reply-To: References: Message-ID: Hello Pedro, To check if my SPI could be the problem, I created a user directly in KC admin and disabled my user federation. In the javascript I print all available attributes as follows: identity.getAttributes().toMap().keySet() My custom attributes are not there :-/ All the attributes I have are: sub, kc.realm.roles, kc.client.account.roles, iss, typ, preferred_username, given_name, kc.client.realm-management.roles, aud, acr, nbf, azp, auth_time, name, exp, session_state, iat, family_name, jti, email Could this be a bug or a misconfiguration of keycloak? Regards, Nicolas. From: Pedro Igor Silva Sent: Tuesday, 17 July 2018 17:39 To: Nicolas Gillet Cc: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] ABAC policy, attributes not avialable On Tue, Jul 17, 2018 at 12:32 PM, Nicolas Gillet > wrote: Hello Pedro, Thank you for your quick reply, For the user's attributes, I have access to "general" attributes like email, but not the "custom" ones. (My users are loaded from a home-made SPI, if that's relevant) Any hint on how I can debug why my other user's attributes are not there? Hard to say, but I can tell you how it works. When evaluating permissions, the "identity" is basically a wrapper to the "user model". So, when you call "identity.getAttributes" you are basically accessing the attributes defined to the user. Maybe your implementation of the SPI is not setting the attributes correctly? 
For the group, can you think of a workaround so that I can base my access decision on the group?

Are the limitations for javascript only? Maybe writing a Drools rule would do?

For this one we need to change how we pass the "resource" instance to policies. One solution would be to pass a wrapper to the group (just like we do for identity/usermodel) so you can have access to the attributes.

Many thanks,
Nicolas.

From: Pedro Igor Silva
Sent: Tuesday, July 17, 2018 17:06
To: Nicolas Gillet
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] ABAC policy, attributes not avialable

You should be able to obtain any attribute defined for the user.

But regarding group attributes from the resource instance, it won't work because this functionality is not exposing the group's attributes via the resource instance.

There are other things we need to improve in this functionality of fine-grained permissions for the admin console. There are a few things missing or too complicated to be done ...

On Tue, Jul 17, 2018 at 11:08 AM, Nicolas Gillet wrote:

Hello

I am trying to write a javascript Attribute Based Access Control (ABAC) policy.
I want to control the access to a group resource using the authenticated user's attributes and the attributes configured on the group.
So I configured the policy via Groups > myGroup > permissions > view-members and selected my javascript policy.

Problem: in the script, neither my identity nor my group attributes are available.
Here is my script:

var context = $evaluation.getContext();
var resourcePermission = $evaluation.getPermission();
var identity = context.getIdentity();
var idAttributes = identity.getAttributes();
var ctxAttributes = context.getAttributes();
var resource = resourcePermission.getResource();

print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP'));
print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP'));
print('resource.getAttributes: ' + resource.getAttributes);

$evaluation.grant();

When I use the API endpoint as follows:
http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/
It triggers the script and prints the following in the wildfly console:

15:36:13,000 INFO [stdout] (default task-3) idAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) ctxAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) resource.getAttributes: undefined

So my custom attribute is null. And worse, the resource does not even seem to have a getAttributes() method at all ?!
I triple checked, my user has the custom attribute "CUSTOM_PROP" defined with value "test" and my group has attributes as well.
The documentation says the resource I retrieve that way should be an instance of org.keycloak.authorization.model.Resource which, according to the javadoc, must define a getAttributes() method. However it's ... undefined ?!

The keycloak version I use is 4.0.0.

Can anyone help me find what's wrong with my script?
Many thanks,

Nicolas GILLET
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From stefan.wachter at bosch-si.com Wed Jul 18 05:09:58 2018
From: stefan.wachter at bosch-si.com (stefan.wachter)
Date: Wed, 18 Jul 2018 11:09:58 +0200
Subject: [keycloak-user] RPT can not be issued to resource owner
Message-ID: <0bf40ff6-57c8-14a5-89da-f1ba980a127a@bosch-si.com>

Hi,

I have a user managed resource without any permissions. If a user different from the resource owner tries to get an RPT, the request fails with the error "request_submitted" and a corresponding "need for approval" entry is displayed on the Account Management UI where the resource owner can approve the request. After approval the RPT is issued.

If the resource owner herself tries to acquire an RPT the request also fails with the error "request_submitted". However, no "need for approval" entry is created.

Either the issuance of an RPT should succeed if the requesting party is the resource owner herself (preferred) or an approval entry should be created.

--
Best regards,
Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK

From chirdeep.tomar at gmail.com Wed Jul 18 05:19:30 2018
From: chirdeep.tomar at gmail.com (Chirdeep Tomar)
Date: Wed, 18 Jul 2018 10:19:30 +0100
Subject: [keycloak-user] Microservices Auth with Keycloak
Message-ID:

We are implementing a microservices architecture with services written in Spring/Vertx and .NET Core.

So essentially these services are Resource Servers protecting resources and according to the documentation resource servers are also clients in Keycloak.

We have a few front end apps and 2 mobile apps for android and iphone which will also be clients in Keycloak.

Questions
1) Should the front end apps and mobile apps be public clients in Keycloak?
2) If each microservice which is a resource server is a client with credentials, how does an access token generated for a single clientid work across multiple microservices?

Not sure how to tie it all together, thanks for your help.

Chirdeep

From stefan.wachter at bosch-si.com Wed Jul 18 05:30:06 2018
From: stefan.wachter at bosch-si.com (stefan.wachter)
Date: Wed, 18 Jul 2018 11:30:06 +0200
Subject: [keycloak-user] RPT can not be issued to resource owner
In-Reply-To: <0bf40ff6-57c8-14a5-89da-f1ba980a127a@bosch-si.com>
References: <0bf40ff6-57c8-14a5-89da-f1ba980a127a@bosch-si.com>
Message-ID: <5fbacece-5e83-7db8-cfd5-e905024523c6@bosch-si.com>

As a work-around I added a policy that authorizes resource owners:

if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) $evaluation.grant()

and a permission that uses that policy.

From psilva at redhat.com Wed Jul 18 08:11:32 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jul 2018 09:11:32 -0300
Subject: [keycloak-user] RPT can not be issued to resource owner
In-Reply-To: <5fbacece-5e83-7db8-cfd5-e905024523c6@bosch-si.com>
References: <0bf40ff6-57c8-14a5-89da-f1ba980a127a@bosch-si.com> <5fbacece-5e83-7db8-cfd5-e905024523c6@bosch-si.com>
Message-ID:

The owner of a resource does not necessarily grant access to the resource. So, yeah, you need some policy to actually define who can access (the owner) the resource. I'm not sure if it makes sense for owners to approve requests to access their resources though.

On Wed, Jul 18, 2018 at 6:30 AM, stefan.wachter wrote:

> As a work-around I added a policy that authorizes resource owners:
>
> if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) $evaluation.grant()
>
> and a permission that uses that policy.
From psilva at redhat.com Wed Jul 18 08:17:36 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jul 2018 09:17:36 -0300
Subject: [keycloak-user] Microservices Auth with Keycloak
In-Reply-To:
References:
Message-ID:

On Wed, Jul 18, 2018 at 6:19 AM, Chirdeep Tomar wrote:

> We are implementing a microservices architecture with services written in Spring/Vertx and .NET Core.
>
> So essentially these services are Resource Servers protecting resources and according to the documentation resource servers are also clients in Keycloak.
>
> We have a few front end apps and 2 mobile apps for android and iphone which will also be clients in Keycloak.
>
> Questions
> 1) Should the front end apps and mobile apps be public clients in Keycloak?

Yes.

> 2) If each microservice which is a resource server is a client with credentials, how does an access token generated for a single clientid work across multiple microservices?

I think you are talking about service chaining? In case, Client A -> Service A -> Service B?

The expected flow is that once Client A is issued an access token, the token should have a specific set of audiences, for instance, Service A. In case Service A needs to access Service B, you should be able to use token exchange to obtain a new token to access Service B from Service A.

I think most people today are just re-using access tokens to access multiple services, which is not correct. We also have some work being done to better support audiences in tokens.

> Not sure how to tie it all together, thanks for your help.
From psilva at redhat.com Wed Jul 18 08:20:29 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jul 2018 09:20:29 -0300
Subject: [keycloak-user] Policy-API - How to Set a User Policy
In-Reply-To:
References:
Message-ID:

On Wed, Jul 18, 2018 at 5:43 AM, stefan.wachter wrote:

> Hi,
>
> how can one set a user policy (i.e. a set of users) to a user managed resource? Looking at the class org.keycloak.representations.idm.authorization.UmaPermissionRepresentation I do not see a field that could be used for specifying a set of user ids.

For users, the idea is that you would probably want to follow the UMA flow. The idea behind this endpoint is to allow resource servers to define additional permissions (in addition to users as provided by the UMA flow) and still allow users to revoke them.

> public class UmaPermissionRepresentation extends AbstractPolicyRepresentation {
>
>     private String id;
>     private String description;
>     private Set<String> roles;
>     private Set<String> groups;
>     private Set<String> clients;
>     private String condition;
>     ...
> }
>
> public class AbstractPolicyRepresentation {
>
>     private String id;
>     private String name;
>     private String description;
>     private String type;
>     private Set<String> policies;
>     private Set<String> resources;
>     private Set<String> scopes;
>     private Logic logic = Logic.POSITIVE;
>     private DecisionStrategy decisionStrategy = DecisionStrategy.UNANIMOUS;
>     private String owner;
>     ...
> }
>
> BTW: Why does the derived UmaPermissionRepresentation class have an id and description field of its own? I think these fields are inherited from its base class AbstractPolicyRepresentation.

Good point. Need to refactor this.

> --
> Best regards,
> Stefan Wachter
> INST-ICM/BSV-BS
> Tel.
> +49(711)811-58477
> BeQIK

From psilva at redhat.com Wed Jul 18 08:28:01 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jul 2018 09:28:01 -0300
Subject: [keycloak-user] ABAC policy, attributes not avialable
In-Reply-To:
References:
Message-ID:

I ran a quick test where I defined an attribute for a user in the admin console. Then I used "print" to check for this attribute when accessing members of the group in the "Users" UI. It worked for me.

I'm probably missing something in order to get the same behavior. If you could create a JIRA and provide the steps to reproduce the issue (without a custom SPI), I would appreciate it.

On Wed, Jul 18, 2018 at 5:50 AM, Nicolas Gillet <nicolas.gillet at market-ip.com> wrote:

> Hello Pedro,
>
> To check if my SPI could be the problem, I created a user directly in the KC admin and disabled my user federation.
> In the javascript I print all available attributes as follows:
>
> identity.getAttributes().toMap().keySet()
>
> My custom attributes are not there :-/
> All the attributes I have are:
>
> sub, kc.realm.roles, kc.client.account.roles, iss, typ, preferred_username, given_name, kc.client.realm-management.roles, aud, acr, nbf, azp, auth_time, name, exp, session_state, iat, family_name, jti, email
>
> Could this be a bug or a misconfiguration of keycloak?
>
> Regards,
>
> Nicolas.
>
> From: Pedro Igor Silva
> Sent: Tuesday, July 17, 2018 17:39
> To: Nicolas Gillet
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] ABAC policy, attributes not avialable
>
> On Tue, Jul 17, 2018 at 12:32 PM, Nicolas Gillet <nicolas.gillet at market-ip.com> wrote:
>
> Hello Pedro,
>
> Thank you for your quick reply,
>
> For the user's attributes, I have access to "general" attributes like email, but not the "custom" one. (My users are loaded from a home-made SPI, if that's relevant)
> Any hint on how I can debug why my other user's attributes are not there?
>
> Hard to say, but I can tell you how it works. When evaluating permissions, the "identity" is basically a wrapper to the "user model". So, when you call "identity.getAttributes" you are basically accessing the attributes defined for the user. Maybe your implementation of the SPI is not setting the attributes correctly?
>
> For the group, can you think of a workaround so that I can base my access decision on the group?
>
> Are the limitations for javascript only? Maybe writing a Drools rule would do?
>
> For this one we need to change how we pass the "resource" instance to policies. One solution would be to pass a wrapper to the group (just like we do for identity/usermodel) so you can have access to the attributes.
>
> Many thanks,
>
> Nicolas.
>
> From: Pedro Igor Silva
> Sent: Tuesday, July 17, 2018 17:06
> To: Nicolas Gillet
> Cc: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] ABAC policy, attributes not avialable
>
> You should be able to obtain any attribute defined for the user.
>
> But regarding group attributes from the resource instance, it won't work because this functionality is not exposing the group's attributes via the resource instance.
>
> There are other things we need to improve in this functionality of fine-grained permissions for the admin console.
> There are a few things missing or too complicated to be done ...
>
> On Tue, Jul 17, 2018 at 11:08 AM, Nicolas Gillet <nicolas.gillet at market-ip.com> wrote:
>
> Hello
>
> I am trying to write a javascript Attribute Based Access Control (ABAC) policy.
> I want to control the access to a group resource using the authenticated user's attributes and the attributes configured on the group.
> So I configured the policy via Groups > myGroup > permissions > view-members and selected my javascript policy.
>
> Problem: in the script, neither my identity nor my group attributes are available.
> Here is my script:
>
> var context = $evaluation.getContext();
> var resourcePermission = $evaluation.getPermission();
> var identity = context.getIdentity();
> var idAttributes = identity.getAttributes();
> var ctxAttributes = context.getAttributes();
> var resource = resourcePermission.getResource();
>
> print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP'));
> print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP'));
> print('resource.getAttributes: ' + resource.getAttributes);
>
> $evaluation.grant();
>
> When I use the API endpoint as follows:
> http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/
> It triggers the script and prints the following in the wildfly console:
>
> 15:36:13,000 INFO [stdout] (default task-3) idAttributes.CUSTOM_PROP: null
> 15:36:13,011 INFO [stdout] (default task-3) ctxAttributes.CUSTOM_PROP: null
> 15:36:13,011 INFO [stdout] (default task-3) resource.getAttributes: undefined
>
> So my custom attribute is null. And worse, the resource does not even seem to have a getAttributes() method at all ?!
> I triple checked, my user has the custom attribute "CUSTOM_PROP" defined with value "test" and my group has attributes as well.
>
> The documentation says the resource I retrieve that way should be an instance of org.keycloak.authorization.model.Resource which, according to the javadoc, must define a getAttributes() method. However it's ... undefined ?!
>
> The keycloak version I use is 4.0.0.
>
> Can anyone help me find what's wrong with my script?
>
> Many thanks,
>
> Nicolas GILLET

From stefan.wachter at bosch-si.com Wed Jul 18 08:53:52 2018
From: stefan.wachter at bosch-si.com (stefan.wachter)
Date: Wed, 18 Jul 2018 14:53:52 +0200
Subject: [keycloak-user] RPT can not be issued to resource owner
In-Reply-To:
References: <0bf40ff6-57c8-14a5-89da-f1ba980a127a@bosch-si.com> <5fbacece-5e83-7db8-cfd5-e905024523c6@bosch-si.com>
Message-ID:

Agree. However, if a resource owner does not have enough grants by default then the approval mechanism should kick in. This is at least what the response error "request_submitted" indicates.

Best regards,
Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK

On 18.07.2018 at 14:11, Pedro Igor Silva wrote:
> The owner of a resource does not necessarily grant access to the resource. So, yeah, you need some policy to actually define who can access (the owner) the resource. I'm not sure if it makes sense for owners to approve requests to access their resources though.
>
> On Wed, Jul 18, 2018 at 6:30 AM, stefan.wachter wrote:
>
> As a work-around I added a policy that authorizes resource owners:
>
> if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) $evaluation.grant()
>
> and a permission that uses that policy.
From stefan.wachter at bosch-si.com Wed Jul 18 09:05:20 2018
From: stefan.wachter at bosch-si.com (stefan.wachter)
Date: Wed, 18 Jul 2018 15:05:20 +0200
Subject: [keycloak-user] Policy-API - How to Set a User Policy
In-Reply-To:
References:
Message-ID: <361ec4bc-6aec-ea0b-a4a1-fabb27c57836@bosch-si.com>

Ok. I understand. However, I would like to set the policy that allows a certain user to access a resource upfront. For example, when a resource owner decides to share a resource with someone by sending an email, she wants to set the necessary policy at the same time (and not later on in a separate approval step). This is what the User Management UI already offers. But I would like to implement that functionality by API calls.

Best regards,
Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK

On 18.07.2018 at 14:20, Pedro Igor Silva wrote:
>
> On Wed, Jul 18, 2018 at 5:43 AM, stefan.wachter wrote:
>
> Hi,
>
> how can one set a user policy (i.e. a set of users) to a user managed resource? Looking at the class org.keycloak.representations.idm.authorization.UmaPermissionRepresentation I do not see a field that could be used for specifying a set of user ids.
>
> For users, the idea is that you would probably want to follow the UMA flow. The idea behind this endpoint is to allow resource servers to define additional permissions (in addition to users as provided by the UMA flow) and still allow users to revoke them.
>
> public class UmaPermissionRepresentation extends AbstractPolicyRepresentation {
>
>     private String id;
>     private String description;
>     private Set<String> roles;
>     private Set<String> groups;
>     private Set<String> clients;
>     private String condition;
>     ...
> }
>
> public class AbstractPolicyRepresentation {
>
>     private String id;
>     private String name;
>     private String description;
>     private String type;
>     private Set<String> policies;
>     private Set<String> resources;
>     private Set<String> scopes;
>     private Logic logic = Logic.POSITIVE;
>     private DecisionStrategy decisionStrategy = DecisionStrategy.UNANIMOUS;
>     private String owner;
>     ...
> }
>
> BTW: Why does the derived UmaPermissionRepresentation class have an id and description field of its own? I think these fields are inherited from its base class AbstractPolicyRepresentation.
>
> Good point. Need to refactor this.
>
> --
> Best regards,
> Stefan Wachter
> INST-ICM/BSV-BS
> Tel. +49(711)811-58477
> BeQIK

From psilva at redhat.com Wed Jul 18 10:10:55 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jul 2018 11:10:55 -0300
Subject: [keycloak-user] RPT can not be issued to resource owner
In-Reply-To:
References: <0bf40ff6-57c8-14a5-89da-f1ba980a127a@bosch-si.com> <5fbacece-5e83-7db8-cfd5-e905024523c6@bosch-si.com>
Message-ID:

Could you file a JIRA for this, please? Let's see what others think about it ...

Thanks.

On Wed, Jul 18, 2018 at 9:53 AM, stefan.wachter wrote:

> Agree. However, if a resource owner does not have enough grants by default then the approval mechanism should kick in. This is at least what the response error "request_submitted" indicates.
>
> Best regards,
> Stefan Wachter
> INST-ICM/BSV-BS
> Tel. +49(711)811-58477
> BeQIK
>
> On 18.07.2018 at 14:11, Pedro Igor Silva wrote:
>
> The owner of a resource does not necessarily grant access to the resource. So, yeah, you need some policy to actually define who can access (the owner) the resource. I'm not sure if it makes sense for owners to approve requests to access their resources though.
>
> On Wed, Jul 18, 2018 at 6:30 AM, stefan.wachter <stefan.wachter at bosch-si.com> wrote:
>
>> As a work-around I added a policy that authorizes resource owners:
>>
>> if ($evaluation.getContext().getIdentity().getId() == $evaluation.getPermission().getResource().getOwner()) $evaluation.grant()
>>
>> and a permission that uses that policy.

From psilva at redhat.com Wed Jul 18 10:14:34 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 18 Jul 2018 11:14:34 -0300
Subject: [keycloak-user] Policy-API - How to Set a User Policy
In-Reply-To: <361ec4bc-6aec-ea0b-a4a1-fabb27c57836@bosch-si.com>
References: <361ec4bc-6aec-ea0b-a4a1-fabb27c57836@bosch-si.com>
Message-ID:

I see. Well, I think we can include this as it just adds support for another policy type. Another JIRA, please? :)

On Wed, Jul 18, 2018 at 10:05 AM, stefan.wachter <stefan.wachter at bosch-si.com> wrote:

> Ok. I understand. However, I would like to set the policy that allows a certain user to access a resource upfront. For example, when a resource owner decides to share a resource with someone by sending an email, she wants to set the necessary policy at the same time (and not later on in a separate approval step). This is what the User Management UI already offers. But I would like to implement that functionality by API calls.
>
> Best regards,
> Stefan Wachter
> INST-ICM/BSV-BS
> Tel. +49(711)811-58477
> BeQIK
>
> On 18.07.2018 at 14:20, Pedro Igor Silva wrote:
>
> On Wed, Jul 18, 2018 at 5:43 AM, stefan.wachter <stefan.wachter at bosch-si.com> wrote:
>
>> Hi,
>>
>> how can one set a user policy (i.e. a set of users) to a user managed resource?
>> Looking at the class org.keycloak.representations.idm.authorization.UmaPermissionRepresentation I do not see a field that could be used for specifying a set of user ids.
>
> For users, the idea is that you would probably want to follow the UMA flow. The idea behind this endpoint is to allow resource servers to define additional permissions (in addition to users as provided by the UMA flow) and still allow users to revoke them.
>
>> public class UmaPermissionRepresentation extends AbstractPolicyRepresentation {
>>
>>     private String id;
>>     private String description;
>>     private Set<String> roles;
>>     private Set<String> groups;
>>     private Set<String> clients;
>>     private String condition;
>>     ...
>> }
>>
>> public class AbstractPolicyRepresentation {
>>
>>     private String id;
>>     private String name;
>>     private String description;
>>     private String type;
>>     private Set<String> policies;
>>     private Set<String> resources;
>>     private Set<String> scopes;
>>     private Logic logic = Logic.POSITIVE;
>>     private DecisionStrategy decisionStrategy = DecisionStrategy.UNANIMOUS;
>>     private String owner;
>>     ...
>> }
>>
>> BTW: Why does the derived UmaPermissionRepresentation class have an id and description field of its own? I think these fields are inherited from its base class AbstractPolicyRepresentation.
>
> Good point. Need to refactor this.
>
>> --
>> Best regards,
>> Stefan Wachter
>> INST-ICM/BSV-BS
>> Tel.
>> +49(711)811-58477
>> BeQIK

From nikola.malenic at netsetglobal.rs Wed Jul 18 10:35:35 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Wed, 18 Jul 2018 16:35:35 +0200
Subject: [keycloak-user] Frontend and backend on separate servers
In-Reply-To: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs>
References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs>
Message-ID: <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs>

Is it possible to achieve this with Keycloak Security Proxy and how? Also, I've seen it is deprecated now.

Many thanks,
Nikola

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Nikola Malenic
Sent: Friday, July 13, 2018 9:49 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Frontend and backend on separate servers

I would like to host the backend on a secured network, i.e. it would be accessible only from certain IPs.

The frontend (Angular application) would be served by a different server in the public zone, which would have access to the secured network because requests from its IP would be allowed to go through the firewall.

Is it possible to achieve this in an easy way? I wouldn't like to implement proxy endpoints for all backend services in the secured zone.
Many thanks,
Nikola

From iali at an10.io Wed Jul 18 10:42:05 2018
From: iali at an10.io (Irtiza Ali)
Date: Wed, 18 Jul 2018 19:42:05 +0500
Subject: [keycloak-user] Frontend and backend on separate servers
In-Reply-To: <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs>
References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs>
Message-ID:

One way to achieve this is by using keycloak's REST endpoints.

On Wed, 18 Jul 2018, 19:36 Nikola Malenic, wrote:

> Is it possible to achieve this with Keycloak Security Proxy and how?
> Also, I've seen it is deprecated now.
>
> Many thanks,
> Nikola
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Nikola Malenic
> Sent: Friday, July 13, 2018 9:49 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Frontend and backend on separate servers
>
> I would like to host the backend on a secured network, i.e. it would be accessible only from certain IPs.
>
> The frontend (Angular application) would be served by a different server in the public zone, which would have access to the secured network because requests from its IP would be allowed to go through the firewall.
>
> Is it possible to achieve this in an easy way? I wouldn't like to implement proxy endpoints for all backend services in the secured zone.
>
> Many thanks,
>
> Nikola

From nikola.malenic at netsetglobal.rs Wed Jul 18 10:45:56 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Wed, 18 Jul 2018 16:45:56 +0200
Subject: [keycloak-user] Frontend and backend on separate servers
In-Reply-To:
References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs>
Message-ID: <004801d41ea6$092d38b0$1b87aa10$@netsetglobal.rs>

Can you explain how? Just to be clear, when I said Frontend (Angular app) I had Keycloak's frontend in mind.

From: Irtiza Ali [mailto:iali at an10.io]
Sent: Wednesday, July 18, 2018 4:42 PM
To: Nikola Malenic
Cc: keycloak-user
Subject: Re: [keycloak-user] Frontend and backend on separate servers

One way to achieve this is by using keycloak's REST endpoints.

On Wed, 18 Jul 2018, 19:36 Nikola Malenic, wrote:

Is it possible to achieve this with Keycloak Security Proxy and how? Also, I've seen it is deprecated now.

Many thanks,
Nikola

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Nikola Malenic
Sent: Friday, July 13, 2018 9:49 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Frontend and backend on separate servers

I would like to host the backend on a secured network, i.e. it would be accessible only from certain IPs.

The frontend (Angular application) would be served by a different server in the public zone, which would have access to the secured network because requests from its IP would be allowed to go through the firewall.

Is it possible to achieve this in an easy way?
I wouldn't like to implement proxy endpoints for all backend services in the secured zone.

Many thanks,
Nikola

From iali at an10.io Wed Jul 18 10:54:49 2018
From: iali at an10.io (Irtiza Ali)
Date: Wed, 18 Jul 2018 19:54:49 +0500
Subject: [keycloak-user] Frontend and backend on separate servers
In-Reply-To: <004801d41ea6$092d38b0$1b87aa10$@netsetglobal.rs>
References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs> <004801d41ea6$092d38b0$1b87aa10$@netsetglobal.rs>
Message-ID:

It is difficult to integrate the keycloak frontend flow with an application. The workaround is to use the keycloak REST endpoints.

My use case:

I have an app with frontend and backend running on different servers. I have a login endpoint in the backend; once called with user credentials from the frontend, that endpoint makes another REST call to the keycloak auth endpoint, and if authenticated it returns a json containing the user's basic info and a jwt based access_token. I used that token in subsequent requests to the app backend.

Feel free to ask if not clear.

IA

On Wed, 18 Jul 2018, 19:45 Nikola Malenic, wrote:

> Can you explain how? Just to be clear, when I said Frontend (Angular app) I had Keycloak's frontend in mind.
>
> From: Irtiza Ali [mailto:iali at an10.io]
> Sent: Wednesday, July 18, 2018 4:42 PM
> To: Nikola Malenic
> Cc: keycloak-user
> Subject: Re: [keycloak-user] Frontend and backend on separate servers
>
> One way to achieve this is by using keycloak's REST endpoints.
>
> On Wed, 18 Jul 2018, 19:36 Nikola Malenic, wrote:
>
> Is it possible to achieve this with Keycloak Security Proxy and how?
> Also, I've seen it is deprecated now.
>
> Many thanks,
> Nikola
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Nikola Malenic
> Sent: Friday, July 13, 2018 9:49 AM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Frontend and backend on separate servers
>
> I would like to host the backend on a secured network, i.e. it would be accessible only from certain IPs.
>
> The frontend (Angular application) would be served by a different server in the public zone, which would have access to the secured network because requests from its IP would be allowed to go through the firewall.
>
> Is it possible to achieve this in an easy way? I wouldn't like to implement proxy endpoints for all backend services in the secured zone.
>
> Many thanks,
>
> Nikola

From nikola.malenic at netsetglobal.rs Wed Jul 18 11:01:09 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Wed, 18 Jul 2018 17:01:09 +0200
Subject: [keycloak-user] Frontend and backend on separate servers
In-Reply-To:
References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs> <004801d41ea6$092d38b0$1b87aa10$@netsetglobal.rs>
Message-ID: <004f01d41ea8$29126f40$7b374dc0$@netsetglobal.rs>

If I understand correctly, what you proposed is to create one proxy backend application which would have the same endpoints as Keycloak does and which would just pass requests from the Keycloak frontend app to the Keycloak backend?
From: Irtiza Ali [mailto:iali at an10.io] Sent: Wednesday, July 18, 2018 4:55 PM To: Nikola Malenic Cc: keycloak-user Subject: Re: [keycloak-user] Frontend and backend on separate servers It is difficult to integrate keycloak frontend flow with application. It work around is to use the keycloak rest endpoints. My use case: I have an app with frontend and backend running on different servers. I have a login endpoint in backend, once called with user credentials from frontend. That endpoint make another rest call to the keyclock auth endpoint, if authenticated it returns a json containing user's basic info and jwt based access_token. I used than token in subsequent requests to app backend. Feel free to ask if not clear. IA On Wed, 18 Jul 2018, 19:45 Nikola Malenic, > wrote: Can you explain how? Just to be clear, when I said Frontend (Angular app) I had Keycloak?s frontend in mind. From: Irtiza Ali [mailto:iali at an10.io ] Sent: Wednesday, July 18, 2018 4:42 PM To: Nikola Malenic > Cc: keycloak-user > Subject: Re: [keycloak-user] Frontend and backend on separate servers One way to acheive this is by using the keycloak's rest endpoints. On Wed, 18 Jul 2018, 19:36 Nikola Malenic, > wrote: Is it possible to achieve this with Keycloak Security Proxy and how? Also, I've seen it is deprecated now. Many thanks, Nikola -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org ] On Behalf Of Nikola Malenic Sent: Friday, July 13, 2018 9:49 AM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Frontend and backend on separate servers I would like to host backend on secured network, i.e. it would be accessible only from certain IPs. Frontend (Angular application) would be served by different server in public zone, which would have access to the secured network because requests from it's IP would be allowed to go through firewall. Is it possible to achieve this in an easy way? 
I wouldn't like to implement proxy endpoints for all backend services in secured zone. Many thanks, Nikola _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From iali at an10.io Wed Jul 18 11:08:23 2018 From: iali at an10.io (Irtiza Ali) Date: Wed, 18 Jul 2018 20:08:23 +0500 Subject: [keycloak-user] Frontend and backend on separate servers In-Reply-To: <004f01d41ea8$29126f40$7b374dc0$@netsetglobal.rs> References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs> <004801d41ea6$092d38b0$1b87aa10$@netsetglobal.rs> <004f01d41ea8$29126f40$7b374dc0$@netsetglobal.rs> Message-ID: I am not using keycloak frontend instead i am using my own app frontend to pass requests to my own app backend, that backend communicates with keycloak backend using keycloak rest endpoints. On Wed, 18 Jul 2018, 20:01 Nikola Malenic, wrote: > If I understand correctly, what you proposed is to create one proxy > backend application which would have same endpoints as Keycloak does and > which would just pass requests from Keycloak frontend app to the Keycloak > backend? > > > > *From:* Irtiza Ali [mailto:iali at an10.io] > *Sent:* Wednesday, July 18, 2018 4:55 PM > *To:* Nikola Malenic > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Frontend and backend on separate servers > > > > It is difficult to integrate keycloak frontend flow with application. It > work around is to use the keycloak rest endpoints. > > > > > > My use case: > > > > I have an app with frontend and backend running on different servers. I > have a login endpoint in backend, once called with user credentials from > frontend. 
That endpoint make another rest call to the keyclock auth > endpoint, if authenticated it returns a json containing user's basic info > and jwt based access_token. I used than token in subsequent requests to app > backend. > > > > Feel free to ask if not clear. > > > > IA > > > > On Wed, 18 Jul 2018, 19:45 Nikola Malenic, > wrote: > > Can you explain how? Just to be clear, when I said Frontend (Angular app) > I had Keycloak?s frontend in mind. > > > > *From:* Irtiza Ali [mailto:iali at an10.io] > *Sent:* Wednesday, July 18, 2018 4:42 PM > *To:* Nikola Malenic > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Frontend and backend on separate servers > > > > One way to acheive this is by using the keycloak's rest endpoints. > > > > On Wed, 18 Jul 2018, 19:36 Nikola Malenic, > wrote: > > Is it possible to achieve this with Keycloak Security Proxy and how? > Also, I've seen it is deprecated now. > > Many thanks, > Nikola > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org > [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Nikola Malenic > Sent: Friday, July 13, 2018 9:49 AM > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Frontend and backend on separate servers > > I would like to host backend on secured network, i.e. it would be > accessible > only from certain IPs. > > Frontend (Angular application) would be served by different server in > public > zone, which would have access to the secured network because requests from > it's IP would be allowed to go through firewall. > > > > Is it possible to achieve this in an easy way? I wouldn't like to implement > proxy endpoints for all backend services in secured zone. 
> > > > Many thanks, > > Nikola > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From nikola.malenic at netsetglobal.rs Wed Jul 18 11:19:02 2018 From: nikola.malenic at netsetglobal.rs (Nikola Malenic) Date: Wed, 18 Jul 2018 17:19:02 +0200 Subject: [keycloak-user] Frontend and backend on separate servers In-Reply-To: References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs> <004801d41ea6$092d38b0$1b87aa10$@netsetglobal.rs> <004f01d41ea8$29126f40$7b374dc0$@netsetglobal.rs> Message-ID: <005701d41eaa$a8f689b0$fae39d10$@netsetglobal.rs> But this is not what I would like to achieve. In your situation, I think your frontend could easily use Keycloak?s endpoints for authentication and authorization instead of calling your backend for such things. I would like to avoid writing proxy endpoints to Keycloak?s endpoints myself. From: Irtiza Ali [mailto:iali at an10.io] Sent: Wednesday, July 18, 2018 5:08 PM To: Nikola Malenic Cc: keycloak-user Subject: Re: [keycloak-user] Frontend and backend on separate servers I am not using keycloak frontend instead i am using my own app frontend to pass requests to my own app backend, that backend communicates with keycloak backend using keycloak rest endpoints. On Wed, 18 Jul 2018, 20:01 Nikola Malenic, > wrote: If I understand correctly, what you proposed is to create one proxy backend application which would have same endpoints as Keycloak does and which would just pass requests from Keycloak frontend app to the Keycloak backend? 
From: Irtiza Ali [mailto:iali at an10.io ] Sent: Wednesday, July 18, 2018 4:55 PM To: Nikola Malenic > Cc: keycloak-user > Subject: Re: [keycloak-user] Frontend and backend on separate servers It is difficult to integrate keycloak frontend flow with application. It work around is to use the keycloak rest endpoints. My use case: I have an app with frontend and backend running on different servers. I have a login endpoint in backend, once called with user credentials from frontend. That endpoint make another rest call to the keyclock auth endpoint, if authenticated it returns a json containing user's basic info and jwt based access_token. I used than token in subsequent requests to app backend. Feel free to ask if not clear. IA On Wed, 18 Jul 2018, 19:45 Nikola Malenic, > wrote: Can you explain how? Just to be clear, when I said Frontend (Angular app) I had Keycloak?s frontend in mind. From: Irtiza Ali [mailto:iali at an10.io ] Sent: Wednesday, July 18, 2018 4:42 PM To: Nikola Malenic > Cc: keycloak-user > Subject: Re: [keycloak-user] Frontend and backend on separate servers One way to acheive this is by using the keycloak's rest endpoints. On Wed, 18 Jul 2018, 19:36 Nikola Malenic, > wrote: Is it possible to achieve this with Keycloak Security Proxy and how? Also, I've seen it is deprecated now. Many thanks, Nikola -----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org ] On Behalf Of Nikola Malenic Sent: Friday, July 13, 2018 9:49 AM To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Frontend and backend on separate servers I would like to host backend on secured network, i.e. it would be accessible only from certain IPs. Frontend (Angular application) would be served by different server in public zone, which would have access to the secured network because requests from it's IP would be allowed to go through firewall. Is it possible to achieve this in an easy way? 
I wouldn't like to implement proxy endpoints for all backend services in secured zone. Many thanks, Nikola _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From iali at an10.io Wed Jul 18 11:22:20 2018 From: iali at an10.io (Irtiza Ali) Date: Wed, 18 Jul 2018 20:22:20 +0500 Subject: [keycloak-user] Frontend and backend on separate servers In-Reply-To: <005701d41eaa$a8f689b0$fae39d10$@netsetglobal.rs> References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs> <004801d41ea6$092d38b0$1b87aa10$@netsetglobal.rs> <004f01d41ea8$29126f40$7b374dc0$@netsetglobal.rs> <005701d41eaa$a8f689b0$fae39d10$@netsetglobal.rs> Message-ID: I agree with you but i have to perform some operations thats why request go through backend. Its one of the ways to do it. On Wed, 18 Jul 2018, 20:19 Nikola Malenic, wrote: > But this is not what I would like to achieve. In your situation, I think > your frontend could easily use Keycloak?s endpoints for authentication and > authorization instead of calling your backend for such things. > > I would like to avoid writing proxy endpoints to Keycloak?s endpoints > myself. > > > > *From:* Irtiza Ali [mailto:iali at an10.io] > *Sent:* Wednesday, July 18, 2018 5:08 PM > *To:* Nikola Malenic > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Frontend and backend on separate servers > > > > I am not using keycloak frontend instead i am using my own app frontend to > pass requests to my own app backend, that backend communicates with > keycloak backend using keycloak rest endpoints. 
> > > > On Wed, 18 Jul 2018, 20:01 Nikola Malenic, > wrote: > > If I understand correctly, what you proposed is to create one proxy > backend application which would have same endpoints as Keycloak does and > which would just pass requests from Keycloak frontend app to the Keycloak > backend? > > > > *From:* Irtiza Ali [mailto:iali at an10.io] > *Sent:* Wednesday, July 18, 2018 4:55 PM > *To:* Nikola Malenic > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Frontend and backend on separate servers > > > > It is difficult to integrate keycloak frontend flow with application. It > work around is to use the keycloak rest endpoints. > > > > > > My use case: > > > > I have an app with frontend and backend running on different servers. I > have a login endpoint in backend, once called with user credentials from > frontend. That endpoint make another rest call to the keyclock auth > endpoint, if authenticated it returns a json containing user's basic info > and jwt based access_token. I used than token in subsequent requests to app > backend. > > > > Feel free to ask if not clear. > > > > IA > > > > On Wed, 18 Jul 2018, 19:45 Nikola Malenic, > wrote: > > Can you explain how? Just to be clear, when I said Frontend (Angular app) > I had Keycloak?s frontend in mind. > > > > *From:* Irtiza Ali [mailto:iali at an10.io] > *Sent:* Wednesday, July 18, 2018 4:42 PM > *To:* Nikola Malenic > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Frontend and backend on separate servers > > > > One way to acheive this is by using the keycloak's rest endpoints. > > > > On Wed, 18 Jul 2018, 19:36 Nikola Malenic, > wrote: > > Is it possible to achieve this with Keycloak Security Proxy and how? > Also, I've seen it is deprecated now. 
> > Many thanks, > Nikola > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org > [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Nikola Malenic > Sent: Friday, July 13, 2018 9:49 AM > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Frontend and backend on separate servers > > I would like to host backend on secured network, i.e. it would be > accessible > only from certain IPs. > > Frontend (Angular application) would be served by different server in > public > zone, which would have access to the secured network because requests from > it's IP would be allowed to go through firewall. > > > > Is it possible to achieve this in an easy way? I wouldn't like to implement > proxy endpoints for all backend services in secured zone. > > > > Many thanks, > > Nikola > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From dt at acutus.pro Wed Jul 18 11:55:40 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Wed, 18 Jul 2018 18:55:40 +0300 Subject: [keycloak-user] Frontend and backend on separate servers In-Reply-To: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> Message-ID: <1531929340.6039.1.camel@acutus.pro> Hi Nikola, On Fri, 2018-07-13 at 09:49 +0200, Nikola Malenic wrote: > I would like to host backend on secured network, i.e. it would be > accessible > only from certain IPs. > > Frontend (Angular application) would be served by different server in > public > zone, which would have access to the secured network because requests > from > it's IP would be allowed to go through firewall. 
I'm afraid that won't help you much since the actual requests to Keycloak will originate from clients' browsers, not from your front-end server.

Could you please elaborate on the problem you're trying to solve? If you simply want your Keycloak in DMZ, but accessible from public network (in a controlled way), how is it different from the standard HTTP reverse proxy scenario?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> Is it possible to achieve this in an easy way? I wouldn't like to
> implement proxy endpoints for all backend services in secured zone.
>
> Many thanks,
>
> Nikola

From dt at acutus.pro Wed Jul 18 12:00:43 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 18 Jul 2018 19:00:43 +0300
Subject: [keycloak-user] Frontend and backend on separate servers
In-Reply-To: <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs>
References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs>
Message-ID: <1531929643.6039.3.camel@acutus.pro>

I'm afraid Keycloak Proxy is not relevant in your case, but just FYI - indeed, the old proxy is deprecated, but the new one [1] is going to be incorporated into Keycloak soon, under the tentative name "keycloak-generic-adapter". See the keycloak-dev posting [2] for details.

Dmitry

[1] https://github.com/gambol99/keycloak-proxy
[2] http://lists.jboss.org/pipermail/keycloak-dev/2018-June/010958.html

On Wed, 2018-07-18 at 16:35 +0200, Nikola Malenic wrote:
> Is it possible to achieve this with Keycloak Security Proxy and how?
> Also, I've seen it is deprecated now.
>
> Many thanks,
> Nikola

From stefan.wachter at bosch-si.com Wed Jul 18 12:13:38 2018
From: stefan.wachter at bosch-si.com (stefan.wachter)
Date: Wed, 18 Jul 2018 18:13:38 +0200
Subject: [keycloak-user] Policy-API - How to Set a User Policy
References: <361ec4bc-6aec-ea0b-a4a1-fabb27c57836@bosch-si.com>

https://issues.jboss.org/browse/KEYCLOAK-7885

Best regards,

Stefan Wachter
INST-ICM/BSV-BS

Tel. +49(711)811-58477

BeQIK

On 18.07.2018 at 16:14, Pedro Igor Silva wrote:
> I see. Well, I think we can include this as it just adds support for
> another policy type. Another JIRA, please :)
>
> On Wed, Jul 18, 2018 at 10:05 AM, stefan.wachter wrote:
>
> Ok. I understand. However, I would like to set the policy that
> allows a certain user to access a resource upfront.
> For example, when a resource owner decides to share a resource with someone by
> sending an email, she wants to set the necessary policy at the same
> time (and not later on in a separate approval step). This is what
> the User Management UI already offers. But I would like to
> implement that functionality by API calls.
>
> Best regards,
>
> Stefan Wachter
> INST-ICM/BSV-BS
>
> Tel. +49(711)811-58477
>
> On 18.07.2018 at 14:20, Pedro Igor Silva wrote:
>> On Wed, Jul 18, 2018 at 5:43 AM, stefan.wachter wrote:
>>
>>> Hi,
>>>
>>> how can one set a user policy (i.e. a set of users) to a user managed
>>> resource? Looking at the class
>>> org.keycloak.representations.idm.authorization.UmaPermissionRepresentation
>>> I do not see a field that could be used for specifying a set of user ids.
>>
>> For users, the idea is that you would probably want to follow UMA
>> flow. The idea behind this endpoint is to allow resource servers to
>> define additional permissions (in addition to users as provided
>> by UMA flow) and still allow users to revoke them.
>>
>>>     public class UmaPermissionRepresentation extends AbstractPolicyRepresentation {
>>>
>>>         private String id;
>>>         private String description;
>>>         private Set<String> roles;
>>>         private Set<String> groups;
>>>         private Set<String> clients;
>>>         private String condition;
>>>     ...
>>>     }
>>>
>>>     public class AbstractPolicyRepresentation {
>>>
>>>         private String id;
>>>         private String name;
>>>         private String description;
>>>         private String type;
>>>         private Set<String> policies;
>>>         private Set<String> resources;
>>>         private Set<String> scopes;
>>>         private Logic logic = Logic.POSITIVE;
>>>         private DecisionStrategy decisionStrategy = DecisionStrategy.UNANIMOUS;
>>>         private String owner;
>>>     ...
>>>     }
>>>
>>> BTW: Why does the derived UmaPermissionRepresentation class have an id
>>> and description field of its own? I think these fields are inherited
>>> from its base class AbstractPolicyRepresentation.
>>
>> Good point. Need to refactor this.
>>
>>> --
>>>
>>> Best regards,
>>>
>>> Stefan Wachter
>>> INST-ICM/BSV-BS
>>>
>>> Tel. +49(711)811-58477
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From stefan.wachter at bosch-si.com Wed Jul 18 12:14:06 2018
From: stefan.wachter at bosch-si.com (stefan.wachter)
Date: Wed, 18 Jul 2018 18:14:06 +0200
Subject: [keycloak-user] RPT can not be issued to resource owner
References: <0bf40ff6-57c8-14a5-89da-f1ba980a127a@bosch-si.com> <5fbacece-5e83-7db8-cfd5-e905024523c6@bosch-si.com>

https://issues.jboss.org/browse/KEYCLOAK-7886

Best regards,

Stefan Wachter
INST-ICM/BSV-BS

Tel. +49(711)811-58477

BeQIK

On 18.07.2018 at 16:10, Pedro Igor Silva wrote:
> Could you file a JIRA for this, please? Let's see what others think
> about it ...
>
> Thanks.
>
> On Wed, Jul 18, 2018 at 9:53 AM, stefan.wachter wrote:
>
> Agree. However, if a resource owner does not have enough grants by
> default then the approval mechanism should kick in. This is at
> least what the response error "request_submitted" indicates.
>
> Best regards,
>
> Stefan Wachter
> INST-ICM/BSV-BS
>
> Tel. +49(711)811-58477
>
> On 18.07.2018 at 14:11, Pedro Igor Silva wrote:
>> The owner of a resource does not necessarily grant access to the
>> resource. So, yeah, you need some policy to actually define who
>> can access (the owner) the resource. I'm not sure if it makes sense
>> for owners to approve requests to access their resources though.
>>
>> On Wed, Jul 18, 2018 at 6:30 AM, stefan.wachter wrote:
>>
>>> As a work-around I added a policy that authorizes resource owners:
>>>
>>>     if ($evaluation.getContext().getIdentity().getId() ==
>>>         $evaluation.getPermission().getResource().getOwner())
>>>         $evaluation.grant()
>>>
>>> and a permission that uses that policy.
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From aechols at bfcsaz.com Wed Jul 18 15:25:24 2018
From: aechols at bfcsaz.com (Aaron Echols)
Date: Wed, 18 Jul 2018 12:25:24 -0700
Subject: [keycloak-user] Sync Issues
References: <1531868284.4438.3.camel@acutus.pro>

Hi Dmitry,

I did as you suggested, but something seems amiss. When looking under:

    MBeans > org.wildfly.clustering.infinispan > CacheManager > "keycloak" > CacheManager > Attributes > clusterMembers

it shows the same host 2x: [srv-iam-01, srv-iam-01]; the latter should be 02.

The other option you said to look at didn't seem to actually exist:

    MBeans -> org.wildfly.clustering.infinispan -> Cache -> "keycloak" -> Cache

I'm still confused and looking through the configs to see if I can figure out what is going on. Thanks :)
--
Aaron Echols
Lead Administrator (IT)
Benjamin Franklin Charter School | IT
Email: aechols at bfcsaz.com
Phone: (480) 677-8400
Website: http://www.bfcsaz.com
Support Email: techsupport at bfcsaz.com
Support Portal: https://bfcs.freshservice.com/support/home
Common Questions: https://bfcs.freshservice.com/support/solutions
Forgot your password: https://accounts.bfcsaz.com

On Tue, Jul 17, 2018 at 4:01 PM Aaron Echols wrote:
> Hi Dmitry,
>
> Thanks for the reply!
>
> I just finished upgrading to 4.1.0 and the issue persists...
>
> Let me try running the console and take a look there and see what it
> shows. I'll post back shortly. Thanks for the help!
> --
> Aaron Echols
>
> On Tue, Jul 17, 2018 at 3:58 PM Dmitry Telegin wrote:
>> Hi Aaron,
>>
>> This all sounds very weird. Off the top of my head:
>> - try latest Keycloak (4.1.0), is the issue reproducible?
>> - Infinispan exposes quite a lot of stuff via JMX. Run JMC or JConsole,
>>   connect to the Keycloak process, go to MBeans ->
>>   org.wildfly.clustering.infinispan -> Cache -> "keycloak" -> Cache. How
>>   many caches are there? (should be 15 as of KC 4.1.0) Are they all
>>   running? Are there any abnormalities? Entries under CacheManager might
>>   be useful, too.
>>
>> Cheers,
>> Dmitry Telegin
>> CTO, Acutus s.r.o.
>> Keycloak Consulting and Training
>>
>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>> +42 (022) 888-30-71
>> E-mail: info at acutus.pro
>>
>> On Tue, 2018-07-17 at 13:28 -0700, Aaron Echols wrote:
>> > Hello All,
>> >
>> > I've successfully set up a cluster with 2 nodes. Everything is working
>> > great, except for one issue I can't figure out. I'm starting to pull my
>> > hair out and wanted to see if anyone else has seen the issue and how to
>> > correct it.
>> >
>> > I've set up a user federation using Active Directory (Server 2016) using
>> > Keycloak 3.4.3. They are load balanced behind Netscaler 12.0.x. Infinispan
>> > seems to be working correctly. It's backed by a MariaDB 10.1.x, 3 node
>> > cluster. Things I've noted:
>> >
>> > - I can create a local user and it syncs instantly between the KC 3.4.3
>> >   nodes
>> > - Password syncs work, all changes to attributes sync, etc
>> > - I change settings for the user federation I created and they DON'T
>> >   sync, so creating a mapper, changing a sync setting, etc, they have
>> >   to be changed by hand manually on each node.
>> > - Same with Role and realm-management. I can apply a permission to a
>> >   group or user and it doesn't sync.
>> > - If I restart the wildfly server, the changes propagate to the
>> >   opposite node every time.
>> >
>> > I deleted a custom role in the realm-management client, and it deleted it
>> > from the database. On the secondary node, I saw the file was still listed,
>> > even with hard refreshes of the browser. I clicked to delete the custom
>> > role and got the following in the server.log:
>> >
>> >     ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-26) Uncaught server error: java.lang.IllegalStateException: Not found in database
>> >         at org.keycloak.models.cache.infinispan.RoleAdapter.isUpdated(RoleAdapter.java:66)
>> >         at org.keycloak.models.cache.infinispan.RoleAdapter.getId(RoleAdapter.java:105)
>> >         at org.keycloak.models.cache.infinispan.RealmCacheSession.removeRole(RealmCacheSession.java:736)
>> >         at org.keycloak.models.cache.infinispan.ClientAdapter.removeRole(ClientAdapter.java:587)
>> >         at org.keycloak.services.resources.admin.RoleResource.deleteRole(RoleResource.java:53)
>> >         at org.keycloak.services.resources.admin.RoleByIdResource.deleteRole(RoleByIdResource.java:115)
io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >> > at >> > io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >> > at >> > >> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >> > at >> > >> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >> > at java.lang.Thread.run(Thread.java:748) >> > >> > >> > >> > I'm not sure if there is an issue with Infinispan or a sql connection >> > issue. I've included my SQL connection string as well: >> > >> > >> > >> > > jndi-name="java:jboss/datasources/KeycloakDS" >> > pool-name="KeycloakDS" enabled="true" use-java-context="true"> >> > jdbc:mariadb:// >> > >> 10.5.30.202:3306/keycloak?useUnicode=yes;characterEncoding=UTF-8;sessionVariables=wait_timeout=180;autoRe >> > connect=true >> > mariadb >> > >> > 20 >> > >> > >> > keycloak_user >> > >> > >> > >> > select >> > 1 >> > true >> > >> true >> > >> > 10000 >> > >> > >> > >> > >> > >> > >> > org.mariadb.jdbc.Driver >> > >> > >> > >> > org.h2.jdbcx.JdbcDataSource >> > >> > >> > >> > >> > >> > >> > I'm using the mariadb-java-client-2.2.3 driver. >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > >> > Any assistance would be appreciated. I'll grab whatever information is >> > needed. Thank you in advance. :) >> > -- >> > *Aaron Echols* >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From aechols at bfcsaz.com Wed Jul 18 15:32:16 2018 From: aechols at bfcsaz.com (Aaron Echols) Date: Wed, 18 Jul 2018 12:32:16 -0700 Subject: [keycloak-user] Sync Issues In-Reply-To: References: <1531868284.4438.3.camel@acutus.pro> Message-ID: Ok, I fixed a variable in my /etc/default/wildfly.conf Forgot to change the hostname in there: # Hostname: WILDFLY_HOST=srv-iam-02 Once I fixed that, the server started syncing immediately. 
Thanks for helping point me in the right direction. :)
--
*Aaron Echols*

On Wed, Jul 18, 2018 at 12:25 PM Aaron Echols wrote:
> Hi Dmitry,
>
> I did as you suggested, but something seems amiss. When looking under:
>
> MBeans > org.wildfly.clustering.infinispan > CacheManager > "keycloak" > CacheManager > Attributes > clusterMembers
>
> shows the same hosts 2x: [srv-iam-01, srv-iam-01], the latter should be 02. The other option you said to look it didn't seem to actually exist:
>
> MBeans -> org.wildfly.clustering.infinispan -> Cache -> "keycloak" -> Cache
>
> I'm still confused and looking through the configs to see if I can figure out what is going on. Thanks :)
> --
> *Aaron Echols*
> Lead Administrator (IT)
> Benjamin Franklin Charter School | IT
> Email: aechols at bfcsaz.com
> Phone: (480) 677-8400
> Website: http://www.bfcsaz.com
> Support Email: techsupport at bfcsaz.com
> Support Portal: https://bfcs.freshservice.com/support/home
> Common Questions: https://bfcs.freshservice.com/support/solutions
> Forgot your password: https://accounts.bfcsaz.com
>
> *CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, copy, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
>
>
> On Tue, Jul 17, 2018 at 4:01 PM Aaron Echols wrote:
>> Hi Dmitry,
>>
>> Thanks for the reply!
>>
>> I just finished upgrading to 4.1.0 and the issue persists...
>>
>> Let me try running the console and take a look there and see what it shows. I'll post back shortly. Thanks for the help!
>> --
>> *Aaron Echols*
>>
>> On Tue, Jul 17, 2018 at 3:58 PM Dmitry Telegin
>> wrote:
>>
>>> Hi Aaron,
>>>
>>> This all sounds very weird. Off the top of my head:
>>> - try latest Keycloak (4.1.0), is the issue reproducible?
>>> - Infinispan exposes quite a lot of stuff via JMX. Run JMC or JConsole, connect to the Keycloak process, go to MBeans -> org.wildfly.clustering.infinispan -> Cache -> "keycloak" -> Cache. How many caches are there? (should be 15 as of KC 4.1.0) Are they all running? Are there any abnormalities? Entries under CacheManager might be useful, too.
>>>
>>> Cheers,
>>> Dmitry Telegin
>>> CTO, Acutus s.r.o.
>>> Keycloak Consulting and Training
>>>
>>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
>>> +42 (022) 888-30-71
>>> E-mail: info at acutus.pro
>>>
>>> On Tue, 2018-07-17 at 13:28 -0700, Aaron Echols wrote:
>>> > Hello All,
>>> >
>>> > I've successfully setup a cluster with 2 nodes. Everything is working great, except for one issue I can't figure out. I'm starting to pull my hair out and wanted to see if anyone else has seen the issue and how to correct it.
>>> >
>>> > I've setup a user federation using Active Directory (Server 2016) using Keycloak 3.4.3. They are load balanced behind Netscaler 12.0.x. Infinispan seems to be working correctly. It's backed by a MariaDB 10.1.x, 3 node cluster. Things I've noted:
>>> >
>>> > - I can create a local user and it syncs instantly between the KC 3.4.3 nodes
>>> > - Password syncs work, all changes to attributes sync, etc
>>> > - I change settings for the user federation I created and they DON'T sync, so creating a mapper, changing a sync setting, etc, they have to be changed by hand manually on each node.
>>> > - Same with Role and realm-management. I can apply a permission to a group or user and it doesn't sync.
>>> > - If I restart the wildfly server, the changes do propagate to the opposite node every time.
>>> > >>> > >>> > >>> > I deleted a custom role in the realm-management client, and it deleted >>> it >>> > from the database. On the secondary node, I saw the file was still >>> listed, >>> > even with hard refreshes of the browser. I clicked to delete the custom >>> > role and got the following in the server.log: >>> > >>> > >>> > >>> > ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default >>> task-26) >>> > Uncaught server error: java.lang.IllegalStateException: Not found in >>> > database >>> > at >>> > >>> org.keycloak.models.cache.infinispan.RoleAdapter.isUpdated(RoleAdapter.java:66) >>> > at >>> > >>> org.keycloak.models.cache.infinispan.RoleAdapter.getId(RoleAdapter.java:105) >>> > at >>> > >>> org.keycloak.models.cache.infinispan.RealmCacheSession.removeRole(RealmCacheSession.java:736) >>> > at >>> > >>> org.keycloak.models.cache.infinispan.ClientAdapter.removeRole(ClientAdapter.java:587) >>> > at >>> > >>> org.keycloak.services.resources.admin.RoleResource.deleteRole(RoleResource.java:53) >>> > at >>> > >>> org.keycloak.services.resources.admin.RoleByIdResource.deleteRole(RoleByIdResource.java:115) >>> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> > at >>> > >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) >>> > at >>> > >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) >>> > at java.lang.reflect.Method.invoke(Method.java:498) >>> > at >>> > >>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) >>> > at >>> > >>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) >>> > at >>> > >>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) >>> > at >>> > >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) >>> > at >>> > >>> 
org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) >>> > at >>> > >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) >>> > at >>> > >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107) >>> > at >>> > >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133) >>> > at >>> > >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) >>> > at >>> > >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) >>> > at >>> > >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) >>> > at >>> > >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) >>> > at >>> > >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) >>> > at >>> > >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) >>> > at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>> > at >>> > >>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) >>> > at >>> > >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) >>> > at >>> > >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) >>> > at >>> > io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) >>> > at >>> > >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) >>> > at >>> > >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) >>> > at >>> > >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) >>> > at >>> > >>> 
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) >>> > at >>> > >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > at >>> > >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) >>> > at >>> > >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > at >>> > >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) >>> > at >>> > >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) >>> > at >>> > >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) >>> > at >>> > >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) >>> > at >>> > >>> io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) >>> > at >>> > >>> io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > at >>> > >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > at >>> > >>> 
org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) >>> > at >>> > >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) >>> > at >>> > >>> io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) >>> > at >>> > >>> io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) >>> > at >>> > >>> org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> > at >>> > >>> org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) >>> > at >>> > >>> 
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) >>> > at >>> > >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) >>> > at >>> > io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) >>> > at >>> > >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) >>> > at >>> > >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) >>> > at >>> > >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) >>> > at java.lang.Thread.run(Thread.java:748) >>> > >>> > >>> > >>> > I'm not sure if there is an issue with Infinispan or a sql connection >>> > issue. I've included my SQL connection string as well: >>> > >>> > >>> > >>> > >> jndi-name="java:jboss/datasources/KeycloakDS" >>> > pool-name="KeycloakDS" enabled="true" use-java-context="true"> >>> > jdbc:mariadb:// >>> > >>> 10.5.30.202:3306/keycloak?useUnicode=yes;characterEncoding=UTF-8;sessionVariables=wait_timeout=180;autoRe >>> > connect=true >>> > mariadb >>> > >>> > 20 >>> > >>> > >>> > keycloak_user >>> > >>> > >>> > >>> > select >>> > 1 >>> > true >>> > >>> true >>> > >>> > 10000 >>> > >>> > >>> > >>> > >>> > >>> > >>> > org.mariadb.jdbc.Driver >>> > >>> > >>> > >>> > org.h2.jdbcx.JdbcDataSource >>> > >>> > >>> > >>> > >>> > >>> > >>> > I'm using the mariadb-java-client-2.2.3 driver. >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > Any assistance would be appreciated. I'll grab whatever information is >>> > needed. Thank you in advance. 
:)
>>> > --
>>> > *Aaron Echols*
>>> > _______________________________________________
>>> > keycloak-user mailing list
>>> > keycloak-user at lists.jboss.org
>>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From matthew.evans at oracle.com Thu Jul 19 00:42:26 2018
From: matthew.evans at oracle.com (Matt Evans)
Date: Wed, 18 Jul 2018 21:42:26 -0700 (PDT)
Subject: [keycloak-user] Passwords for keycloak
Message-ID: <172baf42-154e-451f-a252-8ec0609d3372@default>

Is it possible to extend keycloak to read its settings, specifically passwords, from a secure configuration store?

For example, how would I go about having keycloak read the password for the database connection from a secure store, so it's not stored in the config files on the machine, or passed as command line parameters?

Thanks

Matt

From matthew.evans at oracle.com Thu Jul 19 01:08:54 2018
From: matthew.evans at oracle.com (Matt Evans)
Date: Wed, 18 Jul 2018 22:08:54 -0700 (PDT)
Subject: [keycloak-user] Passwords for keycloak
In-Reply-To: <172baf42-154e-451f-a252-8ec0609d3372@default>
References: <172baf42-154e-451f-a252-8ec0609d3372@default>
Message-ID: <9dde4736-45d7-4cb3-b346-2dd4a604fd5e@default>

Doing a bit of further googling about jboss/wildfly, should I be looking at implementing the CredentialStoreSpi as detailed in section 4.1.8 of this article?

https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_server_security/securely_storing_credentials

Could I then use that credential store to configure the data source?

Thanks

Matt

-----Original Message-----
From: Matt Evans
Sent: Thursday, 19 July 2018 2:42 PM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Passwords for keycloak

Is it possible to extend keycloak to read its settings, specifically passwords, from a secure configuration store?
For example, how would I go about having keycloak read the password for the database connection from a secure store, so it's not stored in the config files on the machine, or passed as command line parameters?

Thanks

Matt
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From kkcmadhu at yahoo.com Thu Jul 19 02:28:08 2018
From: kkcmadhu at yahoo.com (Madhu)
Date: Thu, 19 Jul 2018 06:28:08 +0000 (UTC)
Subject: [keycloak-user] Rest API for creating token exchange permission
References: <1267581731.6167130.1531981688655.ref@mail.yahoo.com>
Message-ID: <1267581731.6167130.1531981688655@mail.yahoo.com>

Hi, is there an API for creating policies and binding policies to client permissions? E.g. I want to create token exchange permissions for an existing client. How to go about it through the REST API?

Madhu

Sent from Yahoo Mail on Android

From torsten.roemer at agfa.com Thu Jul 19 09:10:58 2018
From: torsten.roemer at agfa.com (Torsten Roemer)
Date: Thu, 19 Jul 2018 13:10:58 +0000
Subject: [keycloak-user] WildFly adapter - dynamically added roles missing in access token
Message-ID:

Following the "Example User Storage Provider with EJB and JPA" I've created a custom user storage provider. In UserAdapter#getRoleMappings, I am returning the roles retrieved via JPA entity like this:

    @Override
    public Set<RoleModel> getRoleMappings() {
        // roles mapped in Keycloak itself, then one role per JPA group of this user
        final Set<RoleModel> roles = super.getRoleMappings();
        for (final GroupBean group : groups) {
            roles.add(new RoleAdapter(this, String.valueOf(group.getObjectID()), group.getName()));
        }
        return roles;
    }

RoleAdapter is my own (possibly incomplete!)
implementation of RoleModel which I am using since I did not find a way to create an instance of i.e. org.keycloak.models.cache.infinispan.RoleAdapter so far.

In the Admin Console, the dynamically added roles are listed as "Assigned Roles" for a particular user but not as "Effective Roles", maybe already that is a problem.

When I request an access token for the user via the OIDC REST endpoint "/realms/{realm-name}/protocol/openid-connect/token" all roles are included in realm_access, roles.

However, when I log in to a Webapp deployed to WildFly secured with the KEYCLOAK auth-method using the WildFly adapter and have a look at the token obtained from the RefreshableKeycloakSecurityContext in the servlet session, the dynamically added roles are not included in the access token.

What could I be missing?

From max.bruchmann at hotmail.com Thu Jul 19 10:37:05 2018
From: max.bruchmann at hotmail.com (Max Bruchmann)
Date: Thu, 19 Jul 2018 14:37:05 +0000
Subject: [keycloak-user] Keycloak Roles and Usergroups
In-Reply-To: <1531227488.7582.15.camel@acutus.pro>
References: <1531227488.7582.15.camel@acutus.pro>
Message-ID:

Hi Dmitry,

do you know if there is any way to retrieve the group context of a role?

My use case would be that I have multiple sport clubs (group) with multiple teams (subgroup)

-club1
--team1_1
--team1_2
-club2
--team2_1
--team2_1

I have for example the role COACH but of course this role makes only sense in context of the team. As far as I understand keycloak this is currently not possible

Kind Regards,
Max

Am 10.07.18 um 14:58 schrieb Dmitry Telegin:
> Hi Vinay,
>
> From my experience, I'd tell that:
> - roles are more likely to reflect person's functions in the organization;
> - groups are more likely to reflect organizational structure.
>
> For example, if there are offices and departments (like "NY Office", "IT Department"), that would normally map to nested groups.
>
> On the other hand, business functions would rather map to roles (like "managers", "developers", "sysadmins" etc.)
>
> There's also a number of technical differences:
> - akin to nested groups, there are composite roles. However, the logic is different: if you grant a composite role to a user, every child role would be granted, too (which is not true for groups);
> - you can assign a role to a group (not vice versa);
> - by default, Keycloak adapters can restrict access based on roles only. If you want to use groups for the same, you'll need to turn on authorization services and create corresponding policies.
>
> Could you please elaborate on your particular use case? If you describe it briefly, I think we'll be able to decide what's better for you.
>
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
>> What is a difference between keycloak roles and usergroups? Are they interchangeable, i.e. can we use roles instead of groups or vice versa to address a problem? Is it possible to have roles within roles, just like groups?
>> Clear guidelines on how to use groups and roles will help.
>>
>> thanks
>> /Vinay
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From Tim.Benke at comlineag.de Thu Jul 19 12:17:39 2018
From: Tim.Benke at comlineag.de (Benke, Tim)
Date: Thu, 19 Jul 2018 16:17:39 +0000
Subject: [keycloak-user] Using Keycloak 3.4 with Spring Boot 2 Adapter 4
Message-ID: <642202C7-A61F-4DEC-BF50-C61EF7B8D447@comlineag.de>

Hello everybody,

It's intuitively clear to me that an outdated adapter communicating with a *newer* Keycloak isn't a great idea and the documentation suggests importing the javascript adapter from the server itself. What about the opposite case of a new backend adapter with version 4.0.0.Final and an older Keycloak 3.4.3. Is this insecure? We're considering this option to reduce the hassle of updating keycloak itself and upgrading our custom theme.

Best regards,
Tim Benke

From vandana0242 at gmail.com Thu Jul 19 17:24:37 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Thu, 19 Jul 2018 16:24:37 -0500
Subject: [keycloak-user] What contents from web.xml of .war file needs to be configure in keycloak
Message-ID:

Hello

Trying to configure SSO for the application on wildfly with keycloak.

What contents from the web.xml of the .war file need to be configured in the keycloak console? Why do we need to take them from the web.xml file? What exactly are they, roles etc.?

Thanks,
Vandana

From bphilips at redhat.com Thu Jul 19 19:42:18 2018
From: bphilips at redhat.com (Brandon Philips)
Date: Thu, 19 Jul 2018 16:42:18 -0700
Subject: [keycloak-user] secret import/export
In-Reply-To:
References:
Message-ID:

Hello-

I want to automate setup/teardown of keycloak on top of Kubernetes.
However, I was surprised that when I got the export JSON that all of the secrets were replaced with "*******". Is there a way to export the actual secrets in an automated fashion? And if exported does the importer read them?

Sorry for the naive questions.

Thank You,

Brandon

From matthew.evans at oracle.com Thu Jul 19 22:09:29 2018
From: matthew.evans at oracle.com (Matt Evans)
Date: Thu, 19 Jul 2018 19:09:29 -0700 (PDT)
Subject: [keycloak-user] secret import/export
In-Reply-To:
References:
Message-ID: <71c22ff7-3b0b-40a7-b3db-9ee99e1b539b@default>

The importer does read them if they are correct in the import json. We deploy our clients and idp providers using the json from the export, and we call the admin api to import, after we ensure the correct secrets are inserted into the import files.

Matt

-----Original Message-----
From: Brandon Philips [mailto:bphilips at redhat.com]
Sent: Friday, 20 July 2018 9:42 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] secret import/export

Hello-

I want to automate setup/teardown of keycloak on top of Kubernetes. However, I was surprised that when I got the export JSON that all of the secrets were replaced with "*******". Is there a way to export the actual secrets in an automated fashion? And if exported does the importer read them?

Sorry for the naive questions.

Thank You,

Brandon
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From lrozenblyum at gmail.com Fri Jul 20 04:16:57 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Fri, 20 Jul 2018 11:16:57 +0300
Subject: [keycloak-user] SAML2.0: support for SessionNotOnOrAfter
Message-ID:

Hello.
Does Keycloak support the attribute SessionNotOnOrAfter based on realm settings of session timeout?

Maybe some another way to inform Service Provider about the desired session end time?

From lrozenblyum at gmail.com Fri Jul 20 04:21:47 2018
From: lrozenblyum at gmail.com (Leonid Rozenblyum)
Date: Fri, 20 Jul 2018 11:21:47 +0300
Subject: [keycloak-user] Programmatical users authentication
In-Reply-To:
References:
Message-ID:

We can programmatically authenticate users by the query:

http://localhost:8080/auth/realms//protocol/openid-connect/token -d "client_id=admin-cli&grant_type=password&username=user&password=pass"

On Tue, Jul 17, 2018 at 1:32 AM Daniel Teixeira wrote:
> Not sure if this could help you, but this shows how to get access tokens programmatically with python:
>
> https://github.com/ddtxra/python-console-keycloak-example
>
> On Mon, Jul 16, 2018 at 12:26 PM, Leonid Rozenblyum wrote:
>> Thanks to REST API we can authenticate admin users who can work on behalf of 'admin-cli' account.
>>
>> Can we authenticate usual users programmatically?
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> --
> Daniel Teixeira

From manisha04.nandal at gmail.com Fri Jul 20 06:39:36 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Fri, 20 Jul 2018 16:09:36 +0530
Subject: [keycloak-user] admin account custom theme not working
Message-ID:

Hi,

I want to use custom theme for admin user. I tried creating a folder with "mytheme/admin" and placed my new modified files. I also changed the configuration from admin account -> realm settings -> theme. My modified files are not picked. Same process I followed for login theme changes and it's working also. Can you please guide me how to use custom theme for admin account.
Another thing I observed is that if I change the theme for master realm and my own realm both, then it works.

Thanks
Manisha

From ddtxra at gmail.com Fri Jul 20 08:26:13 2018
From: ddtxra at gmail.com (Daniel Teixeira)
Date: Fri, 20 Jul 2018 14:26:13 +0200
Subject: [keycloak-user] Groups as array of objects (Script Mapper ? )
Message-ID:

Hello,

I am trying to configure my userinfo token to get the groups, as an array of objects. Currently if I add the "Group Membership" mapper in my client, an array of Strings with the groups is returned.

{
  "name": "Dummy User",
  "groups": ["group1", "group2", "group3"]
  ...
}

But what I need for a SSO Confluence plugin to work is the following format: (The name of the attributes don't matter, but I need an array of objects for the groups)

{
  "name": "Dummy User",
  "groups": [
    {"group_name": "group1"},
    {"group_name": "group2"},
    {"group_name": "group3"}
  ]
  ...
}

So I have tried to create a Script Mapper as follows:

var groups = [];
user.getGroups().forEach(function(groupModel) {
    var groupName = groupModel.getName();
    groups.push({"group_name": groupName});
})
token.setOtherClaims("groups", groups);

But this script produces a token as following:

{
  "name": "Dummy User",
  "groups": {
    "0": { "group_name": "group1" },
    "1": { "group_name": "group2" },
    "2": { "group_name": "group3" }
  },
  ....
}

Which is not an array of objects, but a map of objects. I have tried to toggle the option multivalued but it didn't change anything. Is there a way to have an array? Could someone help me with that?

Thanks in advance!

Cheers,
Daniel Teixeira

From paul at grebenc.ca Fri Jul 20 15:47:48 2018
From: paul at grebenc.ca (Paul Grebenc)
Date: Fri, 20 Jul 2018 15:47:48 -0400
Subject: [keycloak-user] Role required to manage user consents from REST API
Message-ID:

I have been doing some investigation with Keycloak 3.4.3.Final, and have noticed something that I am wondering about.
It is possible for me to request an offline token for a given user with a password grant, and that consent will show up for the user under the user's Consents tab in the admin console.

In terms of managing any granted consents (for the purpose of allowing a user to revoke a consent that they have granted), I have been able to do the following:

curl -X GET -H "Authorization: Bearer " http://localhost:8080/auth/admin/realms/master/users//consents

This returns all current consents granted by the user. I can then also do the following:

curl -X DELETE -H "Authorization: Bearer " http://localhost:8080/auth/admin/realms/master/users//consents/

This revokes the consent granted by the specified user for the specified client.

This is good so far, but I noticed that I was only authorized to perform these operations as admin, and not as the user in question who has granted these consents. Through experimentation, I was able to determine that if I add the role "admin" to the user, that user is then authorized for these operations.

Is this intentional? It was originally my expectation that a user who has granted consents should be able to view or revoke their own consents without having to have the admin role assigned.

Also, looking through the REST API documentation, I didn't see anything related to roles and authorization. Are all operations only accessible by users with the admin role assigned?

Regards,
Paul

From vandana0242 at gmail.com Fri Jul 20 16:44:15 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Fri, 20 Jul 2018 15:44:15 -0500
Subject: [keycloak-user] facing issue while having the single sign on flow
Message-ID:

ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-25) invalidRequestMessage

We are configuring the Single sign on for the application deployed on the Wildfly instance by having keycloak, external IDP, SAML 2.0 standards. Below is the flow. There was an error at the flow while we are trying this flow.
PFA, it has a pictorial representation of the flow.

Wildfly app or servlet container
  -> (SP) SAML request to IdP
  -> Keycloak
  -> (identify Okta IdP... may or may not need a username)
  -> (SP SAML Request to Okta)
  -> Okta IdP (may or may not need the user to log in, depending on whether they have an active Okta session or not)
  -> IdP SAML Response
  -> Keycloak
  -> IdP SAML Response
  -> Wildfly app / servlet container

-------------- next part --------------
A non-text attachment was scrubbed...
Name: WildflyKeycloakOktaSequence.png
Type: image/png
Size: 31308 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180720/30a40b8c/attachment-0001.png

From caiyegui at gmail.com Fri Jul 20 17:34:42 2018
From: caiyegui at gmail.com (Yegui Cai)
Date: Fri, 20 Jul 2018 17:34:42 -0400
Subject: [keycloak-user] Domain-extension example is not working for 4.x
Message-ID:

Hi.

The Domain-extension example is not fully working. The authorized REST API is not working. With a proper token, the client gets a 403 instead of 2XX. Please kindly let me know how to make it work.

thanks,
Yegui

From dt at acutus.pro Sun Jul 22 20:41:25 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 23 Jul 2018 03:41:25 +0300
Subject: [keycloak-user] Sync Issues
In-Reply-To:
References: <1531868284.4438.3.camel@acutus.pro>
Message-ID: <1532306485.2248.0.camel@acutus.pro>

You're welcome, glad it helped :)

Good luck with Keycloak!

Dmitry

On Wed, 2018-07-18 at 12:32 -0700, Aaron Echols wrote:
> Ok, I fixed a variable in my
>
> /etc/default/wildfly.conf
>
> Forgot to change the hostname in there:
>
> # Hostname:
> WILDFLY_HOST=srv-iam-02
>
> Once I fixed that, the server started syncing immediately. Thanks for
> helping point me in the right direction. :)
> --
> Aaron Echols
>
>
> On Wed, Jul 18, 2018 at 12:25 PM Aaron Echols wrote:
> > Hi Dmitry,
> >
> > I did as you suggested, but something seems amiss.
> > When looking under:
> >
> > MBeans -> org.wildfly.clustering.infinispan -> CacheManager -> "keycloak" -> CacheManager -> Attributes -> clusterMembers
> >
> > shows the same host twice: [srv-iam-01, srv-iam-01], the latter should
> > be 02. The other option you said to look at didn't seem to actually
> > exist:
> >
> > MBeans -> org.wildfly.clustering.infinispan -> Cache -> "keycloak" -> Cache
> >
> > I'm still confused and looking through the configs to see if I can
> > figure out what is going on. Thanks :)
> > --
> > Aaron Echols
> > Lead Administrator (IT)
> > Benjamin Franklin Charter School | IT
> > Email: aechols at bfcsaz.com
> > Phone: (480) 677-8400
> > Website: http://www.bfcsaz.com
> > Support Email: techsupport at bfcsaz.com
> > Support Portal: https://bfcs.freshservice.com/support/home
> > Common Questions: https://bfcs.freshservice.com/support/solutions
> > Forgot your password: https://accounts.bfcsaz.com
> >
> > *CONFIDENTIALITY NOTICE: This e-mail message, including any
> > attachments, is for the sole use of the intended recipient(s) and
> > may contain confidential and privileged information. Any
> > unauthorized review, copy, use, disclosure, or distribution is
> > prohibited. If you are not the intended recipient, please contact
> > the sender by reply e-mail and destroy all copies of the original
> > message.*
> >
> >
> > On Tue, Jul 17, 2018 at 4:01 PM Aaron Echols wrote:
> > > Hi Dmitry,
> > >
> > > Thanks for the reply!
> > >
> > > I just finished upgrading to 4.1.0 and the issue persists...
> > >
> > > Let me try running the console and take a look there and see what
> > > it shows. I'll post back shortly. Thanks for the help!
> > > --
> > > Aaron Echols
> > >
> > > On Tue, Jul 17, 2018 at 3:58 PM Dmitry Telegin wrote:
> > > > Hi Aaron,
> > > >
> > > > This all sounds very weird. Off the top of my head:
> > > > - try latest Keycloak (4.1.0), is the issue reproducible?
> > > > - Infinispan exposes quite a lot of stuff via JMX. Run JMC or JConsole,
> > > >   connect to the Keycloak process, go to MBeans ->
> > > >   org.wildfly.clustering.infinispan -> Cache -> "keycloak" -> Cache. How
> > > >   many caches are there? (should be 15 as of KC 4.1.0) Are they all
> > > >   running? Are there any abnormalities? Entries under CacheManager might
> > > >   be useful, too.
> > > >
> > > > Cheers,
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > >
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > >
> > > > On Tue, 2018-07-17 at 13:28 -0700, Aaron Echols wrote:
> > > > > Hello All,
> > > > >
> > > > > I've successfully set up a cluster with 2 nodes. Everything is working
> > > > > great, except for one issue I can't figure out. I'm starting to pull my
> > > > > hair out and wanted to see if anyone else has seen the issue and how to
> > > > > correct it.
> > > > >
> > > > > I've set up a user federation using Active Directory (Server 2016) using
> > > > > Keycloak 3.4.3. They are load balanced behind Netscaler 12.0.x. Infinispan
> > > > > seems to be working correctly. It's backed by a MariaDB 10.1.x, 3 node
> > > > > cluster. Things I've noted:
> > > > >
> > > > >   - I can create a local user and it syncs instantly between the KC 3.4.3
> > > > >     nodes
> > > > >   - Password syncs work, all changes to attributes sync, etc
> > > > >   - I change settings for the user federation I created and they DON'T
> > > > >     sync, so creating a mapper, changing a sync setting, etc, they have to be
> > > > >     changed by hand manually on each node.
> > > > >   - Same with Role and realm-management. I can apply a permission to a
> > > > >     group or user and it doesn't sync.
> > > > >   - If I restart the wildfly server, the changes propagate to the
> > > > >     opposite node every time.
> > > > >
> > > > > I deleted a custom role in the realm-management client, and it deleted it
> > > > > from the database. On the secondary node, I saw the file was still listed,
> > > > > even with hard refreshes of the browser. I clicked to delete the custom
> > > > > role and got the following in the server.log:
> > > > >
> > > > > ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-26) Uncaught server error: java.lang.IllegalStateException: Not found in database
> > > > >         at org.keycloak.models.cache.infinispan.RoleAdapter.isUpdated(RoleAdapter.java:66)
> > > > >         at org.keycloak.models.cache.infinispan.RoleAdapter.getId(RoleAdapter.java:105)
> > > > >         at org.keycloak.models.cache.infinispan.RealmCacheSession.removeRole(RealmCacheSession.java:736)
> > > > >         at org.keycloak.models.cache.infinispan.ClientAdapter.removeRole(ClientAdapter.java:587)
> > > > >         at org.keycloak.services.resources.admin.RoleResource.deleteRole(RoleResource.java:53)
> > > > >         at org.keycloak.services.resources.admin.RoleByIdResource.deleteRole(RoleByIdResource.java:115)
> > > > >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > >         at java.lang.reflect.Method.invoke(Method.java:498)
> > > > >         at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
> > > > >         at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
> > > > >         at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
> > > > >         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
> > > > >         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> > > > >         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> > > > >         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
> > > > >         at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
> > > > >         at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
> > > > >         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
> > > > >         at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
> > > > >         at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
> > > > >         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> > > > >         at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> > > > >         at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> > > > >         at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> > > > >         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> > > > >         at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> > > > >         at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
> > > > >         at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> > > > >         at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> > > > >         at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> > > > >         at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> > > > >         at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> > > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >         at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> > > > >         at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> > > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >         at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> > > > >         at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> > > > >         at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> > > > >         at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> > > > >         at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> > > > >         at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> > > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >         at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> > > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >         at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
> > > > >         at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> > > > >         at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
> > > > >         at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
> > > > >         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
> > > > >         at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
> > > > >         at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
> > > > >         at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
> > > > >         at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
> > > > >         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > > > >         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > > > >         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > > > >         at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
> > > > >         at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
> > > > >         at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> > > > >         at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
> > > > >         at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
> > > > >         at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
> > > > >         at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
> > > > >         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
> > > > >         at java.lang.Thread.run(Thread.java:748)
> > > > >
> > > > > I'm not sure if there is an issue with Infinispan or a sql connection
> > > > > issue. I've included my SQL connection string as well:
> > > > >
> > > > > <datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
> > > > >     <connection-url>jdbc:mariadb://10.5.30.202:3306/keycloak?useUnicode=yes;characterEncoding=UTF-8;sessionVariables=wait_timeout=180;autoReconnect=true</connection-url>
> > > > >     <driver>mariadb</driver>
> > > > >     <pool>
> > > > >         <max-pool-size>20</max-pool-size>
> > > > >     </pool>
> > > > >     <security>
> > > > >         <user-name>keycloak_user</user-name>
> > > > >         <password>passphrase</password>
> > > > >     </security>
> > > > >     <validation>
> > > > >         <check-valid-connection-sql>select 1</check-valid-connection-sql>
> > > > >         <validate-on-match>true</validate-on-match>
> > > > >         <background-validation>true</background-validation>
> > > > >         <background-validation-millis>10000</background-validation-millis>
> > > > >     </validation>
> > > > > </datasource>
> > > > > <drivers>
> > > > >     <driver name="mariadb" module="org.mariadb">
> > > > >         <driver-class>org.mariadb.jdbc.Driver</driver-class>
> > > > >     </driver>
> > > > >     <driver name="h2" module="com.h2database.h2">
> > > > >         <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
> > > > >     </driver>
> > > > > </drivers>
> > > > >
> > > > > I'm using the mariadb-java-client-2.2.3 driver.
> > > > >
> > > > > Any assistance would be appreciated. I'll grab whatever information is
> > > > > needed. Thank you in advance.
> > > > > :)
> > > > > --
> > > > > *Aaron Echols*
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Sun Jul 22 20:48:19 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 23 Jul 2018 03:48:19 +0300
Subject: [keycloak-user] Passwords for keycloak
In-Reply-To: <9dde4736-45d7-4cb3-b346-2dd4a604fd5e@default>
References: <172baf42-154e-451f-a252-8ec0609d3372@default> <9dde4736-45d7-4cb3-b346-2dd4a604fd5e@default>
Message-ID: <1532306899.2248.2.camel@acutus.pro>

Hi Matt,

Seems like you've already figured out everything yourself :)

After you have your CredentialStoreSpi implemented, you should be able to use "--credential-reference={store=my_store, alias=database-pw}" instead of "--password" while configuring the datasource via jboss-cli.sh.

How is it going with the implementation? BTW, is it HashiCorp Vault you're trying to integrate with?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-07-18 at 22:08 -0700, Matt Evans wrote:
> Doing a bit of further googling about jboss/wildfly, should I be
> looking at implementing the CredentialStoreSpi as detailed in section
> 4.1.8 of this article?
>
> https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_server_security/securely_storing_credentials
>
> Could I then use that credential store to configure the data source?
>
> Thanks
>
> Matt
>
> -----Original Message-----
> From: Matt Evans
> Sent: Thursday, 19 July 2018 2:42 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Passwords for keycloak
>
> Is it possible to extend keycloak to read its settings, specifically
> passwords, from a secure configuration store?
> For example, how would
> I go about having keycloak read the password for the database
> connection from a secure store, so it's not stored in the config
> files on the machine, or passed as command line parameters?
>
> Thanks
>
> Matt
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Sun Jul 22 20:54:14 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 23 Jul 2018 03:54:14 +0300
Subject: [keycloak-user] Rest API for creating token exchange permission
In-Reply-To: <1267581731.6167130.1531981688655@mail.yahoo.com>
References: <1267581731.6167130.1531981688655.ref@mail.yahoo.com> <1267581731.6167130.1531981688655@mail.yahoo.com>
Message-ID: <1532307254.2248.4.camel@acutus.pro>

Hi Madhu,

On Thu, 2018-07-19 at 06:28 +0000, Madhu wrote:
> Hi, is there an API for creating policies and binding policies to
> client permissions? E.g. I want to create token exchange permissions
> for an existing client. How to go about it through the REST API?

Generally speaking, if some piece of functionality is available in the Admin Console, most likely it's also available via the REST API (because that's how the Admin Console works). The problem is that the actual calls might be undocumented.
That's how I do it:
- log into the Admin Console with your browser;
- press F12 to open Developer tools, then go to Network;
- perform the desired action(s) in the console (in your case, create the necessary permissions);
- look into Network to find the actual REST API calls your actions have resulted in.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> Madhu
> Sent from Yahoo Mail on Android
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Sun Jul 22 21:07:31 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 23 Jul 2018 04:07:31 +0300
Subject: [keycloak-user] WildFly adapter - dynamically added roles missing in access token
In-Reply-To:
References:
Message-ID: <1532308051.2248.6.camel@acutus.pro>

Hi Torsten,

I'd suggest the following workflow to diagnose your issue. You've mentioned that the explicit call to "/realms/{realm-name}/protocol/openid-connect/token" gives you a valid token with all the roles included. Could you try to determine which call is issued by the adapter to retrieve a token? How would that be different from the call above? Would it use code-to-token exchange?

As soon as you figure out how exactly the adapter retrieves the token, you'll be able to further debug it in Keycloak.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-07-19 at 13:10 +0000, Torsten Roemer wrote:
> Following the "Example User Storage Provider with EJB and JPA" I've created a custom user storage provider.
>
> In UserAdapter#getRoleMappings, I am returning the roles retrieved via JPA entity like this:
>
>     @Override
>     public Set<RoleModel> getRoleMappings() {
>         final Set<RoleModel> roles = super.getRoleMappings();
>         for (final GroupBean group : groups) {
>             roles.add(new RoleAdapter(this, String.valueOf(group.getObjectID()), group.getName()));
>         }
>
>         return roles;
>     }
>
> RoleAdapter is my own (possibly incomplete!) implementation of RoleModel which I am using since I did not find a way to create an instance of i.e. org.keycloak.models.cache.infinispan.RoleAdapter so far.
>
> In the Admin Console, the dynamically added roles are listed as "Assigned Roles" for a particular user but not as "Effective Roles"; maybe that is already a problem.
>
> When I request an access token for the user via the OIDC REST endpoint "/realms/{realm-name}/protocol/openid-connect/token", all roles are included in realm_access, roles.
>
> However, when I log in to a Webapp deployed to WildFly secured with the KEYCLOAK auth-method using the WildFly adapter and have a look at the token obtained from the RefreshableKeycloakSecurityContext in the servlet session, the dynamically added roles are not included in the access token.
>
> What could I be missing?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Sun Jul 22 21:18:26 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 23 Jul 2018 04:18:26 +0300
Subject: [keycloak-user] Keycloak Roles and Usergroups
In-Reply-To:
References: <1531227488.7582.15.camel@acutus.pro>
Message-ID: <1532308706.2248.8.camel@acutus.pro>

Hi Max,

On Thu, 2018-07-19 at 14:37 +0000, Max Bruchmann wrote:
> Hi Dmitry,
>
> do you know if there is any way to retrieve the group context of a
> role?

Could you please elaborate on the "group context of a role"?
In Keycloak, roles are not related to groups (however, a group can reference roles to be automatically assigned to group members).

> My use case would be that I have multiple sport clubs (group) with
> multiple teams (subgroup)
>
> -club1
> --team1_1
> --team1_2
> -club2
> --team2_1
> --team2_1
>
> I have for example the role COACH but of course this role only makes
> sense in the context of the team.

I agree with that, but what's the (bigger) problem you're trying to solve? I'd imagine that you want to grant coaches some privileged access to the players' data; the coach should manage only the team he is assigned to. If that's what you're trying to do, I'd suggest the following:
- create the "coach" role;
- grant this role to all coaches;
- put your coaches into the corresponding groups (teams);
- use fine-grained permissions to implement access rules (grant access to the players' data if the requester has the "coach" role and belongs to the same group as the player).

Hope it helps,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

> As far as I understand keycloak, this is currently not possible.
>
> Kind Regards,
> Max
>
> On 10.07.18 at 14:58, Dmitry Telegin wrote:
> > Hi Vinay,
> >
> > From my experience, I'd tell that:
> > - roles are more likely to reflect a person's functions in the
> >   organization;
> > - groups are more likely to reflect organizational structure.
> >
> > For example, if there are offices and departments (like "NY Office",
> > "IT Department"), that would normally map to nested groups.
> >
> > On the other hand, business functions would rather map to roles (like
> > "managers", "developers", "sysadmins" etc.)
> >
> > There's also a number of technical differences:
> > - akin to nested groups, there are composite roles.
> >   However, the logic is different: if you grant a composite role to a
> >   user, every child role would be granted, too (which is not true for
> >   groups);
> > - you can assign a role to a group (not vice versa);
> > - by default, Keycloak adapters can restrict access based on roles
> >   only. If you want to use groups for the same, you'll need to turn on
> >   authorization services and create corresponding policies.
> >
> > Could you please elaborate on your particular use case? If you describe
> > it briefly, I think we'll be able to decide what's better for you.
> >
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
> > > What is the difference between keycloak roles and usergroups? Are they
> > > interchangeable, i.e. can we use roles instead of groups or vice versa
> > > to address a problem? Is it possible to have roles within roles, just
> > > like groups?
> > > Clear guidelines on how to use groups and roles will help.
> > >
> > > thanks
> > > /Vinay
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Sun Jul 22 21:21:28 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 23 Jul 2018 04:21:28 +0300
Subject: [keycloak-user] What contents from web.xml of .war file needs to be configure in keycloak
In-Reply-To:
References:
Message-ID: <1532308888.2248.10.camel@acutus.pro>

Hi Vandana,

The process of configuring the Keycloak Wildfly adapter is described in detail here, including the example of web.xml:
https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-07-19 at 16:24 -0500, vandana thota wrote:
> Hello
>
> Trying to configure SSO for the application on wildfly with keycloak.
> What contents from web.xml of the .war file need to be configured in
> the keycloak console?
>
> Why do we need to take them from the web.xml file?
>
> What exactly are they, roles etc.?
>
> Thanks,
> Vandana
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From vandana0242 at gmail.com Sun Jul 22 21:38:36 2018
From: vandana0242 at gmail.com (vandana thota)
Date: Sun, 22 Jul 2018 21:38:36 -0400
Subject: [keycloak-user] What contents from web.xml of .war file needs to be configure in keycloak
In-Reply-To: <1532308888.2248.10.camel@acutus.pro>
References: <1532308888.2248.10.camel@acutus.pro>
Message-ID:

Yes, we have those in web.xml. What exactly needs to be taken from web.xml and put in keycloak for single sign-on configuration? We tried to have roles and username the same as in web.xml in keycloak also, but it did not work. Can you give us a scenario in detail?

Thanks,

On Sun, Jul 22, 2018 at 9:21 PM Dmitry Telegin wrote:
> Hi Vandana,
>
> The process of configuring the Keycloak Wildfly adapter is described in detail
> here, including the example of web.xml:
> https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Thu, 2018-07-19 at 16:24 -0500, vandana thota wrote:
> > Hello
> >
> > Trying to configure SSO for the application on wildfly with keycloak.
> > What contents from web.xml of the .war file need to be configured in
> > the keycloak console?
> >
> > Why do we need to take them from the web.xml file?
> >
> > What exactly are they, roles etc.?
> >
> > Thanks,
> > Vandana
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Sun Jul 22 21:48:01 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Mon, 23 Jul 2018 04:48:01 +0300
Subject: [keycloak-user] SAML2.0: support for SessionNotOnOrAfter
In-Reply-To:
References:
Message-ID: <1532310481.2248.12.camel@acutus.pro>

Hi Leonid,

Grepping the Keycloak code shows that it does "know" about SessionNotOnOrAfter, that means it is able to parse it from XML and get/set the value in the model. But that's all; Keycloak doesn't actually manipulate this attribute in any way. Seems like a bug / missing feature to me, but let's see what the Keycloak devs say.

Meanwhile, you could implement a custom ProtocolMapper to populate the SessionNotOnOrAfter attribute. (This could have been even easier had the script mapper existed for SAML, see KEYCLOAK-5520.)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2018-07-20 at 11:16 +0300, Leonid Rozenblyum wrote: > Hello. > Does Keycloak support the attribute SessionNotOnOrAfter based on > realm > settings of session timeout? Maybe some other way to inform Service > Provider about the desired session end time? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Sun Jul 22 21:58:19 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 04:58:19 +0300 Subject: [keycloak-user] admin account custom theme not working In-Reply-To: References: Message-ID: <1532311099.2248.14.camel@acutus.pro> Hi Manisha, One thing you need to remember is that when you change a theme in the realm settings, that should change look and feel for the realm's dedicated admin console. See https://www.keycloak.org/docs/latest/server_admin/index.html#_per_realm_admin_permissions for more info on dedicated admin consoles. Another thing is theme caching. Did you disable it as per this document? https://www.keycloak.org/docs/latest/server_development/index.html#creating-a-theme Cleaning browser cache also helps in some cases. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2018-07-20 at 16:09 +0530, Manisha Nandal wrote: > Hi, > > I want to use custom theme for admin user. I tried creating a folder > with > "mytheme/admin" and placed my new modified files. I also changed the > configuration from admin account - > realm settings - > theme. My > modified > files are not picked. > > Same process I followed for login theme changes and its working also. > > Can you please guide me how to use custom theme for admin account.
> Another > thing I observed is that if I change the theme for master realm and my > own > realm both, then it works > > Thanks > Manisha > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Sun Jul 22 22:04:46 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 05:04:46 +0300 Subject: [keycloak-user] Groups as array of objects (Script Mapper ? ) In-Reply-To: References: Message-ID: <1532311486.2248.16.camel@acutus.pro> Hi Daniel, Not sure if Script Mapper allows for that, but you could definitely solve this with a custom ProtocolMapper. Use the "Group Membership" mapper as a reference, but return an array of objects instead of an array of strings. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2018-07-20 at 14:26 +0200, Daniel Teixeira wrote: > Hello, > I am trying to configure my userinfo token to get the groups, as an > array > of objects. > Currently if I add the "Group Membership" mapper in my client, an > array of > Strings with the groups is returned. >
> {
>   "name": "Dummy User",
>   "groups": ["group1", "group2", "group3"]
>   ...
> }
>
> But what I need for a SSO Confluence plugin to work is the following > format: > (The name of the attributes don't matter, but I need an array of > objects > for the groups) >
> {
>   "name": "Dummy User",
>   "groups": [ {"group_name": "group1"},
>               {"group_name": "group2"},
>               {"group_name": "group3"} ]
>   ...
> }
>
> So I have tried to create a Script Mapper as follows:
>
> // Script Mapper (Nashorn): build a JS array of {group_name: ...} objects
> // from the user's group memberships and set it as the "groups" claim.
> var groups = [];
> user.getGroups().forEach(function(groupModel) {
>     var groupName = groupModel.getName();
>     groups.push({"group_name": groupName});
> });
>
> token.setOtherClaims("groups", groups);
>
> But this script produces a token as following:
>
> {
>   "name": "Dummy User",
>   "groups": {
>     "0": {
>       "group_name": "group1"
>     },
>     "1": {
>       "group_name": "group2"
>     },
>     "2": {
>       "group_name": "group3"
>     }
>   },
>   ....
> }
>
> Which is not an array of objects, but a map of objects. > I have tried to toggle the option multivalued but it didn't change > anything. > > Is there a way to have an array? > Could someone help me with that? > Thanks in advance! > > Cheers, > Daniel Teixeira > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Sun Jul 22 22:52:22 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 05:52:22 +0300 Subject: [keycloak-user] Role required to manage user consents from REST API In-Reply-To: References: Message-ID: <1532314342.2248.18.camel@acutus.pro> Hi Paul, Here's the method responsible for consent / offline token revocation: https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java#L480 This can be further traced to o.k.services.resources.admin.permissions.UserPermissions::canManage(UserModel): https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java#L311 Long story short: currently, consents / offline tokens can be revoked only by those allowed to manage all the users in the realm (either via "admin" role membership or Realm > Users > Permissions) or by those allowed to manage users in a particular group
(Realm > Groups > (group) > Permissions). That means, a user is not allowed to revoke his/her own consents and offline tokens. This looks like a bug to me, but let's see what the Keycloak devs say. > Also, looking through the REST API documentation, I didn't see > anything related to roles and authorization. Are all operations only > accessible by users with the admin role assigned? Not necessarily so; unfortunately, this topic is mostly undocumented, so the only reliable way is to look into the sources (something we've just done for consent revocation). Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2018-07-20 at 15:47 -0400, Paul Grebenc wrote: > I have been doing some investigation with Keycloak 3.4.3.Final, and have > noticed something that I am wondering about. > > It is possible for me to request an offline token for a given user with a > password grant, and that consent will show up for the user under the user's > Consents tab in the admin console. > > In terms of managing any granted consents (for the purpose of allowing a > user to revoke a consent that they have granted), I have been able to do > the following: >
> curl -X GET -H "Authorization: Bearer " > http://localhost:8080/auth/admin/realms/master/users//consents
>
> This returns all current consents granted by the user. I can then also do > the following: >
> curl -X DELETE -H "Authorization: Bearer " > http://localhost:8080/auth/admin/realms/master/users//consents/;
>
> This revokes the consent granted by the specified user for the specified > client.
> > > This is good so far, but I noticed that I was only authorized to perform > these operations as admin, and not as the user in question who has granted > these consents. Through experimentation, I was able to determine that if I > add the role "admin" to the user, that user is then authorized for these > operations. > > > Is this intentional? It was originally my expectation that a user who has > granted consents should be able to view or revoke their own consents > without having to have the admin role assigned. > > > Also, looking through the REST API documentation, I didn't see anything > related to roles and authorization. Are all operations only accessible by > users with the admin role assigned? > > > Regards, > > Paul > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Sun Jul 22 23:10:49 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 06:10:49 +0300 Subject: [keycloak-user] facing issue while having the single sign on flow In-Reply-To: References: Message-ID: <1532315449.2248.20.camel@acutus.pro> Hi Vandana, Excellent diagram! However I'm afraid we'll need some additional info: - as for you, from which transaction depicted in the diagram did the error arise? - there should have been a stack trace after "invalidRequestMessage", could you please share it? - what was the SAML payload of the request that led to an error? You can obtain it from F12 -> Network in your browser (but don't forget to scrub any sensitive data) Cheers, Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2018-07-20 at 15:44 -0500, vandana thota wrote: > ERROR [org.keycloak.services.resources.IdentityBrokerService] > (default > task-25) invalidRequestMessage > > We are configuring single sign-on for the application deployed on > the > Wildfly instance using Keycloak, an external IdP and the SAML 2.0 > standard. > Below is the flow. > > There was an error in the flow while we were trying it. PFA, it > has > a pictorial representation of the flow. > Wildfly app or servlet container -> (SP) SAML request to IdP -> > Keycloak -> > (identify Okta IdP... may or may not need a username) -> (SP SAML > Request > to Okta) -> Okta IdP (May or may not need user to login depends on if > they > have an active okta session or not) -> IdP SAML Response -> Keycloak > -> IdP > SAML Response Wildfly app / servlet container > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Sun Jul 22 23:22:12 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 06:22:12 +0300 Subject: [keycloak-user] Domain-extension example is not working for 4.x In-Reply-To: References: Message-ID: <1532316132.2248.22.camel@acutus.pro> Hi Yegui, Unfortunately, the domain-extension example is currently broken: https://issues.jboss.org/browse/KEYCLOAK-5927 Meanwhile, you can use BeerCloak as a reference: https://github.com/dteleguin/beercloak It is working and maintained. Feel free to ask me any questions regarding it. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2018-07-20 at 17:34 -0400, Yegui Cai wrote: > Hi. > The Domain-extension example is not fully working.
The authorized > rest API > is not working. With proper token, the client gets a 403 instead of > 2XX. > > Please kindly let me know how to make it work. > > thanks, > Yegui > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From manisha04.nandal at gmail.com Sun Jul 22 23:51:12 2018 From: manisha04.nandal at gmail.com (Manisha Nandal) Date: Mon, 23 Jul 2018 09:21:12 +0530 Subject: [keycloak-user] admin account custom theme not working In-Reply-To: <1532311099.2248.14.camel@acutus.pro> References: <1532311099.2248.14.camel@acutus.pro> Message-ID: Thanks for reply. This is not related to caching. To be more specific I have modified these files from base directory themes\mytheme\admin\resources\partials\realm-identity-provider-social.html themes\mytheme\admin\resources\partials\realm-identity-provider-saml.html My changes are not picked. If I change the theme of master realm and my own realm then it picks changes. I have observed that, in admin console theme is not picked specific to my own realm. Rather it uses the theme of master realm. Please suggest how to proceed further. Thanks. Manisha On Mon, Jul 23, 2018 at 7:28 AM, Dmitry Telegin
wrote: > Hi Manisha, > > One thing you need to remember is that when you change a theme in the > realm settings, that should change look and feel for the realm's dedicated > admin console. > See https://www.keycloak.org/docs/latest/server_admin/index.html#_per_realm_admin_permissions for more info on dedicated admin > consoles. > > Another thing is theme caching. Did you disable it as per this document? > https://www.keycloak.org/docs/latest/server_development/index.html#creating-a-theme > > Cleaning browser cache also helps in some cases. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Fri, 2018-07-20 at 16:09 +0530, Manisha Nandal wrote: > > Hi, > > > > I want to use custom theme for admin user. I tried creating a folder > > with > > "mytheme/admin" and placed my new modified files. I also changed the > > configuration from admin account - > realm settings - > theme. My > > modified > > files are not picked. > > > > Same process I followed for login theme changes and its working also. > > > > Can you please guide me how to use custom theme for admin account. > > Another > > thing I observed is that if I change the theme for master realm and my > > own > > realm both, then it works > > > > Thanks > > Manisha > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From Leon.Graser at bosch-si.com Mon Jul 23 02:32:23 2018 From: Leon.Graser at bosch-si.com (Graser Leon (INST-CSS/BSV-OS)) Date: Mon, 23 Jul 2018 06:32:23 +0000 Subject: [keycloak-user] enable/disable permissions via the Java API Message-ID: <0888f649238f48779a4a80bb9f4dc914@bosch-si.com> Hi all, for a project we currently try to automate our Keycloak setup programmatically using the Java API.
So far I figured out most of the requirements except for one feature. How can I enable/disable the permissions of an object such as a group or a role? In the web UI they have a tab called "Permissions" with a boolean switch to enable/disable them and if I have a look at the HTTP calls I find a PUT call to my group similar to /auth/admin/realms//groups//management/permission with a payload of { enabled: true }. As of now I extended the org.keycloak.admin.client.resource.GroupResource interface to make it happen using RESTeasy. Is there an already existing way in the Java API to accomplish that? Thanks in advance for any ideas. Regards, Leon From nikola.malenic at netsetglobal.rs Mon Jul 23 03:25:01 2018 From: nikola.malenic at netsetglobal.rs (Nikola Malenic) Date: Mon, 23 Jul 2018 09:25:01 +0200 Subject: [keycloak-user] Frontend and backend on separate servers In-Reply-To: <1531929643.6039.3.camel@acutus.pro> References: <005301d41a7e$02bfc230$083f4690$@netsetglobal.rs> <003b01d41ea4$97210360$c5630a20$@netsetglobal.rs> <1531929643.6039.3.camel@acutus.pro> Message-ID: <007b01d42256$448bc710$cda35530$@netsetglobal.rs> Thank you very much. I am probably going to use reverse proxy. -----Original Message----- From: Dmitry Telegin [mailto:dt at acutus.pro] Sent: Wednesday, July 18, 2018 6:01 PM To: Nikola Malenic ; keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Frontend and backend on separate servers I'm afraid Keycloak Proxy is not relevant in your case, but just FYI - indeed, the old proxy is deprecated, but the new one [1] is going to be incorporated into Keycloak soon, under the tentative name "keycloak- generic-adapter". See the keycloak-dev posting [2] for details. Dmitry [1] https://github.com/gambol99/keycloak-proxy [2] http://lists.jboss.org/pipermail/keycloak-dev/2018-June/010958.html On Wed, 2018-07-18 at 16:35 +0200, Nikola Malenic wrote: > Is it possible to achieve this with Keycloak Security Proxy and how? 
> Also, I've seen it is deprecated now. > > Many thanks, > Nikola > > -----Original Message----- > From: keycloak-user-bounces at lists.jboss.org > [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Nikola > Malenic > Sent: Friday, July 13, 2018 9:49 AM > To: keycloak-user at lists.jboss.org > Subject: [keycloak-user] Frontend and backend on separate servers > > I would like to host backend on secured network, i.e. it would be > accessible only from certain IPs. > > Frontend (Angular application) would be served by different server in > public zone, which would have access to the secured network because > requests from its IP would be allowed to go through firewall. > > > > Is it possible to achieve this in an easy way? I wouldn't like to > implement proxy endpoints for all backend services in secured zone. > > > > Many thanks, > > Nikola > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From iali at an10.io Mon Jul 23 03:28:22 2018 From: iali at an10.io (Irtiza Ali) Date: Mon, 23 Jul 2018 12:28:22 +0500 Subject: [keycloak-user] Extract user roles from jwt auth token Message-ID: I am using this endpoint: XXXXXXXXXX/protocol/openid-connect/token to authenticate the user. Once the user is authenticated a JSON (JWT) is returned from Keycloak.
Decoded jwt json: { "jti": "30d233b2-bba8-4f21-bc51-8c867cd5db8b", "exp": 1532326409, "nbf": 0, "iat": 1532325509, "iss": "http://localhost:8080/auth/realms/nodejs-example", "aud": "nodejs-connect", "sub": "faf3fc64-b96b-4e3f-8e86-4fc727e20d31", "typ": "Bearer", "azp": "nodejs-connect", "auth_time": 0, "session_state": "736f9570-a3c8-4180-927e-15b5e0f63764", "acr": "1", "allowed-origins": [], "resource_access": { "account": { "roles": [ "view-profile" ] } }, "name": "aaa bbb", "preferred_username": "ali123", "given_name": "aaa", "family_name": "bbb", "email": "a123 at yahoo.com" } How can I retrieve the user roles from that JWT token? Thank you Irtiza Ali From lrozenblyum at gmail.com Mon Jul 23 03:30:13 2018 From: lrozenblyum at gmail.com (Leonid Rozenblyum) Date: Mon, 23 Jul 2018 10:30:13 +0300 Subject: [keycloak-user] SAML2.0: support for SessionNotOnOrAfter In-Reply-To: <1532310481.2248.12.camel@acutus.pro> References: <1532310481.2248.12.camel@acutus.pro> Message-ID: Thanks for the great explanation! Actually I've found 1 more thread related to this question: http://lists.jboss.org/pipermail/keycloak-user/2018-May/thread.html#14023 On Mon, Jul 23, 2018 at 4:48 AM Dmitry Telegin
wrote: > Hi Leonid, > > Grepping the Keycloak code shows that it does "know" about > SessionNotOnOrAfter, that means is able to parse it from XML and > get/set the value in the model. But that's all, Keycloak doesn't > actually manipulate this attribute in any way. Seems like bug / missing > feature to me, but let's see what the Keycloak devs say. > > Meanwhile, you could implement a custom ProtocolMapper to populate the > SessionNotOnOrAfter attribute. (This could have been even easier had > the script mapper existed for SAML, see KEYCLOAK-5520) > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Fri, 2018-07-20 at 11:16 +0300, Leonid Rozenblyum wrote: > > Hello. > > Does Keycloak support the attribute SessionNotOnOrAfter based on > > realm > > settings of session timeout? Maybe some another way to inform Service > > Provider about the desired session end time? > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From lists at merit.unu.edu Mon Jul 23 05:11:43 2018 From: lists at merit.unu.edu (mj) Date: Mon, 23 Jul 2018 11:11:43 +0200 Subject: [keycloak-user] SAML2.0: support for SessionNotOnOrAfter In-Reply-To: References: <1532310481.2248.12.camel@acutus.pro> Message-ID: <699ff710-e01e-dbc2-4267-87bb38e05205@merit.unu.edu> Hi Leonid, That was me asking, yes. On 07/23/2018 09:30 AM, Leonid Rozenblyum wrote: > Thanks for the great explanation! > Actually I've found 1 more thread related to this question: > http://lists.jboss.org/pipermail/keycloak-user/2018-May/thread.html#14023 If you actually succeed implementing a custom ProtocolMapper, could you post a small howto here..? 
This would help us :-) MJ From pfs at trifork.com Mon Jul 23 05:57:26 2018 From: pfs at trifork.com (Peter Flintholm Sørensen) Date: Mon, 23 Jul 2018 09:57:26 +0000 Subject: [keycloak-user] Using custom client authenticator for clients created through OpenID Dynamic Client registration Message-ID: <06E431B2-4DB6-4484-81E6-51C85DB904AF@trifork.com> Hi, I would like to create clients using the OpenID dynamic client registration, and I would like these clients to limit the number of wrong 'client_secret' authentication attempts. For this purpose, I have implemented my own "revoking" ClientAuthenticator that disables the client after 3 wrong client_secret attempts. Now the problem is how to configure this authenticator correctly in KeyCloak. First I tried to deploy the authenticator and create a new authentication flow based on the built-in "Clients" flow. In this new flow, I set the authenticator to my own authenticator. I then defined the realm authentication flow binding for clients to this new flow. This almost works. My authenticator is invoked on newly created clients, but unfortunately the ClientAuthenticationFlow.processFlow() fails since the provider_id of the new clients is still expected to be "client-secret" (and I set the provider_id to "revoking-client-secret"). If I manually change the authenticator for the newly created clients (using the admin UI) to my own authenticator, it works perfectly fine. But I need this client to work without manual configuration. I have also tried to change my authenticator provider_id to "client-secret". This makes it in effect overwrite the built-in client authenticator *everywhere* which I don't want. It seems to me that KeyCloak only partially adopts the client authentication flow defined in the realm authentication binding when creating new clients. I hope someone can help - or perhaps lead me in another direction. Please ask if more information is needed!
Best regards, Peter (A little background information: The reason I would like to create these clients with a limited number of client_secret guesses is to use them as a sort of online PIN code authentication from a mobile app. The flow I would like is:
1. User logs in
2. The app creates a client specifically for this installation of the app (authenticating with the user's AT).
3. The user selects a PIN code which is used to derive a key to encrypt the client_secret for this client. The encrypted client_secret is stored in the app.
4. The app reuses the session to log in through the new client, and gets a long-lived RT.
5. When the user wants to start the app again, the user enters the PIN code, derives the key and decrypts the client_secret. The app calls the token endpoint to get an AT from the RT.
It is of course important that the number of PIN guesses is limited online. Hence the need to revoke the client after a number of wrong client_secret guesses.) From Dorit.Mari at audiocodes.com Mon Jul 23 08:52:54 2018 From: Dorit.Mari at audiocodes.com (Dorit Mari) Date: Mon, 23 Jul 2018 12:52:54 +0000 Subject: [keycloak-user] Keycloak - grant_type when getting a token and token introspection Message-ID: Hi, When an access_token is generated for grant_type authorization_code, can the token be introspected by keycloak server? When trying to introspect such a token, keycloak server constantly replies with { "active": false }. However, when the access_token is generated for grant_type password, introspection works correctly. Also, if a token generated for grant_type authorization_code can be introspected, does the introspection procedure differ from the usual introspection (a POST request, with an Authorization header that has Basic scheme whose value fits the Client ID and Client Secret, a Content-Type header whose value is "application/x-www-form-urlencoded", and a body whose value is token="the access_token".
In CURL: curl --user testApp:d7945c1b-7174-4ebb-a481-b3c0bf8991ef -d "token=ey.............NPJW71A" -X POST http://localhost:8080/auth/realms/demo/protocol/openid-connect/token/introspect). Thanks, Dorit This email and any files transmitted with it are confidential material. They are intended solely for the use of the designated individual or entity to whom they are addressed. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this email in error please immediately notify the sender and delete or destroy any copy of this message From dt at acutus.pro Mon Jul 23 09:08:43 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 16:08:43 +0300 Subject: [keycloak-user] What contents from web.xml of .war file needs to be configure in keycloak In-Reply-To: References: <1532308888.2248.10.camel@acutus.pro> Message-ID: <1532351323.2016.1.camel@acutus.pro> Vandana, Could you please check your WEB-INF/keycloak.json and add the following key: "use-resource-role-mappings": true Then redeploy your application. Does it help? Dmitry > yes we have those in web.xml . > > What exactly needs to be take from web.xml and put in keycloak ? for > single sign on configuration ?We tried to have roles and username > same as in web.xml in keycloak also but it did not work .can you > able to give us a scenario in detail ? > > > > > Thanks, > > > On Sun, Jul 22, 2018 at 9:21 PM Dmitry Telegin
wrote: > > Hi Vandana, > > > > The process of configuring Keycloak Wildfly adapter is described in > > detail here, including the example of web.xml: https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > On Thu, 2018-07-19 at 16:24 -0500, vandana thota wrote: > > > Hello > > > > > > Trying to configure SSO for the application on wildfly with > > keycloak > > > What contents from web.xml of .war file needs to be > > configure in > > > keycloak > > > console ? > > > > > > why we need to take from web.xml file > > > > > > What exactly are they roles etc . ? > > > > > > > > > > > > Thanks, > > > Vandana > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From vandana0242 at gmail.com Mon Jul 23 10:45:05 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 23 Jul 2018 09:45:05 -0500 Subject: [keycloak-user] What contents from web.xml of .war file needs to be configure in keycloak In-Reply-To: <1532351323.2016.1.camel@acutus.pro> References: <1532308888.2248.10.camel@acutus.pro> <1532351323.2016.1.camel@acutus.pro> Message-ID: Hello I have chosen to secure via app. So we have below keycloak SAML Adapter keycloak-saml.xml file from installation tab of client of keycloak : You want me to put the line "use-resource-role-mappings": true in this file if yes where exactly ? On Mon, Jul 23, 2018 at 8:08 AM Dmitry Telegin
wrote: > Vandana, > > Could you please check your WEB-INF/keycloak.json and add the following > key: > > "use-resource-role-mappings": true > > Then redeploy your application. Does it help? > > Dmitry > > > yes we have those in web.xml . > > > > What exactly needs to be take from web.xml and put in keycloak ? for > > single sign on configuration ?We tried to have roles and username > > same as in web.xml in keycloak also but it did not work .can you > > able to give us a scenario in detail ? > > > > > > > > > > Thanks, > > > > > > On Sun, Jul 22, 2018 at 9:21 PM Dmitry Telegin
wrote: > > > Hi Vandana, > > > > > > The process of configuring Keycloak Wildfly adapter is described in > > > detail here, including the example of web.xml: https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter > > > > > > Cheers, > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > On Thu, 2018-07-19 at 16:24 -0500, vandana thota wrote: > > > > Hello > > > > > > > > Trying to configure SSO for the application on wildfly with > > > keycloak > > > > What contents from web.xml of .war file needs to be > > > configure in > > > > keycloak > > > > console ? > > > > > > > > why we need to take from web.xml file > > > > > > > > What exactly are they roles etc . ? > > > > > > > > > > > > > > > > Thanks, > > > > Vandana > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > From vandana0242 at gmail.com Mon Jul 23 10:47:41 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 23 Jul 2018 09:47:41 -0500 Subject: [keycloak-user] facing issue while having the single sign on flow In-Reply-To: References: <1532315449.2248.20.camel@acutus.pro> Message-ID: Hello Dmitry, Have you checked the doc, which is 24 pages, that I attached to my previous email? The keycloak-user list cannot post it as it is large. Can your email ID receive that big a file? Thanks. On Sun, Jul 22, 2018 at 10:50 PM vandana thota wrote: > > > as for you, from which transaction depicted in the diagram did the > error arise? > PFA ( 23rd and 24th page ) > - there should have been a stack trace after "invalidRequestMessage", > could you please share it?
> > We could see keycloak logs as below
> 14:10:39,362 WARN [org.hibernate.dialect.H2Dialect] (ServerService Thread Pool -- 47) HHH000431: Unable to determine H2 database version, certain features m work
> 14:11:30,567 WARN [org.keycloak.events] (default task-1) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
> 14:11:30,568 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-1) invalidRequestMessage
> 14:11:51,668 WARN [org.keycloak.events] (default task-2) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.9.7.2,=invalidRequestMessage
> 14:11:51,669 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-2) invalidRequestMessage
> > > - what was the SAML payload of the request that lead to an error? You > can obtain it from F12 -> Network in your browser (but don't forget to > scrub any sensitive data) > > I did not understand what is SAML payload. We are using SAML 2.0 standard. > > What is F12? > > So far we did not configure any load balancer yet > > > > > > > On Sun, Jul 22, 2018 at 11:10 PM Dmitry Telegin
wrote: > >> Hi Vandana, >> >> Excellent diagram! However I'm afraid we'll need some additional info: >> - as for you, from which transaction depicted in the diagram did the >> error arise? >> - there should have been a stack trace after "invalidRequestMessage", >> could you please share it? >> - what was the SAML payload of the request that lead to an error? You >> can obtain it from F12 -> Network in your browser (but don't forget to >> scrub any sensitive data) >> >> Cheers, >> Dmitry Telegin >> CTO, Acutus s.r.o. >> Keycloak Consulting and Training >> >> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic >> +42 (022) 888-30-71 >> E-mail: info at acutus.pro >> >> On Fri, 2018-07-20 at 15:44 -0500, vandana thota wrote: >> > ERROR [org.keycloak.services.resources.IdentityBrokerService] >> > (default >> > task-25) invalidRequestMessage >> > >> > We are configuring the Single sign on for the application deployed on >> > the >> > Wildfly instance by having keycloak , external IDP , SAML 2.0 >> > standards >> > .Below is the flow . >> > >> > There was an error at the flow while we are trying this flow . PFA It >> > has >> > pictorial representation of the flow . >> > Wildfly app or servlet container -> (SP) SAML request to IdP -> >> > Keycloak -> >> > (identify Okta IdP... 
may or may not need a username) -> (SP SAML >> > Request >> > to Okta) -> Okta IdP (May or may not need user to login depends on if >> > they >> > have an active okta session or not) -> IdP SAML Response -> Keycloak >> > -> IdP >> > SAML Response Wildfly app / servlet container >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > From vandana0242 at gmail.com Mon Jul 23 11:09:10 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 23 Jul 2018 10:09:10 -0500 Subject: [keycloak-user] What contents from web.xml of .war file needs to be configure in keycloak In-Reply-To: References: <1532308888.2248.10.camel@acutus.pro> <1532351323.2016.1.camel@acutus.pro> Message-ID: In continuation of my previous email: we have deployed the jenkins.war file, which we are using for our testing purposes. We took it from Google. On Mon, Jul 23, 2018 at 9:45 AM vandana thota wrote: > Hello > > I have chosen to secure via app. > > So we have the below Keycloak SAML adapter keycloak-saml.xml file from the > installation tab of the client in Keycloak: > > You want me to put the line "use-resource-role-mappings": true in > this file? If yes, where exactly?
>
> <keycloak-saml-adapter>
>   <SP sslPolicy="EXTERNAL"
>       logoutPage="SPECIFY YOUR LOGOUT PAGE!">
>     <Keys>
>       <Key signing="true">
>         <CertificatePem>
>           MIICoTCCAYkCBgFkqM8/cTANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAlzYW1wbC1hcHAwHhcNMTgwNzE3MTUxMzMxWhcNMjgwNzE3MTUxNTExWjAUMRIwEAYDVQQDDAlzYW1wbC1hcHAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCb89NHXaOAsAlhu9W0TNC4KqrpAnU6VPNq1tXWdPQl1x34BeyHRtSGFOPr9HmVrasOh+I64HSfGAcB0TUj166JZJ6WBaficrvP63BP4I8LBEn21vB3XvZC6u6Wiv7E/zqWoepIeSsFiTKE5HzeN/3u22vho1dky/OxU93JMbQqfHIV2x2FfVD1UybldaKy/rfLlGeXOKHW+e+rVVMJrASa4s7NKIWYLXQmVSnzrSiAuh5cXYGkpgHbRqkpiSb4/kdCUQ/4ve7EMdLGMMONzG/wAnenxKE58vHYPT5Zccf4aMxuj+4GDLmFibm4ESxKQG31qwSWNelBNmGFoUUfVfilAgMBAAEwDQYJKoZIhvcNAQELBQADggEBAB8zH+XBes8n4+OdW8edDax/s2T4xAF+nHYkPn+d2G94X2h6oe8r20P8Wj9K1Z/iijwVSh6pbOEPssH6EHVBVQ8ImmO682TiLWvxu7wmxgWkgTAWyRZ5Hxqk2i/bU/ZKRLt5sDJcH9RlpZlgvI8d1lpyzWcWTn2o428s1FhBQ+cBUtuXPsbrQMcU8i+ODQ0HpHDbZxe1T3qbwevR9zXaQ3js67Jr7INYIHnrncpN+TxaBg4jClhwHEXQrqeIZAyLo6CZobwowpSqnRQ6Hut26zCPUYAVh2Tzq5JoOLC9duEzOUrL4/TVHvsQa+rlK4Cu7Qfe34P61yf+kXjYeATn2Xg=
>         </CertificatePem>
>       </Key>
>     </Keys>
>     <IDP signatureAlgorithm="RSA_SHA256"
>          signatureCanonicalizationMethod="http://www.w3.org/2001/10/xml-exc-c14n#">
>       <SingleSignOnService validateResponseSignature="true"
>                            validateAssertionSignature="false"
>                            requestBinding="POST"
>                            bindingUrl="http://nl005164.tst.kohls.com:19017/auth/realms/Demo-Realm/protocol/saml"/>
>       <SingleLogoutService signResponse="true"
>                            validateRequestSignature="true"
>                            validateResponseSignature="true"
>                            requestBinding="POST"
>                            responseBinding="POST"
>                            postBindingUrl="http://nl005164.tst.kohls.com:19017/auth/realms/Demo-Realm/protocol/saml"
>                            redirectBindingUrl="http://nl005164.tst.kohls.com:19017/auth/realms/Demo-Realm/protocol/saml"/>
>     </IDP>
>   </SP>
> </keycloak-saml-adapter>
>
> On Mon, Jul 23, 2018 at 8:08 AM Dmitry Telegin
wrote: > >> Vandana, >> >> Could you please check your WEB-INF/keycloak.json and add the following >> key: >> >> "use-resource-role-mappings": true >> >> Then redeploy your application. Does it help? >> >> Dmitry >> >> > yes we have those in web.xml . >> > >> > What exactly needs to be taken from web.xml and put in Keycloak for >> > single sign-on configuration? We tried to have the roles and username >> > the same as in web.xml in Keycloak also, but it did not work. Can you >> > give us a scenario in detail? >> > >> > >> > >> > >> > Thanks, >> > >> > >> > On Sun, Jul 22, 2018 at 9:21 PM Dmitry Telegin
wrote: >> > > Hi Vandana, >> > > >> > > The process of configuring Keycloak Wildfly adapter is described in >> > > detail here, including the example of web.xml: https://www.keycloak >> > > .org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter >> > > >> > > Cheers, >> > > Dmitry Telegin >> > > CTO, Acutus s.r.o. >> > > Keycloak Consulting and Training >> > > >> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic >> > > +42 (022) 888-30-71 >> > > E-mail: info at acutus.pro >> > > >> > > On Thu, 2018-07-19 at 16:24 -0500, vandana thota wrote: >> > > > Hello >> > > > >> > > > Trying to configure SSO for the application on wildfly with >> > > keycloak >> > > > What contents from web.xml of .war file needs to be >> > > configure in >> > > > keycloak >> > > > console ? >> > > > >> > > > why we need to take from web.xml file >> > > > >> > > > What exactly are they roles etc . ? >> > > > >> > > > >> > > > >> > > > Thanks, >> > > > Vandana >> > > > _______________________________________________ >> > > > keycloak-user mailing list >> > > > keycloak-user at lists.jboss.org >> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > >> > From byron.chris at gmail.com Mon Jul 23 11:37:33 2018 From: byron.chris at gmail.com (Chris Byron) Date: Mon, 23 Jul 2018 08:37:33 -0700 Subject: [keycloak-user] SAMLResponse missing InResponseTo Message-ID: Good morning. I'm trying to debug an issue where my Keycloak IdP does not include an InResponseTo attribute in the SAMLResponse after an SP-initiated login. Are there certain conditions in the Request that need to be satisfied before it will be included? Or certain client configurations in Keycloak? 
The SAMLRequest from the SP: ``` https://checkmarx.corp.net ``` Keycloak client configuration: ``` { "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25", "clientId": "https://checkmarx.corp.net", "rootUrl": "", "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs", "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx", "surrogateAuthRequired": false, "enabled": true, "clientAuthenticatorType": "client-secret", "redirectUris": [], "webOrigins": [], "notBefore": 0, "bearerOnly": false, "consentRequired": false, "standardFlowEnabled": true, "implicitFlowEnabled": false, "directAccessGrantsEnabled": false, "serviceAccountsEnabled": false, "authorizationServicesEnabled": false, "publicClient": false, "frontchannelLogout": true, "protocol": "saml", "attributes": { "saml.assertion.signature": "false", "saml.force.post.binding": "true", "saml.multivalued.roles": "false", "saml.encrypt": "false", "saml.server.signature": "true", "saml_idp_initiated_sso_url_name": "checkmarx", "saml.server.signature.keyinfo.ext": "false", "saml.signature.algorithm": "RSA_SHA256", "saml_force_name_id_format": "false", "saml.client.signature": "false", "saml.authnstatement": "true", "saml_name_id_format": "email", "saml.onetimeuse.condition": "false", "saml_signature_canonicalization_method": " http://www.w3.org/2001/10/xml-exc-c14n#", "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID" }, "fullScopeAllowed": false, "nodeReRegistrationTimeout": -1, "useTemplateConfig": false, "useTemplateScope": false, "useTemplateMappers": false, "access": { "view": true, "configure": true, "manage": true } ``` Thank you for any help or advice on this! 
Cheers, Chris Byron From dt at acutus.pro Mon Jul 23 12:11:15 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 19:11:15 +0300 Subject: [keycloak-user] SAMLResponse missing InResponseTo In-Reply-To: References: Message-ID: <1532362275.12643.2.camel@acutus.pro> Hi Chris, According to the code, an InResponseTo attribute should be added to the response unconditionally: https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168 If you're familiar with debugging, could you please check if this code point is reached? If yes, is the InResponseTo value not null? Also, which version of Keycloak are you using? Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote: > Good morning. I'm trying to debug an issue where my Keycloak IdP does not > include an InResponseTo attribute in the SAMLResponse after an SP-initiated > login. Are there certain conditions in the Request that need to be > satisfied before it will be included? Or certain client configurations in > Keycloak? > > The SAMLRequest from the SP: > ``` > ? AssertionConsumerServiceURL=" > https://checkmarx.corp.net/cxrestapi/auth/samlAcs" > ? AttributeConsumingServiceIndex="0" > ? Destination=" > https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx" > ? ID="idda5349fbbbf9483a91ec1531e52933a6" > IssueInstant="2018-07-20T23:39:36Z" Version="2.0" > ? xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > ? xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> > > https://checkmarx.corp.net; > > ``` > > Keycloak client configuration: > ``` > { > ? "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25", > > ? "clientId": "https://checkmarx.corp.net", > ? "rootUrl": "", > > ? 
"adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs", > ? "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx", > ? "surrogateAuthRequired": false, > ? "enabled": true, > ? "clientAuthenticatorType": "client-secret", > ? "redirectUris": [], > ? "webOrigins": [], > ? "notBefore": 0, > ? "bearerOnly": false, > ? "consentRequired": false, > ? "standardFlowEnabled": true, > ? "implicitFlowEnabled": false, > ? "directAccessGrantsEnabled": false, > ? "serviceAccountsEnabled": false, > ? "authorizationServicesEnabled": false, > ? "publicClient": false, > ? "frontchannelLogout": true, > ? "protocol": "saml", > ? "attributes": { > ????"saml.assertion.signature": "false", > ????"saml.force.post.binding": "true", > ????"saml.multivalued.roles": "false", > ????"saml.encrypt": "false", > ????"saml.server.signature": "true", > ????"saml_idp_initiated_sso_url_name": "checkmarx", > ????"saml.server.signature.keyinfo.ext": "false", > ????"saml.signature.algorithm": "RSA_SHA256", > ????"saml_force_name_id_format": "false", > ????"saml.client.signature": "false", > ????"saml.authnstatement": "true", > ????"saml_name_id_format": "email", > ????"saml.onetimeuse.condition": "false", > ????"saml_signature_canonicalization_method": " > http://www.w3.org/2001/10/xml-exc-c14n#", > ????"saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": > "KEY_ID" > ? }, > ? "fullScopeAllowed": false, > ? "nodeReRegistrationTimeout": -1, > ? "useTemplateConfig": false, > ? "useTemplateScope": false, > ? "useTemplateMappers": false, > ? "access": { > ????"view": true, > ????"configure": true, > ????"manage": true > ? } > ``` > > Thank you for any help or advice on this! 
Cheers, > Chris Byron > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Mon Jul 23 12:13:44 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 19:13:44 +0300 Subject: [keycloak-user] SAML2.0: support for SessionNotOnOrAfter In-Reply-To: References: <1532310481.2248.12.camel@acutus.pro> Message-ID: <1532362424.12643.4.camel@acutus.pro> Wow, I should have grepped the ML archives first, not the code :-D Basically, that's it: as a quick fix, try custom protocol mapper; as a long-term solution, you could revive that abandoned PR (rebase to master, add tests, check everything and resubmit). Good luck! :) Dmitry On Mon, 2018-07-23 at 10:30 +0300, Leonid Rozenblyum wrote: > Thanks for the great explanation!? > Actually I've found 1 more thread related to this question:?http://li > sts.jboss.org/pipermail/keycloak-user/2018-May/thread.html#14023 > > > On Mon, Jul 23, 2018 at 4:48 AM Dmitry Telegin
wrote: > > Hi Leonid, > > > > Grepping the Keycloak code shows that it does "know" about > > SessionNotOnOrAfter, that means is able to parse it from XML and > > get/set the value in the model. But that's all, Keycloak doesn't > > actually manipulate this attribute in any way. Seems like bug / > > missing > > feature to me, but let's see what the Keycloak devs say. > > > > Meanwhile, you could implement a custom ProtocolMapper to populate > > the > > SessionNotOnOrAfter attribute. (This could have been even easier > > had > > the script mapper existed for SAML, see KEYCLOAK-5520) > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > On Fri, 2018-07-20 at 11:16 +0300, Leonid Rozenblyum wrote: > > > Hello. > > > Does Keycloak support the attribute SessionNotOnOrAfter based on > > > realm > > > settings of session timeout? Maybe some another way to inform > > Service > > > Provider about the desired session end time? > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From byron.chris at gmail.com Mon Jul 23 12:21:24 2018 From: byron.chris at gmail.com (Chris Byron) Date: Mon, 23 Jul 2018 09:21:24 -0700 Subject: [keycloak-user] SAMLResponse missing InResponseTo In-Reply-To: <1532362275.12643.2.camel@acutus.pro> References: <1532362275.12643.2.camel@acutus.pro> Message-ID: Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have said up front!) I am familiar with changing logging levels of the running service using the jboss cli, but I don't have the ability to build and step through or set breakpoints. (If it is possible to attach a CLI debugger to a running instance, please let me know! I have root on the host.) 
I doubt this helps, but here is the SAMLResponse from the Request posted previously: ``` https://keycloak.corp.net/auth/realms/Corp G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y= VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A== 3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew== AQAB https://keycloak.corp.net/auth/realms/Corp chris.byron at corp.com https://checkmarx.corp.net urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified Byron Chris chris.byron at corp.com ``` On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin
wrote: > Hi Chris, > > According to the code, an InResponseTo attribute should be added to the > response unconditionally: > > https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168 > > If you're familiar with debugging, could you please check if this code > point is reached? If yes, is the InResponseTo value not null? > > Also, which version of Keycloak are you using? > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote: > > Good morning. I'm trying to debug an issue where my Keycloak IdP does not > > include an InResponseTo attribute in the SAMLResponse after an > SP-initiated > > login. Are there certain conditions in the Request that need to be > > satisfied before it will be included? Or certain client configurations in > > Keycloak? 
> > > > The SAMLRequest from the SP: > > ``` > > > AssertionConsumerServiceURL=" > > https://checkmarx.corp.net/cxrestapi/auth/samlAcs" > > AttributeConsumingServiceIndex="0" > > Destination=" > > > https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx" > > ID="idda5349fbbbf9483a91ec1531e52933a6" > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0" > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> > > > https://checkmarx.corp.net; > > > > ``` > > > > Keycloak client configuration: > > ``` > > { > > "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25", > > > "clientId": "https://checkmarx.corp.net", > > "rootUrl": "", > > > "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs", > > "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx", > > "surrogateAuthRequired": false, > > "enabled": true, > > "clientAuthenticatorType": "client-secret", > > "redirectUris": [], > > "webOrigins": [], > > "notBefore": 0, > > "bearerOnly": false, > > "consentRequired": false, > > "standardFlowEnabled": true, > > "implicitFlowEnabled": false, > > "directAccessGrantsEnabled": false, > > "serviceAccountsEnabled": false, > > "authorizationServicesEnabled": false, > > "publicClient": false, > > "frontchannelLogout": true, > > "protocol": "saml", > > "attributes": { > > "saml.assertion.signature": "false", > > "saml.force.post.binding": "true", > > "saml.multivalued.roles": "false", > > "saml.encrypt": "false", > > "saml.server.signature": "true", > > "saml_idp_initiated_sso_url_name": "checkmarx", > > "saml.server.signature.keyinfo.ext": "false", > > "saml.signature.algorithm": "RSA_SHA256", > > "saml_force_name_id_format": "false", > > "saml.client.signature": "false", > > "saml.authnstatement": "true", > > "saml_name_id_format": "email", > > "saml.onetimeuse.condition": "false", > > "saml_signature_canonicalization_method": " > > http://www.w3.org/2001/10/xml-exc-c14n#", > > 
"saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": > > "KEY_ID" > > }, > > "fullScopeAllowed": false, > > "nodeReRegistrationTimeout": -1, > > "useTemplateConfig": false, > > "useTemplateScope": false, > > "useTemplateMappers": false, > > "access": { > > "view": true, > > "configure": true, > > "manage": true > > } > > ``` > > > > Thank you for any help or advice on this! Cheers, > > Chris Byron > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From ddtxra at gmail.com Mon Jul 23 12:31:29 2018 From: ddtxra at gmail.com (Daniel Teixeira) Date: Mon, 23 Jul 2018 18:31:29 +0200 Subject: [keycloak-user] Groups as array of objects (Script Mapper ? ) In-Reply-To: <1532311486.2248.16.camel@acutus.pro> References: <1532311486.2248.16.camel@acutus.pro> Message-ID: Thank you Dmitry, I was trying to see if there was an option without writing a java module. What you are suggesting is to create a module, correct? I gave a try to my first "module" but couldn't find very much info or examples about how to write custom protocol mappers. Are they configured the same was as Authentication Providers? I tried to configure it, but I get a ModuleNotFoundException, here is what I did: https://github.com/ddtxra/sib-group-membership-mapper Can someone spot the problem? Thanks very much for your help! On Mon, Jul 23, 2018 at 4:04 AM, Dmitry Telegin
wrote: > Hi Daniel, > > Not sure if Script Mapper allows for that, but you could definitely > solve this with a custom ProtocolMapper. Use the "Group Membership" > mapper as a reference, but return an array of objects instead of an > array of strings. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Fri, 2018-07-20 at 14:26 +0200, Daniel Teixeira wrote: > > Hello, > > I am trying to configure my userinfo token to get the groups, as an > > array > > of objects. > > Currently if I add the "Group Membership" mapper in my client, an > > array of > > Strings with the groups is returns. > > > > { > > "name": "Dummy User", > > "groups": ["group1", "group2", "group3"] > > ... > > } > > > > But what I need for a SSO Confluence plugin to work is the following > > format: > > (The name of the attributes don't matter, but I need an array of > > objects > > for the groups) > > > > { > > "name": "Dummy User", > > "groups": [ {"group_name": "group1"}, > > {"group_name": "group2"}, > > {"group_name": "group3"} ] > > ... > > } > > > > So I have tried to created Script Mapper as follows: > > > > *var groups = [];* > > *user.getGroups().forEach(function(groupModel) {* > > * var groupName = groupModel.getName();* > > * groups.push({"group_name": groupName});* > > *})* > > > > *token.setOtherClaims("groups", groups);* > > > > > > But this script produces a token as following: > > > > { > > "name": "Dummy User", > > "groups": { > > "0": { > > "group_name": "group1" > > }, > > "1": { > > "group_name": "group2" > > }, > > "2": { > > "group_name": "group3" > > } > > }, > > .... > > } > > > > Which is not an array of object, but a map of objects. > > I have tried to toggle the option multivalued but it didn't change > > anything. > > > > Is there a way to have an array? > > Could someone help me with that? > > Thanks in advance! 
> > > > Cheers, > > Daniel Teixeira > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- Daniel Teixeira From cedric.vidaillac at gmail.com Mon Jul 23 12:36:52 2018 From: cedric.vidaillac at gmail.com (Cedric Vidaillac) Date: Mon, 23 Jul 2018 18:36:52 +0200 Subject: [keycloak-user] Problem while getting users Message-ID: Hi all, I'm trying things with the admin CLI. I want to get all users that have a specified role, so I'm using this: GET /{realm}/clients/{id}/roles/{role-name}/users Then, we decided it was really easier to manage users by assigning them to a default group, then assigning roles to my default group... than assigning roles for each user every time... So when I look up any user now, on the "role mapping" tab, I can see the desired role in the "*Effective Roles*" column, good. However, the API above only returns users which have the role in the "Assigned Roles", even though my user has the role through the group. So is this normal or is it a bug? As the goal of the API is to "Return List of Users that have the specified role name" I'd say it's a bug, but maybe I'm not seeing clearly. Thanks for reading. Cedric. From dt at acutus.pro Mon Jul 23 12:53:35 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 19:53:35 +0300 Subject: [keycloak-user] SAMLResponse missing InResponseTo In-Reply-To: References: <1532362275.12643.2.camel@acutus.pro> Message-ID: <1532364815.12643.8.camel@acutus.pro> On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote: > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have said up front!) First and foremost, could you please try the latest Keycloak (4.1.0)? Maybe not upgrading your main instance, but rather installing it in parallel. There have been some changes to the SAML subsystem since 3.4.X.
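Cedric's observation above is how GET /{realm}/clients/{id}/roles/{role-name}/users works: it reads direct user-to-role mappings and does not expand group membership, so a "who can act as this role" audit built on it alone undercounts. The block below is an added example, not Keycloak code and not anything posted in the thread: a client-side walk over the group tree that produces the effective holders and the reason each one holds the role. The input shapes mirror the admin REST representations named in the docstring; the client and role names, groups and users are constructed for the example.

```python
"""Who effectively holds a client role, including roles inherited through groups.

Added example for the "Problem while getting users" question; not Keycloak code.
GET /{realm}/clients/{id}/roles/{role-name}/users returns only users with a direct
mapping, so holders via a group (or a parent group, since subgroups inherit their
ancestors' role mappings) are missing. The inputs are constructed to mirror what a
script would fetch from the admin REST API first:
  direct_users     - GET /{realm}/clients/{id}/roles/{role-name}/users
  groups           - GET /{realm}/groups (tree), each group re-fetched with
                     GET /{realm}/groups/{gid} so that "clientRoles" is populated
  members_by_group - GET /{realm}/groups/{gid}/members (direct members only)
Composite roles are not expanded here; "clientRoles" is keyed by clientId, not UUID.
"""
from typing import Dict, Iterable, Iterator, List, Set, Tuple


def _walk(groups: Iterable[dict], client_id: str, inherited: Set[str]) -> Iterator[Tuple[dict, Set[str]]]:
    """Yields (group, effective client roles) for every group in the tree."""
    for group in groups:
        effective = inherited | set(group.get("clientRoles", {}).get(client_id, []))
        yield group, effective
        yield from _walk(group.get("subGroups", []), client_id, effective)


def users_with_client_role(client_id: str, role: str, direct_users: List[dict],
                           groups: List[dict], members_by_group: Dict[str, List[dict]]) -> Dict[str, List[str]]:
    """Maps each effective holder's username to why they hold the role:
    "direct" and/or the path of every group that grants it."""
    holders: Dict[str, List[str]] = {}
    for user in direct_users:
        holders.setdefault(user["username"], []).append("direct")
    for group, effective in _walk(groups, client_id, set()):
        if role in effective:
            for member in members_by_group.get(group["id"], []):
                holders.setdefault(member["username"], []).append(group["path"])
    return holders


# Constructed sample data, shaped like the admin REST representations named above.
CLIENT_ID, ROLE = "my-app", "app-admin"
DIRECT_USERS = [{"id": "u1", "username": "alice"}]
GROUPS = [
    {"id": "g1", "name": "staff", "path": "/staff", "clientRoles": {"my-app": ["app-admin"]},
     "subGroups": [{"id": "g2", "name": "devs", "path": "/staff/devs", "clientRoles": {}, "subGroups": []}]},
    {"id": "g3", "name": "guests", "path": "/guests", "clientRoles": {"my-app": ["app-user"]}, "subGroups": []},
]
MEMBERS_BY_GROUP = {
    "g1": [{"id": "u2", "username": "bob"}],
    "g2": [{"id": "u3", "username": "carol"}],   # inherits app-admin from the parent group /staff
    "g3": [{"id": "u4", "username": "dave"}],
}

if __name__ == "__main__":
    for name, why in sorted(users_with_client_role(CLIENT_ID, ROLE, DIRECT_USERS, GROUPS, MEMBERS_BY_GROUP).items()):
        print(f"{name}: {', '.join(why)}")
```

With the sample data, alice is reported as a direct holder, bob through /staff and carol through /staff/devs (nothing mapped on the subgroup itself), while dave, whose group only grants app-user, is absent. Keeping the granting path per user is what makes the output usable for an access review: a role reached through a default group is a different finding from one assigned by hand.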
> I am familiar with changing logging levels of the running service using the jboss?cli, but I don't have the ability to build and step through or set breakpoints. (If it is possible to attach a CLI debugger to a running instance, please let me know! I have root on the host.) Yes, this is possible - just rerun Keycloak with the "--debug" option, it will open a listener on port 8787 (use "--debug " to override). Then forward this port to your box via SSH and use your favorite IDE to?attach debugger to localhost:8787 using dt_socket transport (it could be also called "SocketAttach connector"). Also, obviously, you'll need to checkout the source tree. Basically, you'll need to determine which code path Keycloak takes to generate the response, and, after that, try to understand why the attribute is omitted. Good luck! Dmitry > > I doubt this helps, but here is the SAMLResponse from the Request?posted previously: > ``` > ? ? ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0" > ? ? xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" > ? ? xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> > ? ? https://keycloak.corp.net/auth/realms/Corp; > > ? ? ; > ? ? ? ? > ? ? ? ? ? ? > ? ? ? ? ? ? ? ? > ? ? ? ? ? ? ? ? G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y= > ? ? ? ? ? ? > ? ? ? ? > ? ? ? ? VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A== > ? ? ? ? > ? ? ? ? ? ? 3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc > ? ? ? ? ? ? > ? ? ? ? ? ? ? ? MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O > ? ? ? ? ? ? > ? ? ? ? ? ? > ? ? ? ? ? ? ? ? > ? ? ? ? ? ? ? ? ? ? qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew== > ? ? ? ? ? ? ? ? ? ? AQAB > ? ? ? ? ? ? ? ? > ? ? ? ? ? ? > ? ? ? ? > ? ? > ? ? > ? ? ? ? ? ? Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> > ? ? ? ? https://keycloak.corp.net/auth/realms/Corp; > ? ? ? ? > > ? ? ? ? ? ? 
chris.byron at corp.com > ? ? ? ? ? ? ? ? ? ? ? ? ? ? Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/>; > ? ? ? ? > ? ? ? ? > ? ? ? ? ? ? > ? ? ? ? ? ? ? ? https://checkmarx.corp.net; > ? ? ? ? ? ? > ? ? ? ? > ? ? ? ? ? ? ? ? ? ? SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25"> > ? ? ? ? ? ? > ? ? ? ? ? ? ? ? urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified > ? ? ? ? ? ? > ? ? ? ? > ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ? ? NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Byron > ? ? ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ? ? NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Chris > ? ? ? ? ? ? > ? ? ? ? ? ? ? ? ? ? ? ? ? ? NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">chris.byron at corp.com > ? ? ? ? ? ? > ? ? ? ? > ? ? > > ``` > > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin
wrote: > > Hi Chris, > > > > According to the code, an InResponseTo attribute should be added to the response unconditionally: > > https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168 > > > > If you're familiar with debugging, could you please check if this code point is reached? If yes, is the InResponseTo value not null? > > > > Also, which version of Keycloak are you using? > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote: > > > Good morning. I'm trying to debug an issue where my Keycloak IdP does not > > > include an InResponseTo attribute in the SAMLResponse after an SP-initiated > > > login. Are there certain conditions in the Request that need to be > > > satisfied before it will be included? Or certain client configurations in > > > Keycloak? > > >? > > > The SAMLRequest from the SP: > > > ``` > > > > > ? AssertionConsumerServiceURL=" > > > > > https://checkmarx.corp.net/cxrestapi/auth/samlAcs" > > > ? AttributeConsumingServiceIndex="0" > > > ? Destination=" > > > https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx" > > > ? ID="idda5349fbbbf9483a91ec1531e52933a6" > > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0" > > > ? xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > > > ? xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> > > > > > > https://checkmarx.corp.net;; > > > > > > ``` > > >? > > > Keycloak client configuration: > > > ``` > > > { > > > ? "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25", > > > > > > ? "clientId": "https://checkmarx.corp.net", > > > ? "rootUrl": "", > > > > ? "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs", > > > ? 
"baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx", > > > ? "surrogateAuthRequired": false, > > > ? "enabled": true, > > > ? "clientAuthenticatorType": "client-secret", > > > ? "redirectUris": [], > > > ? "webOrigins": [], > > > ? "notBefore": 0, > > > ? "bearerOnly": false, > > > ? "consentRequired": false, > > > ? "standardFlowEnabled": true, > > > ? "implicitFlowEnabled": false, > > > ? "directAccessGrantsEnabled": false, > > > ? "serviceAccountsEnabled": false, > > > ? "authorizationServicesEnabled": false, > > > ? "publicClient": false, > > > ? "frontchannelLogout": true, > > > ? "protocol": "saml", > > > ? "attributes": { > > > ????"saml.assertion.signature": "false", > > > ????"saml.force.post.binding": "true", > > > ????"saml.multivalued.roles": "false", > > > ????"saml.encrypt": "false", > > > ????"saml.server.signature": "true", > > > ????"saml_idp_initiated_sso_url_name": "checkmarx", > > > ????"saml.server.signature.keyinfo.ext": "false", > > > ????"saml.signature.algorithm": "RSA_SHA256", > > > ????"saml_force_name_id_format": "false", > > > ????"saml.client.signature": "false", > > > ????"saml.authnstatement": "true", > > > ????"saml_name_id_format": "email", > > > ????"saml.onetimeuse.condition": "false", > > > ????"saml_signature_canonicalization_method": " > > > > > http://www.w3.org/2001/10/xml-exc-c14n#", > > > ????"saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": > > > "KEY_ID" > > > ? }, > > > ? "fullScopeAllowed": false, > > > ? "nodeReRegistrationTimeout": -1, > > > ? "useTemplateConfig": false, > > > ? "useTemplateScope": false, > > > ? "useTemplateMappers": false, > > > ? "access": { > > > ????"view": true, > > > ????"configure": true, > > > ????"manage": true > > > ? } > > > ``` > > >? > > > Thank you for any help or advice on this! 
Cheers, > > > Chris Byron > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > From dt at acutus.pro Mon Jul 23 13:50:24 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Mon, 23 Jul 2018 20:50:24 +0300 Subject: [keycloak-user] Groups as array of objects (Script Mapper ? ) In-Reply-To: References: <1532311486.2248.16.camel@acutus.pro> Message-ID: <1532368224.12643.10.camel@acutus.pro> Hi Daniel, On Mon, 2018-07-23 at 18:31 +0200, Daniel Teixeira wrote: > Thank you Dmitry, > I was trying to see if there was an option without writing a Java module. What you are suggesting is to create a module, correct? Yep, you're right; from my experience it's easier to create a Java extension rather than dive deep into the guts of ScriptMapper trying to make it return what you want :) > I gave my first "module" a try but couldn't find very much info or examples about how to write custom protocol mappers. > Are they configured the same way as Authentication Providers? > > I tried to configure it, but I get a ModuleNotFoundException; here is what I did: > https://github.com/ddtxra/sib-group-membership-mapper You did everything right. The only missing piece is the deployment descriptor. If you're hot deploying (via the standalone/deployments directory), put this into your META-INF/jboss-deployment-structure.xml: ...then recompile and redeploy. Or, if you'd like to deploy it as a WildFly/JBoss module, do the following in jboss-cli: module add --name=sib-group-membership-mapper --resources=/path/to/sib-group-membership-mapper.jar --dependencies=org.keycloak.keycloak-services ...so that it creates the descriptor (yet a different one) for you. Good luck! Dmitry > > Can someone spot the problem? > Thanks very much for your help! > > > > On Mon, Jul 23, 2018 at 4:04 AM, Dmitry Telegin
wrote: > > Hi Daniel, > > > > Not sure if Script Mapper allows for that, but you could definitely > > solve this with a custom ProtocolMapper. Use the "Group Membership" > > mapper as a reference, but return an array of objects instead of an > > array of strings. > > > > Cheers, > > Dmitry Telegin > > CTO, Acutus s.r.o. > > Keycloak Consulting and Training > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > +42 (022) 888-30-71 > > E-mail: info at acutus.pro > > > > On Fri, 2018-07-20 at 14:26 +0200, Daniel Teixeira wrote: > > > Hello, > > > I am trying to configure my userinfo token to get the groups, as an > > > array > > > of objects. > > > Currently if I add the "Group Membership" mapper in my client, an > > > array of > > > Strings with the groups is returns. > > >? > > > { > > > ? "name": "Dummy User", > > > ? "groups": ["group1", "group2", "group3"] > > > ???... > > > } > > >? > > > But what I need for a SSO Confluence plugin to work is the following > > > format: > > > (The name of the attributes don't matter, but I need an array of > > > objects > > > for the groups) > > >? > > > { > > > ? "name": "Dummy User", > > > ? "groups": [ {"group_name": "group1"}, > > > ???????????????????{"group_name": "group2"}, > > > ???????????????????{"group_name": "group3"}??] > > > ?... > > > } > > >? > > > So I have tried to created Script Mapper as follows: > > >? > > > *var groups = [];* > > > *user.getGroups().forEach(function(groupModel) {* > > > *????var groupName = groupModel.getName();* > > > *????groups.push({"group_name": groupName});* > > > *})* > > >? > > > *token.setOtherClaims("groups", groups);* > > >? > > >? > > > But this script produces a token as following: > > >? > > > { > > > ? "name": "Dummy User", > > > ? "groups": { > > > ????"0": { > > > ??????"group_name": "group1" > > > ????}, > > > ????"1": { > > > ??????"group_name": "group2" > > > ????}, > > > ????"2": { > > > ??????"group_name": "group3" > > > ????} > > > ? }, > > > ? .... 
> > > }
> > >
> > > Which is not an array of objects, but a map of objects.
> > > I have tried to toggle the option multivalued but it didn't change
> > > anything.
> > >
> > > Is there a way to have an array?
> > > Could someone help me with that?
> > > Thanks in advance!
> > >
> > > Cheers,
> > > Daniel Teixeira
>
> --
> Daniel Teixeira

From hans.zandbelt at zmartzone.eu Mon Jul 23 14:34:27 2018
From: hans.zandbelt at zmartzone.eu (Hans Zandbelt)
Date: Mon, 23 Jul 2018 20:34:27 +0200
Subject: [keycloak-user] Keycloak - grant_type when getting a token and token introspection
Message-ID:

Check that you're calling the introspection endpoint using the same : combo as the one that was used when the token was obtained by the client in the call to the token endpoint, otherwise the introspection result will always be { "active": "false" }.

Hans.

--
hans.zandbelt at zmartzone.eu
ZmartZone IAM - www.zmartzone.eu

From zitrone at gmx-topmail.de Mon Jul 23 15:44:05 2018
From: zitrone at gmx-topmail.de (zitrone at gmx-topmail.de)
Date: Mon, 23 Jul 2018 21:44:05 +0200
Subject: [keycloak-user] Custom Email Validation
Message-ID:

Hi,

is there a way to do a custom email validation before changing/creating an email via the admin rest api?

I already tried to use an event listener to catch the admin events create and update on a user type, but I think they are fired after changing the account data. I also did not find a way to cancel the event from inside the listener.

Regards
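Returning to the "Groups as array of objects" thread above, where Dmitry advises writing a custom ProtocolMapper modelled on the built-in Group Membership mapper: the class below is an added example, not code from Daniel's sib-group-membership-mapper repository nor from Keycloak itself. It assumes the Keycloak 4.x OIDC mapper SPI (AbstractOIDCProtocolMapper, OIDCAttributeMapperHelper, the three-argument setClaim hook); the package name, class name and provider id are hypothetical.

```java
package example.mappers; // hypothetical package, not Daniel's repository

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.keycloak.models.GroupModel;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/**
 * Emits the user's groups as an array of objects, e.g.
 *   "groups": [{"group_name": "group1"}, {"group_name": "group2"}]
 * instead of the array of strings the built-in Group Membership mapper produces.
 *
 * Registration: a file META-INF/services/org.keycloak.protocol.ProtocolMapper
 * inside the jar, containing the line "example.mappers.GroupObjectMapper".
 */
public class GroupObjectMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    // Hypothetical provider id; this is what the admin console lists as the mapper type.
    public static final String PROVIDER_ID = "oidc-group-object-mapper";

    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = new ArrayList<>();

    static {
        // Standard "Token Claim Name" field plus the "Add to ID token / access
        // token / userinfo" switches that the abstract class already honours.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG_PROPERTIES);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG_PROPERTIES, GroupObjectMapper.class);
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "Group Membership (array of objects)";
    }

    @Override
    public String getDisplayCategory() {
        return TOKEN_MAPPER_CATEGORY;
    }

    @Override
    public String getHelpText() {
        return "Maps the user's groups to a claim holding [{\"group_name\": ...}, ...]";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return CONFIG_PROPERTIES;
    }

    // Invoked by transformAccessToken / transformIDToken / transformUserInfoToken
    // only when the matching "Add to ..." switch is enabled for this mapper.
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
        List<Map<String, String>> groups = new ArrayList<>();
        for (GroupModel group : userSession.getUser().getGroups()) {
            Map<String, String> entry = new HashMap<>();
            entry.put("group_name", group.getName());
            groups.add(entry);
        }

        String claimName = mappingModel.getConfig().get(OIDCAttributeMapperHelper.TOKEN_CLAIM_NAME);
        if (claimName == null || claimName.isEmpty()) {
            claimName = "groups";
        }
        // A java.util.List is serialised by Jackson as a JSON array. The claim is set
        // directly rather than via OIDCAttributeMapperHelper.mapClaim(), which keeps
        // only the first element of a List unless the "Multivalued" option is enabled.
        token.getOtherClaims().put(claimName, groups);
    }
}
```

Package it with the META-INF/jboss-deployment-structure.xml (hot deployment) or the jboss-cli module with a dependency on org.keycloak.keycloak-services, as Dmitry describes. A plausible reason for the map-shaped output Daniel saw from the Script Mapper, not stated in the thread: under Nashorn a JavaScript array handed to Java as an Object arrives as a ScriptObjectMirror, which implements java.util.Map, so Jackson writes it as an object keyed "0", "1", "2" rather than as an array; building a java.util.List on the Java side avoids that entirely.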
From byron.chris at gmail.com Mon Jul 23 18:22:10 2018
From: byron.chris at gmail.com (Chris Byron)
Date: Mon, 23 Jul 2018 15:22:10 -0700
Subject: [keycloak-user] SAMLResponse missing InResponseTo
In-Reply-To: <1532364815.12643.8.camel@acutus.pro>
References: <1532362275.12643.2.camel@acutus.pro> <1532364815.12643.8.camel@acutus.pro>
Message-ID:

That's a bit too advanced for me. After a few hours spent trying to learn how to do remote debugging, I returned to code examination, and found the problem!

I was sending the SAMLRequest to the IdP initiated URL. So Keycloak ignored the SAMLRequest in the URL and treated it like an IdP initiated login. I should have been sending to /{realm}/protocol/saml, not /{realm}/protocol/saml/clients/checkmarx.

On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin
wrote: > On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote: > > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have > said up front!) > > First and foremost, could you please try latest Keycloak (4.1.0)? Maybe > not upgrading your main instance, but rather installing in parallel. There > have been some changes to the SAML subsystem since 3.4.X. > > > I am familiar with changing logging levels of the running service using > the jboss cli, but I don't have the ability to build and step through or > set breakpoints. (If it is possible to attach a CLI debugger to a running > instance, please let me know! I have root on the host.) > > Yes, this is possible - just rerun Keycloak with the "--debug" option, it > will open a listener on port 8787 (use "--debug " to override). > > Then forward this port to your box via SSH and use your favorite IDE > to attach debugger to localhost:8787 using dt_socket transport (it could be > also called "SocketAttach connector"). Also, obviously, you'll need to > checkout the source tree. > > Basically, you'll need to determine which code path Keycloak takes to > generate the response, and, after that, try to understand why the attribute > is omitted. > > Good luck! 
> Dmitry > > > > > I doubt this helps, but here is the SAMLResponse from the Request posted > previously: > > ``` > > > ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" > IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0" > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> > > https://keycloak.corp.net/auth/realms/Corp > ; > > > ; > > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> > > URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd"> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> > > > G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y= > > > > > > > VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A== > > > > > 3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc > > > > > MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O > > > > > > > > > qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew== > > AQAB > > > > > > > > > > Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> > > IssueInstant="2018-07-20T23:39:37.055Z" > > Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> > > https://keycloak.corp.net/auth/realms/Corp > ; > > > > > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> > chris.byron at corp.com > > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> NotOnOrAfter="2018-07-20T23:44:35.055Z" > > Recipient=" > https://checkmarx.corp.net/cxrestapi/auth/samlAcs > "/>; > > > > NotOnOrAfter="2018-07-20T23:40:35.055Z"> > > > > https://checkmarx.corp.net > ; > > > > > > > > SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25"> > > > > > urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified > > > > > > > > > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="xs:string">Byron > > > > > > 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="xs:string">Chris > > > > > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="xs:string">chris.byron at corp.com > > > > > > > > > > ``` > > > > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin
wrote: > > > Hi Chris, > > > > > > According to the code, an InResponseTo attribute should be added to > the response unconditionally: > > > > https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168 > > > > > > If you're familiar with debugging, could you please check if this code > point is reached? If yes, is the InResponseTo value not null? > > > > > > Also, which version of Keycloak are you using? > > > > > > Cheers, > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote: > > > > Good morning. I'm trying to debug an issue where my Keycloak IdP > does not > > > > include an InResponseTo attribute in the SAMLResponse after an > SP-initiated > > > > login. Are there certain conditions in the Request that need to be > > > > satisfied before it will be included? Or certain client > configurations in > > > > Keycloak? 
> > > > The SAMLRequest from the SP:
> > > > ```
> > > > AssertionConsumerServiceURL="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"
> > > > AttributeConsumingServiceIndex="0"
> > > > Destination="https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx"
> > > > ID="idda5349fbbbf9483a91ec1531e52933a6"
> > > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0"
> > > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
> > > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
> > > > https://checkmarx.corp.net
> > > > ```
> > > >
> > > > Keycloak client configuration:
> > > > ```
> > > > {
> > > >   "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25",
> > > >   "clientId": "https://checkmarx.corp.net",
> > > >   "rootUrl": "",
> > > >   "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs",
> > > >   "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx",
> > > >   "surrogateAuthRequired": false,
> > > >   "enabled": true,
> > > >   "clientAuthenticatorType": "client-secret",
> > > >   "redirectUris": [],
> > > >   "webOrigins": [],
> > > >   "notBefore": 0,
> > > >   "bearerOnly": false,
> > > >   "consentRequired": false,
> > > >   "standardFlowEnabled": true,
> > > >   "implicitFlowEnabled": false,
> > > >   "directAccessGrantsEnabled": false,
> > > >   "serviceAccountsEnabled": false,
> > > >   "authorizationServicesEnabled": false,
> > > >   "publicClient": false,
> > > >   "frontchannelLogout": true,
> > > >   "protocol": "saml",
> > > >   "attributes": {
> > > >     "saml.assertion.signature": "false",
> > > >     "saml.force.post.binding": "true",
> > > >     "saml.multivalued.roles": "false",
> > > >     "saml.encrypt": "false",
> > > >     "saml.server.signature": "true",
> > > >     "saml_idp_initiated_sso_url_name": "checkmarx",
> > > >     "saml.server.signature.keyinfo.ext": "false",
> > > >     "saml.signature.algorithm": "RSA_SHA256",
> > > >     "saml_force_name_id_format": "false",
> > > >     "saml.client.signature": "false",
> > > >     "saml.authnstatement": "true",
> > > >     "saml_name_id_format": "email",
> > > >     "saml.onetimeuse.condition": "false",
> > > >     "saml_signature_canonicalization_method": "http://www.w3.org/2001/10/xml-exc-c14n#",
> > > >     "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": "KEY_ID"
> > > >   },
> > > >   "fullScopeAllowed": false,
> > > >   "nodeReRegistrationTimeout": -1,
> > > >   "useTemplateConfig": false,
> > > >   "useTemplateScope": false,
> > > >   "useTemplateMappers": false,
> > > >   "access": {
> > > >     "view": true,
> > > >     "configure": true,
> > > >     "manage": true
> > > >   }
> > > > ```
> > > >
> > > > Thank you for any help or advice on this! Cheers,
> > > > Chris Byron

From dt at acutus.pro Mon Jul 23 18:52:32 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 24 Jul 2018 01:52:32 +0300
Subject: [keycloak-user] SAMLResponse missing InResponseTo
In-Reply-To:
References: <1532362275.12643.2.camel@acutus.pro> <1532364815.12643.8.camel@acutus.pro>
Message-ID: <1532386352.2635.1.camel@acutus.pro>

On Mon, 2018-07-23 at 15:22 -0700, Chris Byron wrote:
> That's a bit too advanced for me. After a few hours spent trying to
> learn how to do remote debugging, I returned to code examination, and
> found the problem!

Glad you've found the answer, and sorry for having misled you. Nevertheless, remote debugging is a must-have skill, I hope one day you'll make use of it and remember this day :)

> I was sending the SAMLRequest to the IdP initiated URL. So
> Keycloak ignored the SAMLRequest in the URL and treated it like an
> IdP initiated login. I should have been sending to
> /{realm}/protocol/saml, not
> /{realm}/protocol/saml/clients/checkmarx.

My bad, it was easy to overlook the suspicious Destination="..." in all that XML. As the doc says, "SAML tends to be a bit more verbose than OIDC." (is that "a bit" an irony?) :-D

Cheers and good luck with Keycloak,
Dmitry

> On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin
wrote: > > On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote: > > > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should > > have said up front!) > > > > First and foremost, could you please try latest Keycloak (4.1.0)? > > Maybe not upgrading your main instance, but rather installing in > > parallel. There have been some changes to the SAML subsystem since > > 3.4.X. > > > > > I am familiar with changing logging levels of the running service > > using the jboss?cli, but I don't have the ability to build and step > > through or set breakpoints. (If it is possible to attach a CLI > > debugger to a running instance, please let me know! I have root on > > the host.) > > > > Yes, this is possible - just rerun Keycloak with the "--debug" > > option, it will open a listener on port 8787 (use "--debug " > > to override). > > > > Then forward this port to your box via SSH and use your favorite > > IDE to?attach debugger to localhost:8787 using dt_socket transport > > (it could be also called "SocketAttach connector"). Also, > > obviously, you'll need to checkout the source tree. > > > > Basically, you'll need to determine which code path Keycloak takes > > to generate the response, and, after that, try to understand why > > the attribute is omitted. > > > > Good luck! > > Dmitry > > > > >? > > > I doubt this helps, but here is the SAMLResponse from the > > Request?posted previously: > > > ``` > > > > > ? ? ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" > > IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0" > > > ? ? xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" > > > ? ? xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> > > > ? ? https://keycloak.corp.net/auth/realms/Corp > :Issuer>;;; > > > > ? ? ;;; > > > ? ? ? ? > Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> > > > ? ? ? ? ? ? > > > ? ? ? ? ? ? ? ? > Algorithm="http://www.w3.org/2001/10/xml-exc- > > c14n#"/> > Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> > > > ? ? ? ? ? 
? ? ? > > G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y= > g:DigestValue> > > > ? ? ? ? ? ? > > > ? ? ? ? > > > ? ? ? ? > > VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A > > == > > > ? ? ? ? > > > ? ? ? ? ? ? > > 3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc > Name> > > > ? ? ? ? ? ? > > > ? ? ? ? ? ? ? ? > > MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATM > > REwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX > > XXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O > > > ? ? ? ? ? ? > > > ? ? ? ? ? ? > > > ? ? ? ? ? ? ? ? > > > ? ? ? ? ? ? ? ? ? ? > > qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew== > odulus> > > > ? ? ? ? ? ? ? ? ? ? AQAB > > > ? ? ? ? ? ? ? ? > > > ? ? ? ? ? ? > > > ? ? ? ? > > > ? ? > > > ? ? > Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> > > > ? ? > IssueInstant="2018-07-20T23:39:37.055Z" > > > ? ? ? ? Version="2.0" > > xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> > > > ? ? ? ? https://keycloak.corp.net/auth/realms/Corp > saml:Issuer>;;; > > > ? ? ? ? > > > > ? ? ? ? ? ? > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">chr > > is.byron at corp.com > > > ? ? ? ? ? ? > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> > ationData NotOnOrAfter="2018-07-20T23:44:35.055Z" > > > ? ? ? ? ? ? ? ? Recipient="https://checkmarx.corp.net/cxrestapi/a > > uth/samlAcs"/>;;; > > > ? ? ? ? > > > ? ? ? ? > NotOnOrAfter="2018-07-20T23:40:35.055Z"> > > > ? ? ? ? ? ? > > > ? ? ? ? ? ? ? ? https://checkmarx.corp.net > udience>;;; > > > ? ? ? ? ? ? > > > ? ? ? ? > > > ? ? ? ? > > ? ? ? ? ? ? SessionIndex="3de9fb38-c443-4d9a-a8c2- > > 26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25"> > > > ? ? ? ? ? ? > > > ? ? ? ? ? ? ? ? > > urn:oasis:names:tc:SAML:2.0:ac:classes:u > > nspecified > > > ? ? ? ? ? ? > > > ? ? ? ? > > > ? ? ? ? > > > ? ? ? ? ? ? > Name="Last_Name" > > > ? ? ? ? ? ? ? ? NameFormat="urn:oasis:names:tc:SAML:2.0:attrname- > > format:basic"> > > > ? ? ? ? ? ? ? ? > > ? ? ? ? ? ? ? ? ? ? 
xmlns:xsi="http://www.w3.org/2001/XMLSchema-i > > nstance" xsi:type="xs:string">Byron > > > ? ? ? ? ? ? > > > ? ? ? ? ? ? > Name="First_Name" > > > ? ? ? ? ? ? ? ? NameFormat="urn:oasis:names:tc:SAML:2.0:attrname- > > format:basic"> > > > ? ? ? ? ? ? ? ? > > ? ? ? ? ? ? ? ? ? ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-i > > nstance" xsi:type="xs:string">Chris > > > ? ? ? ? ? ? > > > ? ? ? ? ? ? > > ? ? ? ? ? ? ? ? NameFormat="urn:oasis:names:tc:SAML:2.0:attrname- > > format:basic"> > > > ? ? ? ? ? ? ? ? > > ? ? ? ? ? ? ? ? ? ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-i > > nstance" > > xsi:type="xs:string">chris.byron at corp.com > > > ? ? ? ? ? ? > > > ? ? ? ? > > > ? ? > > > > > > ``` > > >? > > > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin
> > wrote: > > > > Hi Chris, > > > >? > > > > According to the code, an InResponseTo attribute should be > > added to the response unconditionally: > > > > https://github.com/keycloak/keycloak/blob/master/saml-core/src/ > > main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Re > > sponse.java#L168 > > > >? > > > > If you're familiar with debugging, could you please check if > > this code point is reached? If yes, is the InResponseTo value not > > null? > > > >? > > > > Also, which version of Keycloak are you using? > > > >? > > > > Cheers, > > > > Dmitry Telegin > > > > CTO, Acutus s.r.o. > > > > Keycloak Consulting and Training > > > >? > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > > +42 (022) 888-30-71 > > > > E-mail: info at acutus.pro > > > >? > > > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote: > > > > > Good morning. I'm trying to debug an issue where my Keycloak > > IdP does not > > > > > include an InResponseTo attribute in the SAMLResponse after > > an SP-initiated > > > > > login. Are there certain conditions in the Request that need > > to be > > > > > satisfied before it will be included? Or certain client > > configurations in > > > > > Keycloak? > > > > >? > > > > > The SAMLRequest from the SP: > > > > > ``` > > > > > > > > > ? AssertionConsumerServiceURL=" > > > > > > > https://checkmarx.corp.net/cxrestapi/auth/samlAcs" > > > > > ? AttributeConsumingServiceIndex="0" > > > > > ? Destination=" > > > > > https://keycloak.corp.netauth/realms/Corp/protocol/saml/clien > > ts/checkmarx" > > > > > ? ID="idda5349fbbbf9483a91ec1531e52933a6" > > > > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0" > > > > > ? xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > > > > > ? xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> > > > > > > > > https://checkmarx.corp.net > > ;;;; > > > > > > > > > > ``` > > > > >? > > > > > Keycloak client configuration: > > > > > ``` > > > > > { > > > > > ? 
"id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25", > > > > > > > > ? "clientId": "https://checkmarx.corp.net", > > > > > ? "rootUrl": "", > > > > > > ? "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/sa > > mlAcs", > > > > > ? "baseUrl": > > "/auth/realms/Corp/protocol/saml/clients/checkmarx", > > > > > ? "surrogateAuthRequired": false, > > > > > ? "enabled": true, > > > > > ? "clientAuthenticatorType": "client-secret", > > > > > ? "redirectUris": [], > > > > > ? "webOrigins": [], > > > > > ? "notBefore": 0, > > > > > ? "bearerOnly": false, > > > > > ? "consentRequired": false, > > > > > ? "standardFlowEnabled": true, > > > > > ? "implicitFlowEnabled": false, > > > > > ? "directAccessGrantsEnabled": false, > > > > > ? "serviceAccountsEnabled": false, > > > > > ? "authorizationServicesEnabled": false, > > > > > ? "publicClient": false, > > > > > ? "frontchannelLogout": true, > > > > > ? "protocol": "saml", > > > > > ? "attributes": { > > > > > ????"saml.assertion.signature": "false", > > > > > ????"saml.force.post.binding": "true", > > > > > ????"saml.multivalued.roles": "false", > > > > > ????"saml.encrypt": "false", > > > > > ????"saml.server.signature": "true", > > > > > ????"saml_idp_initiated_sso_url_name": "checkmarx", > > > > > ????"saml.server.signature.keyinfo.ext": "false", > > > > > ????"saml.signature.algorithm": "RSA_SHA256", > > > > > ????"saml_force_name_id_format": "false", > > > > > ????"saml.client.signature": "false", > > > > > ????"saml.authnstatement": "true", > > > > > ????"saml_name_id_format": "email", > > > > > ????"saml.onetimeuse.condition": "false", > > > > > ????"saml_signature_canonicalization_method": " > > > > > > > http://www.w3.org/2001/10/xml-exc-c14n#", > > > > > > > ????"saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer" > > : > > > > > "KEY_ID" > > > > > ? }, > > > > > ? "fullScopeAllowed": false, > > > > > ? "nodeReRegistrationTimeout": -1, > > > > > ? "useTemplateConfig": false, > > > > > ? 
"useTemplateScope": false, > > > > > ? "useTemplateMappers": false, > > > > > ? "access": { > > > > > ????"view": true, > > > > > ????"configure": true, > > > > > ????"manage": true > > > > > ? } > > > > > ``` > > > > >? > > > > > Thank you for any help or advice on this! Cheers, > > > > > Chris Byron > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > >? > > From byron.chris at gmail.com Mon Jul 23 19:25:03 2018 From: byron.chris at gmail.com (Chris Byron) Date: Mon, 23 Jul 2018 16:25:03 -0700 Subject: [keycloak-user] SAMLResponse missing InResponseTo In-Reply-To: <1532386352.2635.1.camel@acutus.pro> References: <1532362275.12643.2.camel@acutus.pro> <1532364815.12643.8.camel@acutus.pro> <1532386352.2635.1.camel@acutus.pro> Message-ID: Thanks, Dmitry. That said, as soon as I verified that SP-initiated was working, the opposite failure started! After doing an SP-init login, I can no longer perform IdP-init login because it sends the InResponseTo attribute when it should not! When I first log in to Keycloak I can do IdP-initiated login. If I log out of the service I can also do SP-initiated. But after doing a successful SP-initiated login, the Keycloak server seems to remember the SAMLRequest ID and sends it for each subsequent IdP initiated login, that is, when I use ` /{realm}/protocol/saml/clients/checkmarx`. This persists until I log out of Keycloak. I assume it's something obvious, but any help would be appreciated. Cheers, Chris On Mon, Jul 23, 2018 at 4:00 PM Dmitry Telegin
wrote: > On Mon, 2018-07-23 at 15:22 -0700, Chris Byron wrote: > > That's a bit too advanced for me. After a few hours spent trying to learn > how to do remote debugging, I returned to code examination, and found the > problem! > > > Glad you've found the answer, and sorry for having mislead you. > Nevertheless, remote debugging is a must-have skill, I hope one day you'll > make use of it and remember this day :) > > I was sending the SAMLRequest to the IdP initiated URL. So > Keycloak ignored the SAMLRequest in the URL and treated it like an IdP > initiated login. I should have been sending to /{realm}/protocol/saml, not > /{realm}/protocol/saml/clients/checkmarx . > > > My bad, it was easy to overlook the suspicious Destination="..." in all > that XML. As the doc says, "SAML tends to be *a bit* more verbose than > OIDC." (is that "a bit" an irony?) :-D > > Cheers and good luck with Keycloak, > Dmitry > > > On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin
wrote: > > On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote: > > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have > said up front!) > > First and foremost, could you please try latest Keycloak (4.1.0)? Maybe > not upgrading your main instance, but rather installing in parallel. There > have been some changes to the SAML subsystem since 3.4.X. > > > I am familiar with changing logging levels of the running service using > the jboss cli, but I don't have the ability to build and step through or > set breakpoints. (If it is possible to attach a CLI debugger to a running > instance, please let me know! I have root on the host.) > > Yes, this is possible - just rerun Keycloak with the "--debug" option, it > will open a listener on port 8787 (use "--debug " to override). > > Then forward this port to your box via SSH and use your favorite IDE > to attach debugger to localhost:8787 using dt_socket transport (it could be > also called "SocketAttach connector"). Also, obviously, you'll need to > checkout the source tree. > > Basically, you'll need to determine which code path Keycloak takes to > generate the response, and, after that, try to understand why the attribute > is omitted. > > Good luck! 
> Dmitry > > > > > I doubt this helps, but here is the SAMLResponse from the Request posted > previously: > > ``` > > > ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" > IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0" > > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" > > xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> > > https://keycloak.corp.net/auth/realms/Corp > ;; > > > ;; > > Algorithm=" > http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/> > > URI="#ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd"> > > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> > > > G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y= > > > > > > > VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A== > > > > > 3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc > > > > > MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O > > > > > > > > > qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew== > > AQAB > > > > > > > > > > Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> > > IssueInstant="2018-07-20T23:39:37.055Z" > > Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> > > https://keycloak.corp.net/auth/realms/Corp > ;; > > > > > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> > chris.byron at corp.com > > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> NotOnOrAfter="2018-07-20T23:44:35.055Z" > > Recipient=" > https://checkmarx.corp.net/cxrestapi/auth/samlAcs > "/>;; > > > > NotOnOrAfter="2018-07-20T23:40:35.055Z"> > > > > https://checkmarx.corp.net > ;; > > > > > > > > SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25"> > > > > > urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified > > > > > > > > > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="xs:string">Byron > > > > > > 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="xs:string">Chris > > > > > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > > > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="xs:string">chris.byron at corp.com > > > > > > > > > > ``` > > > > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin
wrote: > > > Hi Chris, > > > > > > According to the code, an InResponseTo attribute should be added to > the response unconditionally: > > > > https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168 > > > > > > If you're familiar with debugging, could you please check if this code > point is reached? If yes, is the InResponseTo value not null? > > > > > > Also, which version of Keycloak are you using? > > > > > > Cheers, > > > Dmitry Telegin > > > CTO, Acutus s.r.o. > > > Keycloak Consulting and Training > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > > +42 (022) 888-30-71 > > > E-mail: info at acutus.pro > > > > > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote: > > > > Good morning. I'm trying to debug an issue where my Keycloak IdP > does not > > > > include an InResponseTo attribute in the SAMLResponse after an > SP-initiated > > > > login. Are there certain conditions in the Request that need to be > > > > satisfied before it will be included? Or certain client > configurations in > > > > Keycloak? 
> > > > > > > > The SAMLRequest from the SP: > > > > ``` > > > > > > > AssertionConsumerServiceURL=" > > > > > > https://checkmarx.corp.net/cxrestapi/auth/samlAcs" > > > > AttributeConsumingServiceIndex="0" > > > > Destination=" > > > > > https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx" > > > > ID="idda5349fbbbf9483a91ec1531e52933a6" > > > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0" > > > > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > > > > xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> > > > > > > > https://checkmarx.corp.net;;; > > > > > > > > ``` > > > > > > > > Keycloak client configuration: > > > > ``` > > > > { > > > > "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25", > > > > > > > "clientId": "https://checkmarx.corp.net", > > > > "rootUrl": "", > > > > > "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs", > > > > "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx", > > > > "surrogateAuthRequired": false, > > > > "enabled": true, > > > > "clientAuthenticatorType": "client-secret", > > > > "redirectUris": [], > > > > "webOrigins": [], > > > > "notBefore": 0, > > > > "bearerOnly": false, > > > > "consentRequired": false, > > > > "standardFlowEnabled": true, > > > > "implicitFlowEnabled": false, > > > > "directAccessGrantsEnabled": false, > > > > "serviceAccountsEnabled": false, > > > > "authorizationServicesEnabled": false, > > > > "publicClient": false, > > > > "frontchannelLogout": true, > > > > "protocol": "saml", > > > > "attributes": { > > > > "saml.assertion.signature": "false", > > > > "saml.force.post.binding": "true", > > > > "saml.multivalued.roles": "false", > > > > "saml.encrypt": "false", > > > > "saml.server.signature": "true", > > > > "saml_idp_initiated_sso_url_name": "checkmarx", > > > > "saml.server.signature.keyinfo.ext": "false", > > > > "saml.signature.algorithm": "RSA_SHA256", > > > > "saml_force_name_id_format": "false", > > > > "saml.client.signature": "false", > > > > 
"saml.authnstatement": "true", > > > > "saml_name_id_format": "email", > > > > "saml.onetimeuse.condition": "false", > > > > "saml_signature_canonicalization_method": " > > > > > > http://www.w3.org/2001/10/xml-exc-c14n#", > > > > "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": > > > > "KEY_ID" > > > > }, > > > > "fullScopeAllowed": false, > > > > "nodeReRegistrationTimeout": -1, > > > > "useTemplateConfig": false, > > > > "useTemplateScope": false, > > > > "useTemplateMappers": false, > > > > "access": { > > > > "view": true, > > > > "configure": true, > > > > "manage": true > > > > } > > > > ``` > > > > > > > > Thank you for any help or advice on this! Cheers, > > > > Chris Byron > > > > _______________________________________________ > > > > keycloak-user mailing list > > > > keycloak-user at lists.jboss.org > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From dt at acutus.pro Mon Jul 23 21:10:06 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 24 Jul 2018 04:10:06 +0300 Subject: [keycloak-user] SAMLResponse missing InResponseTo In-Reply-To: References: <1532362275.12643.2.camel@acutus.pro> <1532364815.12643.8.camel@acutus.pro> <1532386352.2635.1.camel@acutus.pro> Message-ID: <1532394606.2635.4.camel@acutus.pro> On Mon, 2018-07-23 at 16:25 -0700, Chris Byron wrote: > Thanks, Dmitry. That said, as soon as I verified that SP-initiated was working, the opposite failure started! After doing an SP-init login, I can no longer perform IdP-init login because it sends the InResponseTo attribute when it should not! Oh ZOMG. Do I get it right that: - you're able to successfully login via SP-initiated SSO; - then you try IDP-initiated via the " /{realm}/protocol/saml/clients/checkmarx" special URL; - this results in Keycloak sending SAML response with assertion to your SP (specifically, to SP's assertion consumer URL); - SP barfs on the irrelevant InResponseTo? If so, probably you've found a bug. 
CCing our SAML guru Hynek Mlnarik.

And BTW, the situation seems to be known to other SAML implementors: https://github.com/onelogin/java-saml/issues/62

Interesting part is:

> The SAML Core spec (line 1605), and the SAML profiles spec (line 634)
> say that if the InResponseTo attribute is present it MUST match the
> value of the corresponding request's ID attribute. Further section
> 4.1.5 of the SAML profiles spec says that an unsolicited response
> (i.e. IdP initiated), MUST NOT contain an InResponseTo attribute (line
> 694)

Dmitry

> When I first log in to Keycloak I can do IdP-initiated login. If I log out of the service I can also do SP-initiated. But after doing a successful SP-initiated login, the Keycloak server seems to remember the SAMLRequest ID and sends it for each subsequent IdP initiated login, that is, when I use `/{realm}/protocol/saml/clients/checkmarx`.
>
> This persists until I log out of Keycloak. I assume it's something obvious, but any help would be appreciated.
>
> Cheers,
> Chris
>
> On Mon, Jul 23, 2018 at 4:00 PM Dmitry Telegin
wrote: > > On Mon, 2018-07-23 at 15:22 -0700, Chris Byron wrote: > > > That's a bit too advanced for me. After a few hours spent trying to learn how to do remote debugging, I returned to code examination, and found the problem! > > > > Glad you've found the answer, and sorry for having mislead you. Nevertheless, remote debugging is a must-have skill, I hope one day you'll make use of it and remember this day :) > > > > > I was sending the SAMLRequest to the IdP initiated URL. So Keycloak?ignored the SAMLRequest in the URL and treated it like an IdP initiated login. I should have been sending to /{realm}/protocol/saml, not /{realm}/protocol/saml/clients/checkmarx?. > > > > My bad, it was easy to overlook the suspicious Destination="..." in all that XML. As the doc says, "SAML tends to be a bit more verbose than OIDC." (is that "a bit" an irony?) :-D > > > > Cheers and good luck with Keycloak, > > Dmitry > > > > > > > > On Mon, Jul 23, 2018 at 9:53 AM Dmitry Telegin
wrote: > > > > On Mon, 2018-07-23 at 09:21 -0700, Chris Byron wrote: > > > > > Hi Dmitry, thanks for the response. I am on 3.4.3.Final (I should have said up front!) > > > > > > > > First and foremost, could you please try latest Keycloak (4.1.0)? Maybe not upgrading your main instance, but rather installing in parallel. There have been some changes to the SAML subsystem since 3.4.X. > > > > > > > > > I am familiar with changing logging levels of the running service using the jboss?cli, but I don't have the ability to build and step through or set breakpoints. (If it is possible to attach a CLI debugger to a running instance, please let me know! I have root on the host.) > > > > > > > > Yes, this is possible - just rerun Keycloak with the "--debug" option, it will open a listener on port 8787 (use "--debug " to override). > > > > > > > > Then forward this port to your box via SSH and use your favorite IDE to?attach debugger to localhost:8787 using dt_socket transport (it could be also called "SocketAttach connector"). Also, obviously, you'll need to checkout the source tree. > > > > > > > > Basically, you'll need to determine which code path Keycloak takes to generate the response, and, after that, try to understand why the attribute is omitted. > > > > > > > > Good luck! > > > > Dmitry > > > > > > > > >? > > > > > I doubt this helps, but here is the SAMLResponse from the Request?posted previously: > > > > > ``` > > > > > > > > > ? ? ID="ID_56969c1e-9957-4611-a145-5f4a0e3ee7bd" IssueInstant="2018-07-20T23:39:37.055Z" Version="2.0" > > > > > ? ? xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" > > > > > ? ? xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"> > > > > > ? ? https://keycloak.corp.net/auth/realms/Corp;;; > > > > > > ? ? ;;; > > > > > ? ? ? ? > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? ? ? ? ? > > > > > ? ? ? ? ? ? ? ? G3+MQLAAUiO5k9FzuZOsQmWL8Xw4luj7yjOkGUf9s2Y= > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? > > > > > ? ? ? ? 
VK3qLPoXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXQI2A== > > > > > ? ? ? ? > > > > > ? ? ? ? ? ? 3uFDBuktcAtr5KTpkvaeDXT2kqzWmh80OvN6OpIrrJc > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? ? ? ? ? MIICnzCCAYcCBgFgaqUo1jANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNdWxXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXL0lBQA0KCW7luEtVZhft1gtc1O > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? ? ? ? ? > > > > > ? ? ? ? ? ? ? ? ? ? qKnj408ReXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXrDew== > > > > > ? ? ? ? ? ? ? ? ? ? AQAB > > > > > ? ? ? ? ? ? ? ? > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? > > > > > ? ? > > > > > ? ? > > > > > ? ? > > > > ? ? ? ? Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> > > > > > ? ? ? ? https://keycloak.corp.net/auth/realms/Corp;;; > > > > > ? ? ? ? > > > > > > > > > > ? ? ? ? ? ? chris.byron at corp.com > > > > > ? ? ? ? ? ? > > > > ? ? ? ? ? ? ? ? Recipient="https://checkmarx.corp.net/cxrestapi/auth/samlAcs"/>;;; > > > > > ? ? ? ? > > > > > ? ? ? ? > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? ? ? ? ? https://checkmarx.corp.net;;; > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? > > > > > ? ? ? ? > > > > ? ? ? ? ? ? SessionIndex="3de9fb38-c443-4d9a-a8c2-26f104e07f58::9e57cb71-6dc1-46fd-9c7e-44db7af97e25"> > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? ? ? ? ? urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? > > > > > ? ? ? ? > > > > > ? ? ? ? ? ? > > > > ? ? ? ? ? ? ? ? NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > > > > > ? ? ? ? ? ? ? ? > > > > ? ? ? ? ? ? ? ? ? ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Byron > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? ? ? > > > > ? ? ? ? ? ? ? ? NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > > > > > ? ? ? ? ? ? ? ? > > > > ? ? ? ? ? ? ? ? ? ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Chris > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? ? ? > > > > ? ? ? ? ? ? ? ? 
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > > > > > ? ? ? ? ? ? ? ? > > > > ? ? ? ? ? ? ? ? ? ? xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">chris.byron at corp.com > > > > > ? ? ? ? ? ? > > > > > ? ? ? ? > > > > > ? ? > > > > > > > > > > ``` > > > > >? > > > > > > On Mon, Jul 23, 2018 at 9:11 AM Dmitry Telegin
wrote: > > > > > > Hi Chris, > > > > > >? > > > > > > According to the code, an InResponseTo attribute should be added to the response unconditionally: > > > > > > https://github.com/keycloak/keycloak/blob/master/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java#L168 > > > > > >? > > > > > > If you're familiar with debugging, could you please check if this code point is reached? If yes, is the InResponseTo value not null? > > > > > >? > > > > > > Also, which version of Keycloak are you using? > > > > > >? > > > > > > Cheers, > > > > > > Dmitry Telegin > > > > > > CTO, Acutus s.r.o. > > > > > > Keycloak Consulting and Training > > > > > >? > > > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > > > > > > +42 (022) 888-30-71 > > > > > > E-mail: info at acutus.pro > > > > > >? > > > > > > On Mon, 2018-07-23 at 08:37 -0700, Chris Byron wrote: > > > > > > > Good morning. I'm trying to debug an issue where my Keycloak IdP does not > > > > > > > include an InResponseTo attribute in the SAMLResponse after an SP-initiated > > > > > > > login. Are there certain conditions in the Request that need to be > > > > > > > satisfied before it will be included? Or certain client configurations in > > > > > > > Keycloak? > > > > > > >? > > > > > > > The SAMLRequest from the SP: > > > > > > > ``` > > > > > > > > > > > > > ? AssertionConsumerServiceURL=" > > > > > > > > > > > > > https://checkmarx.corp.net/cxrestapi/auth/samlAcs" > > > > > > > ? AttributeConsumingServiceIndex="0" > > > > > > > ? Destination=" > > > > > > > https://keycloak.corp.netauth/realms/Corp/protocol/saml/clients/checkmarx" > > > > > > > ? ID="idda5349fbbbf9483a91ec1531e52933a6" > > > > > > > IssueInstant="2018-07-20T23:39:36Z" Version="2.0" > > > > > > > ? xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > > > > > > > ? 
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"> > > > > > > > > > > https://checkmarx.corp.net;;;; > > > > > > > > > > > > > > ``` > > > > > > >? > > > > > > > Keycloak client configuration: > > > > > > > ``` > > > > > > > { > > > > > > > ? "id": "9e57cb71-6dc1-46fd-9c7e-44db7af97e25", > > > > > > > > > > > > > > ? "clientId": "https://checkmarx.corp.net", > > > > > > > ? "rootUrl": "", > > > > > > > > ? "adminUrl": "https://checkmarx.corp.net/cxrestapi/auth/samlAcs", > > > > > > > ? "baseUrl": "/auth/realms/Corp/protocol/saml/clients/checkmarx", > > > > > > > ? "surrogateAuthRequired": false, > > > > > > > ? "enabled": true, > > > > > > > ? "clientAuthenticatorType": "client-secret", > > > > > > > ? "redirectUris": [], > > > > > > > ? "webOrigins": [], > > > > > > > ? "notBefore": 0, > > > > > > > ? "bearerOnly": false, > > > > > > > ? "consentRequired": false, > > > > > > > ? "standardFlowEnabled": true, > > > > > > > ? "implicitFlowEnabled": false, > > > > > > > ? "directAccessGrantsEnabled": false, > > > > > > > ? "serviceAccountsEnabled": false, > > > > > > > ? "authorizationServicesEnabled": false, > > > > > > > ? "publicClient": false, > > > > > > > ? "frontchannelLogout": true, > > > > > > > ? "protocol": "saml", > > > > > > > ? 
"attributes": { > > > > > > > ????"saml.assertion.signature": "false", > > > > > > > ????"saml.force.post.binding": "true", > > > > > > > ????"saml.multivalued.roles": "false", > > > > > > > ????"saml.encrypt": "false", > > > > > > > ????"saml.server.signature": "true", > > > > > > > ????"saml_idp_initiated_sso_url_name": "checkmarx", > > > > > > > ????"saml.server.signature.keyinfo.ext": "false", > > > > > > > ????"saml.signature.algorithm": "RSA_SHA256", > > > > > > > ????"saml_force_name_id_format": "false", > > > > > > > ????"saml.client.signature": "false", > > > > > > > ????"saml.authnstatement": "true", > > > > > > > ????"saml_name_id_format": "email", > > > > > > > ????"saml.onetimeuse.condition": "false", > > > > > > > ????"saml_signature_canonicalization_method": " > > > > > > > > > > > > > http://www.w3.org/2001/10/xml-exc-c14n#", > > > > > > > ????"saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": > > > > > > > "KEY_ID" > > > > > > > ? }, > > > > > > > ? "fullScopeAllowed": false, > > > > > > > ? "nodeReRegistrationTimeout": -1, > > > > > > > ? "useTemplateConfig": false, > > > > > > > ? "useTemplateScope": false, > > > > > > > ? "useTemplateMappers": false, > > > > > > > ? "access": { > > > > > > > ????"view": true, > > > > > > > ????"configure": true, > > > > > > > ????"manage": true > > > > > > > ? } > > > > > > > ``` > > > > > > >? > > > > > > > Thank you for any help or advice on this! Cheers, > > > > > > > Chris Byron > > > > > > > _______________________________________________ > > > > > > > keycloak-user mailing list > > > > > > > keycloak-user at lists.jboss.org > > > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > >? 
From manisha04.nandal at gmail.com Mon Jul 23 23:50:51 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Tue, 24 Jul 2018 09:20:51 +0530
Subject: [keycloak-user] admin account custom theme not working
In-Reply-To:
References:
Message-ID:

Please update

On Fri, Jul 20, 2018 at 4:09 PM, Manisha Nandal wrote:
> Hi,
>
> I want to use a custom theme for the admin user. I tried creating a folder "mytheme/admin" and placed my new modified files there. I also changed the configuration from admin account -> realm settings -> theme. My modified files are not picked up.
>
> I followed the same process for login theme changes and it works.
>
> Can you please guide me on how to use a custom theme for the admin account? Another thing I observed is that if I change the theme for both the master realm and my own realm, then it works.
>
> Thanks
> Manisha

From nikola.malenic at netsetglobal.rs Tue Jul 24 04:52:22 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Tue, 24 Jul 2018 10:52:22 +0200
Subject: [keycloak-user] User chooses authentication flow on login
Message-ID: <00ae01d4232b$a319cd10$e94d6730$@netsetglobal.rs>

I would like to let the user choose between various alternative authentication flows on the login page. For example, I have this configuration:

Is there a way to let him choose the flow? What should I configure/implement?

Thanks,
Nikola

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/jpeg
Size: 35597 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180724/a945c011/attachment-0001.jpe

From henning.waack at codecentric.de Tue Jul 24 05:18:08 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Tue, 24 Jul 2018 11:18:08 +0200
Subject: [keycloak-user] Outbound SSL Connection in SPI
Message-ID:

Hi.

I am implementing a custom OIDC Protocol Mapper. Within it I have to make an HTTPS connection, which currently fails because I do not have a truststore configured on my HTTP connection. I have added a truststore SPI to my standalone.xml:

But I do not know how to get an HttpClient instance which uses this truststore. I have tried with:

```
org.apache.http.client.HttpClient httpClient = new org.keycloak.connections.httpclient.HttpClientBuilder().build();
```

and

```
DefaultHttpClientFactory factory = new DefaultHttpClientFactory();
HttpClientProvider httpClientProvider = factory.create((KeycloakSession) session);
return httpClientProvider.getHttpClient();
```

whereas the first just does not have the truststore configured, and the second fails with an NPE.

So how do I get an outbound HTTP connection which uses my truststore SPI?

Thanks & greetings

Henning

--
-----------
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Deutschland
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

Registered office: Solingen | HRB 25917 | Wuppertal District Court
Management board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
Supervisory board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz

This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files without delay. Unauthorized copying, use or opening of any attached files, as well as unauthorized forwarding of this e-mail, is not permitted.
From hmlnarik at redhat.com Tue Jul 24 06:19:06 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Tue, 24 Jul 2018 12:19:06 +0200
Subject: [keycloak-user] SAMLResponse missing InResponseTo
In-Reply-To:
References: <1532362275.12643.2.camel@acutus.pro> <1532364815.12643.8.camel@acutus.pro> <1532386352.2635.1.camel@acutus.pro>
Message-ID:

Hi Chris,

you seem to have hit a bug. Could you please file a JIRA with this description and set its Component to Protocol - SAML?

And thanks for your help so far, Dmitry

--Hynek

On Tue, Jul 24, 2018 at 1:33 AM Chris Byron wrote:
> Thanks, Dmitry. That said, as soon as I verified that SP-initiated was working, the opposite failure started! After doing an SP-init login, I can no longer perform IdP-init login because it sends the InResponseTo attribute when it should not!
>
> When I first log in to Keycloak I can do IdP-initiated login. If I log out of the service I can also do SP-initiated. But after doing a successful SP-initiated login, the Keycloak server seems to remember the SAMLRequest ID and sends it for each subsequent IdP initiated login, that is, when I use `/{realm}/protocol/saml/clients/checkmarx`.
>
> This persists until I log out of Keycloak. I assume it's something obvious, but any help would be appreciated.
>
> Cheers,
> Chris
"RSA_SHA256", > > > > > "saml_force_name_id_format": "false", > > > > > "saml.client.signature": "false", > > > > > "saml.authnstatement": "true", > > > > > "saml_name_id_format": "email", > > > > > "saml.onetimeuse.condition": "false", > > > > > "saml_signature_canonicalization_method": " > > > > > > > http://www.w3.org/2001/10/xml-exc-c14n#", > > > > > > "saml.server.signature.keyinfo.xmlSigKeyInfoKeyNameTransformer": > > > > > "KEY_ID" > > > > > }, > > > > > "fullScopeAllowed": false, > > > > > "nodeReRegistrationTimeout": -1, > > > > > "useTemplateConfig": false, > > > > > "useTemplateScope": false, > > > > > "useTemplateMappers": false, > > > > > "access": { > > > > > "view": true, > > > > > "configure": true, > > > > > "manage": true > > > > > } > > > > > ``` > > > > > > > > > > Thank you for any help or advice on this! Cheers, > > > > > Chris Byron > > > > > _______________________________________________ > > > > > keycloak-user mailing list > > > > > keycloak-user at lists.jboss.org > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From corentin.dupont at gmail.com Tue Jul 24 06:54:35 2018 From: corentin.dupont at gmail.com (Corentin Dupont) Date: Tue, 24 Jul 2018 10:54:35 +0000 Subject: [keycloak-user] Permissions: Slow/complex interactions Message-ID: Hi guys, I experience some performance issue on my API server using Keycloak. 
After someone issues a GET on my API server, here is what happens:

- API server -> DB server: get requested resources
- API server -> Keycloak: get client token (to get resources)
- API server -> Keycloak: get resources (to complement DB server with resource owner & visibility)
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)

At this point the filtered resources are returned.

But this process is quite slow. I noticed a call to KC can take up to 100ms. The complete call on the API server can take up to 600ms on my laptop, in a localhost setting. The delays become noticeable on my UI...

With a resource SPI strategy (if developed), it should be:

- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission (to filter resources)
- Keycloak -> DB server: get resources

There are slightly fewer requests. An additional gain is that resources are not split between 2 databases.

I wonder if resources could be pushed during the permission request? Like a "pushed claim". This would be even more straightforward:

- API server -> DB server: get requested resources
- API server -> Keycloak: get user token (to get permission)
- API server -> Keycloak: get permission and push resources

Can this work?

From psilva at redhat.com Tue Jul 24 07:51:51 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 24 Jul 2018 08:51:51 -0300
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont wrote:
> Hi guys,
> I experience some performance issue on my API server using Keycloak.
> After someone issue a GET on my API server, here is what happens:
>
> - API server -> DB server: get requested resources
> - API server -> Keycloak: get client token (to get resources)
> - API server -> Keycloak: get resources (to complement DB server with resource owner & visibility)
> - API server -> Keycloak: get user token (to get permission)
> - API server -> Keycloak: get permission (to filter resources)
> At this point the filtered resources are returned.
>
> But this process is quite slow. I noticed a call to KC can take up to 100ms.
> The complete call on the API server can take up to 600ms on my laptop, in localhost setting.
> The delays become noticeable on my UI...

Are you able to confirm which step(s) spend more time to process? Is it when obtaining client tokens, resources, or during evaluation?

Also, could you elaborate more on what this step is doing: "- API server -> Keycloak: get resources (to complement DB server with resource owner & visibility)"?

> With a resource SPI strategy (if developed), it should be:
>
> - API server -> DB server: get requested resources
> - API server -> Keycloak: get user token (to get permission)
> - API server -> Keycloak: get permission (to filter resources)
> - Keycloak -> DB server: get resources
>
> There is a little less requests. Additional gain is that resources are not split between 2 databases.
>
> I wonder if resources could be pushed during the permission request? Like a "pushed claim".
> This would be even more straightforward:
>
> - API server -> DB server: get requested resources
> - API server -> Keycloak: get user token (to get permission)
> - API server -> Keycloak: get permission and push resources
> Can this work?

I think this is an area we might want to improve in order to allow evaluating permissions solely based on claims pushed to the server. That means you won't need to manage resources in the server but rely on policies to process the "pushed claims".

+1

From jlord87 at gmail.com Tue Jul 24 08:15:31 2018
From: jlord87 at gmail.com (jlord87 at gmail.com)
Date: Tue, 24 Jul 2018 14:15:31 +0200
Subject: [keycloak-user] Is keycloak the tool I'm looking for? selective AD user sync
Message-ID: <91e80618fc3dc0c8f5965a29a64b8d012680d912.camel@gmail.com>

Hello guys,

I'm really new to keycloak and I need your help to understand if this is what I'm really looking for; I am the IT administrator in a non-profit environment, managing servers and services for several non-profit organizations.

What I'm trying to achieve is the centralization of the authentication and authorization process: every user should just have one password and one "username".

The difficult part is that the environment I work in is really "fluid": there are a lot of people working or volunteering in one or more different organizations. Every organization has its own active directory server (to manage desktop authentication and some CIFS shares), its own gsuite (for emails) and at the same time, there are services shared by all (or some) of these organizations (like a redmine ticketing system, nextcloud file server and so on).

What I'm dreaming of is to manage everything from a single piece of software (I tried gluu but it had some annual fees we cannot afford to pay): I would like to create a user (something like name.surname) and add to this user "permissions", something like "user1 should be able to access gsuite 1, gsuite2, nextcloud and active directory 1".

I've uploaded a scheme in this pdf: https://mega.nz/#!z4InTCaa!ngyWks8yoN7rrW-NR6RXnPJ32tCKSz0snWB1c7lFEbg

Do you think keycloak is capable of this? I played around a bit, read a lot of documentation and what I wasn't able to achieve was a selective active directory user sync... Maybe my error was trying to do everything in the same realm, what do you think about it?

Thank you for any hint

Francesco

From nikola.malenic at netsetglobal.rs Tue Jul 24 09:22:09 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Tue, 24 Jul 2018 15:22:09 +0200
Subject: [keycloak-user] Alternative client-cert authentication
Message-ID: <00c301d42351$537f93e0$fa7ebba0$@netsetglobal.rs>

I am configuring the browser flow and would like to provide users who have certificates with the capability to log in immediately. Users who don't have (send) a certificate should be able to log in with username+password (a form would be presented to them).

I configured two ALTERNATIVE subflows inside the browser flow. The first subflow has the X509/Validate Username Form execution as ALTERNATIVE and the second flow has Username Password Form as REQUIRED.

The problem is that when I access the admin console I am not shown the form to enter username and password since I didn't send a certificate. I get this error: "Invalid username or password.". It seems that the second flow is automatically executed, but since I didn't send a username and password it finishes unsuccessfully.

Do you have any idea how to configure this?

Many thanks,
Nikola

From bejond at 163.com Tue Jul 24 09:24:30 2018
From: bejond at 163.com (bejond)
Date: Tue, 24 Jul 2018 21:24:30 +0800 (CST)
Subject: [keycloak-user] How to login without username and password
Message-ID: <805d30e.dd83.164cc766c52.Coremail.bejond@163.com>

Hi developers,

I want to use a mobile number and an SMS text code to log in to keycloak. But keycloak requires a username and password to log in. I copied the Browser authentication flow, removed "Username Password Form", and added my own "Mobile OTP" SPI.
When I open the login page, it shows "Invalid username or password", and the log says:

21:00:03,638 WARN [org.keycloak.events] (default task-106) type=LOGIN_ERROR, realmId=test1, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=invalid_redirect_uri, redirect_uri=http://localhost:8080/auth/admin/master/console/
21:00:45,711 WARN [org.keycloak.services] (default task-107) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: authenticator: mobile-otp-authenticator

Is there a way to remove "Username and Password Form" and log in with my own SPI? Or can I override the default "Username and Password Form" with my own logic? By "override" I mean: I write a new SPI without changing the keycloak source code.

If I can't achieve this, I think I need to use another open source OAuth application, bind it to keycloak as an Identity Provider and change the source of the OAuth application to achieve my goal. It would be better if I could achieve my goal without another IdP.

Thanks in advance.

From Dorit.Mari at audiocodes.com Tue Jul 24 09:45:46 2018
From: Dorit.Mari at audiocodes.com (Dorit Mari)
Date: Tue, 24 Jul 2018 13:45:46 +0000
Subject: [keycloak-user] Keycloak - grant_type when getting a token and token introspection
In-Reply-To: 
References: 
Message-ID: 

Many thanks Hans! I very much appreciate your help.

Introspection now works for me; turns out I did indeed have a few problems of inconsistent host:port combinations:

1. In one case, the token was obtained using HTTPS and port 443, but the introspection was done using HTTP and port 80.
2. The Host header in the HTTP introspection request contained the resolved IP address of the keycloak server (and not its domain name), while the destination for the POST request for obtaining the token was the domain name itself.
3.
In another case, the token was obtained from the keycloak server at port 8080, but the Host header in the introspection request didn't include the port (which isn't the HTTP default port, so it is needed).

Thanks,
Dorit

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Hans Zandbelt
Sent: Monday, July 23, 2018 21:34
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak - grant_type when getting a token and token introspection

Check that you're calling the introspection endpoint using the same host:port combo as the one that was used when the token was obtained by the client in the call to the token endpoint, otherwise the introspection result will always be { "active": "false" }.

Hans.

-- 
hans.zandbelt at zmartzone.eu
ZmartZone IAM
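Hans's rule of thumb is what Keycloak enforces server-side: the introspection endpoint rebuilds the expected issuer (scheme://host:port/auth/realms/realm-name) from the request it receives, Host header included, and compares it with the token's iss claim, so any of Dorit's three mismatches produces an inactive result. The pre-flight check below is an added example, not code from the thread or from Keycloak; it reproduces that comparison on the client before the request is sent. The hostnames, realm name, IP address and the unsigned sample token are constructed for the example.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Client-side pre-flight check for token introspection against Keycloak.
 * The server rebuilds the expected issuer (scheme://host:port/auth/realms/<realm>)
 * from the introspection request it receives and compares it with the token's
 * "iss" claim; any difference yields {"active": false}. This class performs
 * the same comparison before the request is sent.
 */
public final class IntrospectionTargetCheck {

    // Only "iss" is needed; the payload is read without signature verification.
    private static final Pattern ISS = Pattern.compile("\"iss\"\\s*:\\s*\"([^\"]+)\"");

    /** Extracts the "iss" claim from a compact JWS (header.payload.signature). */
    static String issuerOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("not a compact JWS");
        }
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = ISS.matcher(payload);
        if (!m.find()) {
            throw new IllegalArgumentException("no iss claim in token payload");
        }
        return m.group(1);
    }

    /** scheme://host:port with the default port filled in, so "https://h" equals "https://h:443". */
    static String origin(URI uri) {
        String scheme = uri.getScheme().toLowerCase();
        int port = uri.getPort() == -1 ? ("https".equals(scheme) ? 443 : 80) : uri.getPort();
        return scheme + "://" + uri.getHost().toLowerCase() + ":" + port;
    }

    /**
     * Returns null when introspectionUrl (and the Host header that will be sent with it)
     * are consistent with the token's issuer; otherwise a description of the first mismatch.
     * Pass hostHeader = null when the client derives it from the URL, as curl does by default.
     */
    static String mismatch(String jwt, String introspectionUrl, String hostHeader) {
        URI iss = URI.create(issuerOf(jwt));
        URI target = URI.create(introspectionUrl);

        if (!origin(iss).equals(origin(target))) {
            return "scheme/host/port differ: token iss " + origin(iss) + ", introspection " + origin(target);
        }
        if (hostHeader != null) {
            // The server sees the Host header, not the URL the client typed.
            String sent = origin(URI.create(target.getScheme() + "://" + hostHeader));
            if (!sent.equals(origin(iss))) {
                return "Host header resolves to " + sent + " but token iss is " + origin(iss);
            }
        }
        // The issuer path names the realm; the endpoint must live under that same realm.
        if (!target.getPath().startsWith(iss.getPath() + "/")) {
            return "realm path differs: token iss path " + iss.getPath() + ", introspection path " + target.getPath();
        }
        return null;
    }

    /** Constructed, unsigned sample token (alg=none) carrying only the claims this check reads. */
    static String sampleToken(String issuer) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString(("{\"iss\":\"" + issuer + "\",\"typ\":\"Bearer\"}").getBytes(StandardCharsets.UTF_8));
        return header + "." + payload + ".";
    }

    public static void main(String[] args) {
        // Assumed deployment: realm "demo" served on a non-default port.
        String realm = "http://keycloak.example.com:8080/auth/realms/demo";
        String introspect = realm + "/protocol/openid-connect/token/introspect";
        String token = sampleToken(realm);

        // consistent -> null
        System.out.println(mismatch(token, introspect, "keycloak.example.com:8080"));
        // Dorit's case 3: Host header without the non-default port
        System.out.println(mismatch(token, introspect, "keycloak.example.com"));
        // Dorit's case 2: Host header carries the IP address instead of the name
        System.out.println(mismatch(token, introspect, "192.0.2.10:8080"));
        // Dorit's case 1: token issued over https/443, introspection attempted over http/80
        String httpsToken = sampleToken("https://keycloak.example.com/auth/realms/demo");
        System.out.println(mismatch(httpsToken,
                "http://keycloak.example.com/auth/realms/demo/protocol/openid-connect/token/introspect", null));
    }
}
```

The check deliberately reads iss without verifying the signature: it is a diagnostic for the client's own request, not a trust decision, and the server still verifies the token. When a reverse proxy sits in front of Keycloak, the value to compare is the Host (or X-Forwarded-Host) the proxy forwards, which is what the server uses to build the issuer.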
From ddtxra at gmail.com Tue Jul 24 10:12:53 2018
From: ddtxra at gmail.com (Daniel Teixeira)
Date: Tue, 24 Jul 2018 16:12:53 +0200
Subject: [keycloak-user] Groups as array of objects (Script Mapper ? )
In-Reply-To: <1532368224.12643.10.camel@acutus.pro>
References: <1532311486.2248.16.camel@acutus.pro> <1532368224.12643.10.camel@acutus.pro>
Message-ID: 

Thank you for your answer Dmitry.

Indeed the dependency org.keycloak.keycloak-services was missing! I have added that one to the module.xml and it worked :)

Also there was another error: my directory structure was missing the module name (sib-group-membership-mapper):

mkdir -p modules/swiss/sib/keycloak/sib-group-membership-mapper/main/

If others have the same trouble, all the configuration can be accomplished with a single command:

./bin/jboss-cli.sh --command="module add --name=swiss.sib.keycloak.sib-group-membership-mapper --resources=/tmp/sib-group-membership-mapper.jar --dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.keycloak.keycloak-services"

and I leave this repo as a reference: https://github.com/ddtxra/sib-group-membership-mapper

Thanks again Dmitry.

On Mon, Jul 23, 2018 at 7:50 PM, Dmitry Telegin
wrote:
> Hi Daniel,
>
> On Mon, 2018-07-23 at 18:31 +0200, Daniel Teixeira wrote:
> > Thank you Dmitry,
> > I was trying to see if there was an option without writing a java module. What you are suggesting is to create a module, correct?
>
> Yep you're right, from my experience it's easier to create a Java extension rather than dive deep into the guts of ScriptMapper trying to make it return what you want :)
>
> > I gave a try to my first "module" but couldn't find very much info or examples about how to write custom protocol mappers.
> > Are they configured the same way as Authentication Providers?
> >
> > I tried to configure it, but I get a ModuleNotFoundException, here is what I did:
> > https://github.com/ddtxra/sib-group-membership-mapper
>
> You did everything right. The only missing piece is the deployment descriptor. If you're hot deploying (via standalone/deployments directory), put this into your META-INF/jboss-deployment-structure.xml:
>
>
>
> ...then recompile and redeploy. Or, if you'd like to deploy it as a Wildfly/JBoss module, do the following in jboss-cli:
>
> module add --name=sib-group-membership-mapper --resources=/path/to/sib-group-membership-mapper.jar --dependencies=org.keycloak.keycloak-services
>
> ...so that it creates the descriptor (yet a different one) for you.
>
> Good luck!
> Dmitry
>
> > Can someone spot the problem?
> > Thanks very much for your help!
> >
> > On Mon, Jul 23, 2018 at 4:04 AM, Dmitry Telegin
wrote:
> > > Hi Daniel,
> > >
> > > Not sure if Script Mapper allows for that, but you could definitely solve this with a custom ProtocolMapper. Use the "Group Membership" mapper as a reference, but return an array of objects instead of an array of strings.
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Fri, 2018-07-20 at 14:26 +0200, Daniel Teixeira wrote:
> > > > Hello,
> > > > I am trying to configure my userinfo token to get the groups as an array of objects.
> > > > Currently if I add the "Group Membership" mapper in my client, an array of Strings with the groups is returned.
> > > >
> > > > {
> > > >   "name": "Dummy User",
> > > >   "groups": ["group1", "group2", "group3"]
> > > >   ...
> > > > }
> > > >
> > > > But what I need for a SSO Confluence plugin to work is the following format:
> > > > (The names of the attributes don't matter, but I need an array of objects for the groups)
> > > >
> > > > {
> > > >   "name": "Dummy User",
> > > >   "groups": [ {"group_name": "group1"},
> > > >               {"group_name": "group2"},
> > > >               {"group_name": "group3"} ]
> > > >   ...
> > > > }
> > > >
> > > > So I have tried to create a Script Mapper as follows:
> > > >
> > > > var groups = [];
> > > > user.getGroups().forEach(function(groupModel) {
> > > >     var groupName = groupModel.getName();
> > > >     groups.push({"group_name": groupName});
> > > > })
> > > >
> > > > token.setOtherClaims("groups", groups);
> > > >
> > > > But this script produces a token as follows:
> > > >
> > > > {
> > > >   "name": "Dummy User",
> > > >   "groups": {
> > > >     "0": {
> > > >       "group_name": "group1"
> > > >     },
> > > >     "1": {
> > > >       "group_name": "group2"
> > > >     },
> > > >     "2": {
> > > >       "group_name": "group3"
> > > >     }
> > > >   },
> > > >   ....
> > > > }
> > > >
> > > > Which is not an array of objects, but a map of objects.
> > > > I have tried to toggle the option multivalued but it didn't change anything.
> > > >
> > > > Is there a way to have an array?
> > > > Could someone help me with that?
> > > > Thanks in advance!
> > > >
> > > > Cheers,
> > > > Daniel Teixeira
> >
> > --
> > Daniel Teixeira

--
Daniel Teixeira

From dt at acutus.pro Tue Jul 24 11:22:08 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 24 Jul 2018 18:22:08 +0300
Subject: [keycloak-user] Groups as array of objects (Script Mapper ? )
In-Reply-To: 
References: <1532311486.2248.16.camel@acutus.pro> <1532368224.12643.10.camel@acutus.pro>
Message-ID: <1532445728.3425.2.camel@acutus.pro>

Hi Daniel, you're welcome :)

So finally you've managed to get your groups mapped as desired in a JWT token? Does it work with Confluence?

Dmitry

On Tue, 2018-07-24 at 16:12 +0200, Daniel Teixeira wrote:
> Thank you for your answer Dmitry.
>
> Indeed the dependency org.keycloak.keycloak-services was missing!
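The custom ProtocolMapper Dmitry suggests, as an added example that is not code from the thread, from Keycloak itself or from Daniel's repository: it follows the shape of the built-in Group Membership mapper but builds the claim value as a java.util.List of maps on the Java side, so Jackson serializes it as a JSON array of objects instead of the index-keyed map that Nashorn produced from the JavaScript array. The package, class name and provider id are assumptions; the class must additionally be listed in META-INF/services/org.keycloak.protocol.ProtocolMapper and deployed with the module dependencies shown above. It is written against the Keycloak 3.x/4.x mapper API (the three-argument setClaim overload).

```java
package example.keycloak;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.protocol.oidc.mappers.UserInfoTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.IDToken;

/**
 * Protocol mapper that emits the user's groups as an array of objects, e.g.
 *   "groups": [{"group_name": "group1"}, {"group_name": "group2"}]
 * in the ID token, access token and userinfo response (each switchable in the
 * mapper's configuration, like the built-in mappers).
 *
 * Package, class and provider id are assumptions made for this example.
 */
public class GroupObjectMapper extends AbstractOIDCProtocolMapper
        implements OIDCAccessTokenMapper, OIDCIDTokenMapper, UserInfoTokenMapper {

    public static final String PROVIDER_ID = "oidc-group-object-mapper";

    private static final List<ProviderConfigProperty> CONFIG = new ArrayList<>();

    static {
        // "Token Claim Name" plus the "Add to ID token / access token / userinfo" switches.
        OIDCAttributeMapperHelper.addTokenClaimNameConfig(CONFIG);
        OIDCAttributeMapperHelper.addIncludeInTokensConfig(CONFIG, GroupObjectMapper.class);
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    @Override
    public String getDisplayType() {
        return "Group Membership (array of objects)";
    }

    @Override
    public String getDisplayCategory() {
        return TOKEN_MAPPER_CATEGORY;
    }

    @Override
    public String getHelpText() {
        return "Maps the user's groups to an array of {\"group_name\": ...} objects.";
    }

    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return CONFIG;
    }

    /**
     * Called for each token type that is enabled in the mapper configuration.
     * Building a List<Map> here (rather than a JavaScript array in a Script Mapper)
     * is what makes the claim come out as a JSON array.
     */
    @Override
    protected void setClaim(IDToken token, ProtocolMapperModel mappingModel, UserSessionModel userSession) {
        List<Map<String, String>> groups = userSession.getUser().getGroups().stream()
                .map(group -> Collections.singletonMap("group_name", group.getName()))
                .collect(Collectors.toList());

        // Honours the configured claim name, including dotted names for nested claims.
        OIDCAttributeMapperHelper.mapClaim(token, mappingModel, groups);
    }
}
```

Because the value is an ordinary List, the "Multivalued" switch is irrelevant here; that switch only affects how the helper treats a single string value, which is why toggling it had no effect on the Script Mapper output.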
From orivat at janua.fr Tue Jul 24 12:46:39 2018
From: orivat at janua.fr (Olivier Rivat)
Date: Tue, 24 Jul 2018 18:46:39 +0200
Subject: [keycloak-user] SaaS multi-tenant architecture with multi-step authentication process
Message-ID: 

Hi,

1) introduction

I have a multi-tenant architecture deployed with keycloak.

At first, to investigate multi-tenant architecture, I have followed what is available within keycloak:

documentation
* https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy

examples:
* https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant

The same application is deployed in both tenants with
* http://localhost:8080/multitenant/tenant1 and login as user-tenant1, password user-tenant1
* http://localhost:8080/multitenant/tenant2 and login as user-tenant2, password user-tenant2

When you specify http://localhost:8080/multitenant/tenant1, you are redirected to tenant1, and you need to authenticate.
2) description of the problem

The issue I am facing is that I have a customer client application which can be redirected to several different realms. The realm selection is based on the email address.

* user1 at foo.com ---> should redirect to realm foo
* user2 at bar.com ---> should redirect to realm bar

In fact, the email analysis should redirect to the correct realm (foo or bar, or more). Once I have the login screen of the corresponding realm, it is the same as in the introduction, where the user authenticates normally in his specific tenant.

3) Authentication workflow requirement

In fact the authentication workflow process should be as follows:

step 1
* General welcome panel
* the user enters his email address
* based on the analysis of his email address, the user is redirected to a specific authentication realm (foo or bar or more)

step 2
* The user enters his login/password in the realm login authentication screen

After analysis, it sounds like the keycloak authentication process needs to be updated/modified with
1. adding an extra additional step (which is a general form asking for the email)
2. based on the email analysis, the corresponding tenant login screen is presented to the user
3. the user authenticates to the tenant with his login/password.

4) How to move forward

For information, Azure and Atlassian already implement such a redirection mechanism in SaaS multi-tenant architectures. Keycloak documentation does not seem to mention such a possibility to tailor "out of the box" the authentication workflow to our needs.

Could the mechanism described above be achieved by customizing the authentication workflow by developing a specific authentication SPI plugin which could handle both steps mentioned above? Does this approach sound correct to you, or is it something to rule out? Or would you advise another approach?

Thanks for your help.
Regards,
Olivier

-- 
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From pnalyvayko at agi.com Tue Jul 24 13:03:12 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Tue, 24 Jul 2018 17:03:12 +0000
Subject: [keycloak-user] Alternative client-cert authentication
In-Reply-To: <00c301d42351$537f93e0$fa7ebba0$@netsetglobal.rs>
References: <00c301d42351$537f93e0$fa7ebba0$@netsetglobal.rs>
Message-ID: 

Hi Nikola,

Try this:

Auth type                               Requirement    Type
X509                                    ALTERNATIVE    Flow
==> X509/Validate Username Form         ALTERNATIVE    (execution step, X509 flow)
==> Browser Forms                       ALTERNATIVE    (sub-flow, X509 flow)
====> Username Password Form            REQUIRED       (execution step, Browser Forms flow)

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Nikola Malenic
Sent: Tuesday, July 24, 2018 9:22 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Alternative client-cert authentication
From paul at grebenc.ca Tue Jul 24 14:20:17 2018
From: paul at grebenc.ca (Paul Grebenc)
Date: Tue, 24 Jul 2018 14:20:17 -0400
Subject: [keycloak-user] Role required to manage user consents from REST API
In-Reply-To: <1532314342.2248.18.camel@acutus.pro>
References: <1532314342.2248.18.camel@acutus.pro>
Message-ID: 

Thank you, this is useful information.

If it is currently not possible for a normal user to view or revoke consents on their own authority, a workaround could probably be to set up a service associated with a client in Keycloak that does have the authority to perform these operations, and then it will be responsible for restricting what it allows based on the identity of its callers.

Regards,
Paul

On Sun, Jul 22, 2018 at 10:52 PM, Dmitry Telegin
wrote:
> Hi Paul,
>
> Here's the method responsible for consent / offline token revocation:
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java#L480
>
> This can be further traced to o.k.services.resources.admin.permissions.UserPermissions::canManage(UserModel):
> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java#L311
>
> Long story short: currently, consents / offline tokens can be revoked only by those allowed to manage all the users in the realm (either via "admin" role membership or Realm > Users > Permissions) or by those allowed to manage users in a particular group (Realm > Groups > (group) > Permissions). That means, a user is not allowed to revoke his/her own consents and offline tokens. This looks like a bug to me, but let's see what the Keycloak devs say.
>
> > Also, looking through the REST API documentation, I didn't see anything related to roles and authorization. Are all operations only accessible by users with the admin role assigned?
>
> Not necessarily so; unfortunately, this topic is mostly undocumented, so the only reliable way is to look into the sources (something we've just done for consent revocation).
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-07-20 at 15:47 -0400, Paul Grebenc wrote:
> > I have been doing some investigation with Keycloak 3.4.3.Final, and have noticed something that I am wondering about.
> >
> > It is possible for me to request an offline token for a given user with a password grant, and that consent will show up for the user under the user's Consents tab in the admin console.
> >
> > In terms of managing any granted consents (for the purpose of allowing a user to revoke a consent that they have granted), I have been able to do the following:
> >
> > curl -X GET -H "Authorization: Bearer <access token>" http://localhost:8080/auth/admin/realms/master/users/<userId>/consents
> > (e.g. http://localhost:8080/auth/admin/realms/master/users/38454015-6ab7-4880-b54c-77c5780fd2ba/consents)
> >
> > This returns all current consents granted by the user. I can then also do the following:
> >
> > curl -X DELETE -H "Authorization: Bearer <access token>" http://localhost:8080/auth/admin/realms/master/users/<userId>/consents/<clientId>
> > (e.g. http://localhost:8080/auth/admin/realms/master/users/38454015-6ab7-4880-b54c-77c5780fd2ba/consents/agent-registration)
> >
> > This revokes the consent granted by the specified user for the specified client.
> >
> > This is good so far, but I noticed that I was only authorized to perform these operations as admin, and not as the user in question who has granted these consents. Through experimentation, I was able to determine that if I add the role "admin" to the user, that user is then authorized for these operations.
> >
> > Is this intentional? It was originally my expectation that a user who has granted consents should be able to view or revoke their own consents without having to have the admin role assigned.
> >
> > Also, looking through the REST API documentation, I didn't see anything related to roles and authorization. Are all operations only accessible by users with the admin role assigned?
> >
> > Regards,
> >
> > Paul
>

From dt at acutus.pro Tue Jul 24 17:59:53 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Wed, 25 Jul 2018 00:59:53 +0300
Subject: [keycloak-user] Role required to manage user consents from REST API
In-Reply-To: 
References: <1532314342.2248.18.camel@acutus.pro>
Message-ID: <1532469593.2705.5.camel@acutus.pro>

Hi Paul,

Indeed, there exists a workaround you're writing about. You can create a custom REST endpoint inside Keycloak that will do exactly the following: 1) check the user's identity, 2) check that the requested consent belongs to the user, 3) perform actions on the consent.

To do this, you'll need to implement a RealmResourceProvider: https://www.keycloak.org/docs/latest/server_development/index.html#_extensions_rest

examples/providers/rest is a good start. The hard part is authentication/authorization: custom REST resources are public by default, so you'll need to take some efforts to secure your resource. There's some sort of authorization in examples/providers/domain-extension, but unfortunately it's currently broken: https://issues.jboss.org/browse/KEYCLOAK-5927

I'd suggest that you rather take a look at BeerCloak (it's working and maintained): https://github.com/dteleguin/beercloak

In BeerCloak, the user is checked for "view-beer" and "manage-beer" roles membership; in your case, you'll need to compare the user against the consent, but that shouldn't be difficult.

Good luck, and feel free to ask questions regarding BeerCloak,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-07-24 at 14:20 -0400, Paul Grebenc wrote:
> Thank you, this is useful information.
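The self-service endpoint Dmitry outlines, as an added example that is not code from the thread, from BeerCloak or from the Keycloak examples: a RealmResourceProvider that resolves the caller from the bearer token and only ever lists or revokes that caller's own consents, reusing the same two revocation calls that the admin UserResource performs. There is no user id in the URL, so the "does this consent belong to the user" check of step 2 is satisfied by construction. Package, class name and the path segment "my-consents" are assumptions; the RealmResourceProviderFactory that returns this resource (getId() returning "my-consents") and its META-INF/services/org.keycloak.services.resource.RealmResourceProviderFactory entry are not shown. Written against the 3.4/4.x services API.

```java
package example.keycloak;

import java.util.List;
import java.util.stream.Collectors;

import javax.ws.rs.DELETE;
import javax.ws.rs.GET;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.UserSessionManager;
import org.keycloak.services.resource.RealmResourceProvider;

/**
 * Custom realm resource (assumed to be registered under the id "my-consents", so it is
 * served at /auth/realms/{realm}/my-consents) that lets a user list and revoke their own
 * consents. The caller is identified solely by the bearer token; no user id is accepted
 * from the request, so one user cannot address another user's consents.
 */
public class MyConsentsResource implements RealmResourceProvider {

    private final KeycloakSession session;

    public MyConsentsResource(KeycloakSession session) {
        this.session = session;
    }

    @Override
    public Object getResource() {
        return this;
    }

    @Override
    public void close() {
    }

    /**
     * Resolves the caller from the Authorization: Bearer header. Custom resources are
     * public by default, so this is the step that turns the endpoint into an authenticated one.
     */
    private UserModel caller() {
        RealmModel realm = session.getContext().getRealm();
        AuthenticationManager.AuthResult auth = new AppAuthManager().authenticateBearerToken(session, realm);
        if (auth == null) {
            // Missing, expired or invalid token: 401 with a Bearer challenge.
            throw new NotAuthorizedException("Bearer");
        }
        return auth.getUser();
    }

    /** GET /auth/realms/{realm}/my-consents : clientIds of the clients the caller has consented to. */
    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public List<String> list() {
        RealmModel realm = session.getContext().getRealm();
        UserModel user = caller();
        return session.users().getConsents(realm, user.getId()).stream()
                .map(consent -> consent.getClient().getClientId())
                .collect(Collectors.toList());
    }

    /** DELETE /auth/realms/{realm}/my-consents/{clientId} : revoke the caller's consent for one client. */
    @DELETE
    @Path("{clientId}")
    public Response revoke(@PathParam("clientId") String clientId) {
        RealmModel realm = session.getContext().getRealm();
        UserModel user = caller();

        ClientModel client = realm.getClientByClientId(clientId);
        if (client == null) {
            throw new NotFoundException("Client not found");
        }

        // Same two steps the admin endpoint performs, scoped to the authenticated user:
        // drop the stored consent and invalidate any offline token granted to that client.
        boolean revokedConsent = session.users().revokeConsentForClient(realm, user.getId(), client.getId());
        boolean revokedOfflineToken = new UserSessionManager(session).revokeOfflineToken(user, client);
        if (!revokedConsent && !revokedOfflineToken) {
            throw new NotFoundException("Consent not found");
        }
        return Response.noContent().build();
    }
}
```

Two design notes: the lookup goes through the realm's client registry so that an unknown clientId produces a 404 rather than a silent no-op, and revocation is reported as "not found" only when neither a consent nor an offline token existed, mirroring the admin endpoint's behaviour. If the endpoint should also be reachable from the account console with a cookie session, the same AppAuthManager offers identity-cookie authentication that can be tried before the bearer path.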
From corentin.dupont at gmail.com Tue Jul 24 18:24:27 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Tue, 24 Jul 2018 22:24:27 +0000
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To: 
References: 
Message-ID: 

On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva wrote:
>
> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>
>> Hi guys,
>> I experience some performance issues on my API server using Keycloak.
>> After someone issues a GET on my API server, here is what happens:
>>
>> - API server -> DB server: get requested resources
>> - API server -> Keycloak: get client token (to get resources)
>> - API server -> Keycloak: get resources (to complement DB server with resource owner & visibility)
>> - API server -> Keycloak: get user token (to get permission)
>> - API server -> Keycloak: get permission (to filter resources)
>> At this point the filtered resources are returned.
>>
>> But this process is quite slow. I noticed a call to KC can take up to 100ms.
>> The complete call on the API server can take up to 600ms on my laptop, in a localhost setting.
>> The delays become noticeable on my UI...
>
> Are you able to confirm the step(s) spending more time to process? If when obtaining client tokens, resources or during evaluation?

I made a quick benchmark, here is the result:

- API server -> Keycloak: get client token: 400ms
- API server -> Keycloak: get resources: 1356ms
- API server -> Keycloak: get user token: 162ms
- API server -> Keycloak: get permission: 2400ms
Total: 4366ms

However, these timings are obtained only on the first try after I reboot the server. The next calls are faster. Maybe it's due to caching?
- API server -> Keycloak: get client token: 17ms - API server -> Keycloak: get resources: 19ms - API server -> Keycloak: get user token: 92ms - API server -> Keycloak: get permission: 314ms Total: 476ms So yes, it's the evaluation taking time (and user token on a lesser extent). On this call, I need to get permissions for all resources on one scope: permissions=#sensors:view Because I need to filter out the resources the user cannot see. There are around 70 resources and 3 policies (one user policy and 2 javascript). Keycloak is in a docker container. > > Also, could you elaborate more what this step is doing: "- API server -> > Keycloak: get resources (to complement DB server with > resource owner & visibility)" ? > I read the resources from Keycloak (authz/protection/resource_set/) because I need to return the owner of the resource in my server response. > > >> >> With a resource SPI strategy (if developed), it should be: >> >> - API server -> DB server: get requested resources >> - API server -> Keycloak: get user token (to get permission) >> - API server -> Keycloak: get permission (to filter resources) >> - Keycloak -> DB server: get resources >> >> There is a little less requests. Additional gain is that resources are not >> split between 2 databases. >> >> I wonder if resources could be pushed during the permission request? Like >> a >> "pushed claim". >> This would be even more straightforward: >> >> - API server -> DB server: get requested resources >> - API server -> Keycloak: get user token (to get permission) >> - API server -> Keycloak: get permission and push resources > > >> Can this work? >> > > I think this is an area we might want to improve in order to allow > evaluating permissions solely based on claims pushed to the server. That > means you won't need to manage resources in the server but rely on policies > to process the "pushed claims". > Yes that would be great. Let me open a Jira to track this. 
>> +1
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Jul 24 19:11:44 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 24 Jul 2018 20:11:44 -0300
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

We now have a performance testsuite (thanks to Tomaz) that can also generate datasets to cover different scenarios. I'm in the middle of checking Tomaz's work and preparing some datasets to include in our testsuite.

I'm going to give your use case a try and see if I can get the same numbers. Not sure if this is your case, but I found some performance issues when defining multiple resources with a type where the owner is the resource server itself. This causes an overhead during evaluation where the engine tries to consider permissions granted to any of these typed resources. Someone reported this some time ago, and IMO, this is an invalid usage of resource types ... Not sure if this is your case though.

More answers inline.

On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont wrote:

> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva wrote:
>
>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>>> Hi guys,
>>> I experience some performance issues on my API server using Keycloak.
>>> After someone issues a GET on my API server, here is what happens:
>>>
>>> - API server -> DB server: get requested resources
>>> - API server -> Keycloak: get client token (to get resources)
>>> - API server -> Keycloak: get resources (to complement DB server with resource owner & visibility)
>>> - API server -> Keycloak: get user token (to get permission)
>>> - API server -> Keycloak: get permission (to filter resources)
>>> At this point the filtered resources are returned.
>>>
>>> But this process is quite slow. I noticed a call to KC can take up to 100ms.
>>> The complete call on the API server can take up to 600ms on my laptop, in a localhost setting.
>>> The delays become noticeable on my UI...
>>
>> Are you able to confirm the step(s) spending more time to process? Is it
>> when obtaining client tokens, resources or during evaluation?
>
> I made a quick benchmark, here is the result:
>
> - API server -> Keycloak: get client token: 400ms
> - API server -> Keycloak: get resources: 1356ms
> - API server -> Keycloak: get user token: 162ms
> - API server -> Keycloak: get permission: 2400ms
> Total: 4366ms
>
> However, these timings are obtained only on the first try after I reboot the server.
> The next calls are faster. Maybe it's due to caching?
>
> - API server -> Keycloak: get client token: 17ms
> - API server -> Keycloak: get resources: 19ms
> - API server -> Keycloak: get user token: 92ms
> - API server -> Keycloak: get permission: 314ms
> Total: 476ms

Yeah, it is caching. But the numbers for steps #2 and #4 are high. Will see what we can improve.

Thanks for the numbers. Wondering if you have percentiles for these requests? Or does this happen when you send a single request?

> So yes, it's the evaluation taking time (and the user token to a lesser extent).
> On this call, I need to get permissions for all resources on one scope:
> permissions=#sensors:view
> because I need to filter out the resources the user cannot see.
> There are around 70 resources and 3 policies (one user policy and 2 JavaScript).
> Keycloak is in a Docker container.

I'm working with more aggressive numbers, and results are better than yours. However, it all depends on how you are setting up your settings. Need to check your setup and see if I can create a dataset based on it.

Could you send me an example of those JavaScript policies? Are they doing much? Do you have more than one user per user policy?

>> Also, could you elaborate more on what this step is doing: "- API server ->
>> Keycloak: get resources (to complement DB server with resource owner & visibility)"?
>
> I read the resources from Keycloak (authz/protection/resource_set/) because I need to return the owner of the resource in my server response.
>
>>> With a resource SPI strategy (if developed), it should be:
>>>
>>> - API server -> DB server: get requested resources
>>> - API server -> Keycloak: get user token (to get permission)
>>> - API server -> Keycloak: get permission (to filter resources)
>>> - Keycloak -> DB server: get resources
>>>
>>> There are a few fewer requests. An additional gain is that resources are not split between 2 databases.
>>>
>>> I wonder if resources could be pushed during the permission request? Like a "pushed claim".
>>> This would be even more straightforward:
>>>
>>> - API server -> DB server: get requested resources
>>> - API server -> Keycloak: get user token (to get permission)
>>> - API server -> Keycloak: get permission and push resources
>>>
>>> Can this work?
>>
>> I think this is an area we might want to improve in order to allow
>> evaluating permissions solely based on claims pushed to the server. That
>> means you won't need to manage resources in the server but rely on policies
>> to process the "pushed claims".
>
> Yes, that would be great. Let me open a Jira to track this.
>
>> +1
>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Jul 24 19:21:44 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 24 Jul 2018 20:21:44 -0300
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

Btw, how much did you set your heap to?

Do you have limitations on CPU?
Could you share your JVM settings?

On Tue, Jul 24, 2018 at 8:11 PM, Pedro Igor Silva wrote:

> [...]

From manisha04.nandal at gmail.com Tue Jul 24 23:52:46 2018
From: manisha04.nandal at gmail.com (Manisha Nandal)
Date: Wed, 25 Jul 2018 09:22:46 +0530
Subject: [keycloak-user] admin account custom theme not working
In-Reply-To:
References:
Message-ID:

The issue is still open.
Please provide your inputs.

On Tue, Jul 24, 2018 at 9:20 AM, Manisha Nandal wrote:

> Please update
>
> On Fri, Jul 20, 2018 at 4:09 PM, Manisha Nandal <manisha04.nandal at gmail.com> wrote:
>
>> Hi,
>>
>> I want to use a custom theme for the admin user. I tried creating a folder
>> "mytheme/admin" and placed my new modified files there. I also changed the
>> configuration from admin account -> realm settings -> theme. My modified
>> files are not picked up.
>>
>> I followed the same process for login theme changes and it is working also.
>>
>> Can you please guide me on how to use a custom theme for the admin account?
>> Another thing I observed is that if I change the theme for both the master
>> realm and my own realm, then it works.
>>
>> Thanks
>> Manisha

From testoauth55 at gmail.com Wed Jul 25 02:47:01 2018
From: testoauth55 at gmail.com (Test Oauth)
Date: Wed, 25 Jul 2018 12:17:01 +0530
Subject: [keycloak-user] Sharing default configuration for keycloak deployment
Message-ID:

I am shipping Keycloak with my application and there is some default configuration that I have done. I want to ship this default configuration (like admin name/password, realm names etc.) with my application so that the customers can bring the basic authentication flow up with a single click (of probably a batch file). Is there a way to do this?

From dean.wyns at aptus.be Wed Jul 25 03:21:24 2018
From: dean.wyns at aptus.be (Wyns Dean)
Date: Wed, 25 Jul 2018 07:21:24 +0000
Subject: [keycloak-user] FW: Access control and client setup
In-Reply-To:
References:
Message-ID:

Hi

I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but I can't seem to wrap my head around some things.

We want to separate our APIs from the IAM. The sole purpose of Keycloak is to provide an identity and access token, primarily using the implicit flow.
The client-side application (usually SPAs) uses the access token in all API calls and the resource server checks the signature of the access token but does not access Keycloak at all.

Each backend has a few operations, and each operation gets its own "permission". For example one API can manage "items", so there are four permissions:
- create:item
- read:item
- update:item
- delete:item

Is it best practice with Keycloak to model these permissions as scopes? And then use roles/permissions/policies to limit the scope of the user? The backend can then just decode the access token and read the granted scopes.

Also, in a SPA + API set-up, do I create two clients in Keycloak, one for each? This is only useful when the API needs resource protection, right? I guess in my case I only need one client for the SPA because the API only needs the scope from the access token by decoding it.

Thanks for any feedback

Kind regards
Dean

From henning.waack at codecentric.de Wed Jul 25 03:45:20 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Wed, 25 Jul 2018 09:45:20 +0200
Subject: [keycloak-user] Outbound SSL Connection in SPI
In-Reply-To:
References:
Message-ID:

Any input on this? Kinda stuck with this issue... Thanks!

On 24 July 2018 at 11:18, Henning Waack <henning.waack at codecentric.de> wrote:

> Hi.
>
> I am implementing a custom OIDC Protocol Mapper. Within it I have to make an
> https connection, which currently fails because I do not have a truststore
> configured on my http connection.
>
> I have added a truststore SPI to my standalone.xml:
>
> value="WILDCARD"/>
>
> But I do not know how to get a HttpClient instance which uses this
> truststore.
> I have tried with:
>
> org.apache.http.client.HttpClient httpClient = new
> org.keycloak.connections.httpclient.HttpClientBuilder().build();
>
> and
>
> DefaultHttpClientFactory factory = new DefaultHttpClientFactory();
> HttpClientProvider httpClientProvider = factory.create((KeycloakSession)session);
> return httpClientProvider.getHttpClient();
>
> whereas the first just does not have the truststore configured, and the
> second fails with an NPE.
>
> So how do I get an outbound http connection which uses my truststore SPI?
>
> Thanks & greetings
>
> Henning
> --
>
> -----------
>
> Henning Waack | IT Consultant
>
> codecentric AG | Hochstraße 11 | 42697 Solingen | Germany
>
> tel: +49 (0)151 108 515 29
>
> www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
>
> Registered office: Solingen | HRB 25917 | Wuppertal District Court
>
> Board of Directors: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
> Supervisory Board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz
>
> This e-mail, including any attached files, contains confidential and/or
> legally protected information. If you are not the intended recipient or
> have received this e-mail in error, please inform the sender immediately
> and delete this e-mail and any attached files at once. Unauthorized
> copying, use or opening of any attached files, as well as the unauthorized
> forwarding of this e-mail, is not permitted.
>

--
-----------
Henning Waack | IT Consultant
codecentric AG | Hochstraße 11 | 42697 Solingen | Germany

From nikola.malenic at netsetglobal.rs Wed Jul 25 03:48:53 2018
From: nikola.malenic at netsetglobal.rs (Nikola Malenic)
Date: Wed, 25 Jul 2018 09:48:53 +0200
Subject: [keycloak-user] Alternative client-cert authentication
In-Reply-To:
References: <00c301d42351$537f93e0$fa7ebba0$@netsetglobal.rs>
Message-ID: <00d101d423eb$ef0388e0$cd0a9aa0$@netsetglobal.rs>

Thank you very much. It seems it works. At least, I am getting the form for user-pass, since I didn't configure certificates.

Can you tell what I have done wrong? This is my configuration:

Auth type                          Requirement   Type
Flow1                              ALTERNATIVE   Flow
==> X509/Validate Username Form    ALTERNATIVE   (execution step, Flow1)
Flow2                              ALTERNATIVE   Flow
==> Username Password Form         REQUIRED      (sub-flow, Flow2)

-----Original Message-----
From: Nalyvayko, Peter [mailto:pnalyvayko at agi.com]
Sent: Tuesday, July 24, 2018 7:03 PM
To: Nikola Malenic ; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Alternative client-cert authentication

Hi Nikola,

Try this:

Auth type                          Requirement   Type
X509                               ALTERNATIVE   Flow
==> X509/Validate Username Form    ALTERNATIVE   (execution step, X509 flow)
==> Browser Forms                  ALTERNATIVE   (sub-flow, X509 flow)
====> Username Password Form       REQUIRED      (execution step, Browser Forms flow)

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Nikola Malenic
Sent: Tuesday, July 24, 2018 9:22 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Alternative client-cert authentication

I am configuring the browser flow and would like to provide users with certificates with the capability to log in immediately. Users which don't have (send) a certificate should be able to log in with username+password (a form would be presented to them).

I configured two ALTERNATIVE subflows inside the browser flow. The first subflow has the X509/Validate Username Form execution as ALTERNATIVE and the second flow has the Username Password Form as REQUIRED.

The problem is that when I access the admin console I am not shown the form to enter username and password since I didn't send a certificate. I get this error: "Invalid username or password.". It seems that the second flow is automatically executed, but since I didn't send username and password it finishes unsuccessfully.

Do you have any idea how to configure this?

Many thanks,
Nikola
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From ddtxra at gmail.com Wed Jul 25 04:46:10 2018
From: ddtxra at gmail.com (Daniel Teixeira)
Date: Wed, 25 Jul 2018 10:46:10 +0200
Subject: [keycloak-user] Groups as array of objects (Script Mapper ? )
In-Reply-To: <1532445728.3425.2.camel@acutus.pro>
References: <1532311486.2248.16.camel@acutus.pro> <1532368224.12643.10.camel@acutus.pro> <1532445728.3425.2.camel@acutus.pro>
Message-ID:

Yes, with the module I created, the group mapping works as expected :)
Thanks again for your help!

For anyone else interested, the plugin I tested is this one:
https://marketplace.atlassian.com/apps/1218360/oauth-client-for-confluence

On Tue, Jul 24, 2018 at 5:22 PM, Dmitry Telegin
wrote:

> Hi Daniel, you're welcome :)
>
> So finally you've managed to get your groups mapped as desired in a JWT
> token? Does it work with Confluence?
>
> Dmitry
>
> On Tue, 2018-07-24 at 16:12 +0200, Daniel Teixeira wrote:
> > Thank you for your answer Dmitry.
> > Indeed the dependency org.keycloak.keycloak-services was missing! I
> > have added that one in the module.xml and it worked :)
> >
> > Also there was another error, my directory structure was missing the
> > module name (sib-group-membership-mapper):
> > mkdir -p modules/swiss/sib/keycloak/sib-group-membership-mapper/main/
> >
> > If others have the same trouble, all the configuration can be accomplished
> > with the single command:
> > ./bin/jboss-cli.sh --command="module add --name=swiss.sib.keycloak.sib-group-membership-mapper --resources=/tmp/sib-group-membership-mapper.jar --dependencies=org.keycloak.keycloak-core,org.keycloak.keycloak-server-spi,org.keycloak.keycloak-server-spi-private,org.keycloak.keycloak-services"
> >
> > and I leave this repo as a reference:
> > https://github.com/ddtxra/sib-group-membership-mapper
> >
> > Thanks again Dmitry.
> >
> > On Mon, Jul 23, 2018 at 7:50 PM, Dmitry Telegin wrote:
> > > Hi Daniel,
> > >
> > > On Mon, 2018-07-23 at 18:31 +0200, Daniel Teixeira wrote:
> > > > Thank you Dmitry,
> > > > I was trying to see if there was an option without writing a Java
> > > > module. What you are suggesting is to create a module, correct?
> > >
> > > Yep, you're right, from my experience it's easier to create a Java
> > > extension rather than dive deep into the guts of ScriptMapper trying to
> > > make it return what you want :)
> > >
> > > > I gave a try to my first "module" but couldn't find very much info or
> > > > examples about how to write custom protocol mappers.
> > > > Are they configured the same way as Authentication Providers?
> > > >
> > > > I tried to configure it, but I get a ModuleNotFoundException, here is
> > > > what I did:
> > > > https://github.com/ddtxra/sib-group-membership-mapper
> > >
> > > You did everything right. The only missing piece is the deployment descriptor.
> > > If you're hot deploying (via the standalone/deployments directory), put this
> > > into your META-INF/jboss-deployment-structure.xml:
> > >
> > > ...then recompile and redeploy. Or, if you'd like to deploy it as a
> > > Wildfly/JBoss module, do the following in jboss-cli:
> > >
> > > module add --name=sib-group-membership-mapper --resources=/path/to/sib-group-membership-mapper.jar --dependencies=org.keycloak.keycloak-services
> > >
> > > ...so that it creates the descriptor (yet a different one) for you.
> > >
> > > Good luck!
> > > Dmitry
> > >
> > > > Can someone spot the problem?
> > > > Thanks very much for your help!
> > > >
> > > > On Mon, Jul 23, 2018 at 4:04 AM, Dmitry Telegin wrote:
> > > > > Hi Daniel,
> > > > >
> > > > > Not sure if Script Mapper allows for that, but you could definitely
> > > > > solve this with a custom ProtocolMapper. Use the "Group Membership"
> > > > > mapper as a reference, but return an array of objects instead of an
> > > > > array of strings.
> > > > >
> > > > > Cheers,
> > > > > Dmitry Telegin
> > > > > CTO, Acutus s.r.o.
> > > > > Keycloak Consulting and Training
> > > > >
> > > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > > +42 (022) 888-30-71
> > > > > E-mail: info at acutus.pro
> > > > >
> > > > > On Fri, 2018-07-20 at 14:26 +0200, Daniel Teixeira wrote:
> > > > > > Hello,
> > > > > > I am trying to configure my userinfo token to get the groups as an
> > > > > > array of objects.
> > > > > > Currently if I add the "Group Membership" mapper in my client, an
> > > > > > array of Strings with the groups is returned.
> > > > > >
> > > > > > {
> > > > > >   "name": "Dummy User",
> > > > > >   "groups": ["group1", "group2", "group3"]
> > > > > >   ...
> > > > > > }
> > > > > >
> > > > > > But what I need for a SSO Confluence plugin to work is the following
> > > > > > format (the names of the attributes don't matter, but I need an array
> > > > > > of objects for the groups):
> > > > > >
> > > > > > {
> > > > > >   "name": "Dummy User",
> > > > > >   "groups": [ {"group_name": "group1"},
> > > > > >               {"group_name": "group2"},
> > > > > >               {"group_name": "group3"} ]
> > > > > >   ...
> > > > > > }
> > > > > >
> > > > > > So I have tried to create a Script Mapper as follows:
> > > > > >
> > > > > > var groups = [];
> > > > > > user.getGroups().forEach(function(groupModel) {
> > > > > >   var groupName = groupModel.getName();
> > > > > >   groups.push({"group_name": groupName});
> > > > > > })
> > > > > >
> > > > > > token.setOtherClaims("groups", groups);
> > > > > >
> > > > > > But this script produces a token as follows:
> > > > > >
> > > > > > {
> > > > > >   "name": "Dummy User",
> > > > > >   "groups": {
> > > > > >     "0": { "group_name": "group1" },
> > > > > >     "1": { "group_name": "group2" },
> > > > > >     "2": { "group_name": "group3" }
> > > > > >   },
> > > > > >   ....
> > > > > > }
> > > > > >
> > > > > > Which is not an array of objects, but a map of objects.
> > > > > > I have tried to toggle the option multivalued but it didn't change
> > > > > > anything.
> > > > > >
> > > > > > Is there a way to have an array?
> > > > > > Could someone help me with that?
> > > > > > Thanks in advance!
> > > > > >
> > > > > > Cheers,
> > > > > > Daniel Teixeira
> > > > > > _______________________________________________
> > > > > > keycloak-user mailing list
> > > > > > keycloak-user at lists.jboss.org
> > > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > > >
> > > > --
> > > > Daniel Teixeira
> >
> > --
> > Daniel Teixeira

--
Daniel Teixeira

From max.bruchmann at hotmail.com Wed Jul 25 05:06:35 2018
From: max.bruchmann at hotmail.com (Max Bruchmann)
Date: Wed, 25 Jul 2018 09:06:35 +0000
Subject: [keycloak-user] Keycloak Roles and Usergroups
In-Reply-To: <1532308706.2248.8.camel@acutus.pro>
References: <1531227488.7582.15.camel@acutus.pro> <1532308706.2248.8.camel@acutus.pro>
Message-ID:

Hi Dmitry,

thank you for your reply

> Keycloak, roles are not related to groups (however a group can reference roles to be automatically assigned to group members).

Yes, I just was not sure if I overlooked something here.

Regarding the fine-grained approach.
The problem would be that an User may be a PLAYER in a certain team/group but a COACH in a different team/group. I was thinking about creating roles like for example COACH at team1_1 and PLAYER at team_1_2. So during the permission evaulation I could parse this information. Unfortunatelly Keycloak has neither paging query support for Roles nor Groups and therefore this approach currently would not scale as you may generate a few thousand roles. My current idea is that I handle this hierachical role concept in a custom application and just use keycloak for authentication and global role management Kind Regards, Max Am 23.07.18 um 03:18 schrieb Dmitry Telegin: > Hi Max, > > On Thu, 2018-07-19 at 14:37 +0000, Max Bruchmann wrote: >> Hi Dmitry, >> >> do you know if there is any way to retrieve the group context of a >> role? > Could you please elaborate on the "group context of a role"? In > Keycloak, roles are not related to groups (however a group can > reference roles to be automatically assigned to group members). > >> My use case would be that I have multiple sport clubs (group) with >> multiple teams (subgroup) >> >> -club1 >> >> --team1_1 >> >> --team1_2 >> >> -club2 >> >> --team2_1 >> >> --team2_1 >> >> >> I have for example the role COACH but of course this role makes only >> sense in context of the team. > I agree with that, but what's the (bigger) problem you're trying to > solve? > > I'd imagine that you want to grant coaches some privileged access to the players' data; the coach should manage only the team he is assigned to. If that's what you're trying to do, I'd suggest the following: > > - create the "coach" role; > - grant this role to all coaches; > - put your coaches into the corresponding groups (teams); > - use fine-grained permissions to implement access rules (grant access to the players' data if the requester has the "coach" role and belongs to the same group as the player). > > Hope it helps, > Dmitry Telegin > CTO, Acutus s.r.o. 
> Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > >> As far as I understand keycloak this is currently not possible >> >> >> Kind Regards, >> >> Max >> >> >> Am 10.07.18 um 14:58 schrieb Dmitry Telegin: >>> Hi Vinay, >>> >>> ?From my experience, I'd tell that: >>> - roles are more likely to reflect person's functions in the >>> organization; >>> - groups?are more likely to reflect organizational structure. >>> >>> For example, if there are offices and departments (like "NY >>> Office", >>> "IT Department"), that would normally map to nested groups. >>> >>> On the other hand, business functions would rather map to roles >>> (like >>> "managers", "developers", "sysadmins" etc.) >>> >>> There's also a number of technical differences: >>> - akin to nested groups, there are composite roles. However, the >>> logic >>> is different: if you grant a composite role to a user, every child >>> role >>> would be granted, too (which is not true for groups); >>> - you can assign a role to a group (not vice versa); >>> - by default, Keycloak adapters can restrict access based on roles >>> only. If you want to use groups for the same, you'll need to turn >>> on >>> authorization services and create corresponding policies. >>> >>> Could you please elaborate on your particular use case? If you >>> describe >>> it briefly, I think we'll be able decide what's better for you. >>> >>> Dmitry Telegin >>> CTO, Acutus s.r.o. >>> Keycloak Consulting and Training >>> >>> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic >>> +42 (022) 888-30-71 >>> E-mail: info at acutus.pro >>> >>> On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote: >>>> What is a difference between keycloak roles and usergroups ? are >>>> they >>>> interchangeable i.e. can we use roles instead of groups or vice >>>> versa >>>> to >>>> address a problem ? 
>>>> Is it possible to have roles within roles, just like groups ?
>>>> Clear guidelines on how to use groups and roles will help.
>>>>
>>>> thanks
>>>> /Vinay
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>


From ddtxra at gmail.com Wed Jul 25 05:27:14 2018
From: ddtxra at gmail.com (Daniel Teixeira)
Date: Wed, 25 Jul 2018 11:27:14 +0200
Subject: [keycloak-user] Federated Identity linking custom attribute
Message-ID:

Hello,

When using a SAML Identity Provider to link to existing keycloak users, Keycloak uses the NameID to do the linking.
How can I use another SAML attribute to do the linking?

I have tried the "Username Template Importer" in the identity provider, but this only works when creating new users.
In my case the user is already created and I just need to do the linking.

Thanks in advance for your help,
Daniel


From corentin.dupont at gmail.com Wed Jul 25 06:07:30 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 25 Jul 2018 10:07:30 +0000
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

This is what I have:

JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true

On Tue, Jul 24, 2018 at 11:21 PM, Pedro Igor Silva wrote:
> Btw, how much you set your heap?
>
> Do you have limitations on cpu ?
>
> Could you share your JVM settings ?
>
> On Tue, Jul 24, 2018 at 8:11 PM, Pedro Igor Silva wrote:
>> We have now a performance testsuite (thanks to Tomaz) that can also
>> generate datasets to cover different scenarios. I'm in the middle of
>> checking Tomaz work and preparing some datasets to include in our testsuite.
>>
>> I'm going to give a try to your use case and see if I can get the same
>> numbers. Not sure if this is your case, but I found some performance issues
>> when defining multiple resources with a type where the owner is the
>> resource server itself. This causes an overhead during evaluation where the
>> engine tries to consider permissions granted to any of these typed
>> resources. Someone reported this some time ago, and IMO, this is an invalid
>> usage of resource types ... Not sure if this is your case though.
>>
>> More answers inline.
>>
>> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>
>>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva wrote:
>>>>
>>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>>
>>>>> Hi guys,
>>>>> I experience some performance issues on my API server using Keycloak.
>>>>> After someone issues a GET on my API server, here is what happens:
>>>>>
>>>>> - API server -> DB server: get requested resources
>>>>> - API server -> Keycloak: get client token (to get resources)
>>>>> - API server -> Keycloak: get resources (to complement DB server with
>>>>>   resource owner & visibility)
>>>>> - API server -> Keycloak: get user token (to get permission)
>>>>> - API server -> Keycloak: get permission (to filter resources)
>>>>> At this point the filtered resources are returned.
>>>>>
>>>>> But this process is quite slow. I noticed a call to KC can take up to
>>>>> 100ms.
>>>>> The complete call on the API server can take up to 600ms on my laptop, in
>>>>> localhost setting.
>>>>> The delays become noticeable on my UI...
>>>>>
>>>>
>>>> Are you able to confirm the step(s) spending more time to process ? If
>>>> when obtaining client tokens, resources or during evaluation ?
>>>>
>>>
>>> I made a quick benchmark, here is the result:
>>>
>>> - API server -> Keycloak: get client token: 400ms
>>> - API server -> Keycloak: get resources: 1356ms
>>> - API server -> Keycloak: get user token: 162ms
>>> - API server -> Keycloak: get permission: 2400ms
>>> Total: 4366ms
>>>
>>> However, these timings are obtained only on the first try after I reboot
>>> the server.
>>> The next calls are faster. Maybe it's due to caching?
>>>
>>> - API server -> Keycloak: get client token: 17ms
>>> - API server -> Keycloak: get resources: 19ms
>>> - API server -> Keycloak: get user token: 92ms
>>> - API server -> Keycloak: get permission: 314ms
>>> Total: 476ms
>>>
>> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will see
>> what we can improve.
>>
>> Thanks for the numbers. Wondering if you have percentiles for these
>> requests ? Or this happens when you send a single request ?
>>
>>> So yes, it's the evaluation taking time (and user token on a lesser
>>> extent).
>>> On this call, I need to get permissions for all resources on one scope:
>>> permissions=#sensors:view
>>> Because I need to filter out the resources the user cannot see.
>>> There are around 70 resources and 3 policies (one user policy and 2
>>> javascript).
>>> Keycloak is in a docker container.
>>>
>> I'm working with more aggressive numbers, and results are better than
>> yours. However, all depends on how you are setting up your settings. Need
>> to check your setup and see if I can create a dataset based on it.
>>
>> Could you send me an example of those javascript policies ? Are they
>> doing much ? Do you have more than one user per user policy ?
>>
>>>
>>>> Also, could you elaborate more what this step is doing: "- API server
>>>> -> Keycloak: get resources (to complement DB server with
>>>> resource owner & visibility)" ?
>>>>
>>>
>>> I read the resources from Keycloak (authz/protection/resource_set/)
>>> because I need to return the owner of the resource in my server response.
>>>
>>>>
>>>>> With a resource SPI strategy (if developed), it should be:
>>>>>
>>>>> - API server -> DB server: get requested resources
>>>>> - API server -> Keycloak: get user token (to get permission)
>>>>> - API server -> Keycloak: get permission (to filter resources)
>>>>> - Keycloak -> DB server: get resources
>>>>>
>>>>> There are slightly fewer requests. Additional gain is that resources are
>>>>> not split between 2 databases.
>>>>>
>>>>> I wonder if resources could be pushed during the permission request? Like a
>>>>> "pushed claim".
>>>>> This would be even more straightforward:
>>>>>
>>>>> - API server -> DB server: get requested resources
>>>>> - API server -> Keycloak: get user token (to get permission)
>>>>> - API server -> Keycloak: get permission and push resources
>>>>>
>>>>> Can this work?
>>>>>
>>>> I think this is an area we might want to improve in order to allow
>>>> evaluating permissions solely based on claims pushed to the server. That
>>>> means you won't need to manage resources in the server but rely on policies
>>>> to process the "pushed claims".
>>>>
>>> Yes that would be great. Let me open a Jira to track this.
>>>
>>>> +1
>>>>
>>>
>>
>


From corentin.dupont at gmail.com Wed Jul 25 06:58:17 2018
From: corentin.dupont at gmail.com (Corentin Dupont)
Date: Wed, 25 Jul 2018 10:58:17 +0000
Subject: [keycloak-user] Permissions: Slow/complex interactions
In-Reply-To:
References:
Message-ID:

On Tue, Jul 24, 2018 at 11:11 PM, Pedro Igor Silva wrote:
> We have now a performance testsuite (thanks to Tomaz) that can also
> generate datasets to cover different scenarios. I'm in the middle of
> checking Tomaz work and preparing some datasets to include in our testsuite.
>
Great!

> I'm going to give a try to your use case and see if I can get the same
> numbers. Not sure if this is your case, but I found some performance issues
> when defining multiple resources with a type where the owner is the
> resource server itself. This causes an overhead during evaluation where the
> engine tries to consider permissions granted to any of these typed
> resources. Someone reported this some time ago, and IMO, this is an invalid
> usage of resource types ... Not sure if this is your case though.
>
I don't really use the type of resource, actually... How do you make a permission request based on types?

> More answers inline.
>
> On Tue, Jul 24, 2018 at 7:24 PM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>
>> On Tue, Jul 24, 2018 at 11:51 AM, Pedro Igor Silva wrote:
>>>
>>> On Tue, Jul 24, 2018 at 7:54 AM, Corentin Dupont <corentin.dupont at gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> I experience some performance issues on my API server using Keycloak.
>>>> After someone issues a GET on my API server, here is what happens:
>>>>
>>>> - API server -> DB server: get requested resources
>>>> - API server -> Keycloak: get client token (to get resources)
>>>> - API server -> Keycloak: get resources (to complement DB server with
>>>>   resource owner & visibility)
>>>> - API server -> Keycloak: get user token (to get permission)
>>>> - API server -> Keycloak: get permission (to filter resources)
>>>> At this point the filtered resources are returned.
>>>>
>>>> But this process is quite slow. I noticed a call to KC can take up to
>>>> 100ms.
>>>> The complete call on the API server can take up to 600ms on my laptop, in
>>>> localhost setting.
>>>> The delays become noticeable on my UI...
>>>>
>>> Are you able to confirm the step(s) spending more time to process ? If
>>> when obtaining client tokens, resources or during evaluation ?
>>>
>> I made a quick benchmark, here is the result:
>>
>> - API server -> Keycloak: get client token: 400ms
>> - API server -> Keycloak: get resources: 1356ms
>> - API server -> Keycloak: get user token: 162ms
>> - API server -> Keycloak: get permission: 2400ms
>> Total: 4366ms
>>
>> However, these timings are obtained only on the first try after I reboot
>> the server.
>> The next calls are faster. Maybe it's due to caching?
>>
>> - API server -> Keycloak: get client token: 17ms
>> - API server -> Keycloak: get resources: 19ms
>> - API server -> Keycloak: get user token: 92ms
>> - API server -> Keycloak: get permission: 314ms
>> Total: 476ms
>>
> Yeah, it is caching. But numbers for steps #2 and #4 are high. Will see
> what we can improve.
>
> Thanks for the numbers. Wondering if you have percentiles for these
> requests ? Or this happens when you send a single request ?
>
This is a single request... I scrapped the timestamps in my traces.

>> So yes, it's the evaluation taking time (and user token on a lesser
>> extent).
>> On this call, I need to get permissions for all resources on one scope:
>> permissions=#sensors:view
>> Because I need to filter out the resources the user cannot see.
>> There are around 70 resources and 3 policies (one user policy and 2
>> javascript).
>> Keycloak is in a docker container.
>>
> I'm working with more aggressive numbers, and results are better than
> yours. However, all depends on how you are setting up your settings. Need
> to check your setup and see if I can create a dataset based on it.
>
> Could you send me an example of those javascript policies ? Are they doing
> much ? Do you have more than one user per user policy ?
>
I attach my 2 javascript policies. They are very simple, should be O(1).
The user policy has 3 users.

>>> Also, could you elaborate more what this step is doing: "- API server
>>> -> Keycloak: get resources (to complement DB server with
>>> resource owner & visibility)" ?
>>>
>> I read the resources from Keycloak (authz/protection/resource_set/)
>> because I need to return the owner of the resource in my server response.
>>
>>>> With a resource SPI strategy (if developed), it should be:
>>>>
>>>> - API server -> DB server: get requested resources
>>>> - API server -> Keycloak: get user token (to get permission)
>>>> - API server -> Keycloak: get permission (to filter resources)
>>>> - Keycloak -> DB server: get resources
>>>>
>>>> There are slightly fewer requests. Additional gain is that resources are
>>>> not split between 2 databases.
>>>>
>>>> I wonder if resources could be pushed during the permission request? Like a
>>>> "pushed claim".
>>>> This would be even more straightforward:
>>>>
>>>> - API server -> DB server: get requested resources
>>>> - API server -> Keycloak: get user token (to get permission)
>>>> - API server -> Keycloak: get permission and push resources
>>>>
>>>> Can this work?
>>>>
>>> I think this is an area we might want to improve in order to allow
>>> evaluating permissions solely based on claims pushed to the server. That
>>> means you won't need to manage resources in the server but rely on policies
>>> to process the "pushed claims".
>>>
>> Yes that would be great. Let me open a Jira to track this.
>>
>>> +1
>>>
>>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: resourceOwner
Type: application/octet-stream
Size: 240 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180725/8503f864/attachment.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: publicResource
Type: application/octet-stream
Size: 329 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180725/8503f864/attachment-0001.obj


From Yann.Jouanin at witbe.net Wed Jul 25 09:10:36 2018
From: Yann.Jouanin at witbe.net (Yann Jouanin)
Date: Wed, 25 Jul 2018 13:10:36 +0000
Subject: [keycloak-user] IdP selection based on email address
Message-ID:

Hello,

We are using keycloak with multiple IdP from our customers. Because we don't want to offer a list of Idp (customer A can't use the idp of customer B), I would like to prompt the user for the email address first and decide then to redirect to a specific IdP based on the domain as an example.

Can somebody here advise me on the greatest way to implement this behavior?
My first thought was to use a custom flow with a script, but I can't find how to specify the idp to use using script.
Best regards,
Yann Jouanin


From pnalyvayko at agi.com Wed Jul 25 13:46:18 2018
From: pnalyvayko at agi.com (Nalyvayko, Peter)
Date: Wed, 25 Jul 2018 17:46:18 +0000
Subject: [keycloak-user] Alternative client-cert authentication
In-Reply-To: <00d101d423eb$ef0388e0$cd0a9aa0$@netsetglobal.rs>
References: <00c301d42351$537f93e0$fa7ebba0$@netsetglobal.rs> <00d101d423eb$ef0388e0$cd0a9aa0$@netsetglobal.rs>
Message-ID:

Nikola,

It seems your authentication config has two flows at the same level, whereas in my case I have a top level flow with x509 step and the browser forms at the same level.

-----Original Message-----
From: Nikola Malenic
Sent: Wednesday, July 25, 2018 3:49 AM
To: Nalyvayko, Peter ; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Alternative client-cert authentication

Thank you very much. It seems it works. At least, I am getting form for user-pass, since I didn't configure certificates.
Can you tell what I have done wrong? This is my configuration:

Auth type                        Requirement   Type
Flow1                            ALTERNATIVE   Flow
==> X509/Validate Username Form  ALTERNATIVE   (execution step, Flow1)
Flow2                            ALTERNATIVE   Flow
==> Username Password Form       REQUIRED      (sub-flow, Flow2)

-----Original Message-----
From: Nalyvayko, Peter [mailto:pnalyvayko at agi.com]
Sent: Tuesday, July 24, 2018 7:03 PM
To: Nikola Malenic ; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Alternative client-cert authentication

Hi Nikola,

Try this:

Auth type                          Requirement   Type
X509                               ALTERNATIVE   Flow
==> X509/Validate Username Form    ALTERNATIVE   (execution step, X509 flow)
==> Browser Forms                  ALTERNATIVE   (sub-flow, X509 flow)
====> Username Password Form       REQUIRED      (execution step, Browser Forms flow)

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Nikola Malenic
Sent: Tuesday, July 24, 2018 9:22 AM
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Alternative client-cert authentication

I am configuring browser flow and would like to provide users with certificates with capability to login immediately. Users which don't have (send) certificate should be able to login with username+password (form would be presented to them).

I configured two ALTERNATIVE subflows inside browser flow. First subflow has X509/Validate Username Form execution as ALTERNATIVE and second flow has Username Password Form as REQUIRED.

The problem is that when I access admin console I am not shown form to enter username and password since I didn't send certificate. I get this error: "Invalid username or password.". It seems that the second flow is automatically executed, but since I didn't send username and password it finishes unsuccessfully.

Do you have any idea how to configure this?

Many thanks,
Nikola


From orivat at janua.fr Wed Jul 25 18:04:04 2018
From: orivat at janua.fr (Olivier Rivat)
Date: Thu, 26 Jul 2018 00:04:04 +0200
Subject: [keycloak-user] Saas muti-tenant architecture with multi-step authentication process
In-Reply-To:
References:
Message-ID:

Hi,

Any update/feedback ?

Regards,

Olivier

On 24/07/2018 at 18:46, Olivier Rivat wrote:
>
>
> Hi,
>
>
> *1) introduction*
>
> I have a multi-tenant architecture deployed with keycloak.
> At first, to investigate multi-tenant architecture, I have followed
> what is available within keycloak:
>
> documentation
>
> * https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
>
> examples:
>
> * https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>
> The same application is deployed in both tenants with
>
> * http://localhost:8080/multitenant/tenant1 and login as
>   user-tenant1, password user-tenant1
> * http://localhost:8080/multitenant/tenant2 and login as
>   user-tenant2, password user-tenant2
>
> When you specify http://localhost:8080/multitenant/tenant1, you are
> redirected to tenant1, and you need to authenticate.
>
>
> *2) description of the problem*
>
> The issue I am facing, is that I have a customer client application,
> which can redirect to several different realms.
>
> The realm selection is based on the email address.
>
> * user1 at foo.com ---> should redirect to realm foo
> * user2 at bar.com ---> should redirect to realm bar
>
> In fact, the email analysis should redirect to the correct realm (foo
> or bar, or more).
>
> Once I have the login screen of the corresponding realm1, it is the same as
> in /introduction/, where user authenticates normally in his specific
> tenant.
>
>
> *3) Authentication workflow requirement*
>
> In fact the authentication workflow process should be as follows:
>
> *step1*
>
> * General welcome panel
> * the user enters his email address
> * based on the analysis of his welcome address, the user is
>   redirected to a specific authentication realm (foo or bar or more)
>
> *step 2*
>
> * The user enters his login/password in realm login authentication screen
>
>
> After analysis, it sounds like the keycloak authentication
> process needs to be updated/modified with
>
> 1. adding an extra additional step (which is a general form asking
>    for email)
> 2. based on the email analysis, the corresponding tenant login
>    screen is presented to the tenant
> 3. the user authenticates to the tenant with his login/password.
>
>
> *4) How to move forward*
>
> For information, Azure and atlassian already implement such a
> redirection mechanism in SAAS multi tenant architecture.
> Keycloak documentation does not seem to mention such a
> possibility to tailor "out of the box" the authentication workflow to
> our needs.
>
> Could the mechanism described above be achieved by customizing the
> authentication workflow by developing a specific authentication SPI
> plugin which could handle both steps mentioned above ?
>
> Does this approach sound correct to you, or is it something to rule out ?
>
> Or would you advise another approach ?
>
> Tkx for your help.
>
>
> Regards,
>
> Olivier
>
> --
>
> Olivier Rivat
> CTO
> orivat at janua.fr
> Gsm: +33(0)682 801 609
> Tél: +33(0)489 829 238
> Fax: +33(0)955 260 370
> http://www.janua.fr

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr


From ushanas at gmail.com Wed Jul 25 18:36:43 2018
From: ushanas at gmail.com (Ushanas Shastri)
Date: Thu, 26 Jul 2018 04:06:43 +0530
Subject: [keycloak-user] SSO with multiple domains
Message-ID:

Hello,

We have 4 different applications, hosted on 3 unique servers. All applications are protected by KeyCloak. All apps are built on AngularJS.

In cases where we have multiple tabs open (one for each application) in Chrome, when users logout from one Tab, the other tabs don't always logout. Post this, applications that we login to keep getting unauthorized, and I assume that the tokens have been invalidated.

I've tried version 3.0 and 3.2.1.

I'm looking for any guidance and best practices to handle such cases.

Regards,
Ushanas.
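The cross-tab logout behaviour Ushanas describes above, as an added example that is not part of the thread and not keycloak-js code: the script below simulates, offline, how the keycloak-js adapter notices a logout performed in another tab (with `checkLoginIframe` enabled, every tab periodically asks the Keycloak login-status iframe whether the session it knows still matches the realm's SSO cookie; on "changed" the adapter drops its token and fires `onAuthLogout`), and shows the application-side wiring that turns that signal, or a failed refresh, into a single clean re-login instead of a tab that keeps collecting 401 responses. Only the callback names `onAuthLogout` and `onAuthRefreshError` are the adapter's real API; `SsoSessionCookie`, `FakeAdapter`, `installSessionHandlers` and the session id `sess-1` are constructed stand-ins.

```javascript
'use strict';

// Constructed stand-in for the realm's SSO session cookie. Every tab that
// talks to the same Keycloak origin shares it, whatever domain the
// application itself is served from, which is why the check works across apps.
function SsoSessionCookie(sessionId) {
  this.sessionId = sessionId;
}
SsoSessionCookie.prototype.logout = function () {
  this.sessionId = null;
};
// What the login-status iframe answers when a tab asks whether the session
// it knows is still the one in the cookie.
SsoSessionCookie.prototype.status = function (knownSessionId) {
  return this.sessionId === knownSessionId ? 'unchanged' : 'changed';
};

// Constructed stand-in for one tab's keycloak-js instance. Only the callback
// slots onAuthLogout and onAuthRefreshError mirror the real adapter.
function FakeAdapter(cookie, sessionId) {
  this.cookie = cookie;
  this.sessionId = sessionId;
  this.authenticated = true;
  this.token = 'constructed-token-' + sessionId;
  this.onAuthLogout = null;
  this.onAuthRefreshError = null;
}
// One tick of the adapter's periodic session-status check: on 'changed' the
// adapter clears its token and fires onAuthLogout (once, since it is then
// no longer authenticated).
FakeAdapter.prototype.pollSessionStatus = function () {
  if (!this.authenticated) return;
  if (this.cookie.status(this.sessionId) === 'changed') {
    this.authenticated = false;
    this.token = null;
    if (this.onAuthLogout) this.onAuthLogout();
  }
};
// A logout initiated from this tab ends the shared SSO session.
FakeAdapter.prototype.logout = function () {
  this.cookie.logout();
  this.authenticated = false;
  this.token = null;
};

// Application-side wiring: what an AngularJS app installs on the adapter so a
// session ended elsewhere is acted on exactly once, by clearing local state
// and asking for a fresh login, rather than letting API calls fail with 401.
function installSessionHandlers(kc, hooks) {
  var state = { reason: null, loginRequested: false };
  function endSession(reason) {
    if (state.reason) return;        // first signal wins; later ones are ignored
    state.reason = reason;
    hooks.clearLocalState();         // app-specific: cached data, in-memory tokens
    state.loginRequested = true;
    hooks.requestLogin();            // kc.login() in the browser
  }
  kc.onAuthLogout = function () { endSession('sso-logout'); };
  kc.onAuthRefreshError = function () { endSession('refresh-failed'); };
  return state;
}

// Drive three tabs sharing one SSO session (for instance two apps on
// different domains plus a second tab of one of them), log out from the
// first tab, and return the reason each tab ended its session with.
function simulateLogoutPropagation() {
  var cookie = new SsoSessionCookie('sess-1');
  var tabs = [0, 1, 2].map(function () { return new FakeAdapter(cookie, 'sess-1'); });
  var noop = function () {};
  var states = tabs.map(function (kc) {
    return installSessionHandlers(kc, { clearLocalState: noop, requestLogin: noop });
  });
  tabs[0].logout();
  tabs.forEach(function (kc) { kc.pollSessionStatus(); });
  tabs.forEach(function (kc) { kc.pollSessionStatus(); });   // second tick: nothing fires again
  return states.map(function (s) { return s.reason; });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(simulateLogoutPropagation());   // [ null, 'sso-logout', 'sso-logout' ]
}
```

The tab that initiated the logout never sees `onAuthLogout` (it is redirected to the logout endpoint instead), which is why its reason stays `null`; the other two pick the change up on their next poll. In the real adapter the poll interval is `checkLoginIframeInterval` seconds, so a tab can keep a stale token for up to that long, and an adapter initialised with `onLoad: 'login-required'` also calls `kc.login()` itself right after firing the callback.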
From dt at acutus.pro Wed Jul 25 19:08:54 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 26 Jul 2018 02:08:54 +0300
Subject: [keycloak-user] Saas muti-tenant architecture with multi-step authentication process
In-Reply-To:
References:
Message-ID: <1532560134.2078.1.camel@acutus.pro>

Hi Olivier,

The situation is more or less clear. Off the top of my head, there's one caveat here. In Keycloak, almost everything is per-realm. Login screens, authentication flows, custom authenticators etc. - all of them are defined per realm. So, if you decide to build email -> tenant realm translation logic into Keycloak, you will have to bind it to some well-known realm (different from tenant realms). Master realm seems a perfect candidate here; however, there's yet another caveat, because there were rumors that the concept of master realm can be deprecated/removed in the future. This of course needs to be checked with Keycloak devs. If it's true, you can create a dedicated dummy realm just for these purposes; but for now I think it's OK to use master realm.

I'd suggest the following:
- implement custom authenticator, named e.g. "Tenant Redirector";
- using the new Theme Resource SPI, make this authenticator inject an additional screen into the login theme, that will be email form;
- implement tenant resolution & redirection. To improve user experience, you can extract login from email and pass it to the target realm as a parameter, so that the user won't need to enter login name, and will be immediately taken to the password entry.
- configure master realm to use your authenticator. However, you will have to preserve the ability for your admins to log into master realm in a traditional way. (This won't be relevant if non-master dummy realm is used.)

Another approach is not to use custom authenticator at all, but rather implement custom REST resource that will serve a single page (email form) upon GET and process it upon POST.
Benefits are that custom REST resources are automatically published in all realms, so no matter which realm you'll use for redirection.

So do these scenarios address your problem?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Tue, 2018-07-24 at 18:46 +0200, Olivier Rivat wrote:
> Hi,
>
>
> *1) introduction*
>
> I have a multi-tenant architecture deployed with keycloak.
> At first, to investigate multi-tenant architecture, I have followed what
> is available within keycloak:
>
> documentation
>
>   * https://www.keycloak.org/docs/latest/securing_apps/index.html#_multi_tenancy
>
> examples:
>
>   * https://github.com/keycloak/keycloak/tree/master/examples/multi-tenant
>
> The same application is deployed in both tenants with
>
>   * http://localhost:8080/multitenant/tenant1 and login as
>     user-tenant1, password user-tenant1
>   * http://localhost:8080/multitenant/tenant2 and login as user-tenant2,
>     password user-tenant2
>
> When you specify http://localhost:8080/multitenant/tenant1, you are
> redirected to tenant1, and you need to authenticate.
>
>
> *2) description of the problem*
>
> The issue I am facing, is that I have a customer client application,
> which can redirect to several different realms.
>
> The realm selection is based on the email address.
>
>   * user1 at foo.com ---> should redirect to realm foo
>   * user2 at bar.com ---> should redirect to realm bar
>
> In fact, the email analysis should redirect to the correct realm (foo or
> bar, or more).
>
> Once I have the login screen of the corresponding realm1, it is the same as
> in /introduction/, where user authenticates normally in his specific
> tenant.
>
>
> *3) Authentication workflow requirement*
>
> In fact the authentication workflow process should be as follows:
>
> *step1*
>
>   * General welcome panel
>   * the user enters his email address
>   * based on the analysis of his welcome address, the user is
>     redirected to a specific authentication realm (foo or bar or more)
>
>
> *step 2*
>
>   * The user enters his login/password in realm login authentication screen
>
>
> After analysis, it sounds like the keycloak authentication process
> needs to be updated/modified with
>
>     1. adding an extra additional step (which is a general form asking
>        for email)
>     2. based on the email analysis, the corresponding tenant login
>        screen is presented to the tenant
>     3. the user authenticates to the tenant with his login/password.
>
>
> *4) How to move forward*
>
> For information, Azure and atlassian already implement such a
> redirection mechanism in SAAS multi tenant architecture.
> Keycloak documentation does not seem to mention such a possibility
> to tailor "out of the box" the authentication workflow to our needs.
>
> Could the mechanism described above be achieved by customizing the
> authentication workflow by developing a specific authentication SPI
> plugin which could handle both steps mentioned above ?
>
> Does this approach sound correct to you, or is it something to rule out ?
>
> Or would you advise another approach ?
>
> Tkx for your help.
>
>
> Regards,
>
> Olivier
>


From dt at acutus.pro Wed Jul 25 19:49:27 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 26 Jul 2018 02:49:27 +0300
Subject: [keycloak-user] IdP selection based on email address
In-Reply-To:
References:
Message-ID: <1532562567.2078.7.camel@acutus.pro>

Hi Yann,

Script-based authenticator should be perfect here.
For how to implement redirection to IdP, take a look at how it is done in IdentityProviderAuthenticator (that shows in the GUI as "Identity Provider Redirector"):

List<IdentityProviderModel> identityProviders = context.getRealm().getIdentityProviders();

https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/authentication/authenticators/browser/IdentityProviderAuthenticator.java#L66

Basically, you'll need to implement the same in JavaScript.

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-07-25 at 13:10 +0000, Yann Jouanin wrote:
> Hello,
>
> We are using keycloak with multiple IdP from our customers. Because
> we don't want to offer a list of Idp (customer A can't use the idp of
> customer B), I would like to prompt the user for the email address
> first and decide then to redirect to a specific IdP based on the
> domain as an example.
>
> Can somebody here advise me on the greatest way to implement
> this behavior?
> My first thought was to use a custom flow with a script, but I can't
> find how to specify the idp to use using script.
>
>
> Best regards,
> Yann Jouanin
>


From dt at acutus.pro Wed Jul 25 19:58:24 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 26 Jul 2018 02:58:24 +0300
Subject: [keycloak-user] Keycloak Roles and Usergroups
In-Reply-To:
References: <1531227488.7582.15.camel@acutus.pro> <1532308706.2248.8.camel@acutus.pro>
Message-ID: <1532563104.2078.9.camel@acutus.pro>

Hi Max,

What about user attributes? No matter which team/group the Coach is in, you can go to User > Attributes, and add a multivalued attribute describing teams/groups this coach should have access to.
(The values should be separated with ##)

After that, you'll be able (hopefully :) to use this info in a JavaScript policy for permission evaluation.

Cheers,
Dmitry

On Wed, 2018-07-25 at 09:06 +0000, Max Bruchmann wrote:
> Hi Dmitry,
>
> thank you for your reply
>
> > Keycloak, roles are not related to groups (however a group can reference roles to be automatically assigned to group members).
>
> Yes I just was not sure if I overlooked something here.
>
> Regarding the fine grained approach. The problem would be that a User may be a PLAYER in a certain team/group but a COACH in a different team/group.
>
> I was thinking about creating roles like for example COACH at team1_1 and PLAYER at team_1_2. So during the permission evaluation I could parse this information.
>
> Unfortunately Keycloak has neither paging query support for Roles nor Groups and therefore this approach currently would not scale as you may generate a few thousand roles.
>
> My current idea is that I handle this hierarchical role concept in a custom application and just use keycloak for authentication and global role management
>
>
> Kind Regards,
> Max
>
> On 23.07.18 at 03:18, Dmitry Telegin wrote:
> > Hi Max,
> >
> > On Thu, 2018-07-19 at 14:37 +0000, Max Bruchmann wrote:
> > > Hi Dmitry,
> > >
> > > do you know if there is any way to retrieve the group context of a
> > > role?
> >
> > Could you please elaborate on the "group context of a role"? In
> > Keycloak, roles are not related to groups (however a group can
> > reference roles to be automatically assigned to group members).
> >
> > > My use case would be that I have multiple sport clubs (group) with
> > > multiple teams (subgroup)
> > >
> > > -club1
> > >
> > > --team1_1
> > >
> > > --team1_2
> > >
> > > -club2
> > >
> > > --team2_1
> > >
> > > --team2_1
> > >
> > >
> > > I have for example the role COACH but of course this role makes only
> > > sense in context of the team.
> >
> > I agree with that, but what's the (bigger) problem you're trying to
> > solve?
> >
> > I'd imagine that you want to grant coaches some privileged access to the players' data; the coach should manage only the team he is assigned to. If that's what you're trying to do, I'd suggest the following:
> >
> > - create the "coach" role;
> > - grant this role to all coaches;
> > - put your coaches into the corresponding groups (teams);
> > - use fine-grained permissions to implement access rules (grant access to the players' data if the requester has the "coach" role and belongs to the same group as the player).
> >
> > Hope it helps,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > > As far as I understand keycloak this is currently not possible
> > >
> > >
> > > Kind Regards,
> > >
> > > Max
> > >
> > >
> > > On 10.07.18 at 14:58, Dmitry Telegin wrote:
> > > > Hi Vinay,
> > > >
> > > > From my experience, I'd tell that:
> > > > - roles are more likely to reflect person's functions in the organization;
> > > > - groups are more likely to reflect organizational structure.
> > > >
> > > > For example, if there are offices and departments (like "NY Office",
> > > > "IT Department"), that would normally map to nested groups.
> > > >
> > > > On the other hand, business functions would rather map to roles (like
> > > > "managers", "developers", "sysadmins" etc.)
> > > >
> > > > There's also a number of technical differences:
> > > > - akin to nested groups, there are composite roles.
> > > > However, the logic is different: if you grant a composite role to a user, every child role would be granted, too (which is not true for groups);
> > > > - you can assign a role to a group (not vice versa);
> > > > - by default, Keycloak adapters can restrict access based on roles only. If you want to use groups for the same, you'll need to turn on authorization services and create corresponding policies.
> > > >
> > > > Could you please elaborate on your particular use case? If you describe it briefly, I think we'll be able to decide what's better for you.
> > > >
> > > > Dmitry Telegin
> > > > CTO, Acutus s.r.o.
> > > > Keycloak Consulting and Training
> > > >
> > > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > > +42 (022) 888-30-71
> > > > E-mail: info at acutus.pro
> > > >
> > > > On Mon, 2018-07-09 at 12:39 -0400, Vinay wrote:
> > > > > What is the difference between Keycloak roles and user groups? Are they interchangeable, i.e. can we use roles instead of groups or vice versa to address a problem? Is it possible to have roles within roles, just like groups?
> > > > > Clear guidelines on how to use groups and roles will help.
> > > > >
> > > > > thanks
> > > > > /Vinay
> > > > > _______________________________________________
> > > > > keycloak-user mailing list
> > > > > keycloak-user at lists.jboss.org
> > > > > https://lists.jboss.org/mailman/listinfo/keycloak-user

From matthew.evans at oracle.com Wed Jul 25 20:13:33 2018
From: matthew.evans at oracle.com (Matt Evans)
Date: Wed, 25 Jul 2018 17:13:33 -0700 (PDT)
Subject: [keycloak-user] Passwords for keycloak
In-Reply-To: <1532306899.2248.2.camel@acutus.pro>
References: <172baf42-154e-451f-a252-8ec0609d3372@default> <9dde4736-45d7-4cb3-b346-2dd4a604fd5e@default> <1532306899.2248.2.camel@acutus.pro>
Message-ID: <82367715-4fdd-42d5-b1e6-e2a4ddb9b8db@default>

Hi Dmitry

Thanks for the tips! We've not made much progress with this at present, I was just doing some research to see what would be needed when we get to it.

Thanks
Matt

-----Original Message-----
From: Dmitry Telegin
Sent: Monday, 23 July 2018 10:48 AM
To: Matt Evans ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Passwords for keycloak

Hi Matt,

Seems like you've already figured out everything yourself :) After you have your CredentialStoreSpi implemented, you should be able to use "--credential-reference={store=my_store, alias=database-pw}" instead of "--password" while configuring the datasource via jboss-cli.sh.

How is it going with the implementation? BTW, is it HashiCorp Vault you're trying to integrate with?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-07-18 at 22:08 -0700, Matt Evans wrote:
> Doing a bit of further googling about jboss/wildfly, should I be looking at implementing the CredentialStoreSpi as detailed in section 4.1.8 of this article?
>
> https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.1/html/how_to_configure_server_security/securely_storing_credentials
>
> Could I then use that credential store to configure the data source?
>
> Thanks
>
> Matt
>
> -----Original Message-----
> From: Matt Evans
> Sent: Thursday, 19 July 2018 2:42 PM
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Passwords for keycloak
>
> Is it possible to extend Keycloak to read its settings, specifically passwords, from a secure configuration store? For example, how would I go about having Keycloak read the password for the database connection from a secure store, so it's not stored in the config files on the machine, or passed as command line parameters?
>
> Thanks
>
> Matt

From dt at acutus.pro Wed Jul 25 20:32:25 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Thu, 26 Jul 2018 03:32:25 +0300
Subject: [keycloak-user] Outbound SSL Connection in SPI
In-Reply-To: References: Message-ID: <1532565145.2078.11.camel@acutus.pro>

Hi Henning,

The HttpClientProvider scenario is more correct. But can you try session.getProvider(HttpClientProvider.class), instead of creating it manually? Does it make any difference? If not, what does session.getProvider(TruststoreProvider.class) return? If it is null, the next question I'm going to ask you will be "do you know how to attach a debugger to your Keycloak process?" :)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-07-25 at 09:45 +0200, Henning Waack wrote:
> Any input on this? Kinda stuck with this issue... Thanks!
>
> On 24 July 2018 at 11:18, Henning Waack <henning.waack at codecentric.de> wrote:
> > Hi.
> >
> > I am implementing a custom OIDC Protocol Mapper.
> > Within it I have to make an https connection, which currently fails because I do not have a truststore configured on my http connection.
> >
> > I have added a truststore SPI to my standalone.xml:
> >
> > [truststore SPI configuration lost in extraction; only the attribute value="WILDCARD" survived]
> >
> > But I do not know how to get a HttpClient instance which uses this truststore. I have tried with:
> >
> > org.apache.http.client.HttpClient httpClient = new org.keycloak.connections.httpclient.HttpClientBuilder().build();
> >
> > and
> >
> > DefaultHttpClientFactory factory = new DefaultHttpClientFactory();
> > HttpClientProvider httpClientProvider = factory.create((KeycloakSession)session);
> > return httpClientProvider.getHttpClient();
> >
> > whereas the first just does not have the truststore configured, and the second fails with an NPE.
> >
> > So how do I get an outbound http connection which uses my truststore SPI?
> >
> > Thanks & greetings
> >
> > Henning
> > --
> > -----------
> > Henning Waack | IT Consultant
> > codecentric AG | Hochstraße 11 | 42697 Solingen | Germany
> > tel: +49 (0)151 108 515 29
> > www.codecentric.de | blog.codecentric.de | www.meettheexperts.de
> > Registered office: Solingen | HRB 25917 | Amtsgericht Wuppertal
> > Management Board: Michael Hochgärtel . Ulrich Kühn . Rainer Vehns
> > Supervisory Board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz
> >
> > This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please notify the sender immediately and delete this e-mail and any attached files without delay. Unauthorized copying, use or opening of any attached files, as well as unauthorized forwarding of this e-mail, is not permitted.

From will.lopez77 at gmail.com Thu Jul 26 00:36:36 2018
From: will.lopez77 at gmail.com (Will Lopez)
Date: Wed, 25 Jul 2018 21:36:36 -0700
Subject: [keycloak-user] Make query string param available in marker template
Message-ID: <1FE93541-0864-4BEA-8C28-4F020F727614@gmail.com>

Hello,

I have a use case where I need to render a block of HTML depending on the value of a query string param in the login page. The value will be coming from the login URL, similar to this:

http://localhost:8080/auth/realms/default/protocol/openid-connect/auth?client_id=reaction-next-starterkit&redirect_uri=http://localhost:4000/auth&state=dc243a13-3fd9-4e64-a5f7-cb4dbc67243a&response_mode=fragment&response_type=id_token token&scope=openid&nonce=aa48185b-0582-4d4a-8f36-b6d01d7e72c6&app=1&customvar=1

I would like to have customvar available in the login.ftl to accomplish my objective. So far I have tried to retrieve the baseUrl from the client bean, but it's not available; the app crashes when I attempt to access baseUrl.

Thanks in advance for any help.

~Will

From scotthezzell at hotmail.com Thu Jul 26 04:58:55 2018
From: scotthezzell at hotmail.com (Scott Hezzell)
Date: Thu, 26 Jul 2018 08:58:55 +0000
Subject: [keycloak-user] Mobile client - recommended forgotten password flow
Message-ID:

Hi all

What is the recommended process for a forgotten password flow from a mobile client? I have enabled 'Forgotten Password' at the realm level and the flow works nicely from a web client using the 'Forgotten Password' link from the login page.
When I try the flow from a mobile client, as it opens the initial login page and the 'send reset email' page in a different browser session to the one I open the reset email link into, I 'lose' the authentication session and Keycloak defaults the client to the account client instead of the mobile client.

Any advice from anyone who has faced a similar problem would be greatly appreciated.

Scott

From Yann.Jouanin at witbe.net Thu Jul 26 05:12:05 2018
From: Yann.Jouanin at witbe.net (Yann Jouanin)
Date: Thu, 26 Jul 2018 09:12:05 +0000
Subject: [keycloak-user] IdP selection based on email address
In-Reply-To: <1532562567.2078.7.camel@acutus.pro>
References: <1532562567.2078.7.camel@acutus.pro>
Message-ID:

Hello,

Thanks for your reply. Indeed I managed to write the function attached in JavaScript and I was able to redirect to an IdP for specific domains.

I have an additional question: is there a way to continue the flow (in my case I would like to optionally prompt for OTP)? My current flow is:

"cookies" (alternative)
"Choose User" (required)
Script (select idp) (required) (the script redirects to the idp for some domains, otherwise triggers context.success)
Subflow forms (optional):
- Username Password Form (required)
- OTP Form (optional)

Did I misunderstand the flow usage? Now when a user is authenticated using my idp but has an OTP, the OTP is not prompted.

Best regards,
Yann

-------- FUNCTIONS ---------

Authenticate function:

function authenticate(context) {
    // "user" is the UserModel bound by the script authenticator; it is null until a user has been chosen
    var username = user ? user.username : "anonymous";
    if (username.endsWith("mydomain.com")) {
        redirect_to_idp(context, "idpformydomain");
        return;
    }
    context.success();
}

Function:

AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
ClientSessionCode = Java.type("org.keycloak.services.managers.ClientSessionCode");
Urls = Java.type("org.keycloak.services.Urls");
OAuth2Constants = Java.type("org.keycloak.OAuth2Constants");
Response = Java.type("javax.ws.rs.core.Response");
UriBuilder = Java.type("javax.ws.rs.core.UriBuilder"); // used below but missing from the original import list

/**
 * Redirect to an identity provider
 *
 * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
 * @param providerId : the alias of the provider to use
 */
function redirect_to_idp(context, providerId) {
    var identityProviders = context.getRealm().getIdentityProviders();
    for (var i = 0; i < identityProviders.size(); i++) {
        var identityProvider = identityProviders.get(i);
        if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) {
            // the access code ties the brokered login back to this authentication session
            var accessCode = new ClientSessionCode(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getOrGenerateCode();
            var clientId = context.getAuthenticationSession().getClient().getClientId();
            var tabId = context.getAuthenticationSession().getTabId();
            var location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode, clientId, tabId);
            // pass the OIDC "display" hint along if the client sent one
            if (context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY) != null) {
                location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY)).build();
            }
            var response = Response.seeOther(location).build();
            LOG.info("Redirecting to " + providerId);
            context.forceChallenge(response);
            return;
        }
    }
}

From leandro.rebosio at gmail.com Thu Jul 26 05:58:16 2018
From: leandro.rebosio at gmail.com (Leandro Rebosio)
Date: Thu, 26 Jul 2018 11:58:16 +0200
Subject: [keycloak-user] Client (App) - Keycloak (Server) binding
Message-ID:

Hey there,

I didn't find any documentation about this particular topic, let me explain a bit. How can I bind my application to a Keycloak server instance and be sure that this binding is immutable? I know about certs and public keys, but if someone changes the key on my app it would be able to use a different Keycloak instance to authenticate, isn't it?

Thanks for your clarification, and I apologize if this is not the right way to use the mailing list.

From psilva at redhat.com Thu Jul 26 08:00:17 2018
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 26 Jul 2018 09:00:17 -0300
Subject: [keycloak-user] FW: Access control and client setup
In-Reply-To: References: Message-ID:

On Wed, Jul 25, 2018 at 4:21 AM, Wyns Dean wrote:
> Hi
>
> I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but I can't seem to wrap my head around some things.
>
> We want to separate our APIs from the IAM. The sole purpose of Keycloak is to provide an identity and access token, primarily using the implicit flow. The client-side application (usually SPAs) uses the access token in all API calls and the resource server checks the signature of the access token but does not access Keycloak at all.
>
> Each backend has a few operations, and each operation gets its own "permission". For example one API can manage "items", so there are four permissions:
> - create:item
> - read:item
> - update:item
> - delete:item
>
> Is it best practice with Keycloak to model these permissions as scopes? And then use roles/permissions/policies to limit the scope of the user? The backend can then just decode the access token and read the granted scopes.

Ideally, you should define your authorization settings based on your model. So if you have a resource "Item", which is a protected resource in your API, you should have an "Item Resource" in Keycloak.
The actions/methods create, read, update and delete can be scopes associated with your "Item" resource. Once you have your item resource and scopes, you can define permissions that govern access for the resource itself or for each scope individually. All depends on how you create those permissions (resource vs scope permissions) and the policies associated with them. The backend could just decode the token and check the "permissions" claim. Or you can also query the Keycloak server on every request to obtain a decision.

> Also, in a SPA + API set-up, do I create two clients in Keycloak, one for each? This is only useful when the API needs resource protection, right? I guess in my case I only need one client for the SPA because the API only needs the scope from the access token by decoding it.

I would say you should have two clients representing both applications. They have different requirements and are really different things. Your SPA is probably a regular public client while your API is a resource server.

> Thanks for any feedback
>
> Kind regards
> Dean

From tomas at intrahouse.com Thu Jul 26 08:41:03 2018
From: tomas at intrahouse.com (Tomás García)
Date: Thu, 26 Jul 2018 13:41:03 +0100
Subject: [keycloak-user] JDBC Database issue when migrating from v3.4.3.Final to v4.1.0
Message-ID:

Hi,

I was in the process of upgrading our instance of v3.4.3.Final to v4.1.0.Final, but the migration model manager from Keycloak crashes.
Here's the stack trace:

Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:250)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565)
    at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81)
    ... 6 more
Caused by: org.hibernate.exception.GenericJDBCException: Could not read entity state from ResultSet : EntityKey[org.keycloak.models.jpa.entities.RealmAttributeEntity#component[name,realm]{name=_browser_header.contentSecurityPolicy, realm=org.keycloak.models.jpa.entities.RealmEntity#master}]
    at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:111)
    at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:97)
    at org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl.loadFromResultSet(EntityReferenceInitializerImpl.java:320)
    at org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl.hydrateEntityState(EntityReferenceInitializerImpl.java:233)
    at org.hibernate.loader.plan.exec.process.internal.AbstractRowReader.readRow(AbstractRowReader.java:103)
    at org.hibernate.loader.plan.exec.process.internal.ResultSetProcessorImpl.extractResults(ResultSetProcessorImpl.java:122)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:122)
    at org.hibernate.loader.plan.exec.internal.AbstractLoadPlanBasedLoader.executeLoad(AbstractLoadPlanBasedLoader.java:86)
    at org.hibernate.loader.collection.plan.AbstractLoadPlanBasedCollectionInitializer.initialize(AbstractLoadPlanBasedCollectionInitializer.java:88)
    at org.hibernate.persister.collection.AbstractCollectionPersister.initialize(AbstractCollectionPersister.java:688)
    at org.hibernate.event.internal.DefaultInitializeCollectionEventListener.onInitializeCollection(DefaultInitializeCollectionEventListener.java:75)
    at org.hibernate.internal.SessionImpl.initializeCollection(SessionImpl.java:2004)
    at org.hibernate.collection.internal.AbstractPersistentCollection$4.doWork(AbstractPersistentCollection.java:567)
    at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:249)
    at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:563)
    at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:132)
    at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:277)
    at org.keycloak.models.jpa.RealmAdapter.getAttribute(RealmAdapter.java:209)
    at org.keycloak.models.jpa.RealmAdapter.getDisplayName(RealmAdapter.java:79)
    at org.keycloak.models.cache.infinispan.entities.CachedRealm.<init>(CachedRealm.java:157)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealm(RealmCacheSession.java:399)
    at org.keycloak.models.jpa.JpaRealmProvider.getRealms(JpaRealmProvider.java:102)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.getRealms(RealmCacheSession.java:459)
    at org.keycloak.migration.migrators.MigrateTo3_4_1.migrate(MigrateTo3_4_1.java:40)
    at org.keycloak.migration.MigrationModelManager.migrate(MigrationModelManager.java:94)
    at org.keycloak.services.resources.KeycloakApplication.migrateModel(KeycloakApplication.java:245)
    at org.keycloak.services.resources.KeycloakApplication.migrateAndBootstrap(KeycloakApplication.java:186)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:145)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:227)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:136)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 28 more
Caused by: java.sql.SQLException: Can not call getNString() when field's charset isn't UTF-8
    at com.mysql.jdbc.JDBC4ResultSet.getNString(JDBC4ResultSet.java:212)
    at com.mysql.jdbc.JDBC4ResultSet.getNString(JDBC4ResultSet.java:232)
    at org.jboss.jca.adapters.jdbc.WrappedResultSet.getNString(WrappedResultSet.java:4634)
    at org.hibernate.type.descriptor.sql.NVarcharTypeDescriptor$2.doExtract(NVarcharTypeDescriptor.java:62)
    at org.hibernate.type.descriptor.sql.BasicExtractor.extract(BasicExtractor.java:47)
    at org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:235)
    at org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:231)
    at org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:222)
    at org.hibernate.type.AbstractStandardBasicType.hydrate(AbstractStandardBasicType.java:296)
    at org.hibernate.persister.entity.AbstractEntityPersister.hydrate(AbstractEntityPersister.java:2840)
    at org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl.loadFromResultSet(EntityReferenceInitializerImpl.java:305)
    ... 60 more

I don't quite get why this is happening, since the very same code being run here (at org.keycloak.migration.migrators.MigrateTo3_4_1.migrate(MigrateTo3_4_1.java:40)) should be running in v3.4.3 as well, where it works fine. I'm using a v5.5 MariaDB database with a 5.5 MySQL JDBC Connector. The same libraries I used in v3.4.3 were installed into the v4.1.0 instance, so no change in configuration.
All the tables / columns are using UTF-8 with utf8_unicode_ci collation:

> SHOW FULL COLUMNS FROM REALM_ATTRIBUTE;
+----------+--------------+-----------------+------+-----+---------+-------+---------------------------------+---------+
| Field    | Type         | Collation       | Null | Key | Default | Extra | Privileges                      | Comment |
+----------+--------------+-----------------+------+-----+---------+-------+---------------------------------+---------+
| NAME     | varchar(255) | utf8_unicode_ci | NO   | PRI | NULL    |       | select,insert,update,references |         |
| VALUE    | varchar(255) | utf8_unicode_ci | YES  |     | NULL    |       | select,insert,update,references |         |
| REALM_ID | varchar(36)  | utf8_unicode_ci | NO   | PRI | NULL    |       | select,insert,update,references |         |
+----------+--------------+-----------------+------+-----+---------+-------+---------------------------------+---------+

The database configuration is similar to this one:

jdbc:mysql://localhost:3306/databasename?useUnicode=true&characterEncoding=utf8
com.mysql.jdbc.jdbc2.optional.MysqlXADataSource

Thanks,
Tomás

From christoph at contentpass.de Thu Jul 26 10:24:26 2018
From: christoph at contentpass.de (Christoph Tavan)
Date: Thu, 26 Jul 2018 16:24:26 +0200
Subject: [keycloak-user] redirectUri gets lost when opening email verification link in new browser (since authSession gets lost)
Message-ID: <7E0F24FC-8703-49C5-AD1F-C90CBE1B9397@contentpass.de>

Hello Keycloak Mailinglist,

I'm struggling with getting user registrations that require email verification to work in a native app context.

In my test setup I have a native (iOS) mobile app that includes OIDC authentication. Normal login works perfectly: the Keycloak login form is opened in a webview, the user logs in and is redirected back to an app link which the native app can handle, all good.

Things don't work that smoothly when a user wants to register within the webview. Here's what happens, to my understanding:

1.
Webview is opened, Keycloak creates a new authSession where the redirectUri (from the redirect_uri URL query parameter) is stored.
2. User registers, verification email is sent.
3. User clicks on the email verification link, which opens in the system browser where the authSession of the app's webview is obviously not present. The user is presented with the confirmEmailAddressVerification page and clicks the proceedWithAction link.
4. Email is now verified. However, since the original authSession that was created in the webview and that contained the redirectUri is not present in the system browser, the user is now presented with a link to the baseUrl of the client instead of the app URL that was originally passed as redirect_uri in the initial authorization request.

I have tried to configure the app URL as "Base URL" in the client, but this doesn't get rendered in the view. Instead the "back to application" link points to /auth/realms/REALMNAME/account

I think this whole problem is not specific to the native app use case: we would have the same issue if the registration process is started in one browser and the email verification link is opened in a different browser where the initial login authSession is not present.

Has anyone ever gotten this to work? I.e. continuation of a registration flow in a new browser session, different from the session where the registration began?

Thanks
Christoph

From tomas at intrahouse.com Thu Jul 26 10:51:32 2018
From: tomas at intrahouse.com (Tomás García)
Date: Thu, 26 Jul 2018 15:51:32 +0100
Subject: [keycloak-user] JDBC Database issue when migrating from v3.4.3.Final to v4.1.0
In-Reply-To: References: Message-ID:

Ok, I found the issue. It's a misconfiguration one. If this happens to you:

jdbc:mysql://localhost:3306/databasename?useUnicode=true&characterEncoding=utf8

change that utf8 to UTF-8 and the problem is gone. Not sure why it didn't affect me in previous versions, but now it works.
On Thu, Jul 26, 2018 at 1:41 PM Tomás García wrote:
> Hi,
>
> I was in the process of upgrading our instance of v3.4.3.Final to v4.1.0.Final, but the migration model manager from Keycloak crashes. Here's the stack trace:
>
> [quoted stack trace, identical to the one in the original message above, elided up to this point]
> at
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at > org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) > ... 28 more > Caused by: java.sql.SQLException: Can not call getNString() when field's > charset isn't UTF-8 > at com.mysql.jdbc.JDBC4ResultSet.getNString(JDBC4ResultSet.java:212) > at com.mysql.jdbc.JDBC4ResultSet.getNString(JDBC4ResultSet.java:232) > at > org.jboss.jca.adapters.jdbc.WrappedResultSet.getNString(WrappedResultSet.java:4634) > at > org.hibernate.type.descriptor.sql.NVarcharTypeDescriptor$2.doExtract(NVarcharTypeDescriptor.java:62) > at > org.hibernate.type.descriptor.sql.BasicExtractor.extract(BasicExtractor.java:47) > at > org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:235) > at > org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:231) > at > org.hibernate.type.AbstractStandardBasicType.nullSafeGet(AbstractStandardBasicType.java:222) > at > org.hibernate.type.AbstractStandardBasicType.hydrate(AbstractStandardBasicType.java:296) > at > org.hibernate.persister.entity.AbstractEntityPersister.hydrate(AbstractEntityPersister.java:2840) > at > org.hibernate.loader.plan.exec.process.internal.EntityReferenceInitializerImpl.loadFromResultSet(EntityReferenceInitializerImpl.java:305) > ... 60 more > > I don't quite get why this is happening since the very same code being run > here should be running in v3.4.3 (at > org.keycloak.migration.migrators.MigrateTo3_4_1.migrate(MigrateTo3_4_1.java:40)) > which works fine in that version. > > I'm using a v5.5 MariaDB database with a 5.5 MySQL JDBC Connector. The > same libraries I used in v3.4.3 were installed into the v4.1.0 instance, so > no change in configuration. 
> > All the tables / columns are using UTF-8 with utf8_unicode_ci collation: > > SHOW FULL COLUMNS FROM REALM_ATTRIBUTE; > > +----------+--------------+-----------------+------+-----+---------+-------+---------------------------------+---------+ > | Field | Type | Collation | Null | Key | Default | Extra > | Privileges | Comment | > > +----------+--------------+-----------------+------+-----+---------+-------+---------------------------------+---------+ > | NAME | varchar(255) | utf8_unicode_ci | NO | PRI | NULL | > | select,insert,update,references | | > | VALUE | varchar(255) | utf8_unicode_ci | YES | | NULL | > | select,insert,update,references | | > | REALM_ID | varchar(36) | utf8_unicode_ci | NO | PRI | NULL | > | select,insert,update,references | | > > +----------+--------------+-----------------+------+-----+---------+-------+---------------------------------+---------+ > > The database configuration is similar to this one: > > jdbc:mysql://localhost:3306/databasename?useUnicode=true&characterEncoding=utf8 > > > > com.mysql.jdbc.jdbc2.optional.MysqlXADataSource > > > Thanks, > Tomás > From postmaster at lists.jboss.org Thu Jul 26 20:15:04 2018 From: postmaster at lists.jboss.org (MAILER-DAEMON) Date: Fri, 27 Jul 2018 08:15:04 +0800 Subject: [keycloak-user] Returned mail: Data format error Message-ID: <201807270016.w6R0GstF010835@lists01.dmz-a.mwc.hst.phx2.redhat.com> The original message was received at Fri, 27 Jul 2018 08:15:04 +0800 from 39.161.52.19 ----- The following addresses had permanent fatal errors ----- ----- Transcript of session follows ----- ... while talking to lists.jboss.org.: >>> DATA <<< 400-aturner; %MAIL-E-OPENOUT, error opening !AS as output <<< 400-aturner; -SYSTEM-F-EXDISKQUOTA, disk quota exceeded <<< 400 -------------- next part -------------- A non-text attachment was scrubbed...
Name: text.zip Type: application/octet-stream Size: 28978 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180727/7c72b99b/attachment-0001.obj From henning.waack at codecentric.de Fri Jul 27 04:17:53 2018 From: henning.waack at codecentric.de (Henning Waack) Date: Fri, 27 Jul 2018 10:17:53 +0200 Subject: [keycloak-user] Close EntityManager in RealmResourceProvider? Message-ID: Hi. I am implementing a RealmResourceProvider (KC 4.0) in which I use an EntityManager provided by the KeycloakSession to access the KC DB: EntityManager em = ((KeycloakSession)session).getProvider(JpaConnectionProvider.class).getEntityManager(); In my class which extends org.keycloak.services.resource.RealmResourceProvider and uses this EntityManager, do I have to close the EM instance after using it? Or do I have to close it in my RealmResourceProviderFactory.close() method where I obtain it from the session? Thanks & greetings Henning From harigarian at gmail.com Fri Jul 27 06:50:26 2018 From: harigarian at gmail.com (prashant kumar) Date: Fri, 27 Jul 2018 16:20:26 +0530 Subject: [keycloak-user] one issue in keycloak Message-ID: Hi, We are using keycloak for identity provider and have got following requirement, - We need to show user email - If the user is of Keycloak then showing password text otherwise showing list of other identity provider. We couldn't divide username and password without changing the core keycloak class namely org.keycloak.authentication.DefaultAuthenticationFlow and then class doesn't support extension without changing the entire hierarchy of objects in new. We can only add provider using SPI for subsequent flow. So we have taken following approach 1) Changing the core class itself but then keycloak release update will happen only with this change incorporated. 2) Created our own rest API which is using keycloak utilities and services as object but entire flow is in the rest API.
Please provide your take on this along with if there is any way we can inject our own object using spring injection or some other injection mechanism. Thanks, Prashant > From jambo_mcd at yahoo.co.uk Fri Jul 27 12:29:04 2018 From: jambo_mcd at yahoo.co.uk (Jamie McDowell) Date: Fri, 27 Jul 2018 16:29:04 +0000 (UTC) Subject: [keycloak-user] kcadm - adding a protocol-mapper In-Reply-To: <393991387.3571827.1532708749385@mail.yahoo.com> References: <393991387.3571827.1532708749385.ref@mail.yahoo.com> <393991387.3571827.1532708749385@mail.yahoo.com> Message-ID: <98566890.3575432.1532708944298@mail.yahoo.com> Hi, I am trying to add a client protocol-mapper however when I try and run this I get a HTTP error - 500 Internal Server Error opt/jboss/keycloak/bin/kcadm.sh create clients//protocol-mappers/models -r demorealm -s protocol=openid-connect -s protocolMapper=oidc-usermodel-realm-mapper -s consentRequired=false -s config.claim.name=group_membership -s config.jsonType.label=String -s config.id.token.claim=true -s config.access.token.claim=true -s config.userinfo.token.claim=true -s config.multivalued=true -s name=Realm I can confirm that kcadm works as I have been able to create groups, LDAP mappers, realms etc... In the server.log I can see the below error when I run the above ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-109) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can notat [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 55dee6f8; line: 1, column: 119] (through reference chain: org.keycloak.representations.idm.ProtocolMapperRepresentation["co at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270) at com.fasterxml.jackson.databind.DeserializationContext.reportMappingException(DeserializationContext.java:1234)
at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1122) at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1075) at com.fasterxml.jackson.databind.deser.std.StringDeserializer.deserialize(StringDeserializer.java:60) Appreciate if anyone can advise on this (keycloak version is 3.4.3) Thanks Jamie From jonas.schoenenberger at gmail.com Fri Jul 27 12:39:45 2018 From: jonas.schoenenberger at gmail.com (Jonas Schönenberger) Date: Fri, 27 Jul 2018 18:39:45 +0200 Subject: [keycloak-user] Implicit Flow - Invalid grant_type Message-ID: Hi everyone I would like to use the implicit flow with some of my services that use Keycloak as their Identity-Provider. According to the documentation a token can be obtained from the token endpoint with the implicit flow: /realms/{realm-name}/protocol/openid-connect/token > This is the URL endpoint for obtaining a temporary code in the > Authorization Code Flow or for obtaining tokens via the Implicit Flow, > Direct Grants, or Client Grants. In the well-known config "implicit" is listed as a valid grant_type: "grant_types_supported": [ > "authorization_code", > "implicit", > "refresh_token", > "password", > "client_credentials" > ] However calls to the above mentioned token endpoint fail with an "Invalid grant_type" error when I set the "grant_type" to "implicit" and try to fetch a token. Besides the implicit grant_type I hand over the client_id of my client, its redirect url, "id_token token" as "response_type" and as "scope" "openid". Implicit flow is enabled on the clients I want to use that flow with.
I had a look at the source code and it seems that the implicit grant_type is not one of the accepted grant types: https://github.com/keycloak/keycloak/blob/8b6979ac18b19eb47e618e05ccffdde0c9adb6ff/services/src/main/java/org/keycloak/protocol/oidc/endpoints/TokenEndpoint.java#L239 Does someone know how to obtain a token with the implicit flow from Keycloak and whether it is possible through the above mentioned API at all? Thank you for your support and Best Regards Jonas From postmaster at lists.jboss.org Sat Jul 28 21:51:11 2018 From: postmaster at lists.jboss.org (Bounced mail) Date: Sun, 29 Jul 2018 09:51:11 +0800 Subject: [keycloak-user] Returned mail: Data format error Message-ID: <201807290153.w6T1rFOP008030@lists01.dmz-a.mwc.hst.phx2.redhat.com> The message was not delivered due to the following reason: Your message was not delivered because the destination server was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configura- tion parameters. Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within 5 days: Mail server 137.123.118.28 is not responding. The following recipients did not receive this message: Please reply to postmaster at lists.jboss.org if you feel this message to be in error. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: readme.zip Type: application/octet-stream Size: 28982 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20180729/af5b4e68/attachment-0001.obj From ranjan.pakira at capgemini.com Mon Jul 30 04:00:23 2018 From: ranjan.pakira at capgemini.com (Pakira, Ranjan) Date: Mon, 30 Jul 2018 08:00:23 +0000 Subject: [keycloak-user] Need info for network security Message-ID: <0CCF50CABB0BC0438C7672FC2C769FB4D88E0748@IN-BLR-DAGND3.corp.capgemini.com> Hi, We are planning to setup Keycloak in new Network and network security team needs some information. Can you please help us with the answer of the following queries? How is this user data secured in rest and in transit? How is in control of Keycloak? and do you have the correct process around access, Starters movers leavers etc? Thanks & Regards, Ranjan Pakira This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message. From erlend at hamnaberg.net Mon Jul 30 04:02:52 2018 From: erlend at hamnaberg.net (Erlend Hamnaberg) Date: Mon, 30 Jul 2018 10:02:52 +0200 Subject: [keycloak-user] Upgrading Keycloak 3.4.2 to 4.1.0 in docker Message-ID: Hello all. I was wondering if it required to run the upgrade steps (apart from the database migrations and themes ) when deploying keycloak in dockerized form? I am of course extending FROM jboss/keycloak:4.1.0.Final I started the server with just upgrading the database automatically, and it seems to work fine. Am I missing something other important step?
/Erlend From vikas027 at gmail.com Mon Jul 30 05:48:28 2018 From: vikas027 at gmail.com (Vikas Kumar) Date: Mon, 30 Jul 2018 19:48:28 +1000 Subject: [keycloak-user] Reset Admin Password through database Message-ID: Hello, I have a task to export data (mysqldump) from one keycloak server and restore (mysqlrestore) it to another. I am looking to change the admin password through the database i.e. before starting the new keycloak server. I know I can do it using API but want to do it before the keycloak is up. I've tried but could not find anything online :( Regards, Vikas From erlend at hamnaberg.net Mon Jul 30 06:15:30 2018 From: erlend at hamnaberg.net (Erlend Hamnaberg) Date: Mon, 30 Jul 2018 12:15:30 +0200 Subject: [keycloak-user] Upgrading Keycloak 3.4.2 to 4.1.0 in docker In-Reply-To: References: Message-ID: I meant KC 3.4.3. /Erlend On Mon, Jul 30, 2018 at 10:02 AM, Erlend Hamnaberg wrote: > Hello all. > > I was wondering if it required to run the upgrade steps (apart from the > database migrations and themes ) when deploying keycloak in dockerized form? > I am of course extending > > FROM jboss/keycloak:4.1.0.Final > > I started the server with just upgrading the database automatically, and > it seems to work fine. > Am I missing something other important step? > > /Erlend > From testoauth55 at gmail.com Mon Jul 30 06:38:28 2018 From: testoauth55 at gmail.com (Test Oauth) Date: Mon, 30 Jul 2018 16:08:28 +0530 Subject: [keycloak-user] Browser not maintaining session for keycloak users Message-ID: I am using openid-connect for authenticating users. After successful authentication, browser windows says: "Login Successful You may close this browser window and go back to your console application." However, even without closing the window if I relaunch my application (using keycloak.loginDesktop();) even within 10 seconds, still the login page appears instead of : you are already logged in. Browser: Firefox. 
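Jamie's 500 above is raised by Jackson while it fills a ProtocolMapperRepresentation, whose config field is a plain string-to-string map. kcadm's documented attribute syntax treats a dot in a -s name as one level of nesting unless that part of the name is double-quoted, so config.claim.name=... reaches the server as nested objects instead of the single key claim.name, which is exactly the shape a string deserializer rejects. The Python below is an added example, not kcadm's code and not from the thread; it implements that nesting rule over constructed attribute lists and reports which config keys would no longer be strings:

```python
"""Build the JSON body that a kcadm-style ``-s name=value`` list produces.

Added example, not kcadm's own code. It reproduces the attribute-name rule
documented for kcadm: a dot in the name descends into a nested object unless
that part of the name is double-quoted, so a mapper config key such as
``claim.name`` has to be written as ``config."claim.name"``. Values are kept
as strings here (the real tool also parses JSON literals); that is enough to
show why ``config.claim.name=...`` yields an object where a string is expected.
"""
import json


def split_key(key):
    """Split an attribute name into its nesting path.

    'config.claim.name'    -> ['config', 'claim', 'name']
    'config."claim.name"'  -> ['config', 'claim.name']
    """
    parts, buf, quoted = [], [], False
    for ch in key:
        if ch == '"':
            quoted = not quoted
        elif ch == "." and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError(f"unbalanced double quote in attribute name: {key!r}")
    parts.append("".join(buf))
    if any(p == "" for p in parts):
        raise ValueError(f"empty path segment in attribute name: {key!r}")
    return parts


def set_attribute(body, assignment):
    """Apply one ``name=value`` assignment to body, creating nested dicts on the way."""
    key, sep, value = assignment.partition("=")
    if not sep:
        raise ValueError(f"expected name=value, got {assignment!r}")
    path = split_key(key)
    node = body
    for part in path[:-1]:
        child = node.get(part)
        if child is None:
            child = node[part] = {}
        elif not isinstance(child, dict):
            raise TypeError(f"{part!r} already holds a value; cannot nest {key!r} under it")
        node = child
    node[path[-1]] = value
    return body


def build_body(assignments):
    body = {}
    for assignment in assignments:
        set_attribute(body, assignment)
    return body


def non_string_config_keys(body):
    """Keys of ``config`` whose value is not a string.

    ProtocolMapperRepresentation.config is a Map<String, String>, so every key
    listed here is one the server's JSON mapper will refuse.
    """
    return sorted(k for k, v in body.get("config", {}).items() if not isinstance(v, str))


# Constructed attribute lists, modelled on the kind of command in the thread.
UNQUOTED = [
    "protocol=openid-connect",
    "config.claim.name=group_membership",
    "config.id.token.claim=true",
]
QUOTED = [
    "protocol=openid-connect",
    'config."claim.name"=group_membership',
    'config."id.token.claim"=true',
]

if __name__ == "__main__":
    for label, attrs in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        body = build_body(attrs)
        print(label, json.dumps(body), "bad config keys:", non_string_config_keys(body))
```

Running the block prints both bodies: the unquoted list nests claim and id under config, the quoted list yields the flat map the mapper endpoint expects. The same builder also refuses an assignment that would turn an already-set string into an object, which is the other way such a command can go wrong.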
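On Jonas's question: in OpenID Connect the implicit flow is driven entirely by the authorization endpoint (/protocol/openid-connect/auth). The browser is redirected there with response_type=id_token token and the tokens come back in the fragment of the redirect_uri, so no grant_type=implicit request is ever made to the token endpoint; "implicit" in grant_types_supported only advertises that the flow is available. The Python below is an added example, not from the thread or from Keycloak: the issuer, client_id and redirect_uri are placeholders, and the authorization endpoint is simulated so the exchange runs offline with constructed, unsigned tokens.

```python
"""OIDC implicit flow: the authorization endpoint issues the tokens.

Added example, not from the thread or from Keycloak. ISSUER, CLIENT_ID and
REDIRECT_URI are assumed placeholders; simulate_authorization_endpoint stands
in for the realm's /auth endpoint and hands out constructed, unsigned tokens.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

ISSUER = "https://keycloak.example/auth/realms/demo"   # assumed
AUTHZ_ENDPOINT = ISSUER + "/protocol/openid-connect/auth"
CLIENT_ID = "my-spa"                                   # assumed
REDIRECT_URI = "https://app.example/callback"          # assumed


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def at_hash(access_token):
    """OIDC Core at_hash for a SHA-256 alg: left half of SHA-256(access_token)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return _b64url(digest[: len(digest) // 2])


def build_authorization_request(state, nonce):
    """URL the SPA sends the browser to; state and nonce are fresh per login."""
    params = {"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "response_type": "id_token token", "scope": "openid",
              "state": state, "nonce": nonce}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def simulate_authorization_endpoint(auth_url):
    """Stand-in for /auth after a successful login: fragment response with
    constructed tokens (alg=none is for this offline example only)."""
    req = {k: v[0] for k, v in parse_qs(urlsplit(auth_url).query).items()}
    if req.get("response_type") != "id_token token":
        raise ValueError("stand-in only implements response_type=id_token token")
    access_token = "constructed-access-" + secrets.token_urlsafe(8)
    claims = {"iss": ISSUER, "aud": req["client_id"], "sub": "constructed-subject",
              "nonce": req["nonce"], "at_hash": at_hash(access_token)}
    id_token = (_b64url(json.dumps({"alg": "none"}).encode()) + "."
                + _b64url(json.dumps(claims).encode()) + ".")
    fragment = urlencode({"access_token": access_token, "token_type": "Bearer",
                          "expires_in": "300", "id_token": id_token, "state": req["state"]})
    return req["redirect_uri"] + "#" + fragment


def parse_fragment_response(redirect_url, expected_state):
    """Client side: read the fragment, reject errors and a foreign state (CSRF)."""
    fragment = urlsplit(redirect_url).fragment
    if not fragment:
        raise ValueError("no fragment: implicit-flow tokens arrive in the URL fragment")
    params = {k: v[0] for k, v in parse_qs(fragment, strict_parsing=True).items()}
    if "error" in params:
        raise ValueError(f"authorization server returned error {params['error']!r}")
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: response does not belong to this login")
    for required in ("access_token", "token_type", "id_token"):
        if required not in params:
            raise ValueError(f"fragment response lacks {required}")
    return params


def decode_jwt_payload(token):
    """Payload only. A real client verifies the RS256 signature against the
    realm's JWKS before this step; the offline example cannot."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def validate_id_token(id_token, expected_nonce, access_token):
    """Issuer, audience, nonce (replay) and at_hash (token binding) checks."""
    claims = decode_jwt_payload(id_token)
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("id_token not issued for this client")
    if not secrets.compare_digest(claims.get("nonce", ""), expected_nonce):
        raise ValueError("nonce mismatch")
    if claims.get("at_hash") != at_hash(access_token):
        raise ValueError("at_hash does not match the access_token in the response")
    return claims


def run_implicit_flow(authorization_endpoint=simulate_authorization_endpoint):
    """Full round trip; returns the validated id_token claims."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    redirect_url = authorization_endpoint(build_authorization_request(state, nonce))
    params = parse_fragment_response(redirect_url, state)
    return validate_id_token(params["id_token"], nonce, params["access_token"])


if __name__ == "__main__":
    print(run_implicit_flow())
```

The client-side functions are the part worth keeping: a response that arrives in the query string (as an authorization-code response would), carries a state this client did not generate, or whose id_token nonce or at_hash does not line up is rejected before any claim is trusted.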
From dean.wyns at aptus.be Mon Jul 30 09:43:59 2018 From: dean.wyns at aptus.be (Wyns Dean) Date: Mon, 30 Jul 2018 13:43:59 +0000 Subject: [keycloak-user] FW: Access control and client setup In-Reply-To: References: Message-ID: Hi Pedro Thanks for your answer. So the idea is to create one client for the API, let's call it "my-api" with authorization enabled and the resources/scopes/permissions like you described previously. And I'll create another (public) client for the SPA, "my-app". If users authenticate against my-app using the implicit flow, how can I link the scopes associated with the resources of my-api and have them follow the permissions that are defined on my-api? Do I have to add the scopes as optional "Client Scopes" so they are shared? The problem then is that they don't show up under the Authorization tab of my-api, only the Authorization Scopes do. Or should authorization be enabled for my-app as well? I would like the backend to purely check on the scope associated with the access token, by looking at the scope claim. There doesn't seem to ever be a permissions claim in my tests, I only get the "resource_access" claim but that only contains the roles, which I don't need in the backend. Sorry if I'm being unclear. Your help is highly appreciated! Dean From: Pedro Igor Silva Sent: Thursday, 26 July 2018 14:00 To: Wyns Dean CC: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] FW: Access control and client setup On Wed, Jul 25, 2018 at 4:21 AM, Wyns Dean wrote: Hi I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but I can't seem to wrap my head around some things. We want to separate our APIs from the IAM. The sole purpose of Keycloak is to provide an identity and access token, primarily using the implicit flow. The client-side application (usually SPAs) uses the access token in all API calls and the resource server checks the signature of the access token but does not access Keycloak at all.
Each backend has a few operations, and each operation gets its own "permission". For example one API can manage "items", so there are four permissions: - create:item - read:item - update:item - delete:item Is it best practice with Keycloak to model these permissions as scopes? And then use roles/permissions/policies to limit the scope of the user? The backend can then just decode the access token and read the granted scopes. Ideally, you should define your authorization settings based on your model. So if you have a resource "Item", which is a protected resource in your API you should have an "Item Resource" in Keycloak. The actions/methods create, read, update and delete can be scopes associated with your "Item" resource. Once you have your item resource and scopes, you can define permissions that govern access for the resource itself or for each scope individually. All depends on how you create those permissions (resource vs scope permissions) and policies associated with them. The backend could just decode the token and check for the "permissions" claim. Or you can also query the Keycloak server on every request to obtain a decision. Also, in a SPA + API set-up, do I create two clients in Keycloak, one for each? This is only useful when the API needs resource protection, right? I guess in my case I only need one client for the SPA because the API only needs the scope from the access token by decoding it. I would say you should have two clients representing both applications. They have different requirements and are really different things. Your SPA is probably a regular public client while your API is a resource server.
Thanks for any feedback Kind regards Dean _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From pritiguleria10 at gmail.com Mon Jul 30 11:23:26 2018 From: pritiguleria10 at gmail.com (priti guleria) Date: Mon, 30 Jul 2018 20:53:26 +0530 Subject: [keycloak-user] Multiple AUTH_SESSION_IDs Message-ID: Does keycloak create one AUTH_SESSION_ID per owner session node when in cluster? I have a cluster with two owners for sessions and with every successful login there are two AUTH_SESSION_IDs returned. Also, I tried to remove route information from AUTH_SESSION_ID by following the below link. However, route information was dropped only for authentication session and was retained for user session. Is there anything more to be done here? https://github.com/keycloak/keycloak-documentation/blob/master/server_installation/topics/clustering/sticky-sessions.adoc To overcome some of the above problems, I am configuring jboss.node.name to same value say "mycookie" in every node in the cluster and then add routing information in load balancer. Will this cause any issue? I have not noticed any issue so far. Thanks, Priti From psilva at redhat.com Mon Jul 30 11:52:00 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 30 Jul 2018 12:52:00 -0300 Subject: [keycloak-user] FW: Access control and client setup In-Reply-To: References: Message-ID: On Mon, Jul 30, 2018 at 10:43 AM, Wyns Dean wrote: > Hi Pedro > > > > Thanks for your answer. > > > > So the idea is to create one client for the API, let's call it "my-api" > with authorization enabled and the resources/scopes/permissions like you > described previously. And I'll create another (public) client for the SPA, > "my-app".
> > > > If users authenticate against my-app using the implicit flow, how can I > link the scopes associated with the resources of my-api and have them > follow the permissions that are defined on my-api? Do I have to add the > scopes as optional "Client Scopes" so they are shared? The problem then is > that they don't show up under the Authorization tab of my-api, only the > Authorization Scopes do. Or should authorization be enabled for my-app as > well? > Client Scopes and Authorization tabs are different features. The first provides an authorization model based on OAuth2 scopes, where scopes may map to one or more claims inside your token or even restrict the roles you send in the token. They are also related to user consent. The Authorization tab provides you the necessary means to set up resource-based permissions using different access control mechanisms. It also provides privacy based on user-managed access. > > > I would like the backend to purely check on the scope associated with the > access token, by looking at the scope claim. There doesn't seem to ever be > a permissions claim in my tests, I only get the "resource_access" claim but > that only contains the roles, which I don't need in the backend. > Are these scopes a result of user consent? Or do you need more fine-grained control and externalize authorization from my-api? Are you using a specific Keycloak adapter? (wildfly, spring, etc) > > > Sorry if I'm being unclear. > > > > Your help is highly appreciated! > > Dean > > > > *From:* Pedro Igor Silva > *Sent:* Thursday, 26 July 2018 14:00 > *To:* Wyns Dean > *CC:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] FW: Access control and client setup > > > > > > > > On Wed, Jul 25, 2018 at 4:21 AM, Wyns Dean wrote: > > Hi > > I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but > I can't seem to wrap my head around some things. > > We want to separate our APIs from the IAM.
The sole purpose of Keycloak is > to provide an identity and access token, primarily using the implicit flow. > The client-side application (usually SPAs) uses the access token in all API > calls and the resource server checks the signature of the access token but > does not access Keycloak at all. > > Each backend has a few operations, and each operation gets its own > "permission". For example one API can manage "items", so there are four > permissions: > - create:item > - read:item > - update:item > - delete:item > > Is it best practice with Keycloak to model these permissions as scopes? > And then use roles/permissions/policies to limit the scope of the user? The > backend can then just decode the access token and read the granted scopes. > > > > Ideally, you should define your authorization settings based on your > model. So if you have a resource "Item", which is a protected resource in > your API you should have an "Item Resource" in Keycloak. The actions/methods > create, read, update and delete can be scopes associated with your "Item" > resource. > > > > Once you have your item resource and scopes, you can define permissions > that govern access for the resource itself or for each scope individually. > All depends on how you create those permissions (resource vs scope > permissions) and policies associated with them. > > > > The backend could just decode the token and check for the "permissions" > claim. Or you can also query the Keycloak server on every request to obtain > a decision. > > > > > Also, in a SPA + API set-up, do I create two clients in Keycloak, one for > each? This is only useful when the API needs resource protection, right? I > guess in my case I only need one client for the SPA because the API only > needs the scope from the access token by decoding it. > > > > I would say you should have two clients representing both applications. > They have different requirements and are really different things.
Your SPA > is probably a regular public client while your API is a resource server. > > > > > Thanks for any feedback > > Kind regards > Dean From padluk at gmx.de Mon Jul 30 12:27:38 2018 From: padluk at gmx.de (Patrick Lukauer) Date: Mon, 30 Jul 2018 18:27:38 +0200 Subject: [keycloak-user] custom registration flow Message-ID: From vandana0242 at gmail.com Mon Jul 30 14:50:34 2018 From: vandana0242 at gmail.com (vandana thota) Date: Mon, 30 Jul 2018 13:50:34 -0500 Subject: [keycloak-user] Keycloak configurations Message-ID: Hello 1) Is there any puppet module for keycloak 4.1. final , any puppet module for keycloak-SAML adapter ? 2) What is the good practice having one keycloak for all wildfly server which QA non prod , one for Dev non -prod, one for test non prod wildfly server ? 3) having one keycloak server for whole prod environment ? Thanks From dt at acutus.pro Mon Jul 30 20:27:48 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 31 Jul 2018 03:27:48 +0300 Subject: [keycloak-user] Keycloak configurations In-Reply-To: References: Message-ID: <1532996868.5207.3.camel@acutus.pro> Hi Vandana, > 1) Is there any puppet module for keycloak 4.1. final , any puppet > module > for keycloak-SAML adapter ? Have a look at this: https://forge.puppet.com/treydock/keycloak This is a puppet module to install (and possibly configure) Keycloak. As for SAML adapter - not that I know of, unfortunately. > 2) What is the good practice having one keycloak for all wildfly > server > which QA non prod , one for Dev non -prod, one for test non prod > wildfly server ? If you mean "should we have separate Keycloak instances for different environments, or one would suffice?" - well, that depends on your needs.
Technically, there is no restriction like "one Wildfly server - one Keycloak server", so you can safely use one instance of Keycloak; you'll just have to configure three clients per application, reflecting the corresponding environment (QA, dev, testing). Please remember that if this instance goes down for some reason, this will affect all the teams. If you decide to have dedicated Keycloak instances, but you want the same users/groups everywhere, you'll probably need to configure a shared external user store like LDAP or Active Directory. > 3) having one keycloak server for whole prod environment ? In production, it's common to set up a Keycloak cluster, for the purposes of high availability and load balancing. You should consider this if you expect high load and/or have requirements for high availability. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro > > > Thanks From dt at acutus.pro Mon Jul 30 20:36:29 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 31 Jul 2018 03:36:29 +0300 Subject: [keycloak-user] Multiple AUTH_SESSION_IDs In-Reply-To: References: Message-ID: <1532997389.5207.6.camel@acutus.pro> Hi Priti, Setting identical node names is definitely not something you should do, you will break synchronization between the nodes in the cluster. See this discussion: http://lists.jboss.org/pipermail/keycloak-user/2018-July/014752.html And could you please share your load balancer config, so we can look into it? Cheers, Dmitry Telegin CTO, Acutus s.r.o.
Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Mon, 2018-07-30 at 20:53 +0530, priti guleria wrote: > Does keycloak create one AUTH_SESSION_ID per owner session node when in > cluster? I have a cluster with two owners for sessions and with every > successful login there are two AUTH_SESSION_IDs returned. > > > > Also, I tried to remove route information from AUTH_SESSION_ID by following > the below link. However, route information was dropped only for > authentication session and was retained for user session. Is there anything > more to be done here? > > > > https://github.com/keycloak/keycloak-documentation/blob/master/server_installation/topics/clustering/sticky-sessions.adoc > > > > To overcome some of the above problems, I am configuring jboss.node.name to > same value say "mycookie" in every node in the cluster and then add routing > information in load balancer. Will this cause any issue? I have not noticed > any issue so far. > > > Thanks, > > Priti From dt at acutus.pro Mon Jul 30 20:44:20 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 31 Jul 2018 03:44:20 +0300 Subject: [keycloak-user] Browser not maintaining session for keycloak users In-Reply-To: References: Message-ID: <1532997860.5207.8.camel@acutus.pro> Hi, Did you do everything in accordance with the docs? https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter Do you experience this in "manual" mode too? Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote: > I am using openid-connect for authenticating users.
After successful > authentication, browser windows says: > "Login Successful > > You may close this browser window and go back to your console application." > > However, even without closing the window if I relaunch my application > (using keycloak.loginDesktop();) even within 10 seconds, still the login > page appears instead of : you are already logged in. > > Browser: Firefox. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Mon Jul 30 20:54:25 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 31 Jul 2018 03:54:25 +0300 Subject: [keycloak-user] Upgrading Keycloak 3.4.2 to 4.1.0 in docker In-Reply-To: References: Message-ID: <1532998465.5207.10.camel@acutus.pro> Hi Erlend, Normally you shouldn't do anything else, unless you manage Keycloak configuration yourself, i.e. $KEYCLOAK/standalone/configuration is a Docker volume. In this case you might need to migrate your configuration. There are helpful scripts in $KEYCLOAK/bin/migrate*.cli to facilitate that. If you deploy custom providers (extensions), especially if using frequently changing private SPIs, you'll also make sure the code compiles with the new version of Keycloak. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Mon, 2018-07-30 at 10:02 +0200, Erlend Hamnaberg wrote: > Hello all. > > I was wondering if it required to run the upgrade steps (apart from the > database migrations and themes ) when deploying keycloak in dockerized form? > I am of course extending > > FROM jboss/keycloak:4.1.0.Final > > I started the server with just upgrading the database automatically, and it > seems to work fine. > Am I missing something other important step? 
>
> /Erlend
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 30 22:01:41 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 05:01:41 +0300
Subject: [keycloak-user] Need info for network security
In-Reply-To: <0CCF50CABB0BC0438C7672FC2C769FB4D88E0748@IN-BLR-DAGND3.corp.capgemini.com>
References: <0CCF50CABB0BC0438C7672FC2C769FB4D88E0748@IN-BLR-DAGND3.corp.capgemini.com>
Message-ID: <1533002501.5207.12.camel@acutus.pro>

Hi Ranjan,

On Mon, 2018-07-30 at 08:00 +0000, Pakira, Ranjan wrote:
> Hi,
> We are planning to setup Keycloak in a new Network and the network security team needs some information. Can you please help us with the answers to the following queries?
>
> How is this user data secured at rest and in transit?

It is recommended that the data in transit be protected with SSL/TLS. It can be configured either in Keycloak or (preferably) on the reverse proxy / load balancer side.

OpenID Connect and REST services use JSON message format. No additional protection is involved aside from SSL/TLS. SAML protocol can use additional message-level security, like encrypted/signed assertions.

> How is in control of Keyclock? and do you have the correct process around access, Starters movers leavers etc?

If you meant "who is in control of Keycloak", it is developed by Red Hat with contributions from the community. I'd suggest that you contact Red Hat directly re the process.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> Thanks & Regards,
> Ranjan Pakira
>
> This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 30 22:48:47 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 05:48:47 +0300
Subject: [keycloak-user] kcadm - adding a protocol-mapper
In-Reply-To: <98566890.3575432.1532708944298@mail.yahoo.com>
References: <393991387.3571827.1532708749385.ref@mail.yahoo.com> <393991387.3571827.1532708749385@mail.yahoo.com> <98566890.3575432.1532708944298@mail.yahoo.com>
Message-ID: <1533005327.5207.14.camel@acutus.pro>

Hi Jamie,

Seems like you've hit a bug. I can confirm this for KC 4.1.0. As a workaround I've tried to use JSON, but got an even stranger error:

Resource not found for url: http://localhost:8080/auth/admin/realms/master/clients//protocol-mappers/models

But that's exactly the URL the Admin Console makes HTTP POST to. I'd suggest that you file a bug in JIRA.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-27 at 16:29 +0000, Jamie McDowell wrote:
> Hi,
>
> I am trying to add a client protocol-mapper, however when I try and run this I get a HTTP error - 500 Internal Server Error
>
> opt/jboss/keycloak/bin/kcadm.sh create \
>   clients//protocol-mappers/models \
>   -r demorealm \
>   -s protocol=openid-connect \
>   -s protocolMapper=oidc-usermodel-realm-mapper \
>   -s consentRequired=false \
>   -s config.claim.name=group_membership \
>   -s config.jsonType.label=String \
>   -s config.id.token.claim=true \
>   -s config.access.token.claim=true \
>   -s config.userinfo.token.claim=true \
>   -s config.multivalued=true \
>   -s name=Realm
>
> I can confirm that kcadm works as I have been able to create groups, LDAP mappers, realms etc...
> In the server.log I can see the below error when I run the above
>
> ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-109) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can notat [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 55dee6f8; line: 1, column: 119] (through reference chain: org.keycloak.representations.idm.ProtocolMapperRepresentation["co
>         at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
>         at com.fasterxml.jackson.databind.DeserializationContext.reportMappingException(DeserializationContext.java:1234)
>         at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1122)
>         at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1075)
>         at com.fasterxml.jackson.databind.deser.std.StringDeserializer.deserialize(StringDeserializer.java:60)
>
> Appreciate if anyone can advise on this (keycloak version is 3.4.3)
> Thanks, Jamie
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 30 23:10:40 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 06:10:40 +0300
Subject: [keycloak-user] one issue in keycloak
Message-ID: <1533006640.5207.16.camel@acutus.pro>

Hi Prashant,

The power of Keycloak is that in order to bring some new functionality to Keycloak, you don't need to modify Keycloak code in 99% of cases. Everything is done via SPIs + themes.

In your case, I'd suggest that you take a look at the following classes (keycloak-services module):

org.keycloak.authentication.authenticators.resetcred.ResetCredentialChooseUser
org.keycloak.authentication.authenticators.directgrant.ValidatePassword

They are destined for other flows (reset credentials and direct grant respectively), but you can use them as a reference. They demonstrate how username and password handling can be done separately.

Also I'd suggest that you look into Theme Resource SPI and Script Authenticator. These might be helpful in your case.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-27 at 16:20 +0530, prashant kumar wrote:
> Hi,
>
> We are using keycloak for identity provider and have got the following requirement,
>
>    - We need to show user email
>    - If the user is of key cloak then showing password text otherwise
>      showing list of other identity provider.
>
> We couldn't divide username and password without changing the core keycloak class namely
>
> org.keycloak.authentication.DefaultAuthenticationFlow and then class doesn't support extension without changing the entire hierarchy of objects in new.
>
> We can only add provider using SPI for subsequent flow.
>
> So we have taken the following approach
>
> 1) Changing the core class itself but then keycloak release update will happen only with this change incorporated.
>
> 2) Created our own rest API which is using keycloak utilities and services as object but entire flow is in the rest API.
>
> Please provide your take on this along with if there is any way we can inject our own object using spring injection or some other injection mechanism.
>
> Thanks,
> Prashant
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 30 23:20:02 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 06:20:02 +0300
Subject: [keycloak-user] Close EntityManager in RealmResourceProvider?
Message-ID: <1533007202.5207.18.camel@acutus.pro>

Hi Henning,

First, it's recommended that you don't use EntityManager directly in your RealmResourceProvider, but rather create a facade class to encapsulate JPA operations. examples/providers/domain-extension is a nice example of the above (look for ExampleService and its implementation).

Second, generally you should retrieve an EntityManager before each new transaction. As long as it's in a local variable, it will be finalized and closed automatically, so normally you don't need to bother.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Fri, 2018-07-27 at 10:17 +0200, Henning Waack wrote:
> Hi.
>
> I am implementing a RealmResourceProvider (KC 4.0) in which I use an EntityManager provided by the KeycloakSession to access the KC DB:
>
> EntityManager em = ((KeycloakSession) session).getProvider(JpaConnectionProvider.class).getEntityManager();
>
> In my class which extends org.keycloak.services.resource.RealmResourceProvider and uses this EntityManager, do I have to close the EM instance after using it? Or do I have to close it in my RealmResourceProviderFactory.close() method where I obtain it from the session?
>
> Thanks & greetings
>
> Henning
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 30 23:27:21 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 06:27:21 +0300
Subject: [keycloak-user] Client (App) - Keycloak (Server) binding
Message-ID: <1533007641.5207.20.camel@acutus.pro>

Hi Leandro,

So basically you're shipping an application pre-configured to use your Keycloak, and you want to prohibit users from changing this to another server? What type of application is it?

Off the top of my head, you can use server certificate verification on the adapter side. Not sure however if it's available OOTB. But you're right: the user might replace server name and certificate, so I'm afraid there's no 100% bulletproof solution here.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-07-26 at 11:58 +0200, Leandro Rebosio wrote:
> Hey there, I didn't find any documentation about this particular topic, let me explain a bit. How can I bind my application to a Keycloak server instance and be sure that this binding is immutable?
> I know about certs and public key but if someone changes the key on my app it would be able to use a different Keycloak instance to authenticate, isn't it?
>
> Thanks for your clarification and I apologize if this is not the right way to use the mailing list.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 30 23:32:27 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 06:32:27 +0300
Subject: [keycloak-user] IdP selection based on email address
References: <1532562567.2078.7.camel@acutus.pro>
Message-ID: <1533007947.5207.22.camel@acutus.pro>

Hi Yann,

Is the OTP Forms execution inside the subflow? Could you please attach a screenshot of the overall flow?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-07-26 at 09:12 +0000, Yann Jouanin wrote:
> Hello,
>
> Thanks for your reply.
> Indeed I managed to write the function attached in javascript and I was able to redirect to an IdP for specific domains.
>
> I have an additional question, is there a way to continue the flow (in my case I would like to optionally prompt for OTP)?
> My current flow is:
>
> "cookies" (alternative)
> "Choose User" (required)
> Script (select idp) (required) (the script redirects to the idp for some domains, otherwise triggers context.success)
> Subflow forms (optional):
>   - Username Password Form (required)
>   - OTP Form (optional).
>
> Did I misunderstand the flow usage? Now when a user is authenticated using my idp but has an OTP, the OTP is not prompted.
>
> Best regards,
>
> Yann
>
> -------- FUNCTIONS ---------
>
> Authenticate function:
>
> function authenticate(context) {
>     // "user" is a binding provided by the Script Authenticator
>     var username = user ? user.username : "anonymous";
>     if (username.endsWith("mydomain.com")) {
>         redirect_to_idp(context, "idpformydomain");
>         return;
>     }
>     context.success();
>     return;
> }
>
> Function:
>
> AuthenticationFlowError = Java.type("org.keycloak.authentication.AuthenticationFlowError");
> ClientSessionCode = Java.type("org.keycloak.services.managers.ClientSessionCode");
> Urls = Java.type("org.keycloak.services.Urls");
> OAuth2Constants = Java.type("org.keycloak.OAuth2Constants");
> Response = Java.type("javax.ws.rs.core.Response");
> // UriBuilder is used below but was missing from the original imports
> UriBuilder = Java.type("javax.ws.rs.core.UriBuilder");
>
> /**
>  * Redirect to Identity provider
>  *
>  * @param context {@see org.keycloak.authentication.AuthenticationFlowContext}
>  * @param providerId : the alias of the provider to use
>  */
> function redirect_to_idp(context, providerId) {
>     var identityProviders = context.getRealm().getIdentityProviders();
>     var identityProvidersLen = identityProviders.length;
>     for (var i = 0; i < identityProvidersLen; i++) {
>         var identityProvider = identityProviders[i];
>         // only redirect to an enabled IdP whose alias matches
>         if (identityProvider.isEnabled() && providerId.equals(identityProvider.getAlias())) {
>             var accessCode = new ClientSessionCode(context.getSession(), context.getRealm(), context.getAuthenticationSession()).getOrGenerateCode();
>             var clientId = context.getAuthenticationSession().getClient().getClientId();
>             var tabId = context.getAuthenticationSession().getTabId();
>             var location = Urls.identityProviderAuthnRequest(context.getUriInfo().getBaseUri(), providerId, context.getRealm().getName(), accessCode, clientId, tabId);
>             // propagate the OIDC "display" parameter if the client sent one
>             if (context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY) != null) {
>                 location = UriBuilder.fromUri(location).queryParam(OAuth2Constants.DISPLAY, context.getAuthenticationSession().getClientNote(OAuth2Constants.DISPLAY)).build();
>             }
>             var response = Response.seeOther(location).build();
>             LOG.info("Redirecting to " + providerId);
>             context.forceChallenge(response);
>             return;
>         }
>     }
> }
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 30 23:37:22 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 06:37:22 +0300
Subject: [keycloak-user] SSO with multiple domains
Message-ID: <1533008242.5207.24.camel@acutus.pro>

Hi Ushanas,

Out of the box, client applications do not have any mechanism to determine if the user has logged out. But you can implement it using the so called "iframe trick". More info here:
https://www.keycloak.org/docs/latest/securing_apps/index.html#openid-connect-vs-saml

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Thu, 2018-07-26 at 04:06 +0530, Ushanas Shastri wrote:
> Hello,
>
> We have 4 different applications, hosted on 3 unique servers. All applications are protected by KeyCloak. All apps are built on AngularJS.
>
> In cases where we have multiple tabs open (one for each application) in Chrome.
>
> When users logout from one Tab, the other tabs don't always logout. Post this, applications that we login to keep getting unauthorized, and I assume that the tokens have been invalidated.
>
> I've tried version 3.0 and 3.2.1.
>
> I'm looking for any guidance and best practices to handle such cases.
>
> Regards, Ushanas.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Mon Jul 30 23:43:14 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 06:43:14 +0300
Subject: [keycloak-user] Sharing default configuration for keycloak deployment
Message-ID: <1533008594.5207.26.camel@acutus.pro>

Hi,

Is it correct that you're shipping vanilla Keycloak distro with your application, and you want to apply configuration changes as easily as possible?

You should be considering the following tools:

$KEYCLOAK/bin/add-user-keycloak.sh (to add admin user)
$KEYCLOAK/bin/kcadm.sh (to create realms and virtually everything else in Keycloak; remember you'll need to spin it up first)
$KEYCLOAK/bin/jboss-cli.sh (to install JDBC driver, configure database etc.)

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Wed, 2018-07-25 at 12:17 +0530, Test Oauth wrote:
> I am shipping Keycloak with my application and there is some default configuration that I have done. I want to ship this default configuration (like admin name/password, realm names etc) with my application so that the customers can bring the basic authentication flow up with a single click (of probably a batch file).
>
> Is there a way to do this?
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Tue Jul 31 00:01:56 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 07:01:56 +0300
Subject: [keycloak-user] Extract user roles from jwt auth token
Message-ID: <1533009716.5207.28.camel@acutus.pro>

Hi Irtiza,

In Keycloak, there are two types of roles: realm roles and client roles. In JWT, they are mapped to realm_access and resource_access objects, respectively.

So in your JWT example, resource_access lists client roles. Does the user have any realm roles assigned? What version of Keycloak are you using?

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-23 at 12:28 +0500, Irtiza Ali wrote:
> I am using this endpoint:
>
> XXXXXXXXXX/protocol/openid-connect/token
>
> to authenticate the user. Once the user is authenticated a json (jwt) is returned from keyclock.
>
> Decoded jwt json:
>
> {
>   "jti": "30d233b2-bba8-4f21-bc51-8c867cd5db8b",
>   "exp": 1532326409,
>   "nbf": 0,
>   "iat": 1532325509,
>   "iss": "http://localhost:8080/auth/realms/nodejs-example",
>   "aud": "nodejs-connect",
>   "sub": "faf3fc64-b96b-4e3f-8e86-4fc727e20d31",
>   "typ": "Bearer",
>   "azp": "nodejs-connect",
>   "auth_time": 0,
>   "session_state": "736f9570-a3c8-4180-927e-15b5e0f63764",
>   "acr": "1",
>   "allowed-origins": [],
>   "resource_access": {
>     "account": {
>       "roles": [
>         "view-profile"
>       ]
>     }
>   },
>   "name": "aaa bbb",
>   "preferred_username": "ali123",
>   "given_name": "aaa",
>   "family_name": "bbb",
>   "email": "a123 at yahoo.com"
> }
>
> How can I retrieve the user roles from that JWT token?
>
> Thank you
>
> Irtiza Ali
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From testoauth55 at gmail.com Tue Jul 31 00:04:13 2018
From: testoauth55 at gmail.com (Test Oauth)
Date: Tue, 31 Jul 2018 09:34:13 +0530
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To: <1532997860.5207.8.camel@acutus.pro>
References: <1532997860.5207.8.camel@acutus.pro>

Yes sir, I followed the doc https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter. And am seeing the same behavior on chrome and firefox.

Also regarding the manual mode, I see the same behavior, i.e. I have to re-login for each re-run of the client app. But if I do this:

System.out.println("Login through manual mode");
keycloak.loginManual();
System.out.println("Login through browser");
keycloak.loginDesktop();

i.e. if I call both modes in the same code or even the same mode twice in the same code, then I don't have to re-login for the second call (in the above example for loginDesktop). However when I re-run the application, I need to re-login.

This might be a stupid guess but could these sessions be "java object specific"?

On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin wrote:
> Hi,
>
> Did you do everything in accordance with the docs?
> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter
>
> Do you experience this in "manual" mode too?
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote:
> > I am using openid-connect for authenticating users. After successful authentication, browser window says:
> > "Login Successful
> >
> > You may close this browser window and go back to your console application."
> >
> > However, even without closing the window, if I relaunch my application (using keycloak.loginDesktop();) even within 10 seconds, still the login page appears instead of: you are already logged in.
> >
> > Browser: Firefox.
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From testoauth55 at gmail.com Tue Jul 31 00:14:39 2018
From: testoauth55 at gmail.com (Test Oauth)
Date: Tue, 31 Jul 2018 09:44:39 +0530
Subject: [keycloak-user] Sharing default configuration for keycloak deployment
In-Reply-To: <1533008594.5207.26.camel@acutus.pro>
References: <1533008594.5207.26.camel@acutus.pro>

Thanks for the info. That is exactly what I have been looking for.

For reference, this doc is a gem: http://blog.keycloak.org/2017/01/administer-keycloak-server-from-shell.html

On Tue, Jul 31, 2018 at 9:13 AM, Dmitry Telegin wrote:
> Hi,
>
> Is it correct that you're shipping vanilla Keycloak distro with your application, and you want to apply configuration changes as easily as possible?
>
> You should be considering the following tools:
> $KEYCLOAK/bin/add-user-keycloak.sh (to add admin user)
> $KEYCLOAK/bin/kcadm.sh (to create realms and virtually everything else in Keycloak; remember you'll need to spin it up first)
> $KEYCLOAK/bin/jboss-cli.sh (to install JDBC driver, configure database etc.)
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2018-07-25 at 12:17 +0530, Test Oauth wrote:
> > I am shipping Keycloak with my application and there is some default configuration that I have done. I want to ship this default configuration (like admin name/password, realm names etc) with my application so that the customers can bring the basic authentication flow up with a single click (of probably a batch file).
> >
> > Is there a way to do this?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Tue Jul 31 00:25:48 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 07:25:48 +0300
Subject: [keycloak-user] Dynamically branded login?
Message-ID: <1533011148.5207.30.camel@acutus.pro>

Hi Craig, sorry for late response,

On Thu, 2018-07-12 at 06:08 -0500, Craig Setera wrote:
> We build and host a multitenant application that is currently using homegrown authentication and authorization (using Picketlink). We are considering a move to Keycloak. My preference would be to use the login flows that are built in to Keycloak rather than building our own, however that is dependent on whether we can properly brand those login flows on a per-customer basis in some dynamic way.

In Keycloak parlance, the term "login flow" has a very particular meaning. Basically, it's what you see in the Authentication section in the Admin Console. It defines how authentication *works* rather than how it *looks* (i.e. logic rather than appearance). Do you really mean "login flows"? From the second part of your message I can deduce you're mainly interested in customizing the GUI.

> In looking at the theme SPI support, it appears to be mostly targeted to supporting multiple "static" themes. Is it possible to make a theme that is dynamic based on, for example, a query parameter?

By default, Keycloak uses FreeMarker templates for login screens. In the templates, the URL object is exposed as ${url}, so you can analyze it and add conditional statements. If you're ok with that, probably you won't need to implement any SPIs. Otherwise, you can either implement custom theme selection logic based on request parameters (Theme Selector SPI), or completely redefine the theming mechanism (Theme SPI).

> Are there any examples anywhere on how that might be possible?

Well, builtin Keycloak themes are the best example IMO :) you can find the default login theme under themes/src/main/resources/theme/base/login in the source tree.

> Would Keycloak carry through query parameters if they were provided when launching the login flow?

It's best to create a custom theme and see :)

Good luck!
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
> Thanks,
> Craig
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dt at acutus.pro Tue Jul 31 01:30:54 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 08:30:54 +0300
Subject: [keycloak-user] Problem while getting users
Message-ID: <1533015054.5207.32.camel@acutus.pro>

Hi Cedric,

Indeed, the roles/{role-name}/users endpoint returns assigned roles only. OTOH, for a single user it is possible to retrieve the list of effective roles, which is computed.

You can file an improvement request at JIRA, but I'm not sure if it will be accepted. To implement it in an efficient way, effective roles should be cached in the DB, that means significant changes to the codebase.

Meanwhile, you can implement this piece of functionality as an extension to Keycloak. Let me know if that is interesting for you, so I'd elaborate.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

On Mon, 2018-07-23 at 18:36 +0200, Cedric Vidaillac wrote:
> Hi all,
>
> I'm trying things with the admin CLI, I want to get all users that have a specified role,
>
> So I'm using this:
>
> GET /{realm}/clients/{id}/roles/{role-name}/users
>
> Then, we decided it was really easier to manage users by assigning them to a default group, then assigning roles to my default group... than assigning roles for each user every time...
>
> So when I look up any user now, on the "role mapping" tab, I can see the desired role in the "*Effective Roles*" column, good.
> > However, the API above only return users which have the role in the "Assigned > Roles", even though my user have the role through the group. > > So I this normal or is it a bug ? > As the goal of the API is to " Return List of Users that have the specified > role name" I'd say it's a bug, but maybe I'm not seeing clear. > > Thanks for reading. > > Cedric. > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From iali at an10.io Tue Jul 31 02:00:13 2018 From: iali at an10.io (Irtiza Ali) Date: Tue, 31 Jul 2018 11:00:13 +0500 Subject: [keycloak-user] Extract user roles from jwt auth token In-Reply-To: <1533009716.5207.28.camel@acutus.pro> References: <1533009716.5207.28.camel@acutus.pro> Message-ID: Thank you, Dmitry for the response, 1) Yes, I have assigned admin and client roles to the user. 2) My keycloak version is 4.0.0 I have resolved this issue thanks for the help IA On Tue, Jul 31, 2018 at 9:01 AM, Dmitry Telegin
wrote: > Hi Irtiza, > > In Keycloak, there are two types of roles: realm roles and client roles. > In JWT, they are mapped to realm_access and resource_access object, > respectively. > > So in your JWT example, resource_access lists client roles. Does the user > have any realm roles assigned? What version of Keycloak are you using? > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > On Mon, 2018-07-23 at 12:28 +0500, Irtiza Ali wrote: > > I am using this endpoint: > > > > XXXXXXXXXX/protocol/openid-connect/token > > > > to authenticate the user. Once the user is authenticated a json(jwt) is > > returned from keyclock. > > > > Decoded jwt json: > > > > { > > "jti": "30d233b2-bba8-4f21-bc51-8c867cd5db8b", > > "exp": 1532326409, > > "nbf": 0, > > "iat": 1532325509, > > > "iss": "http://localhost:8080/auth/realms/nodejs-example", > > "aud": "nodejs-connect", > > "sub": "faf3fc64-b96b-4e3f-8e86-4fc727e20d31", > > "typ": "Bearer", > > "azp": "nodejs-connect", > > "auth_time": 0, > > "session_state": "736f9570-a3c8-4180-927e-15b5e0f63764", > > "acr": "1", > > "allowed-origins": [], > > "resource_access": { > > "account": { > > "roles": [ > > "view-profile" > > ] > > } > > }, > > "name": "aaa bbb", > > "preferred_username": "ali123", > > "given_name": "aaa", > > "family_name": "bbb", > > > "email": "a123 at yahoo.com" > > } > > > > How can I retrieve the user roles from that JWT token? 
> >
> > Thank you
> >
> > Irtiza Ali
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dt at acutus.pro Tue Jul 31 02:07:33 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 09:07:33 +0300
Subject: [keycloak-user] Extract user roles from jwt auth token
In-Reply-To:
References: <1533009716.5207.28.camel@acutus.pro>
Message-ID: <1533017253.5207.38.camel@acutus.pro>

Hi Irtiza,

On Tue, 2018-07-31 at 11:00 +0500, Irtiza Ali wrote:
> Thank you, Dmitry, for the response.
>
> 1) Yes, I have assigned admin and client roles to the user.
> 2) My Keycloak version is 4.0.0.
>
> I have resolved this issue; thanks for the help.

You're welcome! Just FYI: the behavior has changed after 3.2.0, so that realm_access is no longer included in JWT by default. It has to be configured explicitly.

Good luck!
Dmitry

>
> IA
>
>
>
>
> On Tue, Jul 31, 2018 at 9:01 AM, Dmitry Telegin
> wrote:
> > Hi Irtiza,
> >
> > In Keycloak, there are two types of roles: realm roles and client roles. In JWT, they are mapped to the realm_access and resource_access objects, respectively.
> >
> > So in your JWT example, resource_access lists client roles. Does the user have any realm roles assigned? What version of Keycloak are you using?
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Mon, 2018-07-23 at 12:28 +0500, Irtiza Ali wrote:
> > > I am using this endpoint:
> > >
> > > XXXXXXXXXX/protocol/openid-connect/token
> > >
> > > to authenticate the user. Once the user is authenticated a JSON (JWT) is returned from Keycloak.
> > >
> > > Decoded JWT JSON:
> > >
> > > {
> > >   "jti": "30d233b2-bba8-4f21-bc51-8c867cd5db8b",
> > >   "exp": 1532326409,
> > >   "nbf": 0,
> > >   "iat": 1532325509,
> > >   "iss": "http://localhost:8080/auth/realms/nodejs-example",
> > >   "aud": "nodejs-connect",
> > >   "sub": "faf3fc64-b96b-4e3f-8e86-4fc727e20d31",
> > >   "typ": "Bearer",
> > >   "azp": "nodejs-connect",
> > >   "auth_time": 0,
> > >   "session_state": "736f9570-a3c8-4180-927e-15b5e0f63764",
> > >   "acr": "1",
> > >   "allowed-origins": [],
> > >   "resource_access": {
> > >     "account": {
> > >       "roles": [
> > >         "view-profile"
> > >       ]
> > >     }
> > >   },
> > >   "name": "aaa bbb",
> > >   "preferred_username": "ali123",
> > >   "given_name": "aaa",
> > >   "family_name": "bbb",
> > >   "email": "a123 at yahoo.com"
> > > }
> > >
> > > How can I retrieve the user roles from that JWT token?
> > >
> > > Thank you
> > >
> > > Irtiza Ali
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> >

From iali at an10.io Tue Jul 31 02:37:05 2018
From: iali at an10.io (Irtiza Ali)
Date: Tue, 31 Jul 2018 11:37:05 +0500
Subject: [keycloak-user] Extract user roles from jwt auth token
In-Reply-To: <1533017253.5207.38.camel@acutus.pro>
References: <1533009716.5207.28.camel@acutus.pro> <1533017253.5207.38.camel@acutus.pro>
Message-ID:

Thanks for the tip!

IA

On Tue, 31 Jul 2018, 11:07 Dmitry Telegin,
wrote:
> Hi Irtiza,
>
> On Tue, 2018-07-31 at 11:00 +0500, Irtiza Ali wrote:
> > Thank you, Dmitry, for the response.
> >
> > 1) Yes, I have assigned admin and client roles to the user.
> > 2) My Keycloak version is 4.0.0.
> >
> > I have resolved this issue; thanks for the help.
>
> You're welcome! Just FYI: the behavior has changed after 3.2.0, so that realm_access is no longer included in JWT by default. It has to be configured explicitly.
>
> Good luck!
> Dmitry
>
> >
> > IA
> >
> >
> >
> >
> > On Tue, Jul 31, 2018 at 9:01 AM, Dmitry Telegin
> > wrote:
> > > Hi Irtiza,
> > >
> > > In Keycloak, there are two types of roles: realm roles and client roles. In JWT, they are mapped to the realm_access and resource_access objects, respectively.
> > >
> > > So in your JWT example, resource_access lists client roles. Does the user have any realm roles assigned? What version of Keycloak are you using?
> > >
> > > Cheers,
> > > Dmitry Telegin
> > > CTO, Acutus s.r.o.
> > > Keycloak Consulting and Training
> > >
> > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > > +42 (022) 888-30-71
> > > E-mail: info at acutus.pro
> > >
> > > On Mon, 2018-07-23 at 12:28 +0500, Irtiza Ali wrote:
> > > > I am using this endpoint:
> > > >
> > > > XXXXXXXXXX/protocol/openid-connect/token
> > > >
> > > > to authenticate the user. Once the user is authenticated a JSON (JWT) is returned from Keycloak.
> > > >
> > > > Decoded JWT JSON:
> > > >
> > > > {
> > > >   "jti": "30d233b2-bba8-4f21-bc51-8c867cd5db8b",
> > > >   "exp": 1532326409,
> > > >   "nbf": 0,
> > > >   "iat": 1532325509,
> > > >   "iss": "http://localhost:8080/auth/realms/nodejs-example",
> > > >   "aud": "nodejs-connect",
> > > >   "sub": "faf3fc64-b96b-4e3f-8e86-4fc727e20d31",
> > > >   "typ": "Bearer",
> > > >   "azp": "nodejs-connect",
> > > >   "auth_time": 0,
> > > >   "session_state": "736f9570-a3c8-4180-927e-15b5e0f63764",
> > > >   "acr": "1",
> > > >   "allowed-origins": [],
> > > >   "resource_access": {
> > > >     "account": {
> > > >       "roles": [
> > > >         "view-profile"
> > > >       ]
> > > >     }
> > > >   },
> > > >   "name": "aaa bbb",
> > > >   "preferred_username": "ali123",
> > > >   "given_name": "aaa",
> > > >   "family_name": "bbb",
> > > >   "email": "a123 at yahoo.com"
> > > > }
> > > >
> > > > How can I retrieve the user roles from that JWT token?
> > > >
> > > > Thank you
> > > >
> > > > Irtiza Ali
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > >
> >

From iali at an10.io Tue Jul 31 02:41:20 2018
From: iali at an10.io (Irtiza Ali)
Date: Tue, 31 Jul 2018 11:41:20 +0500
Subject: [keycloak-user] Keycloak integration with mysql.
Message-ID:

Hello everyone,

Keycloak by default uses H2 Hibernate as DB and I want to replace it with MySQL. I have followed the guidelines in the documentation but was unable to figure out whether MySQL is integrated or not.

Kindly provide me some guidelines in this regard.

1) Any blog or tutorials for this purpose.
2) Any method to validate that MySQL is integrated with Keycloak.

Thank you

Regards
Irtiza Ali

From erlend at hamnaberg.net Tue Jul 31 02:48:57 2018
From: erlend at hamnaberg.net (Erlend Hamnaberg)
Date: Tue, 31 Jul 2018 08:48:57 +0200
Subject: [keycloak-user] Upgrading Keycloak 3.4.2 to 4.1.0 in docker
In-Reply-To: <1532998465.5207.10.camel@acutus.pro>
References: <1532998465.5207.10.camel@acutus.pro>
Message-ID:

That is what I hoped. Thanks a lot, Dmitry.

/Erlend

On Tue, Jul 31, 2018 at 2:54 AM, Dmitry Telegin
wrote:
> Hi Erlend,
>
> Normally you shouldn't do anything else, unless you manage Keycloak configuration yourself, i.e. $KEYCLOAK/standalone/configuration is a Docker volume. In this case you might need to migrate your configuration. There are helpful scripts in $KEYCLOAK/bin/migrate*.cli to facilitate that.
>
> If you deploy custom providers (extensions), especially if using frequently changing private SPIs, you'll also have to make sure the code compiles with the new version of Keycloak.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Mon, 2018-07-30 at 10:02 +0200, Erlend Hamnaberg wrote:
> > Hello all.
> >
> > I was wondering if it is required to run the upgrade steps (apart from the database migrations and themes) when deploying Keycloak in dockerized form? I am of course extending
> >
> > FROM jboss/keycloak:4.1.0.Final
> >
> > I started the server with just upgrading the database automatically, and it seems to work fine.
> > Am I missing some other important step?
> >
> > /Erlend
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From dt at acutus.pro Tue Jul 31 02:50:33 2018
From: dt at acutus.pro (Dmitry Telegin)
Date: Tue, 31 Jul 2018 09:50:33 +0300
Subject: [keycloak-user] Keycloak integration with mysql.
In-Reply-To:
References:
Message-ID: <1533019833.5207.40.camel@acutus.pro>

Hi again Irtiza,

On Tue, 2018-07-31 at 11:41 +0500, Irtiza Ali wrote:
> Hello everyone,
>
> Keycloak by default uses H2 Hibernate as DB and I want to replace it with MySQL. I have followed the guidelines in the documentation but was unable to figure out whether MySQL is integrated or not.
>
> Kindly provide me some guidelines in this regard.
>
>
> 1) Any blog or tutorials for this purpose.

Here's the doc: https://www.keycloak.org/docs/latest/server_installation/index.html#_database

Basically, you'll need to install a JDBC driver, set up your database and configure it in Keycloak.

> 2) Any method to validate that MySQL is integrated with Keycloak.

The best way would be to connect to MySQL (using CLI, or MySQL Workbench, or whatever tool you choose) and to see if it's populated.

Cheers,
Dmitry Telegin
CTO, Acutus s.r.o.
Keycloak Consulting and Training

Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
+42 (022) 888-30-71
E-mail: info at acutus.pro

>
>
> Thank you
>
> Regards
> Irtiza Ali
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From dean.wyns at aptus.be Tue Jul 31 02:58:55 2018
From: dean.wyns at aptus.be (Wyns Dean)
Date: Tue, 31 Jul 2018 06:58:55 +0000
Subject: [keycloak-user] FW: Access control and client setup
In-Reply-To:
References:
Message-ID:

Hi Pedro

Thanks for the clarification.

The scopes are not really a result of user consent, but rather just a request for the right amount of permissions. A user can ask for as much permission as he needs by using the scope. So if the SPA needs read and create permission for items, the scope can be "openid read:items create:items". If the user can only read items, eventually the resulting scope should be "openid read:items" and the backend can block create calls.

I saw some people create roles for every scope and then use composite roles to, for example, create "admin" users with the right roles for the scopes. Is this the right way to do this?

An item is assigned to a customer (and a user is assigned to a customer), so my-api still needs to filter on that so that users can only read items from their own customer. Is this a use case where the fine-grained authorization of Keycloak comes into play?
We'd need to create an item resource in Keycloak for every item in our database, right? And then use UMA to check the access to a particular item?

We could also just add the customer as a claim in the token and use that to filter our database (but like you said, then my-api does the authorization). I think this is the way to go for our case at the moment, as we already have an existing system where it happens like this. So it requires minimal refactoring.

As of now, we're not using any adapters yet. Most of our backend processes are in Node.js btw. But we're also checking out Kong as an API gateway to use, so we could use an OIDC plugin that communicates with Keycloak if needed.

Thanks a lot
Dean

> From: Pedro Igor Silva
> Sent: Monday, 30 July 2018 17:52
> To: Wyns Dean
> CC: keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] FW: Access control and client setup
>
> On Mon, Jul 30, 2018 at 10:43 AM, Wyns Dean wrote:
> > Hi Pedro
> >
> > Thanks for your answer.
> >
> > So the idea is to create one client for the API, let's call it "my-api", with authorization enabled and the resources/scopes/permissions like you described previously. And I'll create another (public) client for the SPA, "my-app".
> >
> > If users authenticate against my-app using the implicit flow, how can I link the scopes associated with the resources of my-api and have them follow the permissions that are defined on my-api? Do I have to add the scopes as optional "Client Scopes" so they are shared? The problem then is that they don't show up under the Authorization tab of my-api, only the Authorization Scopes do. Or should authorization be enabled for my-app as well?
>
> Client Scopes and Authorization tabs are different features. The first provides an authorization model based on OAuth2 scopes, where scopes may map to one or more claims inside your token or even restrict the roles you send in the token. They are also related with user consent.
> The Authorization provides you the necessary means to set up resource-based permissions using different access control mechanisms. It also provides privacy based on user-managed access.
>
> > I would like the backend to purely check on the scope associated with the access token, by looking at the scope claim. There doesn't seem to ever be a permissions claim in my tests, I only get the "resource_access" claim but that only contains the roles, which I don't need in the backend.
>
> Are these scopes a result of user consent? Or do you need more fine-grained control and externalize authorization from my-api? Are you using a specific Keycloak adapter? (wildfly, spring, etc)
>
> > Sorry if I'm being unclear. Your help is highly appreciated!
> >
> > Dean
> >
> > > From: Pedro Igor Silva
> > > Sent: Thursday, 26 July 2018 14:00
> > > To: Wyns Dean
> > > CC: keycloak-user at lists.jboss.org
> > > Subject: Re: [keycloak-user] FW: Access control and client setup
> > >
> > > On Wed, Jul 25, 2018 at 4:21 AM, Wyns Dean wrote:
> > > > Hi
> > > >
> > > > I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but I can't seem to wrap my head around some things.
> > > >
> > > > We want to separate our APIs from the IAM. The sole purpose of Keycloak is to provide an identity and access token, primarily using the implicit flow. The client-side application (usually SPAs) uses the access token in all API calls and the resource server checks the signature of the access token but does not access Keycloak at all.
> > > >
> > > > Each backend has a few operations, and each operation gets its own "permission". For example one API can manage "items", so there are four permissions:
> > > > - create:item
> > > > - read:item
> > > > - update:item
> > > > - delete:item
> > > >
> > > > Is it best practice with Keycloak to model these permissions as scopes? And then use roles/permissions/policies to limit the scope of the user? The backend can then just decode the access token and read the granted scopes.
> > >
> > > Ideally, you should define your authorization settings based on your model.
> > > So if you have a resource "Item", which is a protected resource in your API, you should have an "Item Resource" in Keycloak. The actions/methods create, read, update and delete can be scopes associated with your "Item" resource.
> > >
> > > Once you have your item resource and scopes, you can define permissions that govern access for the resource itself or for each scope individually. All depends on how you create those permissions (resource vs scope permissions) and policies associated with them.
> > >
> > > The backend could just decode the token and check for the "permissions" claim. Or you can also query the Keycloak server on every request to obtain a decision.
> > >
> > > > Also, in a SPA + API set-up, do I create two clients in Keycloak, one for each? This is only useful when the API needs resource protection, right? I guess in my case I only need one client for the SPA because the API only needs the scope from the access token by decoding it.
> > >
> > > I would say you should have two clients representing both applications. They have different requirements and are really different things. Your SPA is probably a regular public client while your API is a resource server.
> > >
> > > > Thanks for any feedback
> > > >
> > > > Kind regards
> > > > Dean

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From matthias.kesternich at moneymeets.com Tue Jul 31 03:11:49 2018
From: matthias.kesternich at moneymeets.com (Matthias Kesternich)
Date: Tue, 31 Jul 2018 07:11:49 +0000
Subject: [keycloak-user] kcadm - adding a protocol-mapper
In-Reply-To: <1533005327.5207.14.camel@acutus.pro>
References: <393991387.3571827.1532708749385.ref@mail.yahoo.com> <393991387.3571827.1532708749385@mail.yahoo.com> <98566890.3575432.1532708944298@mail.yahoo.com> <1533005327.5207.14.camel@acutus.pro>
Message-ID: <5126F9C8-5AA5-4C27-BD8E-C3871BD5A462@moneymeets.com>

FWIW I have no problem creating mappers for 4.0.0 and 4.1.0.
I use this:

kcadm.sh create clients/$CLIENT_ID/protocol-mappers/models -f - << 'EOF'
{
  "protocol": "openid-connect",
  "name": "scope",
  "protocolMapper": "oidc-script-based-protocol-mapper",
  "config": {
    "script": "somescript",
    "id.token.claim": false,
    "access.token.claim": true,
    "userinfo.token.claim": false,
    "multivalued": true,
    "claim.name": "myclaim",
    "jsonType.label": ""
  }
}
EOF

To me it seems the OP's JSON is invalid, as indicated by "handleUnexpectedToken".

Best,
-Matthias

On 31.07.18, 04:50, "keycloak-user-bounces at lists.jboss.org on behalf of Dmitry Telegin" wrote:

    Hi Jamie,

    Seems like you've hit a bug. I can confirm this for KC 4.1.0. As a workaround I've tried to use JSON, but got an even stranger error:

    Resource not found for url: http://localhost:8080/auth/admin/realms/master/clients//protocol-mappers/models

    But that's exactly the URL the Admin Console makes HTTP POST to.

    I'd suggest that you file a bug in JIRA.

    Cheers,
    Dmitry Telegin
    CTO, Acutus s.r.o.
    Keycloak Consulting and Training

    Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
    +42 (022) 888-30-71
    E-mail: info at acutus.pro

    On Fri, 2018-07-27 at 16:29 +0000, Jamie McDowell wrote:
    > Hi,
    >
    > I am trying to add a client protocol-mapper, however when I try and run this I get an HTTP error - 500 Internal Server Error
    >
    > opt/jboss/keycloak/bin/kcadm.sh create \
    >   clients//protocol-mappers/models \
    >   -r demorealm \
    >   -s protocol=openid-connect \
    >   -s protocolMapper=oidc-usermodel-realm-mapper \
    >   -s consentRequired=false \
    >   -s config.claim.name=group_membership \
    >   -s config.jsonType.label=String \
    >   -s config.id.token.claim=true \
    >   -s config.access.token.claim=true \
    >   -s config.userinfo.token.claim=true \
    >   -s config.multivalued=true \
    >   -s name=Realm
    >
    > I can confirm that kcadm works as I have been able to create groups, LDAP mappers, realms etc...
    > In the server.log I can see the below error when I run the above
    >
    > ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-109) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can notat [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 55dee6f8; line: 1, column: 119] (through reference chain: org.keycloak.representations.idm.ProtocolMapperRepresentation["co
    >   at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270)
    >   at com.fasterxml.jackson.databind.DeserializationContext.reportMappingException(DeserializationContext.java:1234)
    >   at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1122)
    >   at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1075)
    >   at com.fasterxml.jackson.databind.deser.std.StringDeserializer.deserialize(StringDeserializer.java:60)
    >
    > Appreciate if anyone can advise on this (keycloak version is 3.4.3)
    >
    > Thanks
    > Jamie
    > _______________________________________________
    > keycloak-user mailing list
    > keycloak-user at lists.jboss.org
    > https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From slaskawi at redhat.com Tue Jul 31 03:36:30 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 31 Jul 2018 09:36:30 +0200
Subject: [keycloak-user] Sharing default configuration for keycloak deployment
In-Reply-To:
References: <1533008594.5207.26.camel@acutus.pro>
Message-ID:

As for the realm config, you can also start Keycloak with these switches:

./standalone.sh -Dkeycloak.migration.action=import \
    -Dkeycloak.migration.provider=singleFile \
    -Dkeycloak.migration.file=realm-export.json \
    -Dkeycloak.migration.strategy=OVERWRITE_EXISTING

This will start Keycloak and import your realm.
On Tue, Jul 31, 2018 at 6:16 AM Test Oauth wrote:
> Thanks for the info. That is exactly what I have been looking for.
>
> For reference, this doc is a gem:
> http://blog.keycloak.org/2017/01/administer-keycloak-server-from-shell.html
>
>
> On Tue, Jul 31, 2018 at 9:13 AM, Dmitry Telegin
> wrote:
>
> > Hi,
> >
> > Is it correct that you're shipping the vanilla Keycloak distro with your application, and you want to apply configuration changes as easily as possible?
> >
> > You should be considering the following tools:
> > $KEYCLOAK/bin/add-user-keycloak.sh (to add admin user)
> > $KEYCLOAK/bin/kcadm.sh (to create realms and virtually everything else in Keycloak; remember you'll need to spin it up first)
> > $KEYCLOAK/bin/jboss-cli.sh (to install JDBC driver, configure database etc.)
> >
> > Cheers,
> > Dmitry Telegin
> > CTO, Acutus s.r.o.
> > Keycloak Consulting and Training
> >
> > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> > +42 (022) 888-30-71
> > E-mail: info at acutus.pro
> >
> > On Wed, 2018-07-25 at 12:17 +0530, Test Oauth wrote:
> > > I am shipping Keycloak with my application and there is some default configuration that I have done. I want to ship this default configuration (like admin name/password, realm names etc) with my application so that the customers can bring the basic authentication flow up with a single click (of probably a batch file).
> > >
> > > Is there a way to do this?
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From henning.waack at codecentric.de Tue Jul 31 04:05:10 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Tue, 31 Jul 2018 10:05:10 +0200
Subject: [keycloak-user] Close EntityManager in RealmResourceProvider?
In-Reply-To: <1533007202.5207.18.camel@acutus.pro>
References: <1533007202.5207.18.camel@acutus.pro>
Message-ID:

Perfect, thanks Dmitry, this is basically what I am doing already.
Just didn't know if I have to close the EntityManager myself, e.g. in the close() method.

Greetings

Henning

2018-07-31 5:20 GMT+02:00 Dmitry Telegin
:
> Hi Henning,
>
> First, it's recommended that you don't use EntityManager directly in your RealmResourceProvider, but rather create a facade class to encapsulate JPA operations.
>
> examples/providers/domain-extension is a nice example of the above (look for ExampleService and its implementation).
>
> Second, generally you should retrieve an EntityManager before each new transaction. As long as it's in a local variable, it will be finalized and closed automatically, so normally you don't need to bother.
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Fri, 2018-07-27 at 10:17 +0200, Henning Waack wrote:
> > Hi.
> >
> > I am implementing a RealmResourceProvider (KC 4.0) in which I use an EntityManager provided by the KeycloakSession to access the KC DB:
> >
> > EntityManager em = ((KeycloakSession)session).getProvider(JpaConnectionProvider.class).getEntityManager();
> >
> > In my class which extends org.keycloak.services.resource.RealmResourceProvider and uses this EntityManager, do I have to close the EM instance after using it? Or do I have to close it in my RealmResourceProviderFactory.close() method where I obtain it from the session?
> >
> > Thanks & greetings
> >
> > Henning
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

-- 
-----------
Henning Waack | IT Consultant

codecentric AG | Hochstraße 11 | 42697 Solingen | Germany
tel: +49 (0)151 108 515 29
www.codecentric.de | blog.codecentric.de | www.meettheexperts.de

Registered office: Solingen | HRB 25917 | Wuppertal Local Court
Executive board: Michael Hochgürtel . Ulrich Kühn . Rainer Vehns
Supervisory board: Patric Fedlmeier (Chairman) . Klaus Jäger . Jürgen Schütz

This e-mail, including any attached files, contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and delete this e-mail and any attached files without delay. Unauthorized copying, use or opening of any attached files, as well as unauthorized forwarding of this e-mail, is not permitted.

From henning.waack at codecentric.de Tue Jul 31 04:06:25 2018
From: henning.waack at codecentric.de (Henning Waack)
Date: Tue, 31 Jul 2018 10:06:25 +0200
Subject: [keycloak-user] Outbound SSL Connection in SPI
In-Reply-To: <1532565145.2078.11.camel@acutus.pro>
References: <1532565145.2078.11.camel@acutus.pro>
Message-ID:

Dmitry, using session.getProvider(HttpClientProvider.class) did the trick, perfect solution!

Thanks again for your great help!

Greetings

Henning

2018-07-26 2:32 GMT+02:00 Dmitry Telegin
:
> Hi Henning,
>
> The HttpClientProvider scenario is more correct. But can you try session.getProvider(HttpClientProvider.class), instead of creating it manually? Does it make any difference?
>
> If not, what does session.getProvider(TruststoreProvider.class) return?
>
> If it is null, the next question I'm going to ask you will be "do you know how to attach a debugger to your Keycloak process?" :)
>
> Cheers,
> Dmitry Telegin
> CTO, Acutus s.r.o.
> Keycloak Consulting and Training
>
> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic
> +42 (022) 888-30-71
> E-mail: info at acutus.pro
>
> On Wed, 2018-07-25 at 09:45 +0200, Henning Waack wrote:
> > Any input on this? Kinda stuck with this issue... Thanks!
> >
> > On 24 July 2018 at 11:18, Henning Waack <henning.waack at codecentric.de> wrote:
> > > Hi.
> > >
> > > I am implementing a custom OIDC Protocol Mapper. Within it I have to make an https connection, which currently fails because I do not have a truststore configured on my http connection.
> > >
> > > I have added a truststore SPI to my standalone.xml:
> > >
> > >     value="${jboss.server.config.dir}/nak.test.jks"/>
> > >     value="WILDCARD"/>
> > >
> > > But I do not know how to get a HttpClient instance which uses this truststore. I have tried with:
> > >
> > > org.apache.http.client.HttpClient httpClient = new org.keycloak.connections.httpclient.HttpClientBuilder().build();
> > >
> > > and
> > >
> > > DefaultHttpClientFactory factory = new DefaultHttpClientFactory();
> > > HttpClientProvider httpClientProvider = factory.create((KeycloakSession)session);
> > > return httpClientProvider.getHttpClient();
> > >
> > > whereas the first just does not have the truststore configured, and the second fails with an NPE.
> > >
> > > So how do I get an outbound http connection which uses my truststore SPI?
> > >
> > > Thanks & greetings
> > >
> > > Henning
> > > --
> > > Henning Waack | IT Consultant
> > > codecentric AG
> >
>

-- 
Henning Waack | IT Consultant
codecentric AG

From Yann.Jouanin at witbe.net Tue Jul 31 04:26:20 2018
From: Yann.Jouanin at witbe.net (Yann Jouanin)
Date: Tue, 31 Jul 2018 08:26:20 +0000
Subject: [keycloak-user] Implicit flow between two (or more) keycloak instances
Message-ID:

Hello community,

Does anybody have a clue on this topic?

Best regards,

Yann

>
> I am currently trying to use implicit flow between two Keycloak instances.
> My setup is:
> We have one Keycloak used in our cloud and one on customer premises, federating the customer's LDAP.
>
> Because there is no network connectivity between both Keycloak instances, I want to use the implicit flow so the customer accesses our service in the cloud, gets redirected to our Keycloak instance for login and then has the option to use its on-premise instance configured as an OIDC identity provider.
> The setup works in a lab with standard flow, but with implicit flow I get an error message "Standard flow is disabled for the client".
>
> Is implicit flow usable in this case?
>
> Best regards,
> Yann Jouanin
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From cedric.couralet at gmail.com Tue Jul 31 05:15:46 2018
From: cedric.couralet at gmail.com (Cédric Couralet)
Date: Tue, 31 Jul 2018 11:15:46 +0200
Subject: [keycloak-user] Implicit flow between two (or more) keycloak instances
In-Reply-To:
References:
Message-ID:

Hi,

For the same use case (no communication between two Keycloak instances), we resorted to using SAML authentication.
It works, but I would prefer OIDC Implicit Flow to work :)

Cédric Couralet

On Tue, 31 Jul 2018 at 10:25, Yann Jouanin wrote:
> Hello community,
>
> Does anybody have a clue on this topic?
>
> Best regards,
>
> Yann
>
> >
> > I am currently trying to use implicit flow between two Keycloak instances.
> > My setup is:
> > We have one Keycloak used in our cloud and one on customer premises, federating the customer's LDAP.
> >
> > Because there is no network connectivity between both Keycloak instances, I want to use the implicit flow so the customer accesses our service in the cloud, gets redirected to our Keycloak instance for login and then has the option to use its on-premise instance configured as an OIDC identity provider.
> > The setup works in a lab with standard flow, but with implicit flow I get an error message "Standard flow is disabled for the client".
> >
> > Is implicit flow usable in this case?
> >
> > Best regards,
> > Yann Jouanin
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From testoauth55 at gmail.com Tue Jul 31 07:28:04 2018
From: testoauth55 at gmail.com (Test Oauth)
Date: Tue, 31 Jul 2018 16:58:04 +0530
Subject: [keycloak-user] Browser not maintaining session for keycloak users
In-Reply-To:
References: <1532997860.5207.8.camel@acutus.pro>
Message-ID:

An update on my findings:

When I checked the developer console, I am getting a KC_RESTART cookie in the cookies section.

On Tue, Jul 31, 2018 at 9:34 AM, Test Oauth wrote:
> Yes sir,
> I followed the doc https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter. And am seeing the same behavior on Chrome and Firefox.
> > Also regarding the manual mode, I see the same behavior i.e I have to > re-login for each re-run of the client app. > > But if I do this: > > System.out.println("Login through manual mode"); > keycloak.loginManual(); > System.out.println("Login through browser"); > keycloak.loginDesktop(); > > i.e. if I call both modes in the same code or even same mode twice in the > same code, then I don't have to re-login for second call (in the above > example for loginDesktop). However when I re-run the application, I need to > re-login. This might be a stupid guess but could these sessions be "java > object specific"? > > > On Tue, Jul 31, 2018 at 6:14 AM, Dmitry Telegin
wrote: > >> Hi, >> >> Did you do everything in accordance with the docs? >> https://www.keycloak.org/docs/latest/securing_apps/index.html#_installed_adapter >> >> Do you experience this in "manual" mode too? >> >> Cheers, >> Dmitry Telegin >> CTO, Acutus s.r.o. >> Keycloak Consulting and Training >> >> Pod lipami street 339/52, 130 00 Prague 3, Czech Republic >> +42 (022) 888-30-71 >> E-mail: info at acutus.pro >> >> On Mon, 2018-07-30 at 16:08 +0530, Test Oauth wrote: >> > I am using openid-connect for authenticating users. After successful >> > authentication, the browser window says: >> > "Login Successful >> > >> > You may close this browser window and go back to your console >> application." >> > >> > However, even without closing the window, if I relaunch my application >> > (using keycloak.loginDesktop();) even within 10 seconds, still the login >> > page appears instead of: you are already logged in. >> > >> > Browser: Firefox. >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> > > From psilva at redhat.com Tue Jul 31 08:05:28 2018 From: psilva at redhat.com (Pedro Igor Silva) Date: Tue, 31 Jul 2018 09:05:28 -0300 Subject: [keycloak-user] FW: Access control and client setup In-Reply-To: References: Message-ID: On Tue, Jul 31, 2018 at 3:58 AM, Wyns Dean wrote: > Hi Pedro > > > > Thanks for the clarification. > > > > The scopes are not really a result of user consent, but rather just a > request for the right amount of permissions. > > A user can ask for as much permission as he needs by using the scope. So if > the SPA needs read and create permission for items, the scope can be > "openid read:items create:items". If the user can only read items, > eventually the resulting scope should be "openid read:items" and the > backend can block create calls.
> > I saw some people create roles for every scope and then use composite > roles to, for example, create "admin" users with the right roles for the > scopes. Is this the right way to do this? > > > > An item is assigned to a customer (and a user is assigned to a customer), > so my-api still needs to filter on that so that users can only read items > from their own customer. Is this a use case where the fine-grained > authorization of Keycloak comes into play? We'd need to create an item > resource in Keycloak for every item in our database, right? And then use > UMA to check the access to a particular item? > I think UMA does not fit, as it seems you don't need users managing their resources. In this case you could have a single resource in Keycloak and configure my-api to send claims to the server when obtaining permissions from the server. These claims would provide the necessary information that your policies should consider when evaluating permissions to a general resource in Keycloak representing all your items. > > > We could also just add the customer as a claim in the token and use that > to filter our database (but like you said, then my-api does the > authorization). I think this is the way to go for our case at the moment, > as we already have an existing system where it happens like this. So it > requires minimal refactoring. > Filtering records in a database is not among the use cases we are considering, but API security and privacy (through UMA) are. I'm not saying that it is not possible, but that would require network calls to the server to check permissions for each item returned from your database. Best is to filter data when querying the database ... However, if after filtering these resources (by customer) you have specific authorization requirements around what you can do with a particular item, or even whether the user is allowed to access some part of your API, then you could use fine-grained permissions and easily externalize these authz decisions from your app.
> > > As of now, we're not using any adapters yet. Most of our backend processes > are in Node.js btw. But we're also checking out Kong as an API gateway to > use, so we could use an OIDC plugin that communicates with Keycloak if > needed. > > > > Thanks a lot > > Dean > > *From:* Pedro Igor Silva > *Sent:* Monday, 30 July 2018 17:52 > > *To:* Wyns Dean > *CC:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] FW: Access control and client setup > > > > On Mon, Jul 30, 2018 at 10:43 AM, Wyns Dean wrote: > > Hi Pedro > > > > Thanks for your answer. > > > > So the idea is to create one client for the API, let's call it "my-api", > with authorization enabled and the resources/scopes/permissions like you > described previously. And I'll create another (public) client for the SPA, > "my-app". > > > > If users authenticate against my-app using the implicit flow, how can I > link the scopes associated with the resources of my-api and have them > follow the permissions that are defined on my-api? Do I have to add the > scopes as optional "Client Scopes" so they are shared? The problem then is > that they don't show up under the Authorization tab of my-api, only the > Authorization Scopes do. Or should authorization be enabled for my-app as > well? > > > > Client Scopes and Authorization tabs are different features. The first > provides an authorization model based on OAuth2 scopes, where scopes may > map to one or more claims inside your token or even restrict the roles you > send in the token. They are also related to user consent. > > > > The Authorization tab provides you the necessary means to set up resource-based > permissions using different access control mechanisms. It also provides > privacy based on user-managed access. > > > > > > I would like the backend to purely check on the scope associated with the > access token, by looking at the scope claim.
There doesn't seem to ever be > a permissions claim in my tests, I only get the "resource_access" claim but > that only contains the roles, which I don't need in the backend. > > > > Are these scopes a result of user consent? Or do you need more > fine-grained control and to externalize authorization from my-api? > > > > Are you using a specific Keycloak adapter? (wildfly, spring, etc) > > > > > > Sorry if I'm being unclear. > > > > Your help is highly appreciated! > > Dean > > > > *From:* Pedro Igor Silva > *Sent:* Thursday, 26 July 2018 14:00 > *To:* Wyns Dean > *CC:* keycloak-user at lists.jboss.org > *Subject:* Re: [keycloak-user] FW: Access control and client setup > > > > > > > > On Wed, Jul 25, 2018 at 4:21 AM, Wyns Dean wrote: > > Hi > > I'm evaluating Keycloak as our IAM and SSO and it seems very powerful, but > I can't seem to wrap my head around some things. > > We want to separate our APIs from the IAM. The sole purpose of Keycloak is > to provide an identity and access token, primarily using the implicit flow. > The client-side application (usually SPAs) uses the access token in all API > calls and the resource server checks the signature of the access token but > does not access Keycloak at all. > > Each backend has a few operations, and each operation gets its own > "permission". For example one API can manage "items", so there are four > permissions: > - create:item > - read:item > - update:item > - delete:item > > Is it best practice with Keycloak to model these permissions as scopes? > And then use roles/permissions/policies to limit the scope of the user? The > backend can then just decode the access token and read the granted scopes. > > > > Ideally, you should define your authorization settings based on your > model. So if you have a resource "Item", which is a protected resource in > your API, you should have an "Item Resource" in Keycloak.
The actions/methods > create, read, update and delete can be scopes associated with your "Item" > resource. > > > > Once you have your item resource and scopes, you can define permissions > that govern access for the resource itself or for each scope individually. > All depends on how you create those permissions (resource vs scope > permissions) and the policies associated with them. > > > > The backend could just decode the token and check for the "permissions" > claim. Or you can also query the Keycloak server on every request to obtain > a decision. > > > > > Also, in a SPA + API set-up, do I create two clients in Keycloak, one for > each? This is only useful when the API needs resource protection, right? I > guess in my case I only need one client for the SPA because the API only > needs the scope from the access token by decoding it. > > > > I would say you should have two clients representing both applications. > They have different requirements and are really different things. Your SPA > is probably a regular public client while your API is a resource server. > > > > > Thanks for any feedback > > Kind regards > Dean > > > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > From iali at an10.io Tue Jul 31 08:24:55 2018 From: iali at an10.io (Irtiza Ali) Date: Tue, 31 Jul 2018 17:24:55 +0500 Subject: [keycloak-user] Keycloak integration with mysql. In-Reply-To: <1533019833.5207.40.camel@acutus.pro> References: <1533019833.5207.40.camel@acutus.pro> Message-ID: Ok, I will follow the guidelines you provided. IA On Tue, Jul 31, 2018 at 11:50 AM, Dmitry Telegin
wrote: > Hi again Irtiza, > > On Tue, 2018-07-31 at 11:41 +0500, Irtiza Ali wrote: > > Hello everyone, > > > > Keycloak by default uses h2 hibernate as db and I want to replace it with > > mysql. I have followed the guidelines in documentation but was unable to > > figure out whether mysql is integrated or not. > > > > Kindly provide me some guidelines in this regard. > > > > > > 1) any blog or tutorials for this purpose. > > Here's the doc: https://www.keycloak.org/docs/latest/server_installation/index.html#_database > > Basically, you'll need to install a JDBC driver, set up your database and > configure it in Keycloak. > > > 2) any method to validate that mysql is integrated with keycloak. > > The best way would be to connect to MySQL (using CLI, or MySQL > Workbench, or whatever tool you choose) and to see if it's populated. > > Cheers, > Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > > > > > > > Thank you > > > > Regards > > Irtiza Ali > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bruno at abstractj.org Tue Jul 31 09:17:08 2018 From: bruno at abstractj.org (Bruno Oliveira) Date: Tue, 31 Jul 2018 10:17:08 -0300 Subject: [keycloak-user] Using Keycloak 3.4 with Spring Boot 2 Adapter 4 In-Reply-To: <642202C7-A61F-4DEC-BF50-C61EF7B8D447@comlineag.de> References: <642202C7-A61F-4DEC-BF50-C61EF7B8D447@comlineag.de> Message-ID: <20180731131708.GA24564@abstractj.org> I wouldn't say it's insecure, but you may miss some important bug fixes. Keeping everything up to date, if possible, is always the best alternative.
On 2018-07-19, Benke, Tim wrote: > Hello everybody, > > It's intuitively clear to me that an outdated adapter communicating with a *newer* Keycloak isn't a great idea and the documentation suggests importing the javascript adapter from the server itself. > > What about the opposite case of a new backend adapter with version 4.0.0.Final and an older Keycloak 3.4.3. Is this insecure? We're considering this option to reduce the hassle of updating keycloak itself and upgrading our custom theme. > > Best regards, > Tim Benke > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From ranjan.pakira at capgemini.com Tue Jul 31 09:34:39 2018 From: ranjan.pakira at capgemini.com (Pakira, Ranjan) Date: Tue, 31 Jul 2018 13:34:39 +0000 Subject: [keycloak-user] Need info for network security In-Reply-To: <1533002501.5207.12.camel@acutus.pro> References: <0CCF50CABB0BC0438C7672FC2C769FB4D88E0748@IN-BLR-DAGND3.corp.capgemini.com> <1533002501.5207.12.camel@acutus.pro> Message-ID: <0CCF50CABB0BC0438C7672FC2C769FB4D88E0BC9@IN-BLR-DAGND3.corp.capgemini.com> Hi, Thanks for your input. Could you please help to share how the stored user data is secured, is any hashing mechanism used? Thanks in advance! Regards, Ranjan -----Original Message----- From: Dmitry Telegin [mailto:dt at acutus.pro] Sent: Tuesday, July 31, 2018 7:32 AM To: Pakira, Ranjan; 'keycloak-user at lists.jboss.org' Cc: Hammarberg, Daniel; Sanyal, Sabyasachi Subject: Re: [keycloak-user] Need info for network security Hi Ranjan, On Mon, 2018-07-30 at 08:00 +0000, Pakira, Ranjan wrote: > Hi, > We are planning to set up Keycloak in a new network and the network security team needs some information. Can you please help us with the answers to the following queries? > > How is this user data secured at rest and in transit? It is recommended that the data in transit be protected with SSL/TLS.
It can be configured either in Keycloak or (preferably) on the reverse proxy / load balancer side. OpenID Connect and REST services use JSON message format. No additional protection is involved aside from SSL/TLS. SAML protocol can use additional message-level security, like encrypted/signed assertions. > How is in control of Keyclock? and do you have the correct process around access, Starters movers leavers etc? If you meant "who is in control of Keycloak", it is developed by Red Hat with contributions from the community. I'd suggest that you contact Red Hat directly re the process. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro > > Thanks & Regards, > Ranjan Pakira > > This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From jambo_mcd at yahoo.co.uk Tue Jul 31 11:15:41 2018 From: jambo_mcd at yahoo.co.uk (Jamie McDowell) Date: Tue, 31 Jul 2018 15:15:41 +0000 (UTC) Subject: [keycloak-user] kcadm - adding a protocol-mapper In-Reply-To: <5126F9C8-5AA5-4C27-BD8E-C3871BD5A462@moneymeets.com> References: <393991387.3571827.1532708749385.ref@mail.yahoo.com> <393991387.3571827.1532708749385@mail.yahoo.com> <98566890.3575432.1532708944298@mail.yahoo.com> <1533005327.5207.14.camel@acutus.pro> <5126F9C8-5AA5-4C27-BD8E-C3871BD5A462@moneymeets.com> Message-ID: <1981069224.6401500.1533050141234@mail.yahoo.com> Cheers Guys, We have got this working by importing a json file with the settings. I can look at creating a bug in regards to adding this via kcadm if this is definitely a bug? Regards, Jamie On Tuesday, 31 July 2018, 08:11:52 BST, Matthias Kesternich wrote: FWIW I have no problem creating mappers for 4.0.0 and 4.1.0. I use this: kcadm.sh create clients/$CLIENT_ID/protocol-mappers/models -f - << 'EOF' { "protocol": "openid-connect", "name": "scope", "protocolMapper": "oidc-script-based-protocol-mapper", "config": { "script": "somescript", "id.token.claim": false, "access.token.claim": true, "userinfo.token.claim": false, "multivalued": true, "claim.name": "myclaim", "jsonType.label": "" } } EOF To me it seems the OP's JSON is invalid, as indicated by "handleUnexpectedToken". Best, -Matthias On 31.07.18, 04:50, "keycloak-user-bounces at lists.jboss.org on behalf of Dmitry Telegin" wrote: Hi Jamie, Seems like you've hit a bug. I can confirm this for KC 4.1.0. As a workaround I've tried to use JSON, but got an even stranger error: Resource not found for url: http://localhost:8080/auth/admin/realms/master/clients//protocol-mappers/models
But that's exactly the URL the Admin Console makes HTTP POST to. I'd suggest that you file a bug in JIRA. Cheers, Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Fri, 2018-07-27 at 16:29 +0000, Jamie McDowell wrote: > Hi, > > I am trying to add a client protocol-mapper, however when I try and run this I get a HTTP error - 500 Internal Server Error > opt/jboss/keycloak/bin/kcadm.sh create clients//protocol-mappers/models -r demorealm -s protocol=openid-connect -s protocolMapper=oidc-usermodel-realm-mapper -s consentRequired=false -s config.claim.name=group_membership -s config.jsonType.label=String -s config.id.token.claim=true -s config.access.token.claim=true -s config.userinfo.token.claim=true -s config.multivalued=true -s name=Realm > I can confirm that kcadm works as I have been able to create groups, LDAP mappers, realms etc... > In the server.log I can see the below error when I run the above > > ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-109) Uncaught server error: com.fasterxml.jackson.databind.JsonMappingException: Can notat [Source: io.undertow.servlet.spec.ServletInputStreamImpl at 55dee6f8; line: 1, column: 119] (through reference chain: org.keycloak.representations.idm.ProtocolMapperRepresentation["co at com.fasterxml.jackson.databind.JsonMappingException.from(JsonMappingException.java:270) at com.fasterxml.jackson.databind.DeserializationContext.reportMappingException(DeserializationContext.java:1234) at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1122)
at com.fasterxml.jackson.databind.DeserializationContext.handleUnexpectedToken(DeserializationContext.java:1075) at com.fasterxml.jackson.databind.deser.std.StringDeserializer.deserialize(StringDeserializer.java:60) > Appreciate if anyone can advise on this (keycloak version is 3.4.3) > Thanks Jamie > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From robert.smol at stereoit.com Tue Jul 31 11:26:13 2018 From: robert.smol at stereoit.com (Robert Smol) Date: Tue, 31 Jul 2018 17:26:13 +0200 Subject: [keycloak-user] Auth0 Lock alternative Message-ID: Hi, is there any similar project like Auth0 Lock? Something that would allow me to embed Keycloak's login page into my classical web app? Currently whenever I need to login the user, I forward him to Keycloak, but there are demands to show the login window directly on our webpage. Robert From ddtxra at gmail.com Tue Jul 31 11:41:56 2018 From: ddtxra at gmail.com (Daniel Teixeira) Date: Tue, 31 Jul 2018 17:41:56 +0200 Subject: [keycloak-user] Keycloak Admin REST API not updating user.federatedIdentities attribute Message-ID: I would like to update (and ideally create) the federatedIdentities attribute of a user using the Admin Rest API, but it seems like this does not work / or it is not supported? I am able to update normal user attributes but not the federatedIdentities. Is this a bug or is it supposed to be like this? Is there a different way to do this? (Of course I could do an insert into, in the database, but I would prefer to use the api...). I need to run this for more than 200 users...
My code: https://github.com/ddtxra/python-console-keycloak-example/blob/master/admin-rest-api-update-user.py From will.lopez77 at gmail.com Tue Jul 31 13:43:25 2018 From: will.lopez77 at gmail.com (Will Lopez) Date: Tue, 31 Jul 2018 10:43:25 -0700 Subject: [keycloak-user] Keycloak: Make query string param available in marker FreeMarker template Message-ID: <83D6E14D-0926-4A26-9506-602A17787E3F@gmail.com> I have a use case where I need to render a block of HTML depending on the value of a query string param in the login page. The value will be coming from the login URL similar to this: http://localhost:8080/auth/realms/default/protocol/openid-connect/auth?...&customvar=1 I would like to have customvar available in the login.ftl to accomplish my objective. So far I have tried to retrieve the baseUrl from the client bean, but it's not available, the app crashes when I attempt to access baseUrl. I have also attempted to access the request url in the ${url}, but it's not available either. Thanks in advance for any help. From ebenzacar at gmail.com Tue Jul 31 15:21:19 2018 From: ebenzacar at gmail.com (Eric B) Date: Tue, 31 Jul 2018 15:21:19 -0400 Subject: [keycloak-user] Auth0 Lock alternative In-Reply-To: References: Message-ID: I believe there are ways to embed keycloak in an iframe, but there are security implications of doing that. By default, I believe keycloak has some xframe options enabled to prevent precisely that. I haven't tried it myself yet, so I would be interested to know as well how easy it is to accomplish. Thanks Eric On Tue, Jul 31, 2018, 11:29 AM Robert Smol, wrote: > Hi, > > is there any similar project like Auth0 Lock? Something that would allow me > to embed Keycloak's login page into my classical web app? Currently > whenever I need to login the user, I forward him to Keycloak, but there are > demands to show the login window directly on our webpage.
> > Robert > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mposolda at redhat.com Tue Jul 31 16:05:04 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 31 Jul 2018 22:05:04 +0200 Subject: [keycloak-user] Keycloak Admin REST API not updating user.federatedIdentities attribute In-Reply-To: References: Message-ID: <6a745d7a-6339-f731-0b40-7fda8d43a7da@redhat.com> Hi Daniel, it is possible, but you need to use different REST endpoints than the REST endpoint for updating user details. See the docs for our admin REST API, or take a look at our admin console (tab "Federated Identity" of the user) and see with some tool (something like Firebug from FF) which admin REST endpoints the admin console is calling to CRUD federated identities. Thanks, Marek On 31/07/18 17:41, Daniel Teixeira wrote: > I would like to update (and ideally create) the federatedIdentities > attribute of a user using the Admin Rest API, but it seems like this does > not work / or it is not supported? > > I am able to update normal user attributes but not the federatedIdentities. > > Is this a bug or is it supposed to be like this? > > Is there a different way to do this? (Of course I could do an insert into, > in the database, but I would prefer to use the api...). I need to run this > for more than 200 users...
> > My code: > https://github.com/ddtxra/python-console-keycloak-example/blob/master/admin-rest-api-update-user.py > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From mposolda at redhat.com Tue Jul 31 16:10:44 2018 From: mposolda at redhat.com (Marek Posolda) Date: Tue, 31 Jul 2018 22:10:44 +0200 Subject: [keycloak-user] Auth0 Lock alternative In-Reply-To: References: Message-ID: Hi, you can either look at our Themes functionality if you want to customize look and feel of login page (See the docs and examples for the details). In this case, page will be still displayed by Keycloak server, just will have different L&F. Other possibility is to use OAuth2 Resource-Owner-Password-Credentials-Grant (Direct grant). In this case, you can create the form by yourself and then send the username+password in the separate HTTP Post request to Keycloak and Keycloak will return you back the tokens. Marek On 31/07/18 17:26, Robert Smol wrote: > Hi, > > is there any similar project like Auth0 Lock? Something that would allow me > to embed Keycloak's login page into my classical web app? Currently > whenever I need to login the user, I forward him to Keycloak, but there are > demands to show the login window directly on our webpage. 
> > Robert > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From dt at acutus.pro Tue Jul 31 16:38:44 2018 From: dt at acutus.pro (Dmitry Telegin) Date: Tue, 31 Jul 2018 23:38:44 +0300 Subject: [keycloak-user] Keycloak Admin REST API not updating user.federatedIdentities attribute In-Reply-To: References: Message-ID: <1533069524.4909.4.camel@acutus.pro> Hi Daniel, That's what you can do with federated identities currently: GET /auth/admin/realms/{realm}/users/{user}/federated-identity - list federated identities configured for the user POST /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - create a new federated identity DELETE /auth/admin/realms/{realm}/users/{user}/federated-identity/{provider} - remove federated identity https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/admin/UserResource.java#L363 Updating federated entities with PUT is not supported yet. Feel free to file an RFE in JIRA for that. Meanwhile, you can implement this missing piece as a custom REST resource and deploy it to your Keycloak. If I remember correctly, you should be already familiar with the process :) Good luck! Dmitry Telegin CTO, Acutus s.r.o. Keycloak Consulting and Training Pod lipami street 339/52, 130 00 Prague 3, Czech Republic +42 (022) 888-30-71 E-mail: info at acutus.pro On Tue, 2018-07-31 at 17:41 +0200, Daniel Teixeira wrote: > I would like to update (and ideally create) the federatedIdentities > attribute of a user using the Admin Rest API, but it seems like this does > not work / or it is not supported? > > I am able to update normal user attributes but not the federatedIdentities. > > Is this a bug or is it supposed to be like this? > > Is there a different way to do this? (Of course I could do an insert into, > in the database, but I would prefer to use the api...). 
I need to run this > for more than 200 users... > > My code: > https://github.com/ddtxra/python-console-keycloak-example/blob/master/admin-rest-api-update-user.py > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From will.lopez77 at gmail.com Tue Jul 31 17:13:44 2018 From: will.lopez77 at gmail.com (Will Lopez) Date: Tue, 31 Jul 2018 14:13:44 -0700 Subject: [keycloak-user] Dynamically branded login? In-Reply-To: <1533011148.5207.30.camel@acutus.pro> References: <1533011148.5207.30.camel@acutus.pro> Message-ID: <8AF691FB-F182-4B78-B126-91D4077DCA31@gmail.com> Hi Dmitry, I have a use case for this same need: conditionally rendering a block of HTML in the login.ftl based on the value of a query string param. I have a question with more details here: https://stackoverflow.com/questions/51619158/keycloak-make-query-string-param-available-in-marker-freemarker-template?noredirect=1#comment90204334_51619158 I attempted to use ${url} as you suggested, however it does not have a public method that provides the request url :( https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/forms/login/freemarker/model/UrlBean.java Am I missing something? Or is there any other way to access the login request url in login.ftl? Thanks, Will > On Jul 30, 2018, at 9:25 PM, Dmitry Telegin
wrote: > > Hi Craig, sorry for the late response, > > On Thu, 2018-07-12 at 06:08 -0500, Craig Setera wrote: >> We build and host a multitenant application that is currently using >> homegrown authentication and authorization (using Picketlink). We are >> considering a move to Keycloak. My preference would be to use the login >> flows that are built in to Keycloak rather than building our own, however >> that is dependent on whether we can properly brand those login flows on a >> per-customer basis in some dynamic way. > > In Keycloak parlance, the term "login flow" has a very particular > meaning. Basically, it's what you see in the Authentication section in > the Admin Console. It defines how authentication *works* rather than > what it *looks like* (i.e. logic rather than appearance). > > Do you really mean "login flows"? From the second part of your message > I can deduce you're mainly interested in customizing the GUI. > >> In looking at the theme SPI support, it appears to be mostly targeted to >> supporting multiple "static" themes. Is it possible to make a theme that >> is dynamic based on, for example, a query parameter? > > By default, Keycloak uses FreeMarker templates for login screens. In > the templates, the URL object is exposed as ${url}, so you can analyze > it and add conditional statements. If you're ok with that, probably you > won't need to implement any SPIs. > > Otherwise, you can either implement custom theme selection logic based > on request parameters (Theme Selector SPI), or completely redefine > the theming mechanism (Theme SPI). > >> Are there any >> examples anywhere on how that might be possible? > > Well, builtin Keycloak themes are the best example IMO :) you can find > the default login theme under > themes/src/main/resources/theme/base/login in the source tree. > >> Would Keycloak carry >> through query parameters if they were provided when launching the login >> flow? > > It's best to create a custom theme and see :) > > Good luck!
> Dmitry Telegin > CTO, Acutus s.r.o. > Keycloak Consulting and Training > > Pod lipami street 339/52, 130 00 Prague 3, Czech Republic > +42 (022) 888-30-71 > E-mail: info at acutus.pro > >> >> Thanks, >> Craig >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user at lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user