From kedar.maindargikar at gmail.com Mon Apr 1 02:51:01 2019
From: kedar.maindargikar at gmail.com (Kedar Maindargikar)
Date: Mon, 1 Apr 2019 12:21:01 +0530
Subject: [keycloak-user] Keycloak with cassandra and postgres
Message-ID:

Hello,

I am new to Keycloak. We have two databases in our product, Postgres and Cassandra. Postgres is not in a cluster; it is connected one-to-one to each node of the application. Cassandra is in a cluster.

My question is whether I can connect Postgres as the external database for Keycloak, which will save the configuration and realm info on each node separately.

For the user database, can I use the UserProvider/UserFederationProvider SPI to connect to Cassandra? If yes, then when I add a user from the Keycloak administration UI, will that user go to the Cassandra database?

Please advise.

Thank you,
Kedar

From chroman at gmail.com Mon Apr 1 08:49:25 2019
From: chroman at gmail.com (Catalin Roman)
Date: Mon, 1 Apr 2019 15:49:25 +0300
Subject: [keycloak-user] Radius integration
Message-ID:

Hi,

I'm on a new project with a new customer who is only exposing a RADIUS interface for authentication.
Since Keycloak is part of our target architecture, we are looking into ways to integrate with RADIUS.
Therefore, I'm asking for your advice on what would be the best way to go further.
Is it possible to write a Keycloak plugin, using the User Federation or Authentication concepts from Keycloak?
Does it even make sense?
I googled a lot and didn't find anything related.

Thanks,
Catalin

From lemso at free.fr Mon Apr 1 10:29:47 2019
From: lemso at free.fr (Lamine Léo Keita)
Date: Mon, 1 Apr 2019 16:29:47 +0200
Subject: [keycloak-user] Display issue in user groups tab
In-Reply-To:
References:
Message-ID:

On the navigator console, I have this error:

angular.js:14961 Error: [$injector:unpr] http://errors.angularjs.org/1.6.10/$injector/unpr?p0=groupsProvider%20%3C-%20groups%20%3C-%20UserGroupMembershipCtrl%20%3C-%20UserGroupMembershipCtrl%20%3C-%20UserGroupMembershipCtrl
    at angular.js:88
    at angular.js:4898
    at Object.d [as get] (angular.js:5058)
    at angular.js:4903
    at d (angular.js:5058)
    at e (angular.js:5083)
    at Object.instantiate (angular.js:5129)
    at angular.js:11154
    at Object.link (angular-route.js:1209)
    at angular.js:1393

BR,
Lamine Keita

On Thu, Mar 28, 2019 at 6:24 PM Bruno Oliveira wrote:
> Also try to look at the Web browser console. The more details you
> provide, the better to figure out if there's something wrong.
>
> On Thu, Mar 28, 2019 at 1:30 PM Lamine Léo Keita wrote:
> >
> > Hi Bruno,
> >
> > Thx for your reactivity!
> >
> > In logs I've got nothing particular as all data are received when
> > clicking on user id to see its details....
> >
> > I will try to set log level to debug to see if I can have more logs....
> >
> > Regards,
> > Lamine
> >
> > On Thu, Mar 28, 2019 at 3:42 PM Bruno Oliveira wrote:
> > >
> > > Hmmm I don't see that. What do you have at your server logs?
> > >
> > > On Thu, Mar 28, 2019 at 10:50 AM Lamine Léo Keita wrote:
> > > >
> > > > Hi,
> > > >
> > > > Current version of Keycloak is 4.8.3.Final
> > > >
> > > > When I click on the groups tab of any user in any realm I've got the
> > > > below display issue.
> > > >
> > > > Anybody already got this?
> > > >
> > > > Regards,
> > > > Lamine
> > > > _______________________________________________
> > > > keycloak-user mailing list
> > > > keycloak-user at lists.jboss.org
> > > > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >
> > > --
> > > - abstractj
> >
> > --
> > - abstractj

From ryans at jlab.org Mon Apr 1 10:59:06 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Mon, 1 Apr 2019 14:59:06 +0000
Subject: [keycloak-user] Flow Execution REST API Inconsistencies
Message-ID:

Has anyone else noticed there are a few inconsistencies in the authentication flow execution section of the REST API? For example, ordered most severe first:

1. You cannot specify an ID when creating an authentication flow execution (I believe every other create command allows this, and if you provide an ID it is ignored), which means when scripting you must programmatically capture the random ID that is generated in order to provide it to future commands (kcadm.sh create authentication/flows//executions/execution -s id=ignored).
2. You cannot specify a flow ID when adding an execution to a flow; instead you must use the flow alias, which may contain spaces that must be escaped (again, I believe every other create command uses ID, not alias).
3. You cannot specify the requirement (example: "ALTERNATIVE") when creating an execution. You must separately update a newly created execution. Coupled with the forced random ID, this is awkward.
4. When creating an execution the parameter "provider" is used. When creating a flow the parameter is named "providerId".

From uo67113 at gmail.com Mon Apr 1 12:45:56 2019
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Mon, 1 Apr 2019 18:45:56 +0200
Subject: [keycloak-user] Keycloak Integration with Celoxis
In-Reply-To:
References:
Message-ID:

Hello Kevin,

I am afraid that the only thing that I can suggest is to change your Celoxis IDP URL configuration [1].

Cheers,
Luis

[1] https://celoxis.atlassian.net/wiki/spaces/DOC11/pages/113704014/Single+Sign-On+SSO

On Fri, 29 Mar 2019 at 8:45, Kevin Perez Moreno (<moreno at netguardians.ch>) wrote:
> Hello,
>
> I am currently trying to integrate Celoxis into our SSO provided by
> Keycloak. Celoxis is configured to send SAML requests to our Keycloak
> server by using the following IDP endpoint URL:
> https://xxx.xx/auth/realms/Demo/protocol/saml
> However, I am getting an "invalid authn request reason invalid
> destination" WARN message in Keycloak.
> After changing the log level to DEBUG,
> I found out that the Celoxis app is sending a SAML request with destination URL
> https://xxx.xx/auth/realms/Demo/protocol/saml?
> It seems that a question mark was added at the end of the destination URL.
> Please see the DEBUG traces below. I wonder if this is the expected behavior,
> i.e., the question mark added at the end of the SAML Destination URL is
> causing Keycloak to throw an invalid authn request error.
> If this is the expected behavior, I wonder if there is any workaround to
> avoid this error (perhaps ignoring destination validation?)
>
> 17:06:47,989 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-9) RESTEASY002315: PathInfo: /realms/Demo/protocol/saml
> 17:06:47,993 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) SAML GET
> 17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9) SAML Redirect Binding
> 17:06:47,994 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-9)
> <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
>     xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
>     ID="ONELOGIN_2eca86d4-06b6-45d1-b944-b2e453326418" Version="2.0"
>     IssueInstant="2019-03-28T16:06:47Z"
>     Destination="https://xxx/auth/realms/Demo/protocol/saml?"
>     ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>     AssertionConsumerServiceURL="https://app.celoxis.com/psa/person.Login.do?code=netguardians">
>   <saml:Issuer>celoxis.com</saml:Issuer>
>   <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
> </samlp:AuthnRequest>
> 17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) verified request
> 17:06:47,999 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-9) ** login request
> 17:06:47,999 WARN [org.keycloak.events] (default task-9) type=LOGIN_ERROR, realmId=Demo, clientId=null, userId=null, ipAddress=x.x.x.x, error=invalid_authn_request, reason=invalid_destination
>
> Thank you in advance
> Kevin

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett

From chroman at gmail.com Mon Apr 1 14:57:53 2019
From: chroman at gmail.com (Catalin Roman)
Date: Mon, 1 Apr 2019 21:57:53 +0300
Subject: [keycloak-user] Radius integration
In-Reply-To:
References:
Message-ID:

Unfortunately, we are not allowed to install anything on the RADIUS server.

On Mon, Apr 1, 2019, 16:53 Jason Prouty wrote:
> There is a plugin you can compile and have RADIUS connect to a Keycloak
> server.
>
> https://github.com/jimdigriz/freeradius-oauth2-perl
>
> ------------------------------
> *From:* keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> on behalf of Catalin Roman <chroman at gmail.com>
> *Sent:* Monday, April 1, 2019 6:49 AM
> *To:* keycloak-user at lists.jboss.org
> *Subject:* [keycloak-user] Radius integration
>
> Hi,
>
> I'm on a new project with a new customer who is only exposing a RADIUS
> interface for authentication.
> Since Keycloak is part of our target architecture, we are looking into ways
> to integrate with RADIUS.
> Therefore, I'm asking for your advice on what would be the best way to go
> further.
> Is it possible to write a Keycloak plugin, using the User Federation or
> Authentication concepts from Keycloak?
> Does it even make sense?
> I googled a lot and didn't find anything related.
>
> Thanks,
> Catalin

From joecam1673 at gmail.com Mon Apr 1 15:37:22 2019
From: joecam1673 at gmail.com (Joe Hedrick)
Date: Mon, 1 Apr 2019 14:37:22 -0500
Subject: [keycloak-user] SAML User Roles (app-profile-saml-jee-jsp)
Message-ID:

Hey folks,

I'm having some trouble getting the app-profile-saml-jee-jsp quickstart up and running. I'm getting a Forbidden for my demo user "alice" in the demo realm. I followed the quickstart readme pretty thoroughly, I thought, but I'm wondering if maybe there's a role that needs to be added to the user "alice" that's specific to SAML that isn't mentioned? The same user seems to work fine for quickstarts that are OpenID Connect.

I'm running Wildfly 15.0.0.Final and Keycloak 5.0.0 with Maven 3.6.0 and OpenJDK 8 on Debian Buster.

Thanks!
Joe

From joecam1673 at gmail.com Mon Apr 1 16:01:54 2019
From: joecam1673 at gmail.com (Joe Hedrick)
Date: Mon, 1 Apr 2019 15:01:54 -0500
Subject: [keycloak-user] SAML User Roles (app-profile-saml-jee-jsp)
In-Reply-To:
References:
Message-ID:

Ugh, sorry. Somehow the "user" role wasn't added to the "alice" user for this demo realm. Please disregard.

Thanks anyway!
Joe

On Mon, Apr 1, 2019 at 2:37 PM Joe Hedrick wrote:
> Hey folks,
> I'm having some trouble getting the app-profile-saml-jee-jsp
> quickstart up and running. I'm getting a Forbidden for my demo user
> "alice" in the demo realm.
> I followed the quickstart readme pretty
> thoroughly, I thought, but I'm wondering if maybe there's a role that needs
> to be added to the user "alice" that's specific to SAML that isn't mentioned?
> The same user seems to work fine for quickstarts that are OpenID
> Connect.
>
> I'm running Wildfly 15.0.0.Final and Keycloak 5.0.0 with Maven 3.6.0 and
> OpenJDK 8 on Debian Buster.
>
> Thanks!
> Joe

From j9dy1g at gmail.com Mon Apr 1 16:39:39 2019
From: j9dy1g at gmail.com (Jody H)
Date: Mon, 1 Apr 2019 22:39:39 +0200
Subject: [keycloak-user] Keycloak Admin Client dependencies for Keycloak 5.0.0?
Message-ID:

Hi,

I have looked around on Google for a while now but I can't seem to figure out my problem. I mostly used the Gist from GitHub here to get started: https://gist.github.com/thomasdarimont/43689aefb37540624e35
After things were not really working out, I tried some other stuff that you can find below:

I am trying to use the Keycloak admin client in Java, version 5.0.0.

My POM contains the following:

    <!-- The list archive stripped the XML tags; they are restored here. The
         names of the two properties holding "1.8" were lost and are assumed
         to be the standard compiler source/target properties. -->
    <properties>
        <maven.compiler.source>1.8</maven.compiler.source>
        <maven.compiler.target>1.8</maven.compiler.target>
        <keycloak.version>5.0.0</keycloak.version>
        <resteasy.version>3.1.3.Final</resteasy.version>
        <jackson.version>2.9.8</jackson.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-admin-client</artifactId>
            <version>${keycloak.version}</version>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-client</artifactId>
            <version>${resteasy.version}</version>
        </dependency>
        <dependency>
            <groupId>org.jboss.resteasy</groupId>
            <artifactId>resteasy-jackson2-provider</artifactId>
            <version>${resteasy.version}</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-core</artifactId>
            <version>${jackson.version}</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-databind</artifactId>
            <version>${jackson.version}</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.core</groupId>
            <artifactId>jackson-annotations</artifactId>
            <version>${jackson.version}</version>
        </dependency>
        <dependency>
            <groupId>com.fasterxml.jackson.jaxrs</groupId>
            <artifactId>jackson-jaxrs-json-provider</artifactId>
            <version>${jackson.version}</version>
        </dependency>
    </dependencies>

When I add the following code, building the Keycloak client fails:

    Keycloak keycloak = KeycloakBuilder.builder().serverUrl("localhost:8080/auth").realm("master")
            .username("admin").password("admin").clientId("admin-cli").build();

    System.out.println(keycloak.serverInfo().getInfo().toString());

Produces the following exception:

    java -jar .\keycloak-admin-0.0.1-SNAPSHOT.jar
    Exception in thread "main" java.lang.IllegalArgumentException: RESTEASY003720: path param realm has not been provided by the parameter map
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.replaceParameter(ResteasyUriBuilder.java:659)
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString(ResteasyUriBuilder.java:581)
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:780)
        at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:772)
        at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.getUri(ClientWebTarget.java:107)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.createRequest(ClientInvoker.java:124)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
        at com.sun.proxy.$Proxy15.grantToken(Unknown Source)
        at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
        at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
        at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
        at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
        at com.sun.proxy.$Proxy17.getInfo(Unknown Source)

When using the Keycloak.getInstance method, I get another exception:

    Keycloak keycloak = Keycloak.getInstance("http://localhost:8080/auth", "master", "admin", "admin", "admin-cli");

Produces exception:

    Exception in thread "main" javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: RESTEASY003145: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:156)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:107)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
        at com.sun.proxy.$Proxy15.grantToken(Unknown Source)
        at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
        at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
        at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
        at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
        at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
        at com.sun.proxy.$Proxy17.getInfo(Unknown Source)
        at test.KeycloakAdmin.main(MyMain.java:17)
    Caused by: javax.ws.rs.ProcessingException: RESTEASY003145: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
        at org.jboss.resteasy.core.interception.jaxrs.ClientReaderInterceptorContext.throwReaderNotFound(ClientReaderInterceptorContext.java:42)
        at org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.getReader(AbstractReaderInterceptorContext.java:80)
        at org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
        at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:266)
        at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:196)
        at org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:212)
        at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:120)
        ... 13 more

Can someone share insight on how to use the Keycloak admin client library in the most recent version? Which dependencies do I need inside of my pom?

Thanks!

From gary at apnic.net Mon Apr 1 19:15:27 2019
From: gary at apnic.net (Gary Kennedy)
Date: Mon, 1 Apr 2019 23:15:27 +0000
Subject: [keycloak-user] Getting auth request params in script mapper?
In-Reply-To:
References:
Message-ID:

Turns out this does work, quite nicely too, and the issue stems from me using direct grants against the token endpoint during experimentation - derp. I.e., I wasn't using the authorization endpoint.

Cheers,
Gary

> On 28 Mar 2019, at 3:13 pm, Gary Kennedy wrote:
>
> Looking at the AuthorizationEndpoint class I notice that additional authorization request parameters are put in the authentication session client notes.
> (https://github.com/keycloak/keycloak/blob/4.8.2.Final/services/src/main/java/org/keycloak/protocol/oidc/endpoints/AuthorizationEndpoint.java#L379)
>
> I would like to work with those request parameters in a (preferably script) mapper to put calculated claims into the access token; however, I can't seem to find them.
>
> Does anyone have any ideas/thoughts on how I can use the authorization request parameters to put claims into tokens?
> Preferably without code customisation/provider; but that's a restriction I can break if needed :)
>
> I thought this would work, but the only note is the issuer ("iss").
>
>     userSession.getAuthenticatedClientSessionByClient(keycloakSession.getContext().getClient().getId()).getNotes();
>
> Cheers,
> Gary

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3492 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190401/ee5067b9/attachment.bin

From sblanc at redhat.com Tue Apr 2 04:22:29 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Apr 2019 10:22:29 +0200
Subject: [keycloak-user] Keycloak Admin Client dependencies for Keycloak 5.0.0?
In-Reply-To:
References:
Message-ID:

Hi,

Your first error is because you forgot "http://".

For the second one, it's working for me with the pom you provided. You are probably not passing the needed classpath libs in your java -jar command (or include the dependencies in your jar).

On Mon, Apr 1, 2019 at 10:51 PM Jody H wrote:
> Hi,
>
> I have looked around on Google for a while now but I can't seem to figure
> out my problem. I mostly used the Gist from GitHub here to get started:
> https://gist.github.com/thomasdarimont/43689aefb37540624e35
> After things were not really working out, I tried some other stuff that you
> can find below:
> I am trying to use the Keycloak admin client in Java, version 5.0.0.
>
> My POM contains the following:
>
>     <!-- XML tags restored; the archive stripped them. The names of the
>          two "1.8" properties are assumed (compiler source/target). -->
>     <properties>
>         <maven.compiler.source>1.8</maven.compiler.source>
>         <maven.compiler.target>1.8</maven.compiler.target>
>         <keycloak.version>5.0.0</keycloak.version>
>         <resteasy.version>3.1.3.Final</resteasy.version>
>         <jackson.version>2.9.8</jackson.version>
>     </properties>
>
>     <dependencies>
>         <dependency>
>             <groupId>org.keycloak</groupId>
>             <artifactId>keycloak-admin-client</artifactId>
>             <version>${keycloak.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.jboss.resteasy</groupId>
>             <artifactId>resteasy-client</artifactId>
>             <version>${resteasy.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>org.jboss.resteasy</groupId>
>             <artifactId>resteasy-jackson2-provider</artifactId>
>             <version>${resteasy.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>com.fasterxml.jackson.core</groupId>
>             <artifactId>jackson-core</artifactId>
>             <version>${jackson.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>com.fasterxml.jackson.core</groupId>
>             <artifactId>jackson-databind</artifactId>
>             <version>${jackson.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>com.fasterxml.jackson.core</groupId>
>             <artifactId>jackson-annotations</artifactId>
>             <version>${jackson.version}</version>
>         </dependency>
>         <dependency>
>             <groupId>com.fasterxml.jackson.jaxrs</groupId>
>             <artifactId>jackson-jaxrs-json-provider</artifactId>
>             <version>${jackson.version}</version>
>         </dependency>
>     </dependencies>
>
> When I add the following code, building the Keycloak client fails:
>
>     Keycloak keycloak = KeycloakBuilder.builder().serverUrl("localhost:8080/auth").realm("master")
>             .username("admin").password("admin").clientId("admin-cli").build();
>
>     System.out.println(keycloak.serverInfo().getInfo().toString());
>
> Produces the following exception:
>
>     java -jar .\keycloak-admin-0.0.1-SNAPSHOT.jar
>     Exception in thread "main" java.lang.IllegalArgumentException: RESTEASY003720: path param realm has not been provided by the parameter map
>         at org.jboss.resteasy.specimpl.ResteasyUriBuilder.replaceParameter(ResteasyUriBuilder.java:659)
>         at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString(ResteasyUriBuilder.java:581)
>         at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:780)
>         at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:772)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.getUri(ClientWebTarget.java:107)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.createRequest(ClientInvoker.java:124)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>         at com.sun.proxy.$Proxy15.grantToken(Unknown Source)
>         at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
>         at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
>         at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
>         at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>         at com.sun.proxy.$Proxy17.getInfo(Unknown Source)
>
> When using the Keycloak.getInstance method, I get another exception:
>
>     Keycloak keycloak = Keycloak.getInstance("http://localhost:8080/auth", "master", "admin", "admin", "admin-cli");
>
> Produces exception:
>
>     Exception in thread "main" javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: RESTEASY003145: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:156)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:107)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>         at com.sun.proxy.$Proxy15.grantToken(Unknown Source)
>         at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
>         at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
>         at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
>         at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
>         at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>         at com.sun.proxy.$Proxy17.getInfo(Unknown Source)
>         at test.KeycloakAdmin.main(MyMain.java:17)
>     Caused by: javax.ws.rs.ProcessingException: RESTEASY003145: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
>         at org.jboss.resteasy.core.interception.jaxrs.ClientReaderInterceptorContext.throwReaderNotFound(ClientReaderInterceptorContext.java:42)
>         at org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.getReader(AbstractReaderInterceptorContext.java:80)
>         at org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:266)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:196)
>         at org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:212)
>         at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:120)
>         ... 13 more
>
> Can someone share insight on how to use the Keycloak admin client library
> in the most recent version? Which dependencies do I need inside of my pom?
>
> Thanks!

From sblanc at redhat.com Tue Apr 2 05:24:04 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Apr 2019 11:24:04 +0200
Subject: [keycloak-user] Flow Execution REST API Inconsistencies
In-Reply-To:
References:
Message-ID:

I agree there are some inconsistencies here. Could you open a ticket so that we can track this?

On Mon, Apr 1, 2019 at 5:15 PM Ryan Slominski wrote:
> Has anyone else noticed there are a few inconsistencies in the
> authentication flow execution section of the REST API? For example,
> ordered most severe first:
>
> 1. You cannot specify an ID when creating an authentication flow
> execution (I believe every other create command allows this, and if you
> provide an ID it is ignored), which means when scripting you must
> programmatically capture the random ID that is generated in order to
> provide it to future commands (kcadm.sh create
> authentication/flows//executions/execution -s id=ignored).
> 2. You cannot specify a flow ID when adding an execution to a
> flow; instead you must use the flow alias, which may contain spaces that
> must be escaped (again, I believe every other create command uses ID, not
> alias).
> 3. You cannot specify the requirement (example: "ALTERNATIVE") when
> creating an execution. You must separately update a newly created
> execution. Coupled with the forced random ID, this is awkward.
> 4. When creating an execution the parameter "provider" is used.
> When creating a flow the parameter is named "providerId".

From sblanc at redhat.com Tue Apr 2 05:28:12 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Apr 2019 11:28:12 +0200
Subject: [keycloak-user] Keycloak policies eval
In-Reply-To:
References:
Message-ID:

We need more info here. Do you want just authentication with simple RBAC, or do you want to use the authorization layer? Have you seen our Spring Boot quickstarts?

On Sun, Mar 31, 2019 at 2:15 PM Simão Silva wrote:
> Hi there,
>
> I'm implementing Keycloak for authentication in a server with Spring
> Boot. I'm doing something like "@RequestMapping("/login")" in Java but
> the policies aren't taken into account, because I can log in with every user
> in the client. I want something like this
> https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-jee-vanilla/src/main/webapp/index.jsp
> that tells me whether or not the user can access the specific client in a
> resource. What should I do?
>
> Best regards,
> Simão Silva

From sblanc at redhat.com Tue Apr 2 05:43:04 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Apr 2019 11:43:04 +0200
Subject: [keycloak-user] Backchannel logout for multiple webapps using a single openid-connect client
In-Reply-To: <20190328-144545.13nldvkcw-2uk@mailcc14>
References: <20190328-144545.13nldvkcw-2uk@mailcc14>
Message-ID:

No, it's using the admin URL. But don't you have the same issue with your redirect URL if you are using just one client for 100 apps?

To avoid too much configuration and still create one client per webapp, you could take a look at the Client Registration service (https://www.keycloak.org/docs/latest/securing_apps/index.html#_client_registration), where clients can register themselves.

On Thu, Mar 28, 2019 at 2:48 PM Michael Kebe wrote:
> Hi mailing list,
>
> is it possible to get backchannel logout working with a single
> openid-connect client, which is used by multiple webapps?
>
> To get backchannel logout working for a single webapp I had to set the
> Admin URL to a specific URL of one webapp.
>
> I expected that Keycloak stores from where the session is initiated and
> knows where the backchannel logout has to be sent to.
>
> I could create for each webapp a specific client and set the Admin URL
> accordingly, but that is too much configuration work for over 100 webapps.
>
> Do I misunderstand the public Access Type?
>
> Michael
>
>
> Hüttenwerke Krupp Mannesmann GmbH, Ehinger Str. 200, D-47259 Duisburg
> Managing directors: Dr. Herbert Eichelkraut, Dr. Gerhard Erdmann, Carsten Laakmann
> Chairman of the supervisory board: Prof. Dr.-Ing. Heinz Jörg Fuhrmann
> Registered office: Duisburg
> Commercial register entry: Amtsgericht Duisburg HRB 4716
> http://www.hkm.de

From j9dy1g at gmail.com Tue Apr 2 07:20:19 2019
From: j9dy1g at gmail.com (Jody H)
Date: Tue, 2 Apr 2019 13:20:19 +0200
Subject: [keycloak-user] Realm Admin Console not visible with "manage-users", "view-users" and "query-groups" roles
Message-ID:

Hi everyone,

I am having trouble allowing users permission to access the realm admin console. I want some users to be able to add users to groups, but not see any of the client configuration etc. I added the roles "manage-users", "view-users" and "query-groups" to a test user.

When logging in with the test user (which I verified is logging in with the correct user id in the Keycloak logs), I cannot access the realm admin console due to: "Forbidden You don't have access to the requested resource."

When I add more privileges, such as "view-realm", then I can access the realm admin console with that test user. But this is too much permission for my users.

This is a screenshot which shows the effective roles of the test user. The three role mappings described above are set in a group and the test user is a member of this group.

[image: grafik.png]

Any tip on how to have the user access the admin console and only allow the user to view clients and manage group membership?

Keycloak Server Version 4.8.3.Final

Thanks!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: grafik.png
Type: image/png
Size: 14125 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190402/43033d24/attachment.png

From nykykof at gmail.com Tue Apr 2 07:52:07 2019
From: nykykof at gmail.com (Koffi Yannick N'ZI)
Date: Tue, 2 Apr 2019 13:52:07 +0200
Subject: [keycloak-user] configure realm master on server initialization
Message-ID:

Hello,

I'm working on deploying Keycloak on a PaaS like Cloud Foundry. I'm now able to do so and to create realms on demand. However, I have an issue. I want to automate the SMTP server configuration in every realm when creating them, including the master realm. I'm able to do so for new realms except the master one.

So my question is: is it possible to configure the master realm by putting some configuration properties in the standalone.xml file or elsewhere? What property name must I set if so?

Thanks

--
Koffi Yannick N'ZI
*Engineer in Information and Communication Technologies, Telecommunications and Networks option.*
*Specialised Master's in Web Technologies and Cyber Security*
nykykof at gmail.com

From ryans at jlab.org Tue Apr 2 08:20:10 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 2 Apr 2019 12:20:10 +0000
Subject: [keycloak-user] Flow Execution REST API Inconsistencies
In-Reply-To:
References:
Message-ID:

Ticket Created: https://issues.jboss.org/browse/KEYCLOAK-9976

________________________________
From: Sebastien Blanc
Sent: Tuesday, April 2, 2019 5:24 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Flow Execution REST API Inconsistencies

I agree there are some inconsistencies here. Could you open a ticket so that we can track this?

On Mon, Apr 1, 2019 at 5:15 PM Ryan Slominski wrote:

Has anyone else noticed there are a few inconsistencies in the authentication flow execution section of the REST API? For example, ordered most severe first:

1. You cannot specify an ID when creating an authentication flow execution (I believe every other create command allows this, and if you provide an ID it is ignored), which means when scripting you must programmatically capture the random ID that is generated in order to provide it to future commands (kcadm.sh create authentication/flows//executions/execution -s id=ignored).
2. You cannot specify a flow ID when adding an execution to a flow; instead you must use the flow alias, which may contain spaces that must be escaped (again, I believe every other create command uses ID, not alias).
3. You cannot specify the requirement (example: "ALTERNATIVE") when creating an execution. You must separately update a newly created execution. Coupled with the forced random ID, this is awkward.
4. When creating an execution the parameter "provider" is used. When creating a flow the parameter is named "providerId".

From fabrice.geslin-prestataire at laposte.fr Tue Apr 2 08:34:25 2019
From: fabrice.geslin-prestataire at laposte.fr (GESLIN Fabrice)
Date: Tue, 2 Apr 2019 12:34:25 +0000
Subject: [keycloak-user] java.lang.NoClassDefFoundError in a customized Reset password authentication flow
Message-ID:

Hi,

We're trying to customize the reset password flow by providing a custom authenticator ResetCredentialEmailSms to replace the ResetCredentialEmail provided by default in Keycloak.

In our ResetCredentialEmailSms class, as in the original ResetCredentialEmail, we're importing and using the org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken class.

We can build our authenticator successfully with no warning or error of any kind, but at runtime we got the following issue:

    12:06:43,542 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken
        at moncompte.oidcprovider.authentication.authenticators.resetcred.ResetCredentialEmailSms.authenticate(ResetCredentialEmailSms.java:85)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221)
        at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:117)
        at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
        at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
        at
org.keycloak.services.resources.LoginActionsService.processResetCredentials(LoginActionsService.java:622) ^[[36mkeycloak |^[[0m at org.keycloak.services.resources.LoginActionsService.resetCredentials(LoginActionsService.java:414) ^[[36mkeycloak |^[[0m at org.keycloak.services.resources.LoginActionsService.resetCredentialsPOST(LoginActionsService.java:337) ^[[36mkeycloak |^[[0m at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ^[[36mkeycloak |^[[0m at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ^[[36mkeycloak |^[[0m at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ^[[36mkeycloak |^[[0m at java.lang.reflect.Method.invoke(Method.java:498) ... [[36mkeycloak |^[[0m at java.lang.Thread.run(Thread.java:748) ^[[36mkeycloak |^[[0m Caused by: java.lang.ClassNotFoundException: org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken from [Module "deployment.mon-compte-authentication-0.0.1.jar" from Service Module Loader] ^[[36mkeycloak |^[[0m at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255) ^[[36mkeycloak |^[[0m at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410) ^[[36mkeycloak |^[[0m at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398) ^[[36mkeycloak |^[[0m at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116) ^[[36mkeycloak |^[[0m ... 77 more Any clue about what we did wrong ? Fabrice Geslin Groupe La Poste Post-scriptum La Poste Ce message est confidentiel. Sous reserve de tout accord conclu par ecrit entre vous et La Poste, son contenu ne represente en aucun cas un engagement de la part de La Poste. Toute publication, utilisation ou diffusion, meme partielle, doit etre autorisee prealablement. Si vous n'etes pas destinataire de ce message, merci d'en avertir immediatement l'expediteur. 
From psilva at redhat.com Tue Apr 2 08:37:20 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 2 Apr 2019 09:37:20 -0300
Subject: [keycloak-user] Realm Admin Console not visible with "manage-users", "view-users" and "query-groups" roles

Hi Jody,

This should be fixed in 5.0.0. Could you try it out?

Regards.
Pedro Igor

On Tue, Apr 2, 2019 at 8:38 AM Jody H wrote:
> Hi everyone,
>
> I am having trouble giving users permission to access the realm admin console. I want some users to be able to add users to groups, but not see any of the client configuration etc.
>
> I added the roles "manage-users", "view-users" and "query-groups" to a test user. When logging in with the test user (which I verified is logging in with the correct user id in the Keycloak logs), I cannot access the realm admin console due to:
>
> "Forbidden
> You don't have access to the requested resource."
>
> When I add more privileges, such as "view-realm", then I can access the realm admin console with that test user. But this is too much permission for my users.
>
> This is a screenshot which shows the effective roles of the test user. The three role mappings described above are set in a group and the test user is a member of this group.
> [image: grafik.png]
>
> Any tip on how to have the user access the admin console and only allow the user to view clients and manage group membership?
>
> Keycloak Server Version 4.8.3.Final
>
> Thanks!

From sblanc at redhat.com Tue Apr 2 08:39:27 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Apr 2019 14:39:27 +0200
Subject: [keycloak-user] configure realm master on server initialization

What prevents you from configuring SMTP for the Master Realm? How are you doing it for the other realms (API?)?

On Tue, Apr 2, 2019 at 2:11 PM Koffi Yannick N'ZI wrote:
> Hello,
>
> I'm working on deploying Keycloak on a PaaS like CloudFoundry. I'm now able to do so and to create realms on demand. However, I have an issue. I want to automate the SMTP server configuration in every realm when creating them, including the master realm. I'm able to do so for new realms except the master one.
>
> So my question is: is it possible to configure the master realm by putting some configuration properties in the standalone.xml file or elsewhere? What property name must I set if so?
>
> thanks
>
> --
> Koffi Yannick N'ZI
> Engineer in Information and Communication Technologies, Telecommunications and Networks option.
> Specialized Master's in Web Technologies and Cyber Security
> nykykof at gmail.com

From nykykof at gmail.com Tue Apr 2 08:48:46 2019
From: nykykof at gmail.com (Koffi Yannick N'ZI)
Date: Tue, 2 Apr 2019 14:48:46 +0200
Subject: [keycloak-user] configure realm master on server initialization

For the other realms I create them with the APIs. So when sending the realm object I set the realm SMTP server property. It assumes that the Keycloak instance is deployed. But for the master realm I cannot do so.

I would like to set some environment variables which can be detected by Keycloak when starting.

On Tue, 2 Apr 2019 at 14:39, Sebastien Blanc wrote:
> What prevents you from configuring SMTP for the Master Realm? How are you doing it for the other realms (API?)?
>
> On Tue, Apr 2, 2019 at 2:11 PM Koffi Yannick N'ZI wrote:
>> Hello,
>>
>> I'm working on deploying Keycloak on a PaaS like CloudFoundry. I'm now able to do so and to create realms on demand. However, I have an issue. I want to automate the SMTP server configuration in every realm when creating them, including the master realm. I'm able to do so for new realms except the master one.
>>
>> So my question is: is it possible to configure the master realm by putting some configuration properties in the standalone.xml file or elsewhere? What property name must I set if so?
>>
>> thanks
>>
>> --
>> Koffi Yannick N'ZI
>> Engineer in Information and Communication Technologies, Telecommunications and Networks option.
>> Specialized Master's in Web Technologies and Cyber Security
>> nykykof at gmail.com

--
Koffi Yannick N'ZI
Engineer in Information and Communication Technologies, Telecommunications and Networks option.
Specialized Master's in Web Technologies and Cyber Security
nykykof at gmail.com

From sblanc at redhat.com Tue Apr 2 09:09:14 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Apr 2019 15:09:14 +0200
Subject: [keycloak-user] configure realm master on server initialization

But you could do a PUT (update) on the master realm and pass the smtpServer properties map?

On Tue, Apr 2, 2019 at 2:49 PM Koffi Yannick N'ZI wrote:
> For the other realms I create them with the APIs. So when sending the realm object I set the realm SMTP server property. It assumes that the Keycloak instance is deployed. But for the master realm I cannot do so.
>
> I would like to set some environment variables which can be detected by Keycloak when starting.
>
> On Tue, 2 Apr 2019 at 14:39, Sebastien Blanc wrote:
>> What prevents you from configuring SMTP for the Master Realm? How are you doing it for the other realms (API?)?
>>
>> On Tue, Apr 2, 2019 at 2:11 PM Koffi Yannick N'ZI wrote:
>>> Hello,
>>>
>>> I'm working on deploying Keycloak on a PaaS like CloudFoundry. I'm now able to do so and to create realms on demand. However, I have an issue. I want to automate the SMTP server configuration in every realm when creating them, including the master realm. I'm able to do so for new realms except the master one.
>>>
>>> So my question is: is it possible to configure the master realm by putting some configuration properties in the standalone.xml file or elsewhere? What property name must I set if so?
>>>
>>> thanks
>>>
>>> --
>>> Koffi Yannick N'ZI
>>> Engineer in Information and Communication Technologies, Telecommunications and Networks option.
>>> Specialized Master's in Web Technologies and Cyber Security
>>> nykykof at gmail.com
>
> --
> Koffi Yannick N'ZI
> Engineer in Information and Communication Technologies, Telecommunications and Networks option.
> Specialized Master's in Web Technologies and Cyber Security
> nykykof at gmail.com

From nykykof at gmail.com Tue Apr 2 09:27:25 2019
From: nykykof at gmail.com (Koffi Yannick N'ZI)
Date: Tue, 2 Apr 2019 15:27:25 +0200
Subject: [keycloak-user] configure realm master on server initialization

Yes, I can manually make a request (by using, for example, the kcadm.sh script provided out of the box) in order to update the master realm.

But what I expect, what I wish, is a way to provide the SMTP information automatically on server initialization. I want it because the SMTP properties can change dynamically, in the cloud, from one deployment to another.

And I don't want (if I can avoid it) to make a request to update the master realm for each deployment.

On Tue, 2 Apr 2019 at 15:09, Sebastien Blanc wrote:
> But you could do a PUT (update) on the master realm and pass the smtpServer properties map?
>
> On Tue, Apr 2, 2019 at 2:49 PM Koffi Yannick N'ZI wrote:
>> For the other realms I create them with the APIs. So when sending the realm object I set the realm SMTP server property. It assumes that the Keycloak instance is deployed. But for the master realm I cannot do so.
>>
>> I would like to set some environment variables which can be detected by Keycloak when starting.
>>
>> On Tue, 2 Apr 2019 at 14:39, Sebastien Blanc wrote:
>>> What prevents you from configuring SMTP for the Master Realm? How are you doing it for the other realms (API?)?
>>>
>>> On Tue, Apr 2, 2019 at 2:11 PM Koffi Yannick N'ZI wrote:
>>>> Hello,
>>>>
>>>> I'm working on deploying Keycloak on a PaaS like CloudFoundry. I'm now able to do so and to create realms on demand. However, I have an issue. I want to automate the SMTP server configuration in every realm when creating them, including the master realm. I'm able to do so for new realms except the master one.
>>>>
>>>> So my question is: is it possible to configure the master realm by putting some configuration properties in the standalone.xml file or elsewhere? What property name must I set if so?
>>>>
>>>> thanks
>>>>
>>>> --
>>>> Koffi Yannick N'ZI
>>>> Engineer in Information and Communication Technologies, Telecommunications and Networks option.
>>>> Specialized Master's in Web Technologies and Cyber Security
>>>> nykykof at gmail.com
>>
>> --
>> Koffi Yannick N'ZI
>> Engineer in Information and Communication Technologies, Telecommunications and Networks option.
>> Specialized Master's in Web Technologies and Cyber Security
>> nykykof at gmail.com

--
Koffi Yannick N'ZI
Engineer in Information and Communication Technologies, Telecommunications and Networks option.
Specialized Master's in Web Technologies and Cyber Security.
nykykof at gmail.com

From sblanc at redhat.com Tue Apr 2 10:06:46 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Apr 2019 16:06:46 +0200
Subject: [keycloak-user] configure realm master on server initialization

I see. I'm afraid we don't have this out of the box. One other option could be to import a master realm at startup; this will overwrite the current master. And in your master realm JSON you could have some variables that you replace.

On Tue, Apr 2, 2019 at 3:27 PM Koffi Yannick N'ZI wrote:
> Yes, I can manually make a request (by using, for example, the kcadm.sh script provided out of the box) in order to update the master realm.
>
> But what I expect, what I wish, is a way to provide the SMTP information automatically on server initialization. I want it because the SMTP properties can change dynamically, in the cloud, from one deployment to another.
>
> And I don't want (if I can avoid it) to make a request to update the master realm for each deployment.
>
> On Tue, 2 Apr 2019 at 15:09, Sebastien Blanc wrote:
>> But you could do a PUT (update) on the master realm and pass the smtpServer properties map?
>>
>> On Tue, Apr 2, 2019 at 2:49 PM Koffi Yannick N'ZI wrote:
>>> For the other realms I create them with the APIs. So when sending the realm object I set the realm SMTP server property. It assumes that the Keycloak instance is deployed. But for the master realm I cannot do so.
>>>
>>> I would like to set some environment variables which can be detected by Keycloak when starting.
>>>
>>> On Tue, 2 Apr 2019 at 14:39, Sebastien Blanc wrote:
>>>> What prevents you from configuring SMTP for the Master Realm? How are you doing it for the other realms (API?)?
>>>>
>>>> On Tue, Apr 2, 2019 at 2:11 PM Koffi Yannick N'ZI wrote:
>>>>> Hello,
>>>>>
>>>>> I'm working on deploying Keycloak on a PaaS like CloudFoundry. I'm now able to do so and to create realms on demand. However, I have an issue. I want to automate the SMTP server configuration in every realm when creating them, including the master realm. I'm able to do so for new realms except the master one.
>>>>>
>>>>> So my question is: is it possible to configure the master realm by putting some configuration properties in the standalone.xml file or elsewhere? What property name must I set if so?
>>>>>
>>>>> thanks
>>>>>
>>>>> --
>>>>> Koffi Yannick N'ZI
>>>>> Engineer in Information and Communication Technologies, Telecommunications and Networks option.
>>>>> Specialized Master's in Web Technologies and Cyber Security
>>>>> nykykof at gmail.com
>>>
>>> --
>>> Koffi Yannick N'ZI
>>> Engineer in Information and Communication Technologies, Telecommunications and Networks option.
>>> Specialized Master's in Web Technologies and Cyber Security
>>> nykykof at gmail.com
>
> --
> Koffi Yannick N'ZI
> Engineer in Information and Communication Technologies, Telecommunications and Networks option.
> Specialized Master's in Web Technologies and Cyber Security.
> nykykof at gmail.com

From mposolda at redhat.com Tue Apr 2 10:56:08 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 2 Apr 2019 16:56:08 +0200
Subject: [keycloak-user] java.lang.NoClassDefFoundError in a customized Reset password authentication flow
Message-ID: <8d4158c5-0e2b-4633-2503-0cb77502b017@redhat.com>

Hi,

I think this error is due to the fact that the file jboss-deployment-structure.xml is either missing or is missing the references to the needed JBoss module with the class org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken. Which I think is the module "org.keycloak.keycloak-services".

For some more reference, see for example this quickstart https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator and especially this file in it https://github.com/keycloak/keycloak-quickstarts/blob/latest/action-token-authenticator/src/main/webapp/WEB-INF/jboss-deployment-structure.xml .

Hope this helps,
Marek

On 02/04/2019 14:34, GESLIN Fabrice wrote:
> Hi,
>
> We're trying to customize the reset password flow by providing a custom authenticator ResetCredentialEmailSms to replace the ResetCredentialEmail provided by default in Keycloak.
>
> In our ResetCredentialEmailSms class, as in the original ResetCredentialEmail, we're importing and using the org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken class.
>
> We can build our authenticator successfully with no warning or error of any kind, but at runtime we got the following issue:
>
> keycloak | 12:06:43,542 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken
> keycloak |     at moncompte.oidcprovider.authentication.authenticators.resetcred.ResetCredentialEmailSms.authenticate(ResetCredentialEmailSms.java:85)
> keycloak |     at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221)
> keycloak |     at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:117)
> keycloak |     at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
> keycloak |     at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
> keycloak |     at org.keycloak.services.resources.LoginActionsService.processResetCredentials(LoginActionsService.java:622)
> keycloak |     at org.keycloak.services.resources.LoginActionsService.resetCredentials(LoginActionsService.java:414)
> keycloak |     at org.keycloak.services.resources.LoginActionsService.resetCredentialsPOST(LoginActionsService.java:337)
> keycloak |     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> keycloak |     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> keycloak |     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> keycloak |     at java.lang.reflect.Method.invoke(Method.java:498)
> ...
> keycloak |     at java.lang.Thread.run(Thread.java:748)
> keycloak | Caused by: java.lang.ClassNotFoundException: org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken from [Module "deployment.mon-compte-authentication-0.0.1.jar" from Service Module Loader]
> keycloak |     at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
> keycloak |     at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
> keycloak |     at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
> keycloak |     at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
> keycloak |     ... 77 more
>
> Any clue about what we did wrong?
>
> Fabrice Geslin
> Groupe La Poste
>
> Post-scriptum La Poste
> This message is confidential. Subject to any written agreement between you and La Poste, its content in no way represents a commitment by La Poste. Any publication, use or distribution, even partial, must be authorized in advance. If you are not the intended recipient of this message, please notify the sender immediately.

From mizuki0621 at gmail.com Tue Apr 2 13:05:45 2019
From: mizuki0621 at gmail.com (mizuki)
Date: Tue, 2 Apr 2019 13:05:45 -0400
Subject: [keycloak-user] problem with social identity providers with broker (only google works)

Hi,

I've verified this problem with the latest Keycloak version as well as v4.8.x: using the broker only works with Google. With the other social identity providers, all throw the same error 'Unexpected error when authenticating with identity provider' to the browser, and in server.log:

10:46:59,838 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2) Failed to make identity provider oauth callback: javax.net.ssl.SSLException: Received fatal alert: protocol_version
    at com.ibm.jsse2.k.a(k.java:32)
    at com.ibm.jsse2.k.a(k.java:37)
    at com.ibm.jsse2.av.b(av.java:549)
    at com.ibm.jsse2.av.a(av.java:715)
    at com.ibm.jsse2.av.i(av.java:574)
    at com.ibm.jsse2.av.a(av.java:280)
    at com.ibm.jsse2.av.startHandshake(av.java:431)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)

That happens after the correct credentials are put in.

So far, I've tested:
- linkedin
- facebook
- microsoft
- github

The error almost suggests the problem is an incorrect TLS version. To troubleshoot, I sniffed network packets, comparing Google with the non-working providers (e.g., LinkedIn). The interesting thing I found was that the Keycloak instance is hosted behind a proxy, and when authenticating with external providers all communication should go through the proxy. In Google's case it went well and communication was successful; however with LinkedIn, for example, after the username/password were successfully authenticated, the backend Keycloak instance all of a sudden started to talk to the LinkedIn server directly instead of going through the proxy. Of course the communication will fail and an error is returned.

Can anyone advise?

PS: the keycloak mailing list seems to have trouble with Google email; I apologize in advance if the reply is delayed or resent multiple times.

Thanks!
Mizuki

From ryans at jlab.org Tue Apr 2 13:43:34 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 2 Apr 2019 17:43:34 +0000
Subject: [keycloak-user] Where to define Roles?

Any thoughts on where to define roles? It seems there may be three choices:

1. Define Roles in the user storage provider. I believe Red Hat Identity Manager (LDAP) supports this, for example. Then I believe Keycloak can be configured to load the roles.
2. Define Roles directly in Keycloak (possibly defined based on groups synced from LDAP).
3. Define Roles in client applications (possibly defined based on groups queried from Keycloak). I believe the WildFly client adapter "Elytron" subsystem might support this? Not sure. Custom clients certainly could query Keycloak for groups and then define their own roles.
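Returning to the "configure realm master on server initialization" thread above: Sebastien's last suggestion was to import a master realm at startup from a JSON file in which variables are replaced before the server starts. The script below is an added example of that rendering step; it is not code from the thread or from the Keycloak project. The realm template, the SMTP_* variable names and the required/default split are assumptions made for this example; the smtpServer keys (host, port, from, auth, user, password, starttls, ssl) are the string-valued keys of Keycloak's realm representation.

```python
import json
import os
import sys
from string import Template

# Constructed template (an assumption for this example, not from the thread):
# a minimal master realm in which every smtpServer value is a placeholder.
# Keycloak stores smtpServer values as strings, so "port", "auth" etc. are quoted.
MASTER_REALM_TEMPLATE = """{
  "realm": "master",
  "enabled": true,
  "smtpServer": {
    "host": "${SMTP_HOST}",
    "port": "${SMTP_PORT}",
    "from": "${SMTP_FROM}",
    "auth": "${SMTP_AUTH}",
    "user": "${SMTP_USER}",
    "password": "${SMTP_PASSWORD}",
    "starttls": "${SMTP_STARTTLS}",
    "ssl": "${SMTP_SSL}"
  }
}"""

# Variable names chosen for this example; adapt them to the deployment's own.
REQUIRED = ("SMTP_HOST", "SMTP_PORT", "SMTP_FROM")
DEFAULTS = {
    "SMTP_AUTH": "false",
    "SMTP_USER": "",
    "SMTP_PASSWORD": "",
    "SMTP_STARTTLS": "true",  # opportunistic TLS on unless the deployment says otherwise
    "SMTP_SSL": "false",
}


def render_master_realm(env, template=MASTER_REALM_TEMPLATE):
    """Substitute SMTP_* values from `env` into the template and return the
    parsed realm representation (a dict).

    Raises ValueError when a required variable is missing or the resulting
    SMTP block is inconsistent, so a misconfigured deployment fails before the
    realm file ever reaches Keycloak.
    """
    missing = [name for name in REQUIRED if not env.get(name)]
    if missing:
        raise ValueError("missing SMTP settings: " + ", ".join(missing))

    values = dict(DEFAULTS)
    values.update({k: v for k, v in env.items() if k.startswith("SMTP_")})

    # JSON-escape every value (quotes, backslashes, control characters) so an
    # unusual password cannot break, or silently alter, the rendered document.
    escaped = {k: json.dumps(v)[1:-1] for k, v in values.items()}
    realm = json.loads(Template(template).substitute(escaped))

    smtp = realm["smtpServer"]
    if not smtp["port"].isdigit():
        raise ValueError("SMTP_PORT must be numeric, got %r" % smtp["port"])
    if smtp["auth"] == "true" and not (smtp["user"] and smtp["password"]):
        raise ValueError("SMTP_AUTH=true requires SMTP_USER and SMTP_PASSWORD")
    if smtp["ssl"] == "true" and smtp["starttls"] == "true":
        raise ValueError("choose either SMTP_SSL or SMTP_STARTTLS, not both")
    return realm


def write_master_realm(path, env):
    """Render the realm and write it to `path`. The file carries the SMTP
    password, so it is created readable by its owner only."""
    realm = render_master_realm(env)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(realm, fh, indent=2)
    return realm


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "master-realm.json"
    try:
        write_master_realm(target, os.environ)
    except ValueError as exc:
        sys.exit("refusing to write %s: %s" % (target, exc))
    print("wrote", target)
```

Run it in the container's start hook before the server comes up, then hand the written file to Keycloak's startup import (in the WildFly-based releases of the time, the keycloak.migration.action=import system property together with keycloak.migration.strategy=OVERWRITE_EXISTING, as described in Keycloak's export/import documentation). Validating the rendered JSON and failing closed keeps a half-set environment from overwriting the master realm with an unusable SMTP block.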
From fabrice.geslin-prestataire at laposte.fr Tue Apr 2 14:06:43 2019 From: fabrice.geslin-prestataire at laposte.fr (GESLIN Fabrice) Date: Tue, 2 Apr 2019 18:06:43 +0000 Subject: [keycloak-user] java.lang.NoClassDefFoundError in a customized Reset password authentication flow In-Reply-To: <8d4158c5-0e2b-4633-2503-0cb77502b017@redhat.com> References: <8d4158c5-0e2b-4633-2503-0cb77502b017@redhat.com> Message-ID: Thanks for the answer Marek but unfortunately adding the jboss-deployment-structure.xml to the META-INF of our jar doesn't solve the problem. FYI, we've previously implemented a custom Username Password Form authenticator that imports and uses some classes from the keycloak-services module and we didn't have to explicitly specify the dependencies in an xml file. Is there anything special with the ResetCredentialsActionToken class or its package ? Regards, Fabrice Geslin -----Message d'origine----- De?: Marek Posolda [mailto:mposolda at redhat.com] Envoy??: mardi 2 avril 2019 16:56 ??: GESLIN Fabrice ; keycloak-user at lists.jboss.org Objet?: Re: [keycloak-user] java.lang.NoClassDefFoundError in a customized Reset password authentication flow Hi, I think this error is due the fact that file jboss-deployment-structure.xml is either missing or it is missing the references to needed jboss module with the class org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken. Which I think is the module "org.keycloak.keycloak-services" . For some more reference, see for example this quickstart https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator and especially this file in it https://github.com/keycloak/keycloak-quickstarts/blob/latest/action-token-authenticator/src/main/webapp/WEB-INF/jboss-deployment-structure.xml . 
Hope this helps,
Marek

On 02/04/2019 14:34, GESLIN Fabrice wrote:
> Hi,
>
> We're trying to customize the reset password flow by providing a custom authenticator
> ResetCredentialEmailSms to replace the ResetCredentialEmail provided by default in Keycloak.
>
> In our ResetCredentialEmailSms class, as in the original ResetCredentialEmail, we're importing and using the org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken class.
>
> We can build our authenticator successfully with no warning or error of any kind, but at runtime we got the following issue:
>
> 12:06:43,542 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken
>     at moncompte.oidcprovider.authentication.authenticators.resetcred.ResetCredentialEmailSms.authenticate(ResetCredentialEmailSms.java:85)
>     at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221)
>     at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:117)
>     at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
>     at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
>     at org.keycloak.services.resources.LoginActionsService.processResetCredentials(LoginActionsService.java:622)
>     at org.keycloak.services.resources.LoginActionsService.resetCredentials(LoginActionsService.java:414)
>     at org.keycloak.services.resources.LoginActionsService.resetCredentialsPOST(LoginActionsService.java:337)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     ...
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.lang.ClassNotFoundException: org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken from [Module "deployment.mon-compte-authentication-0.0.1.jar" from Service Module Loader]
>     at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
>     at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
>     at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
>     at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
>     ... 77 more
>
> Any clue about what we did wrong?
>
> Fabrice Geslin
>
> Groupe La Poste
>
> Post-scriptum La Poste
>
> This message is confidential. Subject to any agreement concluded in writing between you and La Poste, its content in no way represents a commitment on the part of La Poste. Any publication, use or distribution, even partial, must be authorised in advance. If you are not the intended recipient of this message, please notify the sender immediately.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 2 Apr 2019 16:33:53 -0300
Subject: [keycloak-user] Where to define Roles?

Hi Ryan,

It really depends on your use case. You could potentially have a mix of all three alternatives.

Regards.
Pedro Igor

On Tue, Apr 2, 2019 at 3:41 PM Ryan Slominski wrote:
> Any thoughts on where to define roles. It seems there may be three choices:
>
> 1. Define Roles in the user storage provider. I believe Red Hat Identity Manager (LDAP) supports this for example. Then I believe Keycloak can be configured to load the roles.
> 2. Define Roles directly in Keycloak (possibly defined based on groups synced from LDAP).
> 3. Define Roles in client applications (possibly defined based on groups queried from Keycloak). I believe the Wildfly client adapter "Elytron" subsystem might support this? Not sure. Custom clients certainly could query Keycloak for groups and then define their own roles.

From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 2 Apr 2019 21:45:29 +0200
Subject: [keycloak-user] java.lang.NoClassDefFoundError in a customized Reset password authentication flow

On 02/04/2019 20:06, GESLIN Fabrice wrote:
> Thanks for the answer Marek but unfortunately adding the jboss-deployment-structure.xml to the META-INF of our jar doesn't solve the problem.
>
> FYI, we've previously implemented a custom Username Password Form authenticator that imports and uses some classes from the keycloak-services module and we didn't have to explicitly specify the dependencies in an xml file.
>
> Is there anything special with the ResetCredentialsActionToken class or its package?

No, there is nothing special in this class. Just maybe that it inherits from some classes/interfaces from other keycloak modules. So maybe you need to add a few more modules like keycloak-server-spi and keycloak-server-spi-private.

If you still see issues, I suggest to try for example:
- Deploy as a WAR instead of JAR (same as the quickstart I pointed to is doing)
- Deploy your JAR as a module rather than the file directly deployed in standalone/deployments

Marek

> Regards,
>
> Fabrice Geslin
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, 2 April 2019 16:56
> To: GESLIN Fabrice; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] java.lang.NoClassDefFoundError in a customized Reset password authentication flow
>
> Hi,
>
> I think this error is due to the fact that the file jboss-deployment-structure.xml is either missing or it is missing the references to the needed jboss module with the class org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.
> Which I think is the module "org.keycloak.keycloak-services".
>
> For some more reference, see for example this quickstart
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator
> and especially this file in it
> https://github.com/keycloak/keycloak-quickstarts/blob/latest/action-token-authenticator/src/main/webapp/WEB-INF/jboss-deployment-structure.xml
>
> Hope this helps,
> Marek

From: mizuki0621 at gmail.com (mizuki)
Date: Tue, 2 Apr 2019 16:33:41 -0400
Subject: [keycloak-user] problem with social identity providers with broker (only google works)

Just a comment: I do not want to unnecessarily complicate the case by involving the proxy. From the packet flow, it seems like Keycloak started initiating communication with those social providers using TLSv1 (after the password was submitted and possibly during the code-for-token stage). Any reasons that triggered this, or any work-arounds? Is it because the social providers are using TLSv1?

Cheers.
Mizuki

On Tue, Apr 2, 2019 at 1:05 PM mizuki wrote:
> Hi,
>
> I've verified this problem with the keycloak latest version as well as v4.8.x: using the broker only works with google; with other social identity providers, all throw the same error 'Unexpected error when authenticating with identity provider' to the browser and in server.log:
>
> 10:46:59,838 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2) Failed to make identity provider oauth callback: javax.net.ssl.SSLException: Received fatal alert: protocol_version
>     at com.ibm.jsse2.k.a(k.java:32)
>     at com.ibm.jsse2.k.a(k.java:37)
>     at com.ibm.jsse2.av.b(av.java:549)
>     at com.ibm.jsse2.av.a(av.java:715)
>     at com.ibm.jsse2.av.i(av.java:574)
>     at com.ibm.jsse2.av.a(av.java:280)
>     at com.ibm.jsse2.av.startHandshake(av.java:431)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
>
> That happens after the correct credentials are put in. So far, I've tested:
> - linkedin
> - facebook
> - microsoft
> - github
>
> The error almost suggests the problem is an incorrect TLS version. To troubleshoot, I sniffed network packets, comparing Google with non-working providers (ex, LinkedIn).
> The interesting thing found out was that the keycloak instance is hosted behind a proxy; when authenticating with external providers, all communication shall go through the proxy. In google's case it went well and communication was successful, however with Linkedin for example, after username/password successfully authenticated, the backend keycloak instance all of a sudden started to talk to the LinkedIn server itself instead of going through the proxy. Of course the communication will fail and an error is returned.
>
> Can anyone advise?
>
> PS: the keycloak mailing list seems to have trouble with google email, I apologize in advance if the reply is delayed or resent multiple times.
>
> Thanks!
> Mizuki

From: ryans at jlab.org (Ryan Slominski)
Date: Tue, 2 Apr 2019 21:06:55 +0000
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Has anyone been able to propagate the Keycloak security domain in the Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and applying a JBoss-specific annotation (@SecurityDomain) to hundreds of EJBs. I placed the file into WEB-INF with contents: * keycloak

I also tried the label "KeycloakDomain" instead of "keycloak". In either case I get the following error when I attempt to deploy the war file:

"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
    "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]",
    "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]",
    "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]"

From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Apr 2019 23:12:23 +0200
Subject: [keycloak-user] Keycloak policies eval

I'm sorry and still don't really get your question.
If you want to use policies and you are using Spring Boot you should really take a look at this quickstart: https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot

On Tue, Apr 2, 2019 at 6:12 PM Simão Silva wrote:
> Hi there,
>
> I use this url to get my users' access token ("http://localhost:8090/auth/realms/MYREALM/protocol/openid-connect/token") with username, password, client_id, realm, client secret and grant type, the last one with the value "password". My question is how to make this request not return any access token, therefore not allowing authentication on my Realm, using some kind of policy (time and role-based).
>
> Best regards,
> Simão Silva
>
> On Tue, Apr 2, 2019 at 10:28 AM Sebastien Blanc wrote:
>> We need more info here. Do you want just authentication with simple RBAC or do you want to use the authorization layer? Have you seen our Springboot quickstarts?
>>
>> On Sun, Mar 31, 2019 at 2:15 PM Simão Silva wrote:
>>> Hi there,
>>>
>>> I'm implementing keycloak for authentication in a server with spring boot. I'm doing something like "@RequestMapping("/login")" in java but the policies aren't taken into account, because I can login with every user in the client. I want something like this
>>> https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-jee-vanilla/src/main/webapp/index.jsp
>>> that tells me if the user can or not access the specific client in a resource. What should I do?
>>>
>>> Best regards,
>>> Simão Silva

From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 2 Apr 2019 23:19:23 +0200
Subject: [keycloak-user] Keycloak Admin Client dependencies for Keycloak 5.0.0?

This looks more like a Maven packaging issue that you have rather than an issue with Keycloak. Why are you using the shade plugin? Maybe you should try this approach https://stackoverflow.com/a/574650

On Tue, Apr 2, 2019 at 5:58 PM Jody H wrote:
> Hi Sebastien,
>
> unfortunately I can not make it work with your changes.
> This is my entire POM. Do you see anything that is wrong/missing?
>
> <project xmlns="http://maven.apache.org/POM/4.0.0"
>          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
>   <modelVersion>4.0.0</modelVersion>
>   <groupId>keycloak-admin</groupId>
>   <artifactId>keycloak-admin</artifactId>
>   <version>0.0.1-SNAPSHOT</version>
>
>   <properties>
>     <maven.compiler.source>1.8</maven.compiler.source>
>     <maven.compiler.target>1.8</maven.compiler.target>
>     <keycloak.version>5.0.0</keycloak.version>
>     <resteasy.version>3.1.3.Final</resteasy.version>
>     <jackson.version>2.9.8</jackson.version>
>   </properties>
>
>   <build>
>     <plugins>
>       <plugin>
>         <groupId>org.apache.maven.plugins</groupId>
>         <artifactId>maven-shade-plugin</artifactId>
>         <version>3.2.1</version>
>         <executions>
>           <execution>
>             <phase>package</phase>
>             <goals>
>               <goal>shade</goal>
>             </goals>
>             <configuration>
>               <transformers>
>                 <transformer implementation="org.apache.maven.plugins.shade.resource.ManifestResourceTransformer">
>                   <mainClass>com.test.KeycloakService</mainClass>
>                 </transformer>
>               </transformers>
>               <filters>
>                 <filter>
>                   <artifact>*:*</artifact>
>                   <excludes>
>                     <exclude>META-INF/*.SF</exclude>
>                     <exclude>META-INF/*.DSA</exclude>
>                     <exclude>META-INF/*.RSA</exclude>
>                   </excludes>
>                 </filter>
>               </filters>
>             </configuration>
>           </execution>
>         </executions>
>       </plugin>
>     </plugins>
>   </build>
>
>   <dependencies>
>     <dependency>
>       <groupId>org.keycloak</groupId>
>       <artifactId>keycloak-admin-client</artifactId>
>       <version>${keycloak.version}</version>
>     </dependency>
>     <dependency>
>       <groupId>org.jboss.resteasy</groupId>
>       <artifactId>resteasy-client</artifactId>
>       <version>${resteasy.version}</version>
>     </dependency>
>     <dependency>
>       <groupId>org.jboss.resteasy</groupId>
>       <artifactId>resteasy-jackson2-provider</artifactId>
>       <version>${resteasy.version}</version>
>     </dependency>
>     <dependency>
>       <groupId>com.fasterxml.jackson.core</groupId>
>       <artifactId>jackson-core</artifactId>
>       <version>${jackson.version}</version>
>     </dependency>
>     <dependency>
>       <groupId>com.fasterxml.jackson.core</groupId>
>       <artifactId>jackson-databind</artifactId>
>       <version>${jackson.version}</version>
>     </dependency>
>     <dependency>
>       <groupId>com.fasterxml.jackson.core</groupId>
>       <artifactId>jackson-annotations</artifactId>
>       <version>${jackson.version}</version>
>     </dependency>
>     <dependency>
>       <groupId>com.fasterxml.jackson.jaxrs</groupId>
>       <artifactId>jackson-jaxrs-json-provider</artifactId>
>       <version>${jackson.version}</version>
>     </dependency>
>   </dependencies>
> </project>
>
> Also, here is the mvn package output from my Windows machine:
> PS \eclipse-workspace\keycloak-admin> mvn package
> [INFO] Scanning for projects...
> [INFO]
> [INFO] ------------------------------------------------------------------------
> [INFO] Building keycloak-admin 0.0.1-SNAPSHOT
> [INFO] ------------------------------------------------------------------------
> [INFO]
> [INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ keycloak-admin ---
> [WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!
> [INFO] Copying 0 resource
> [INFO]
> [INFO] --- maven-compiler-plugin:3.1:compile (default-compile) @ keycloak-admin ---
> [INFO] Nothing to compile - all classes are up to date
> [INFO]
> [INFO] --- maven-resources-plugin:2.6:testResources (default-testResources) @ keycloak-admin ---
> [WARNING] Using platform encoding (Cp1252 actually) to copy filtered resources, i.e. build is platform dependent!
> [INFO] Copying 0 resource
> [INFO]
> [INFO] --- maven-compiler-plugin:3.1:testCompile (default-testCompile) @ keycloak-admin ---
> [INFO] Nothing to compile - all classes are up to date
> [INFO]
> [INFO] --- maven-surefire-plugin:2.12.4:test (default-test) @ keycloak-admin ---
> [INFO]
> [INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ keycloak-admin ---
> [INFO]
> [INFO] --- maven-shade-plugin:3.2.1:shade (default) @ keycloak-admin ---
> [INFO] Including org.keycloak:keycloak-admin-client:jar:5.0.0 in the shaded jar.
> [INFO] Including org.keycloak:keycloak-core:jar:5.0.0 in the shaded jar.
> [INFO] Including org.keycloak:keycloak-common:jar:5.0.0 in the shaded jar.
> [INFO] Including org.bouncycastle:bcprov-jdk15on:jar:1.60 in the shaded jar.
> [INFO] Including org.bouncycastle:bcpkix-jdk15on:jar:1.60 in the shaded jar.
> [INFO] Including org.jboss.resteasy:resteasy-client:jar:3.1.3.Final in the shaded jar.
> [INFO] Including org.jboss.resteasy:resteasy-jaxrs:jar:3.1.3.Final in the shaded jar.
> [INFO] Including org.jboss.spec.javax.ws.rs:jboss-jaxrs-api_2.0_spec:jar:1.0.1.Beta1 in the shaded jar.
> [INFO] Including org.jboss.spec.javax.annotation:jboss-annotations-api_1.2_spec:jar:1.0.0.Final in the shaded jar.
> [INFO] Including javax.activation:activation:jar:1.1.1 in the shaded jar.
> [INFO] Including commons-io:commons-io:jar:2.5 in the shaded jar.
> [INFO] Including net.jcip:jcip-annotations:jar:1.0 in the shaded jar.
> [INFO] Including org.jboss.resteasy:resteasy-jaxrs-services:jar:3.1.3.Final in the shaded jar.
> [INFO] Including org.jboss.logging:jboss-logging:jar:3.3.0.Final in the shaded jar.
> [INFO] Including org.apache.httpcomponents:httpclient:jar:4.5.2 in the shaded jar.
> [INFO] Including org.apache.httpcomponents:httpcore:jar:4.4.4 in the shaded jar.
> [INFO] Including commons-logging:commons-logging:jar:1.2 in the shaded jar.
> [INFO] Including commons-codec:commons-codec:jar:1.9 in the shaded jar.
> [INFO] Including org.jboss.resteasy:resteasy-jackson2-provider:jar:3.1.3.Final in the shaded jar.
> [INFO] Including com.fasterxml.jackson.core:jackson-core:jar:2.9.8 in the shaded jar.
> [INFO] Including com.fasterxml.jackson.core:jackson-databind:jar:2.9.8 in the shaded jar.
> [INFO] Including com.fasterxml.jackson.core:jackson-annotations:jar:2.9.8 in the shaded jar.
> [INFO] Including com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.9.8 in the shaded jar.
> [INFO] Including com.fasterxml.jackson.jaxrs:jackson-jaxrs-base:jar:2.9.8 in the shaded jar.
> [INFO] Including com.fasterxml.jackson.module:jackson-module-jaxb-annotations:jar:2.9.8 in the shaded jar.
> [WARNING] keycloak-admin-0.0.1-SNAPSHOT.jar, commons-logging-1.2.jar > define 28 overlapping classes: > [WARNING] - org.apache.commons.logging.LogSource > [WARNING] - org.apache.commons.logging.impl.ServletContextCleaner > [WARNING] - org.apache.commons.logging.Log > [WARNING] - org.apache.commons.logging.LogFactory$3 > [WARNING] - org.apache.commons.logging.impl.LogFactoryImpl$2 > [WARNING] - org.apache.commons.logging.impl.LogKitLogger > [WARNING] - org.apache.commons.logging.LogConfigurationException > [WARNING] - org.apache.commons.logging.impl.Jdk14Logger > [WARNING] - org.apache.commons.logging.impl.WeakHashtable$Referenced > [WARNING] - org.apache.commons.logging.impl.WeakHashtable$WeakKey > [WARNING] - 18 more... > [WARNING] keycloak-admin-0.0.1-SNAPSHOT.jar, > resteasy-jackson2-provider-3.1.3.Final.jar define 8 overlapping classes: > [WARNING] - org.jboss.resteasy.annotations.providers.NoJackson > [WARNING] - > org.jboss.resteasy.plugins.providers.jackson.UnrecognizedPropertyExceptionHandler > [WARNING] - > org.jboss.resteasy.plugins.providers.jackson.Jackson2JsonpInterceptor > [WARNING] - > org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider$ClassAnnotationKey > [WARNING] - > org.jboss.resteasy.plugins.providers.jackson.Jackson2JsonpInterceptor$DoNotCloseDelegateOutputStream > [WARNING] - org.jboss.resteasy.annotations.providers.jackson.Formatted > [WARNING] - > org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider$1 > [WARNING] - > org.jboss.resteasy.plugins.providers.jackson.ResteasyJackson2Provider > [WARNING] maven-shade-plugin has detected that some class files are > [WARNING] present in two or more JARs. When this happens, only one > [WARNING] single version of the class is copied to the uber jar. > [WARNING] Usually this is not harmful and you can skip these warnings, > [WARNING] otherwise try to manually exclude artifacts based on > [WARNING] mvn dependency:tree -Ddetail=true and the above output. 
> [WARNING] See http://maven.apache.org/plugins/maven-shade-plugin/
> [INFO] Replacing original artifact with shaded artifact.
> [INFO] Replacing C:\Users\jody\eclipse-workspace\keycloak-admin\target\keycloak-admin-0.0.1-SNAPSHOT.jar with C:\Users\jody\eclipse-workspace\keycloak-admin\target\keycloak-admin-0.0.1-SNAPSHOT-shaded.jar
> [INFO] Dependency-reduced POM written at: C:\Users\jody\eclipse-workspace\keycloak-admin\dependency-reduced-pom.xml
> [INFO] ------------------------------------------------------------------------
> [INFO] BUILD SUCCESS
> [INFO] ------------------------------------------------------------------------
> [INFO] Total time: 4.586 s
> [INFO] Finished at: 2019-04-02T17:54:51+02:00
> [INFO] Final Memory: 17M/428M
> [INFO] ------------------------------------------------------------------------
>
> Is this the same for your build?
>
> Thanks for your help
> Jody
>
> On Tue, 2 Apr 2019 at 10:22, Sebastien Blanc <sblanc at redhat.com> wrote:
>
>> Hi,
>>
>> Your first error is because you forgot "http://" .
>> For the second one, it's working for me with the pom you provided. You are probably not passing the needed classpath libs in your java -jar command (or include the dependencies in your jar)
>>
>> On Mon, Apr 1, 2019 at 10:51 PM Jody H wrote:
>>
>>> Hi,
>>>
>>> I have looked around on Google for a while now but I can't seem to figure out my problem. I mostly used the Gist from Github here to get started:
>>> https://gist.github.com/thomasdarimont/43689aefb37540624e35
>>> After things were not really working out, I tried some other stuff that you can find below:
>>> I am trying to use the Keycloak admin client in Java, version 5.0.0.
>>>
>>> My POM contains the following:
>>>
>>> 1.8
>>> 1.8
>>>
>>> 5.0.0
>>> 3.1.3.Final
>>> 2.9.8
>>>
>>> org.keycloak
>>> keycloak-admin-client
>>> ${keycloak.version}
>>>
>>> org.jboss.resteasy
>>> resteasy-client
>>> ${resteasy.version}
>>>
>>> org.jboss.resteasy
>>> resteasy-jackson2-provider
>>> ${resteasy.version}
>>>
>>> com.fasterxml.jackson.core
>>> jackson-core
>>> ${jackson.version}
>>>
>>> com.fasterxml.jackson.core
>>> jackson-databind
>>> ${jackson.version}
>>>
>>> com.fasterxml.jackson.core
>>> jackson-annotations
>>> ${jackson.version}
>>>
>>> com.fasterxml.jackson.jaxrs
>>> jackson-jaxrs-json-provider
>>> ${jackson.version}
>>>
>>> When I add the following code, building the keycloak client fails:
>>>
>>> Keycloak keycloak = KeycloakBuilder.builder().serverUrl("localhost:8080/auth").realm("master")
>>>     .username("admin").password("admin").clientId("admin-cli").build();
>>>
>>> System.out.println(keycloak.serverInfo().getInfo().toString());
>>>
>>> Produces the following exception:
>>>
>>> java -jar .\keycloak-admin-0.0.1-SNAPSHOT.jar
>>> Exception in thread "main" java.lang.IllegalArgumentException: RESTEASY003720: path param realm has not been provided by the parameter map
>>>     at org.jboss.resteasy.specimpl.ResteasyUriBuilder.replaceParameter(ResteasyUriBuilder.java:659)
>>>     at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildString(ResteasyUriBuilder.java:581)
>>>     at org.jboss.resteasy.specimpl.ResteasyUriBuilder.buildFromValues(ResteasyUriBuilder.java:780)
>>>     at org.jboss.resteasy.specimpl.ResteasyUriBuilder.build(ResteasyUriBuilder.java:772)
>>>     at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.getUri(ClientWebTarget.java:107)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.createRequest(ClientInvoker.java:124)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:104)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>>>     at com.sun.proxy.$Proxy15.grantToken(Unknown Source)
>>>     at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
>>>     at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
>>>     at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
>>>     at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
>>>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>>>     at com.sun.proxy.$Proxy17.getInfo(Unknown Source)
>>>
>>> When using the Keycloak.getInstance method, I get another exception:
>>>
>>> Keycloak keycloak = Keycloak.getInstance("http://localhost:8080/auth", "master", "admin", "admin", "admin-cli");
>>>
>>> Produces exception:
>>>
>>> Exception in thread "main" javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: RESTEASY003145: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
>>>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:156)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.extractors.BodyEntityExtractor.extractEntity(BodyEntityExtractor.java:60)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:107)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>>>     at com.sun.proxy.$Proxy15.grantToken(Unknown Source)
>>>     at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:89)
>>>     at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:69)
>>>     at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:64)
>>>     at org.keycloak.admin.client.resource.BearerAuthFilter.filter(BearerAuthFilter.java:52)
>>>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:431)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:105)
>>>     at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:76)
>>>     at com.sun.proxy.$Proxy17.getInfo(Unknown Source)
>>>     at test.KeycloakAdmin.main(MyMain.java:17)
>>> Caused by: javax.ws.rs.ProcessingException: RESTEASY003145: Unable to find a MessageBodyReader of content-type application/json and type class org.keycloak.representations.AccessTokenResponse
>>>     at org.jboss.resteasy.core.interception.jaxrs.ClientReaderInterceptorContext.throwReaderNotFound(ClientReaderInterceptorContext.java:42)
>>>     at org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.getReader(AbstractReaderInterceptorContext.java:80)
>>>     at org.jboss.resteasy.core.interception.jaxrs.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53)
>>>     at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:266)
>>>     at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:196)
>>>     at org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:212)
>>>     at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.extractResult(ClientInvocation.java:120)
>>>     ... 13 more
>>>
>>> Can someone share insight on how to use the keycloak admin client library in the most recent version? Which dependencies do I need inside of my pom?
>>>
>>> Thanks!
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>

From bruno at abstractj.org Tue Apr 2 18:03:30 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Tue, 2 Apr 2019 19:03:30 -0300
Subject: [keycloak-user] Display issue in user groups tab
In-Reply-To:
References:
Message-ID: <20190402220330.GA20045@abstractj.org>

That's strange, can you reproduce the same issue by running one of our docker images?

docker run -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin jboss/keycloak:4.8.3.Final

If yes, could you please provide them?

On 2019-04-01, Lamine Léo Keita wrote:
> On navigator console, I have this error :
>
> angular.js:14961 Error: [$injector:unpr]
> http://errors.angularjs.org/1.6.10/$injector/unpr?p0=groupsProvider%20%3C-%20groups%20%3C-%20UserGroupMembershipCtrl%20%3C-%20UserGroupMembershipCtrl%20%3C-%20UserGroupMembershipCtrl
>     at angular.js:88
>     at angular.js:4898
>     at Object.d [as get] (angular.js:5058)
>     at angular.js:4903
>     at d (angular.js:5058)
>     at e (angular.js:5083)
>     at Object.instantiate (angular.js:5129)
>     at angular.js:11154
>     at Object.link (angular-route.js:1209)
>     at angular.js:1393 "
>
> BR,
> Lamine Keita
>
> On Thu, Mar 28, 2019 at 6:24 PM Bruno Oliveira wrote:
>
> > Also try to look at the Web browser console. The more details you provide, the better to figure out if there's something wrong.
> >
> > On Thu, Mar 28, 2019 at 1:30 PM Lamine Léo Keita wrote:
> > >
> > > Hi Bruno,
> > >
> > > Thx for your reactivity!
> > >
> > > In logs I've got nothing particular as all data are received when clicking on user id to see its details ....
> > >
> > > I will try to set log level to debug to see if I can have more logs....
> > >
> > > Regards,
> > > Lamine
> > >
> > > On Thu, Mar 28, 2019 at 3:42 PM Bruno Oliveira wrote:
> > >>
> > >> Hmmm I don't see that. What do you have at your server logs?
> > >>
> > >> On Thu, Mar 28, 2019 at 10:50 AM Lamine Léo Keita wrote:
> > >> >
> > >> > Hi,
> > >> >
> > >> > Current version of Keycloak is 4.8.3.Final
> > >> >
> > >> > When I click on the groups tab of any user in any realm I've got the below display issue.
> > >> >
> > >> > Anybody already got this?
> > >> >
> > >> > Regards,
> > >> > Lamine
> > >> > _______________________________________________
> > >> > keycloak-user mailing list
> > >> > keycloak-user at lists.jboss.org
> > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> > >>
> > >>
> > >> --
> > >> - abstractj
> >
> > --
> > - abstractj

--
abstractj

From psilva at redhat.com Tue Apr 2 18:11:52 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 2 Apr 2019 19:11:52 -0300
Subject: [keycloak-user] Keycloak policies eval
In-Reply-To:
References:
Message-ID:

I think this is maybe related to the "Client Authorization" extension? See https://www.keycloak.org/extensions.html. It seems that what you are looking for is not supported OOTB. This extension is really interesting ...

On Tue, Apr 2, 2019 at 6:17 PM Sebastien Blanc wrote:

> I'm sorry and still don't really get your question.
> If you want to use policies and you are using Spring Boot you should really take a look at this quickstart :
>
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-springboot
>
> On Tue, Apr 2, 2019 at 6:12 PM Simão Silva wrote:
>
> > Hi there,
> >
> > I use this url to get my users access token ("http://localhost:8090/auth/realms/MYREALM/protocol/openid-connect/token") with username, password, client_id, realm, client secret and grant type, the last one with the value "password". My question is how to make this request not returning any access token therefore not allowing authentication on my Realm using some kind of policy (time and role-based).
> >
> > Best regards,
> > Simão Silva
> >
> >
> > On Tue, Apr 2, 2019 at 10:28 AM Sebastien Blanc wrote:
> >
> >> We need more info here. Do you want just authentication with simple RBAC or do you want to use the authorization layer ? Have you seen our Springboot quickstarts ?
> >>
> >> On Sun, Mar 31, 2019 at 2:15 PM Simão Silva wrote:
> >>
> >>> Hi there,
> >>>
> >>> I'm implementing keycloak for authentication in a server with spring boot. I'm doing something like "@RequestMapping("/login") " in java but the policies aren't taken into account, because I can login with every user in the client. I want something like this
> >>> https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-jee-vanilla/src/main/webapp/index.jsp ,
> >>> that tells me if the user can or not access the specific client in a resource. What should I do?
> >>>
> >>> Best regards,
> >>> Simão Silva
> >>> _______________________________________________
> >>> keycloak-user mailing list
> >>> keycloak-user at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>
> >>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Apr 2 21:07:46 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 2 Apr 2019 22:07:46 -0300
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
In-Reply-To:
References:
Message-ID:

Hi,

I guess it is a local EJB ? If so, could you try configuring the EJB subsystem with an application-security-domain as follows:

/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)

Regards.

On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski wrote:

> Has anyone been able to propagate the Keycloak security domain in Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and applying a JBOSS specific annotation (@SecurityDomain) to hundreds of EJBs.
>
> I placed the file into WEB-INF with contents:
>
> xmlns="http://java.sun.com/xml/ns/javaee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns:s="urn:security"
> xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd"
> version="3.1" impl-version="2.0">
>
> *
> keycloak
>
> I also tried label "KeycloakDomain" instead of "keycloak". In either case I get the following error when I attempt to deploy the war file:
>
> "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => [
>     "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]",
>     "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]",
>     "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]"
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From fabrice.geslin-prestataire at laposte.fr Wed Apr 3 03:39:28 2019
From: fabrice.geslin-prestataire at laposte.fr (GESLIN Fabrice)
Date: Wed, 3 Apr 2019 07:39:28 +0000
Subject: [keycloak-user] java.lang.NoClassDefFoundError in a customized Reset password authentication flow
In-Reply-To:
References: <8d4158c5-0e2b-4633-2503-0cb77502b017@redhat.com>
Message-ID:

Hi,

After having added a few more dependencies in the jboss-deployment-structure.xml, it works.

Thank you for your kind and appreciated help Marek.

Regards,

Fabrice Geslin

-----Original Message-----
From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Tuesday, 2 April 2019 21:45
To: GESLIN Fabrice ; keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] java.lang.NoClassDefFoundError in a customized Reset password authentication flow

On 02/04/2019 20:06, GESLIN Fabrice wrote:
> Thanks for the answer Marek but unfortunately adding the jboss-deployment-structure.xml to the META-INF of our jar doesn't solve the problem.
>
> FYI, we've previously implemented a custom Username Password Form authenticator that imports and uses some classes from the keycloak-services module and we didn't have to explicitly specify the dependencies in an xml file.
>
> Is there anything special with the ResetCredentialsActionToken class or its package ?

No, there is nothing special in this class. Just maybe that it inherits from some classes/interfaces from other keycloak modules. So maybe you need to add a few more modules like keycloak-server-spi and keycloak-server-spi-private.

If you still see issues, I suggest trying for example:
- Deploy as a WAR instead of JAR (Same like the quickstart I pointed is doing)
- Deploy your JAR as a module rather than the file directly deployed in standalone/deployments

Marek

>
> Regards,
>
> Fabrice Geslin
>
> -----Original Message-----
> From: Marek Posolda [mailto:mposolda at redhat.com]
> Sent: Tuesday, 2 April 2019 16:56
> To: GESLIN Fabrice ; keycloak-user at lists.jboss.org
> Subject: Re: [keycloak-user] java.lang.NoClassDefFoundError in a customized Reset password authentication flow
>
> Hi,
>
> I think this error is due to the fact that the file jboss-deployment-structure.xml is either missing or it is missing the references to the needed jboss module with the class org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken.
> Which I think is the module "org.keycloak.keycloak-services" .
>
> For some more reference, see for example this quickstart
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator
> and especially this file in it
> https://github.com/keycloak/keycloak-quickstarts/blob/latest/action-token-authenticator/src/main/webapp/WEB-INF/jboss-deployment-structure.xml
> .
>
> Hope this helps,
> Marek
>
> On 02/04/2019 14:34, GESLIN Fabrice wrote:
>> Hi,
>>
>> We're trying to customize the reset password flow by providing a custom authenticator ResetCredentialEmailSms to replace the ResetCredentialEmail provided by default in Keycloak
>>
>> In our ResetCredentialEmailSms class, as in the original ResetCredentialEmail, we're importing and using the org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken class .
>>
>> We can build our authenticator successfully with no warning or error of any kind but at runtime we got the following issue :
>>
>> keycloak | 12:06:43,542 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-1) Uncaught server error: java.lang.NoClassDefFoundError: org/keycloak/authentication/actiontoken/resetcred/ResetCredentialsActionToken
>> keycloak |     at moncompte.oidcprovider.authentication.authenticators.resetcred.ResetCredentialEmailSms.authenticate(ResetCredentialEmailSms.java:85)
>> keycloak |     at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221)
>> keycloak |     at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:117)
>> keycloak |     at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
>> keycloak |     at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
>> keycloak |     at org.keycloak.services.resources.LoginActionsService.processResetCredentials(LoginActionsService.java:622)
>> keycloak |     at org.keycloak.services.resources.LoginActionsService.resetCredentials(LoginActionsService.java:414)
>> keycloak |     at org.keycloak.services.resources.LoginActionsService.resetCredentialsPOST(LoginActionsService.java:337)
>> keycloak |     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> keycloak |     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> keycloak |     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> keycloak |     at java.lang.reflect.Method.invoke(Method.java:498)
>> ...
>> keycloak |     at java.lang.Thread.run(Thread.java:748)
>> keycloak | Caused by: java.lang.ClassNotFoundException: org.keycloak.authentication.actiontoken.resetcred.ResetCredentialsActionToken from [Module "deployment.mon-compte-authentication-0.0.1.jar" from Service Module Loader]
>> keycloak |     at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
>> keycloak |     at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
>> keycloak |     at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
>> keycloak |     at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
>> keycloak |     ... 77 more
>>
>> Any clue about what we did wrong ?
>>
>> Fabrice Geslin
>>
>> Groupe La Poste
>>
>> La Poste postscript
>>
>> This message is confidential. Unless otherwise agreed in writing between you and La Poste, its content in no way constitutes a commitment on the part of La Poste. Any publication, use or distribution, even partial, must be authorised in advance. If you are not the intended recipient of this message, please notify the sender immediately.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org Wed Apr 3 07:40:12 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 3 Apr 2019 11:40:12 +0000
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
In-Reply-To:
References: ,
Message-ID:

Thanks for the idea. Unfortunately it didn't work. I still see:

"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"]

I am using only local EJBs. I guess I must stick with the legacy Wildfly client adapter. Looks like the JIRA to address the EJB propagation issue has been closed. Can we re-open it?

See: https://issues.jboss.org/browse/KEYCLOAK-5665

________________________________
From: Pedro Igor Silva
Sent: Tuesday, April 2, 2019 9:07 PM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Hi,

I guess it is a local EJB ? If so, could you try configuring the EJB subsystem with an application-security-domain as follows:

/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)

Regards.
On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski > wrote: Has anyone been able to propagate the Keycloak security domain in Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and apply a JBOSS specific annotation (@SecurityDomain) to hundreds of EJBs. I placed the file into WEB-INF with contents: * keycloak I also tried label "KeycloakDomain" instead of "keycloak". In either case I get the following error when I attempt to deploy the war file: "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"], "WFLYCTL0180: Services with missing/unavailable dependencies" => [ "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]", "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]", "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]" _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Wed Apr 3 07:53:55 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 3 Apr 2019 08:53:55 -0300 Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB In-Reply-To: References: Message-ID: I found an error in the command that I gave to you. Could try to change the name of the application-security-domain to "KeycloakDomain", instead of "other". If it doesn't work I would prefer to try this out first before opening the JIRA. But I appreciate if you can at least try the change above first. On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski wrote: > Thanks for the idea. Unfortunately it didn't work. 
> I still see:
>
> "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"]
>
> I am using only local EJBs. I guess I must stick with the legacy Wildfly client adapter. Looks like the JIRA to address the EJB propagation issue has been closed. Can we re-open it?
>
> See: https://issues.jboss.org/browse/KEYCLOAK-5665
>
> ------------------------------
> *From:* Pedro Igor Silva
> *Sent:* Tuesday, April 2, 2019 9:07 PM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
>
> Hi,
>
> I guess it is a local EJB? If so, could you try configuring the EJB subsystem with an application-security-domain as follows:
>
> /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)
>
> Regards.
>
> On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski wrote:
>
> Has anyone been able to propagate the Keycloak security domain in Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and applying a JBoss-specific annotation (@SecurityDomain) to hundreds of EJBs.
>
> I placed the file into WEB-INF with contents:
>
> <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
>                xmlns="http://java.sun.com/xml/ns/javaee"
>                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                xmlns:s="urn:security"
>                xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd"
>                version="3.1" impl-version="2.0">
>     <assembly-descriptor>
>         <s:security>
>             <ejb-name>*</ejb-name>
>             <s:security-domain>keycloak</s:security-domain>
>         </s:security>
>     </assembly-descriptor>
> </jboss:ejb-jar>
>
> I also tried label "KeycloakDomain" instead of "keycloak". In either case I get the following error when I attempt to deploy the war file:
>
> "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => [
>     "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]",
>     "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]",
>     "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]"

From ryans at jlab.org Wed Apr 3 07:58:42 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 3 Apr 2019 11:58:42 +0000
Subject: [keycloak-user] role-ldap-mapper oddities

Anyone notice the following oddities with the role-ldap-mapper (Keycloak 5.0.0)?

1. It has fewer options than group-ldap-mapper despite doing essentially the same thing.
   * "Drop non-existing groups during sync" is missing (label would be "Drop non-existing roles during sync")
   * "Ignore Missing Groups" is missing (label would be "Ignore Missing Roles")
   * "Preserve Group Inheritance" is missing (label would be "Preserve Role Inheritance")
   * "Mapped Group Attributes" is missing? Maybe roles don't have attributes? This one may not matter.

2. Looking up members of a role shows an empty set, but looking up the roles of a specific user works (bug?)
   * Using the web admin console "Role" page, select a role and see it has empty membership
   * Using the web admin console "User" page, select a user and see it has multiple roles, including one that was "empty" on the "Role" page

From ryans at jlab.org Wed Apr 3 08:08:20 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 3 Apr 2019 12:08:20 +0000
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Using the command:

/subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)

Results in a different error upon application deploy:

08:03:35,017 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "staff.war")]) - failure description: {
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]"]
}

More log context attached.

________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 7:53 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

[...]

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: log.txt
Url: http://lists.jboss.org/pipermail/keycloak-user/attachments/20190403/e34ed661/attachment-0001.txt

From psilva at redhat.com Wed Apr 3 08:15:46 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 3 Apr 2019 09:15:46 -0300
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

This seems to be related to your WAR deployment though. Did you try to change the application-security-domain in both ejb3 and undertow subsystems to "other"? That way you don't need to specify a security domain, as "other" will be the default. IIRC, when you run the elytron adapter scripts an "other" application-security-domain is created in the undertow subsystem.
On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski wrote:

> [...]

From ryans at jlab.org Wed Apr 3 08:28:35 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 3 Apr 2019 12:28:35 +0000
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

I'm not familiar with how the Elytron Keycloak client adapter works. How do I change the application-security-domain in both ejb3 and undertow subsystems to "other"?

If I try:

/subsystem=undertow/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)

Then I get the following on deploy:

"{\"WFLYCTL0080: Failed services\" => {\"jboss.deployment.unit.\\\"staff.war\\\".undertow-deployment\" => \"java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.
    Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.\"}}"

If I try:

/subsystem=undertow/application-security-domain=other:add(security-domain=KeycloakDomain)

The command fails with:

{
    "outcome" => "failed",
    "failure-description" => "WFLYCTL0212: Duplicate resource [
    (\"subsystem\" => \"undertow\"),
    (\"application-security-domain\" => \"other\")
]",
    "rolled-back" => true
}

________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 8:15 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

[...]

From rafaelweingartner at gmail.com Wed Apr 3 08:49:21 2019
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Wed, 3 Apr 2019 09:49:21 -0300
Subject: [keycloak-user] Doubts regarding fine grained permission on groups

Hello Keycloak community,

We seem to have stumbled across a feature that we do not fully understand (after reading and re-reading, and testing). Could somebody help to clarify the design of this feature?

When enabling fine grained group permissions, we see the option to assign the scope "manage" to users in specific groups. According to our understanding, this scope would allow us to create the "role" of users ("group-admins") to manage (update user information, reset credentials, enable/disable) other users in the same group; users with this "role" would also not be able to see the other users in the realm that are not assigned to the group where they have this special permission. Therefore, the actions of creating and removing users would still be restricted to the manage-users permission that can be set to "user-managers" in the whole realm.
During our tests, we noticed that the users that receive the "manage" scope permission in a group are able to delete users of the group. Is this the expected behavior? After noticing this, we also thought that they would then be able to create users in the group (if they can remove, why not enable them to create as well?); however, these users are not able to create other users in the group that they have permission to manage (even when explicitly assigning the group to the user being created). Is this a bug? Or something that is not completely documented?

-- 
Rafael Weingärtner

From psilva at redhat.com Wed Apr 3 08:50:59 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 3 Apr 2019 09:50:59 -0300
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

The undertow subsystem already has the "other" application-security-domain defined as I mentioned before.

As a last try, try this:

* /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)
* Leave the undertow subsystem with the default settings defined by the elytron adapter CLI scripts
* Remove any reference to "security-domain" from your EJB archives/beans so that "other" will be the default

What I'm trying to do is to make both web and ejb layers use the same elytron security domain so that you can access the security identity in both layers.

If this doesn't work, I'll try to find some code that I think I have somewhere that is doing this.

On Wed, Apr 3, 2019 at 9:28 AM Ryan Slominski wrote:

> [...]

From ryans at jlab.org Wed Apr 3 09:10:52 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 3 Apr 2019 13:10:52 +0000
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Thanks for the guidance, but I'm unable to get this working. Here is what I tried:

1. Logged into the Wildfly admin console and navigated to Configuration > Subsystems > EJB > Security Domain
   * Ensured I only have one entry, "other", and that its own "Security Domain" sub-field is "KeycloakDomain"
2. Navigated to Configuration > Subsystems > Web (Undertow) > Settings > Application Security Domain > other
   * Ensured the "Security Domain" sub-field is blank (actually tried with blank and value "KeycloakDomain"; doesn't make a difference)
3. I deleted the jboss-ejb3.xml file from my web application WEB-INF directory

Still seeing the following error on deployment of the war file:

"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"]

I am using the latest version of Wildfly (16.0.0.Final), so perhaps the latest Keycloak Elytron client adapter simply doesn't work with this version of Wildfly?

________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 8:50 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

[...]
From gedik at salih.xyz Wed Apr 3 09:13:00 2019
From: gedik at salih.xyz (Salih Gedik)
Date: Wed, 03 Apr 2019 16:13:00 +0300
Subject: [keycloak-user] Fwd: Error Adapter requires SSL. Request: http://XXXX
In-Reply-To: <7407231554296752@iva7-b6ed732000ae.qloud-c.yandex.net>
Message-ID: <7103161554297180@myt3-c7e5d17fe013.qloud-c.yandex.net>

From psilva at redhat.com Wed Apr 3 09:16:58 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 3 Apr 2019 10:16:58 -0300
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Not sure. I need to check this. I'll look at that later this week. Thank you for your feedback. Will ping you back once I've something to share.

On Wed, Apr 3, 2019 at 10:11 AM Ryan Slominski wrote:

> [...]
> > On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski wrote: > > Using the command: > > > /subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain) > > Results in different error upon application deploy: > > 08:03:35,017 ERROR [org.jboss.as.controller.management-operation] > (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - > address: ([("deployment" => "staff.war")]) - failure description: { > "WFLYCTL0412: Required services that are not installed:" => > ["jboss.security.security-domain.KeycloakDomain"], > "WFLYCTL0180: Services with missing/unavailable dependencies" => > ["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService > is missing [jboss.security.security-domain.KeycloakDomain]"] > } > > > More log context attached. > > > ------------------------------ > *From:* Pedro Igor Silva > *Sent:* Wednesday, April 3, 2019 7:53 AM > *To:* Ryan Slominski > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate > security domain to EJB > > I found an error in the command that I gave to you. Could try to change > the name of the application-security-domain to "KeycloakDomain", instead of > "other". > > If it doesn't work I would prefer to try this out first before opening the > JIRA. But I appreciate if you can at least try the change above first. > > On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski wrote: > > Thanks for the idea. Unfortunately it didn't work. I still see: > > "WFLYCTL0412: Required services that are not installed:" => > ["jboss.security.security-domain.KeycloakDomain"] > > I am using only local EJBs. I guess I must stick with the legacy Wildfly > client adapter. Looks like the JIRA to addresss the EJB propagation issue > has been closed. Can we re-open it? 
> > See: https://issues.jboss.org/browse/KEYCLOAK-5665 > > ------------------------------ > *From:* Pedro Igor Silva > *Sent:* Tuesday, April 2, 2019 9:07 PM > *To:* Ryan Slominski > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate > security domain to EJB > > Hi, > > I guess it is a local EJB ? If so, could you try configuring the EJB > subsystem with an application-security-domain as follows: > > > /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain) > > Regards. > > On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski wrote: > > Has anyone been able to propagate the Keycloak security domain in Wildfly > Elytron client adapter to EJBs in an application using jboss-ejb3.xml? > Creating a single file that is bundled with the application war seems like > a better solution than importing and apply a JBOSS specific annotation > (@SecurityDomain) to hundreds of EJBs. > > I placed the file into WEB-INF with contents: > > > xmlns="http://java.sun.com/xml/ns/javaee > > " > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance > > " > xmlns:s="urn:security" > xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee > > http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd > > " > version="3.1" impl-version="2.0"> > > > * > keycloak > > > > > I also tried label "KeycloakDomain" instead of "keycloak". 
In either case > I get the following error when I attempt to deploy the war file: > > "WFLYCTL0412: Required services that are not installed:" => > ["jboss.security.security-domain.KeycloakDomain"], > "WFLYCTL0180: Services with missing/unavailable dependencies" => [ > "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE > is missing [jboss.security.security-domain.KeycloakDomain]", > > "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService > is missing [jboss.security.security-domain.KeycloakDomain]", > > "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is > missing [jboss.security.security-domain.KeycloakDomain]" > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > From gedik at salih.xyz Wed Apr 3 09:37:44 2019 From: gedik at salih.xyz (Salih Gedik) Date: Wed, 03 Apr 2019 16:37:44 +0300 Subject: [keycloak-user] Error Adapter requires SSL on logs Message-ID: <7813291554298664@iva5-be053096037b.qloud-c.yandex.net> From ryans at jlab.org Wed Apr 3 09:55:57 2019 From: ryans at jlab.org (Ryan Slominski) Date: Wed, 3 Apr 2019 13:55:57 +0000 Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB In-Reply-To: References: , Message-ID: I have it working now. I had an entry in jboss-web.xml that I had added when trying various theories and I forgot to remove it, and it was preventing deployment: KeycloakDomain I'll work on building the server from scratch to confirm but it appears the solution to set this up is: 1. Copy Eltyron client adapter files into Wildfly 2. Execute jboss-cli.sh -c --file=bin/adapter-elytron-install.cli 3. 
Execute jboss-cli.sh -c --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"

________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 9:16 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Not sure. I need to check this. I'll look at that later this week.

Thank you for your feedback. Will ping you back once I've something to share.

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Wed Apr 3 10:13:46 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 3 Apr 2019 11:13:46 -0300
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
In-Reply-To:
References:
Message-ID:

Nice. That is what I was expecting. In a nutshell, you are basically saying "Please, use the same security domain across these deployments so that I can fetch the security identity".

Thanks again for moving this forward.

On Wed, Apr 3, 2019 at 10:56 AM Ryan Slominski wrote:

> I have it working now. I had an entry in jboss-web.xml that I had added when trying various theories and I forgot to remove it, and it was preventing deployment:
>
> <security-domain>KeycloakDomain</security-domain>
>
> I'll work on building the server from scratch to confirm but it appears the solution to set this up is:
>
> 1. Copy Elytron client adapter files into Wildfly
> 2. Execute jboss-cli.sh -c --file=bin/adapter-elytron-install.cli
> 3.
> Execute jboss-cli.sh -c --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"

From vandana0242 at gmail.com Wed Apr 3 10:33:34 2019
From: vandana0242 at gmail.com (vandana thota)
Date: Wed, 3 Apr 2019 09:33:34 -0500
Subject: [keycloak-user] Need Support
Message-ID:

Hello

Please contact me if anyone can support the below technologies:

1) Puppet
2) Middleware Technologies (Wildfly (jboss), Weblogic, MQ)
3) Bash, Ruby, python scripting,
4) ELK products

Thanks,

From bruno at abstractj.org Wed Apr 3 10:36:59 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Wed, 3 Apr 2019 11:36:59 -0300
Subject: [keycloak-user] Need Support
In-Reply-To:
References:
Message-ID:

This mailing list is used exclusively to discuss topics related with Keycloak.

Please, don't do this.

On Wed, Apr 3, 2019 at 11:33 AM vandana thota wrote:
>
> Hello
>
> Please contact me if anyone can support the below technologies:
>
> 1) Puppet
> 2) Middleware Technologies (Wildfly (jboss), Weblogic, MQ)
> 3) Bash, Ruby, python scripting,
> 4) ELK products
>
> Thanks,
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
- abstractj

From vandana0242 at gmail.com Wed Apr 3 10:38:28 2019
From: vandana0242 at gmail.com (vandana thota)
Date: Wed, 3 Apr 2019 09:38:28 -0500
Subject: [keycloak-user] Need Support
In-Reply-To:
References:
Message-ID:

Ok, no problem.

On Wed, Apr 3, 2019 at 9:37 AM Bruno Oliveira wrote:
> This mailing list is used exclusively to discuss topics related with
> Keycloak.
>
> Please, don't do this.
>
> --
> - abstractj

From ryans at jlab.org Wed Apr 3 11:04:22 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 3 Apr 2019 15:04:22 +0000
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
In-Reply-To:
References: ,
Message-ID:

Thanks for your help Pedro.
I can confirm that after installing a fresh instance of Wildfly 16.0.0.Final and copying the latest Keycloak Elytron client adapter code over the top of the install directory, the only extra step needed besides executing the "jboss-cli --file=adapter-elytron-install.cli" command was the command you originally suggested:

jboss-cli.sh -c --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"

We should probably update the documentation to indicate this as an alternative option to the @SecurityDomain annotation. In fact, it might make sense to actually add this command to the adapter-elytron-install.cli file (and offline version too) so that users don't have to do anything extra. This assumes setting the EJB "other" security-domain to KeycloakDomain is safe to do in the general case, which I assume it is.

________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 10:13 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Nice. That is what I was expecting. In a nutshell, you are basically saying "Please, use the same security domain across these deployments so that I can fetch the security identity".

Thanks again for moving this forward.
________________________________ From: Pedro Igor Silva > Sent: Wednesday, April 3, 2019 7:53 AM To: Ryan Slominski Cc: keycloak-user Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB I found an error in the command that I gave to you. Could try to change the name of the application-security-domain to "KeycloakDomain", instead of "other". If it doesn't work I would prefer to try this out first before opening the JIRA. But I appreciate if you can at least try the change above first. On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski > wrote: Thanks for the idea. Unfortunately it didn't work. I still see: "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"] I am using only local EJBs. I guess I must stick with the legacy Wildfly client adapter. Looks like the JIRA to addresss the EJB propagation issue has been closed. Can we re-open it? See: https://issues.jboss.org/browse/KEYCLOAK-5665 ________________________________ From: Pedro Igor Silva > Sent: Tuesday, April 2, 2019 9:07 PM To: Ryan Slominski Cc: keycloak-user Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB Hi, I guess it is a local EJB ? If so, could you try configuring the EJB subsystem with an application-security-domain as follows: /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain) Regards. On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski > wrote: Has anyone been able to propagate the Keycloak security domain in Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and apply a JBOSS specific annotation (@SecurityDomain) to hundreds of EJBs. I placed the file into WEB-INF with contents: * keycloak I also tried label "KeycloakDomain" instead of "keycloak". 
In either case I get the following error when I attempt to deploy the war file: "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"], "WFLYCTL0180: Services with missing/unavailable dependencies" => [ "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]", "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]", "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]" _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From kkcmadhu at yahoo.com Wed Apr 3 11:09:08 2019 From: kkcmadhu at yahoo.com (Madhu) Date: Wed, 3 Apr 2019 15:09:08 +0000 (UTC) Subject: [keycloak-user] horizontally scaling keycloak cluster using a cluster farm on Cloud (AWS) -> any body tried out such a thing? References: <34865490.14926868.1554304148560.ref@mail.yahoo.com> Message-ID: <34865490.14926868.1554304148560@mail.yahoo.com> Hi All, Inorder to scale keycloak to handle about 2000 to 3000 realms i am thinking of running keycloak in a cluster farm.. something like have one keycloak cluster per 500 tenants? and manage? 5 or 6 such keycloak clusters (a farm). But , i want my end users to be totally unware of this .. they should just be talking to keycloak on single url??something like?https://kecloak-yourserver/auth/realms/realm1/ Internally, i am planning? resolve realm-names to a specific farm.. e.g. realm1 -> keycloakCluster2, realmA-> keycloakCluster1 etc.. Any body out there tried such a thing on? Cloud (AWS) ? if so, please share your experience/pain points.. This will go a long way in helping me scale keycloak horizontally in one of my prod deployments. 
Madhu

From ssilvert at redhat.com  Wed Apr 3 12:18:36 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Wed, 3 Apr 2019 12:18:36 -0400
Subject: [keycloak-user] Need Support

Of course, Red Hat can give you outstanding support for WildFly/JBoss products.

On 4/3/2019 10:33 AM, vandana thota wrote:
> Hello
>
> Please contact me if any one can support below technologies:
>
> 1) Puppet
> 2) Middleware Technologies (Wildfly (jboss), Weblogic, MQ)
> 3) Bash, Ruby, python scripting,
> 4) ELK products
>
> Thanks,

From mizuki0621 at gmail.com  Wed Apr 3 13:25:59 2019
From: mizuki0621 at gmail.com (mizuki)
Date: Wed, 3 Apr 2019 13:25:59 -0400
Subject: [keycloak-user] problem with social identity providers with broker (only google works)

Further debugging logs from keycloak when failing with LinkedIn, while the connection with google.com is successful using the same TLSv1 protocol + Cipher suites.
2019-04-03 13:07:41,444 DEBUG [io.undertow.request] (default I/O-5) Matched prefix path /auth for path /auth/realms/SDCC1/broker/linkedin/endpoint
2019-04-03 13:07:41,445 DEBUG [io.undertow.request.security] (default task-4) Attempting to authenticate /auth/realms/SDCC1/broker/linkedin/endpoint, authentication required: false
2019-04-03 13:07:41,445 DEBUG [io.undertow.request.security] (default task-4) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@11511aa9 for /auth/realms/SDCC1/broker/linkedin/endpoint
2019-04-03 13:07:41,445 DEBUG [io.undertow.request.security] (default task-4) Authentication result was ATTEMPTED for /auth/realms/SDCC1/broker/linkedin/endpoint
2019-04-03 13:07:41,446 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new JtaTransactionWrapper
2019-04-03 13:07:41,446 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was existing? false
2019-04-03 13:07:41,447 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-4) RESTEASY002315: PathInfo: /realms/SDCC1/broker/linkedin/endpoint
2019-04-03 13:07:41,450 DEBUG [org.jboss.resteasy.plugins.validation.i18n] (default task-4) RESTEASY008510: ResteasyCdiExtension is on the classpath.
2019-04-03 13:07:41,453 DEBUG [org.apache.http.client.protocol.RequestAuthCache] (default task-4) Auth cache not set in the context
2019-04-03 13:07:41,454 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (default task-4) Connection request: [route: {s}->https://www.linkedin.com:443][total kept alive: 2; route allocated: 0 of 64; total allocated: 2 of 128]
2019-04-03 13:07:41,454 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (default task-4) Connection leased: [id: 2][route: {s}->https://www.linkedin.com:443][total kept alive: 2; route allocated: 1 of 64; total allocated: 3 of 128]
2019-04-03 13:07:41,454 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-4) Opening connection {s}->https://www.linkedin.com:443
2019-04-03 13:07:41,468 DEBUG [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] (default task-4) Connecting to www.linkedin.com/108.174.11.17:443
2019-04-03 13:07:41,468 DEBUG [org.apache.http.conn.ssl.SSLConnectionSocketFactory] (default task-4) Connecting socket to www.linkedin.com/108.174.11.17:443 with timeout 0
2019-04-03 13:07:41,500 DEBUG [org.apache.http.conn.ssl.SSLConnectionSocketFactory] (default task-4) Enabled protocols: [TLSv1]
2019-04-03 13:07:41,500 DEBUG [org.apache.http.conn.ssl.SSLConnectionSocketFactory] (default task-4) Enabled cipher suites:[TLS_EMPTY_RENEGOTIATION_INFO_SCSV, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_DSS_WITH_AES_128_GCM_SHA256]
*2019-04-03 13:07:41,500 DEBUG [org.apache.http.conn.ssl.SSLConnectionSocketFactory] (default task-4) Starting handshake*
*2019-04-03 13:07:41,544 DEBUG [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] (default task-4) http-outgoing-2: Shutdown connection*
2019-04-03 13:07:41,545 DEBUG [org.apache.http.impl.execchain.MainClientExec] (default task-4) Connection discarded
2019-04-03 13:07:41,545 DEBUG [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (default task-4) Connection released: [id: 2][route: {s}->https://www.linkedin.com:443][total kept alive: 2; route allocated: 0 of 64; total allocated: 2 of 128]
2019-04-03 13:07:41,545 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-4) Failed to make identity provider oauth callback: javax.net.ssl.SSLException: Received fatal alert: protocol_version
    at com.ibm.jsse2.k.a(k.java:32)
    at com.ibm.jsse2.k.a(k.java:37)
    at com.ibm.jsse2.av.b(av.java:549)
    at com.ibm.jsse2.k.a(k.java:37)
    at com.ibm.jsse2.av.b(av.java:549)
    at com.ibm.jsse2.av.a(av.java:715)
    at com.ibm.jsse2.av.i(av.java:574)
    at com.ibm.jsse2.av.a(av.java:280)
    at com.ibm.jsse2.av.startHandshake(av.java:431)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:199)
    at org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:163)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:155)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:418)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
    at org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$815.00000000811AC040.get(Unknown Source)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)

Mizuki

On Tue, Apr 2, 2019 at 4:33 PM mizuki wrote:
> Just a comment:
> I do not want to unnecessarily complicate the case by involving proxy.
> From the packets flow, it seems like Keycloak started initiating communication with those social providers using TLSv1 (after password was submitted and possibly during code-for-token stage), any reasons triggered this or any work-arounds? Is it because the social providers are using TLSv1?
>
> Cheers.
> Mizuki
>
> On Tue, Apr 2, 2019 at 1:05 PM mizuki wrote:
>
>> Hi,
>>
>> I've verified this problem with keycloak latest version as well as v4.8.x, using broker only works with google, with other social identity providers, all throw the same error 'Unexpected error when authenticating with identity provider' to the browser and in server.log:
>>
>> 10:46:59,838 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2) Failed to make identity provider oauth callback: javax.net.ssl.SSLException: Received fatal alert: protocol_version
>>     at com.ibm.jsse2.k.a(k.java:32)
>>     at com.ibm.jsse2.k.a(k.java:37)
>>     at com.ibm.jsse2.av.b(av.java:549)
>>     at com.ibm.jsse2.av.a(av.java:715)
>>     at com.ibm.jsse2.av.i(av.java:574)
>>     at com.ibm.jsse2.av.a(av.java:280)
>>     at com.ibm.jsse2.av.startHandshake(av.java:431)
>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
>>     at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
>>     at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
>>     at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
>>     at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
>>     at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
>>     at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
>>     at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
>>     at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
>>
>> That happens after the correct credentials being put in. So far, I've tested:
>> - linkedin
>> - facebook
>> - microsoft
>> - github
>>
>> The error almost suggests the error is with incorrect TLS version. To troubleshoot, I sniffed network packets, comparing Google with non-working providers (ex, LinkedIn).
>> Interesting thing found out was that, the keycloak instance is hosted behind a proxy, when authenticating with external providers, all communication shall go through proxy, in google's case it went well and communication was successful, however with Linkedin for example, after username/password successfully authenticated, the backend keycloak instance all of a sudden started to talk to the LinkedIn server itself instead of going through proxy. Of course the communication will fail and error returned.
>>
>> Can anyone advise?
>>
>> PS: keycloak mailing list seems to have trouble with google email, I apologize in advance if the reply is delayed or resent multiple times.
>>
>> Thanks!
>> Mizuki

From luis at luissantos.pt  Wed Apr 3 13:40:56 2019
From: luis at luissantos.pt (Luis Santos)
Date: Wed, 3 Apr 2019 19:40:56 +0200
Subject: [keycloak-user] Preserving IDs while Importing and Exporting

Hi everyone,

I'm currently working on a Keycloak migration/upgrade. We are trying to export (kc 3.x.x) all our realms and users and import them again into a new instance (kc 5.0.0).

Unfortunately, the import process generates new uuids and our existing services break because they rely on the keycloak user ID.

Did anyone come across a similar problem? If yes how did you solve it?

I did some digging and I found a bug (https://issues.jboss.org/browse/KEYCLOAK-4336) referring to a similar problem but it was rejected without any details.

I also found the code that overrides the UUID and I'm planning to change it. Is this approach wrong? I'm not familiar with the code base and maybe these changes will lead me to a dead end.
https://github.com/keycloak/keycloak/blob/a516a795a2147128b4c26bafaba95a8477614aab/services/src/main/java/org/keycloak/partialimport/UsersPartialImport.java#L113

I would be grateful if someone could send me in the right direction.

Kind regards / Mit freundlichen Grüßen
Luis Santos

From vramik at redhat.com  Wed Apr 3 14:15:01 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 3 Apr 2019 20:15:01 +0200
Subject: [keycloak-user] Preserving IDs while Importing and Exporting

Hey Luis,

I believe you should try migration via Automatic Relational Database Migration [1]

[1] https://www.keycloak.org/docs/latest/upgrading/index.html#_migrate_db

On 4/3/19 7:40 PM, Luis Santos wrote:
> Hi everyone,
>
> I'm currently working on a Keycloak migration/upgrade. We are trying to export (kc 3.x.x) all our realms and users and import them again into a new instance (kc 5.0.0).
>
> Unfortunately, the import process generates new uuids and our existing services break because they rely on the keycloak user ID.
>
> Did anyone come across a similar problem? If yes how did you solve it?
>
> I did some digging and I found a bug (https://issues.jboss.org/browse/KEYCLOAK-4336) referring to a similar problem but it was rejected without any details.
>
> I also found the code that overrides the UUID and I'm planning to change it. Is this approach wrong? I'm not familiar with the code base and maybe these changes will lead me to a dead end.
>
> https://github.com/keycloak/keycloak/blob/a516a795a2147128b4c26bafaba95a8477614aab/services/src/main/java/org/keycloak/partialimport/UsersPartialImport.java#L113
>
> I would be grateful if someone could send me in the right direction.
>
> Kind regards / Mit freundlichen Grüßen
> Luis Santos

From luis at luissantos.pt  Wed Apr 3 14:26:12 2019
From: luis at luissantos.pt (Luis Santos)
Date: Wed, 3 Apr 2019 20:26:12 +0200
Subject: [keycloak-user] Preserving IDs while Importing and Exporting

Hi Vlasta,

Thanks for the quick reply. Unfortunately I believe this is not an option for us because we are trying to migrate from MS SQL Server to PostgreSQL. There are several reasons why we want to use PostgreSQL but I don't think they are relevant in this discussion.

I forgot to mention this. Sorry.

On Wed, Apr 3, 2019, 20:15 Vlasta Ramik wrote:
> Hey Luis,
>
> I believe you should try migration via Automatic Relational Database Migration [1]
>
> [1] https://www.keycloak.org/docs/latest/upgrading/index.html#_migrate_db
>
> On 4/3/19 7:40 PM, Luis Santos wrote:
> > Hi everyone,
> >
> > I'm currently working on a Keycloak migration/upgrade. We are trying to export (kc 3.x.x) all our realms and users and import them again into a new instance (kc 5.0.0).
> >
> > Unfortunately, the import process generates new uuids and our existing services break because they rely on the keycloak user ID.
> >
> > Did anyone come across a similar problem? If yes how did you solve it?
> >
> > I did some digging and I found a bug (https://issues.jboss.org/browse/KEYCLOAK-4336) referring to a similar problem but it was rejected without any details.
> >
> > I also found the code that overrides the UUID and I'm planning to change it. Is this approach wrong? I'm not familiar with the code base and maybe these changes will lead me to a dead end.
> > https://github.com/keycloak/keycloak/blob/a516a795a2147128b4c26bafaba95a8477614aab/services/src/main/java/org/keycloak/partialimport/UsersPartialImport.java#L113
> >
> > I would be grateful if someone could send me in the right direction.
> >
> > Kind regards / Mit freundlichen Grüßen
> > Luis Santos

From psilva at redhat.com  Wed Apr 3 15:43:04 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 3 Apr 2019 16:43:04 -0300
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Thanks, Ryan.

I think this specific configuration is covered in Elytron/Wildfly docs already. As well as how to propagate identities to remote EJBs (which is a bit more complex to set up).

In regards to adding the command to the CLI scripts, although it seems a good OOTB config we don't see much demand from the community. However, you can still open a JIRA if you like and ask people to rank it.

On Wed, Apr 3, 2019 at 12:04 PM Ryan Slominski wrote:
> Thanks for your help Pedro.
>
> I can confirm that after installing a fresh instance of Wildfly 16.0.0.Final and copying the latest Keycloak Elytron client adapter code over top the install directory the only extra step needed besides executing the "jboss-cli --file=adapter-elytron-install.cli" command was the command you originally suggested:
>
> jboss-cli.sh -c --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"
>
> We should probably update the documentation to indicate this as an alternative option to the @SecurityDomain annotation. In fact, it might make sense to actually add this command to the adapter-elytron-install.cli file (and offline version too) so that users don't have to do anything extra.
This assumes setting the EJB other security-domain to > KeycloakDomain is safe to do in the general case, which I assume it is. > ------------------------------ > *From:* Pedro Igor Silva > *Sent:* Wednesday, April 3, 2019 10:13 AM > *To:* Ryan Slominski > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate > security domain to EJB > > Nice. That is what I was expecting. In a nutshell, you are basically > saying "Please, use the same security domain across these deployments so > that I can fetch the security identity". > > Thanks again for moving this forward. > > On Wed, Apr 3, 2019 at 10:56 AM Ryan Slominski wrote: > > I have it working now. I had an entry in jboss-web.xml that I had added > when trying various theories and I forgot to remove it, and it was > preventing deployment: > > KeycloakDomain > > I'll work on building the server from scratch to confirm but it appears > the solution to set this up is: > > > 1. Copy Eltyron client adapter files into Wildfly > 2. Execute jboss-cli.sh -c --file=bin/adapter-elytron-install.cli > 3. Execute jboss-cli.sh -c > --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)" > > ------------------------------ > *From:* Pedro Igor Silva > *Sent:* Wednesday, April 3, 2019 9:16 AM > *To:* Ryan Slominski > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate > security domain to EJB > > Not sure. I need to check this. I'll look at the that later this week. > > Thank you for your feedbacks. Will ping you back once I've something to > share. > > On Wed, Apr 3, 2019 at 10:11 AM Ryan Slominski wrote: > > Thanks for the guidance, but I'm unable to get this working. Here is what > I tried: > > > 1. Logged into Wildfly admin console and navigated to Configuration > > Subsystems > EJB > Security Domain > 1. 
Ensured I only have one entry: "other" and that it's own > "Security Domain" sub-field is "KeycloakDomain" > 2. Navigated to Configuration > Subsystems > Web (Undertow) > Settings > > Application Security Domain > other > 1. Ensured "Security Domain" sub-field is blank (actually tried > with blank and value "KeycloakDomain"; doesn't make a difference) > 3. I deleted the jboss-ejb3.xml file from my web application WEB-INF > directory > > Still seeing the following error on deployment of war file: > > "WFLYCTL0412: Required services that are not installed:" => > ["jboss.security.security-domain.KeycloakDomain"] > > I am using the latest version of Wildfly (16.0.0.Final), so perhaps the > latest Keycloak Elytron client adapter simply doesn't work with this > version of Wildfly? > > > ------------------------------ > *From:* Pedro Igor Silva > *Sent:* Wednesday, April 3, 2019 8:50 AM > *To:* Ryan Slominski > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate > security domain to EJB > > The undertow subsystem already has the "other" application-security-domain > defined as I mentioned before. > > As a last try, try this: > > * /subsystem=ejb3/application-security-domain=other:add(security- > domain=KeycloakDomain) > * Leave the undertow subsystem with the default settings defined by the > elytron adapter CLI scripts > * Remove any reference to "security-domain" from your EJB archives/beans > so that "other" will be the default > > What I'm trying to do is to make both web and ejb layers to use the same > elytron security domain so that you can access the security identity in > both layers. > > If this doesn't work, I'll try to find some code that I think I have > somewhere that is doing this. > > On Wed, Apr 3, 2019 at 9:28 AM Ryan Slominski wrote: > > I'm not familiar with how the Elytron Keycloak client adapter works. > How do I change the application-security-domain in both ejb3 and undertow > subsystems to "other"? 
> > If I try: > > /subsystem=undertow/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain) > > Then I get the following on deploy: > > "{\"WFLYCTL0080: Failed services\" => > {\"jboss.deployment.unit.\\\"staff.war\\\".undertow-deployment\" => > \"java.lang.RuntimeException: java.lang.IllegalStateException: The required > mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, > FORM] from the HttpAuthenticationFactory. > Caused by: java.lang.RuntimeException: > java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not > available in mechanisms [BASIC, CLIENT_CERT, FORM] from the > HttpAuthenticationFactory. > Caused by: java.lang.IllegalStateException: The required mechanism > 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from > the HttpAuthenticationFactory.\"}}" > > > If I try: > > > /subsystem=undertow/application-security-domain=other:add(security-domain=KeycloakDomain) > > The command fails with: > > { > "outcome" => "failed", > "failure-description" => "WFLYCTL0212: Duplicate resource [ > (\"subsystem\" => \"undertow\"), > (\"application-security-domain\" => \"other\") > ]", > "rolled-back" => true > } > ------------------------------ > *From:* Pedro Igor Silva > *Sent:* Wednesday, April 3, 2019 8:15 AM > *To:* Ryan Slominski > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate > security domain to EJB > > This seem to be related with your WAR deployment though. Did you try to > change the application-security-domain in both ejb3 and undertow subsystems > to "other". That way you don't need to specify a security domain as "other" > will be the default. IIRC, when you run the elytron adapter scripts an > "other" application-security-domain is created in the undertow subsystem. 
>
> On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski wrote:
>
> Using the command:
>
> /subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)
>
> Results in a different error upon application deploy:
>
> 08:03:35,017 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "staff.war")]) - failure description: {
> "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]"]
> }
>
> More log context attached.
>
> ------------------------------
> *From:* Pedro Igor Silva
> *Sent:* Wednesday, April 3, 2019 7:53 AM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
>
> I found an error in the command that I gave to you. Could you try to change the name of the application-security-domain to "KeycloakDomain", instead of "other".
>
> If it doesn't work I would prefer to try this out first before opening the JIRA. But I appreciate if you can at least try the change above first.
>
> On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski wrote:
>
> Thanks for the idea. Unfortunately it didn't work. I still see:
>
> "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"]
>
> I am using only local EJBs. I guess I must stick with the legacy Wildfly client adapter. Looks like the JIRA to address the EJB propagation issue has been closed. Can we re-open it?
> > See: https://issues.jboss.org/browse/KEYCLOAK-5665 > > ------------------------------ > *From:* Pedro Igor Silva > *Sent:* Tuesday, April 2, 2019 9:07 PM > *To:* Ryan Slominski > *Cc:* keycloak-user > *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate > security domain to EJB > > Hi, > > I guess it is a local EJB ? If so, could you try configuring the EJB > subsystem with an application-security-domain as follows: > > > /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain) > > Regards. > > On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski wrote: > > Has anyone been able to propagate the Keycloak security domain in Wildfly > Elytron client adapter to EJBs in an application using jboss-ejb3.xml? > Creating a single file that is bundled with the application war seems like > a better solution than importing and apply a JBOSS specific annotation > (@SecurityDomain) to hundreds of EJBs. > > I placed the file into WEB-INF with contents: > > > xmlns="http://java.sun.com/xml/ns/javaee > > " > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance > > " > xmlns:s="urn:security" > xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee > > http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd > > " > version="3.1" impl-version="2.0"> > > > * > keycloak > > > > > I also tried label "KeycloakDomain" instead of "keycloak". 
> In either case I get the following error when I attempt to deploy the war file:
>
> "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
> "WFLYCTL0180: Services with missing/unavailable dependencies" => [
> "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]",
> "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]",
> "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]"
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ryans at jlab.org Wed Apr 3 15:57:53 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 3 Apr 2019 19:57:53 +0000
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
In-Reply-To:
References:
Message-ID:

I'm not able to find the command in the Keycloak documentation. Please link to it if I missed it.

As far as propagating to the EJB tier goes, I only found two places where it is mentioned and they both say use the @SecurityDomain annotation:

1. For OIDC: https://www.keycloak.org/docs/latest/securing_apps/index.html#security-domain
2. For SAML: https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter-2

The SAML document says: "We hope to improve our integration in the future so that you don't have to specify the @SecurityDomain annotation when you want to propagate a keycloak security context to the EJB tier."
I've created a pull request to make this automatic (I don't see why not?): https://github.com/keycloak/keycloak/pull/5977

I've added comments to the original JIRA: https://issues.jboss.org/browse/KEYCLOAK-5665

________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 3:43 PM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Thanks, Ryan.

I think this specific configuration is covered in the Elytron/Wildfly docs already, as well as how to propagate identities to remote EJBs (which is a bit more complex to set up).

In regards to adding the command to the CLI scripts, although it seems a good OOTB config we don't see much demand from the community. However, you can still open a JIRA if you like and ask people to rank it.

On Wed, Apr 3, 2019 at 12:04 PM Ryan Slominski wrote:

Thanks for your help Pedro.

I can confirm that after installing a fresh instance of Wildfly 16.0.0.Final and copying the latest Keycloak Elytron client adapter code over the top of the install directory, the only extra step needed besides executing the "jboss-cli --file=adapter-elytron-install.cli" command was the command you originally suggested:

jboss-cli.sh -c --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"

We should probably update the documentation to indicate this as an alternative option to the @SecurityDomain annotation. In fact, it might make sense to actually add this command to the adapter-elytron-install.cli file (and the offline version too) so that users don't have to do anything extra. This assumes setting the EJB "other" security-domain to KeycloakDomain is safe to do in the general case, which I assume it is.
________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 10:13 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Nice. That is what I was expecting. In a nutshell, you are basically saying "Please, use the same security domain across these deployments so that I can fetch the security identity".

Thanks again for moving this forward.

On Wed, Apr 3, 2019 at 10:56 AM Ryan Slominski wrote:

I have it working now. I had an entry in jboss-web.xml that I had added when trying various theories and I forgot to remove it, and it was preventing deployment:

KeycloakDomain

I'll work on building the server from scratch to confirm but it appears the solution to set this up is:

1. Copy Elytron client adapter files into Wildfly
2. Execute jboss-cli.sh -c --file=bin/adapter-elytron-install.cli
3. Execute jboss-cli.sh -c --command="/subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain)"

________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 9:16 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

Not sure. I need to check this. I'll look at that later this week.

Thank you for your feedback. Will ping you back once I've something to share.

On Wed, Apr 3, 2019 at 10:11 AM Ryan Slominski wrote:

Thanks for the guidance, but I'm unable to get this working. Here is what I tried:

1. Logged into Wildfly admin console and navigated to Configuration > Subsystems > EJB > Security Domain
   * Ensured I only have one entry: "other" and that its own "Security Domain" sub-field is "KeycloakDomain"
2. Navigated to Configuration > Subsystems > Web (Undertow) > Settings > Application Security Domain > other
   * Ensured "Security Domain" sub-field is blank (actually tried with blank and value "KeycloakDomain"; doesn't make a difference)
3.
I deleted the jboss-ejb3.xml file from my web application WEB-INF directory Still seeing the following error on deployment of war file: "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"] I am using the latest version of Wildfly (16.0.0.Final), so perhaps the latest Keycloak Elytron client adapter simply doesn't work with this version of Wildfly? ________________________________ From: Pedro Igor Silva > Sent: Wednesday, April 3, 2019 8:50 AM To: Ryan Slominski Cc: keycloak-user Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB The undertow subsystem already has the "other" application-security-domain defined as I mentioned before. As a last try, try this: * /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain) * Leave the undertow subsystem with the default settings defined by the elytron adapter CLI scripts * Remove any reference to "security-domain" from your EJB archives/beans so that "other" will be the default What I'm trying to do is to make both web and ejb layers to use the same elytron security domain so that you can access the security identity in both layers. If this doesn't work, I'll try to find some code that I think I have somewhere that is doing this. On Wed, Apr 3, 2019 at 9:28 AM Ryan Slominski > wrote: I'm not familiar with how the Elytron Keycloak client adapter works. How do I change the application-security-domain in both ejb3 and undertow subsystems to "other"? If I try: /subsystem=undertow/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain) Then I get the following on deploy: "{\"WFLYCTL0080: Failed services\" => {\"jboss.deployment.unit.\\\"staff.war\\\".undertow-deployment\" => \"java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory. 
Caused by: java.lang.RuntimeException: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory. Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.\"}}" If I try: /subsystem=undertow/application-security-domain=other:add(security-domain=KeycloakDomain) The command fails with: { "outcome" => "failed", "failure-description" => "WFLYCTL0212: Duplicate resource [ (\"subsystem\" => \"undertow\"), (\"application-security-domain\" => \"other\") ]", "rolled-back" => true } ________________________________ From: Pedro Igor Silva > Sent: Wednesday, April 3, 2019 8:15 AM To: Ryan Slominski Cc: keycloak-user Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB This seem to be related with your WAR deployment though. Did you try to change the application-security-domain in both ejb3 and undertow subsystems to "other". That way you don't need to specify a security domain as "other" will be the default. IIRC, when you run the elytron adapter scripts an "other" application-security-domain is created in the undertow subsystem. 
On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski wrote:

Using the command:

/subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain)

Results in a different error upon application deploy:

08:03:35,017 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "staff.war")]) - failure description: {
"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]"]
}

More log context attached.

________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 7:53 AM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

I found an error in the command that I gave to you. Could you try to change the name of the application-security-domain to "KeycloakDomain", instead of "other".

If it doesn't work I would prefer to try this out first before opening the JIRA. But I appreciate if you can at least try the change above first.

On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski wrote:

Thanks for the idea. Unfortunately it didn't work. I still see:

"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"]

I am using only local EJBs. I guess I must stick with the legacy Wildfly client adapter. Looks like the JIRA to address the EJB propagation issue has been closed. Can we re-open it?
See: https://issues.jboss.org/browse/KEYCLOAK-5665 ________________________________ From: Pedro Igor Silva > Sent: Tuesday, April 2, 2019 9:07 PM To: Ryan Slominski Cc: keycloak-user Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB Hi, I guess it is a local EJB ? If so, could you try configuring the EJB subsystem with an application-security-domain as follows: /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain) Regards. On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski > wrote: Has anyone been able to propagate the Keycloak security domain in Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and apply a JBOSS specific annotation (@SecurityDomain) to hundreds of EJBs. I placed the file into WEB-INF with contents: * keycloak I also tried label "KeycloakDomain" instead of "keycloak". 
In either case I get the following error when I attempt to deploy the war file:

"WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"],
"WFLYCTL0180: Services with missing/unavailable dependencies" => [
"jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]",
"jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]",
"jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]"

From psilva at redhat.com Wed Apr 3 16:05:32 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 3 Apr 2019 17:05:32 -0300
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
In-Reply-To:
References:
Message-ID:

I meant in Elytron/Wildfly docs. That JIRA will help so I can try to talk with people here if we can consider it in some future sprint.

On Wed, Apr 3, 2019 at 4:58 PM Ryan Slominski wrote:

> I'm not able to find the command in the Keycloak documentation. Please link to it if I missed it.
>
> As far as propagating to the EJB tier goes, I only found two places where it is mentioned and they both say use the @SecurityDomain annotation:
>
> 1. For OIDC: https://www.keycloak.org/docs/latest/securing_apps/index.html#security-domain
> 2. For SAML: https://www.keycloak.org/docs/latest/securing_apps/index.html#jboss-eap-wildfly-adapter-2
>
> The SAML document says:
>
> "We hope to improve our integration in the future so that you don't have to specify the @SecurityDomain annotation when you want to propagate a keycloak security context to the EJB tier."
From ryans at jlab.org Wed Apr 3 16:17:19 2019
From: ryans at jlab.org (Ryan Slominski)
Date: Wed, 3 Apr 2019 20:17:19 +0000
Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
In-Reply-To:
References:
Message-ID:

OK, great. The "legacy" client adapter already automatically propagates the security context to EJBs (local ones anyway). So from this user's point of view, switching to the shiny new Elytron system was a step backwards. If automatic propagation (to local EJBs) harms no one then I see it as a good enhancement. If rejected, at least I have updated my build notes on how to set it up working again.

________________________________
From: Pedro Igor Silva
Sent: Wednesday, April 3, 2019 4:05 PM
To: Ryan Slominski
Cc: keycloak-user
Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB

I meant in Elytron/Wildfly docs. That JIRA will help so I can try to talk with people here if we can consider it in some future sprint.
Caused by: java.lang.IllegalStateException: The required mechanism 'KEYCLOAK' is not available in mechanisms [BASIC, CLIENT_CERT, FORM] from the HttpAuthenticationFactory.\"}}" If I try: /subsystem=undertow/application-security-domain=other:add(security-domain=KeycloakDomain) The command fails with: { "outcome" => "failed", "failure-description" => "WFLYCTL0212: Duplicate resource [ (\"subsystem\" => \"undertow\"), (\"application-security-domain\" => \"other\") ]", "rolled-back" => true } ________________________________ From: Pedro Igor Silva > Sent: Wednesday, April 3, 2019 8:15 AM To: Ryan Slominski Cc: keycloak-user Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB This seem to be related with your WAR deployment though. Did you try to change the application-security-domain in both ejb3 and undertow subsystems to "other". That way you don't need to specify a security domain as "other" will be the default. IIRC, when you run the elytron adapter scripts an "other" application-security-domain is created in the undertow subsystem. On Wed, Apr 3, 2019 at 9:08 AM Ryan Slominski > wrote: Using the command: /subsystem=ejb3/application-security-domain=KeycloakDomain:add(security-domain=KeycloakDomain) Results in different error upon application deploy: 08:03:35,017 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "staff.war")]) - failure description: { "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"], "WFLYCTL0180: Services with missing/unavailable dependencies" => ["jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]"] } More log context attached. 
________________________________ From: Pedro Igor Silva > Sent: Wednesday, April 3, 2019 7:53 AM To: Ryan Slominski Cc: keycloak-user Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB I found an error in the command that I gave to you. Could try to change the name of the application-security-domain to "KeycloakDomain", instead of "other". If it doesn't work I would prefer to try this out first before opening the JIRA. But I appreciate if you can at least try the change above first. On Wed, Apr 3, 2019 at 8:40 AM Ryan Slominski > wrote: Thanks for the idea. Unfortunately it didn't work. I still see: "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"] I am using only local EJBs. I guess I must stick with the legacy Wildfly client adapter. Looks like the JIRA to addresss the EJB propagation issue has been closed. Can we re-open it? See: https://issues.jboss.org/browse/KEYCLOAK-5665 ________________________________ From: Pedro Igor Silva > Sent: Tuesday, April 2, 2019 9:07 PM To: Ryan Slominski Cc: keycloak-user Subject: Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB Hi, I guess it is a local EJB ? If so, could you try configuring the EJB subsystem with an application-security-domain as follows: /subsystem=ejb3/application-security-domain=other:add(security-domain=KeycloakDomain) Regards. On Tue, Apr 2, 2019 at 6:14 PM Ryan Slominski > wrote: Has anyone been able to propagate the Keycloak security domain in Wildfly Elytron client adapter to EJBs in an application using jboss-ejb3.xml? Creating a single file that is bundled with the application war seems like a better solution than importing and apply a JBOSS specific annotation (@SecurityDomain) to hundreds of EJBs. I placed the file into WEB-INF with contents: * keycloak I also tried label "KeycloakDomain" instead of "keycloak". 
In either case I get the following error when I attempt to deploy the war file: "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.KeycloakDomain"], "WFLYCTL0180: Services with missing/unavailable dependencies" => [ "jboss.deployment.unit.\"staff.war\".component.StaffFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]", "jboss.deployment.unit.\"staff.war\".undertow-deployment.UndertowDeploymentInfoService is missing [jboss.security.security-domain.KeycloakDomain]", "jboss.deployment.unit.\"staff.war\".component.WorkgroupFacade.CREATE is missing [jboss.security.security-domain.KeycloakDomain]" _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Wed Apr 3 16:22:15 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 3 Apr 2019 17:22:15 -0300 Subject: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB In-Reply-To: References: Message-ID: Yeah, you are right. Maybe this is another argument to consider that issue. The legacy is using a JAAS LoginModule which is configured automatically when installing the adapter. On Wed, Apr 3, 2019 at 5:17 PM Ryan Slominski wrote: > OK, great. > > The "legacy" client adapter already automatically propagates the security > context to EJBs (local ones anyways). So from this user's point-of-view > switching to the shiny new Elytron system was a step backwards. If > automatic propagation (to local EJBs) harms no-one then I see it as a good > enhancement. If rejected, at least I have updated my build notes on how to > set it up working again ? 
>
> ------------------------------
> *From:* Pedro Igor Silva
> *Sent:* Wednesday, April 3, 2019 4:05 PM
> *To:* Ryan Slominski
> *Cc:* keycloak-user
> *Subject:* Re: [keycloak-user] Wildfly Elytron client adapter - Propagate security domain to EJB
>
> I meant in the Elytron/Wildfly docs. That JIRA will help so I can try to talk with people here about whether we can consider it in some future sprint.
From leandronunes85 at gmail.com Thu Apr 4 04:39:26 2019
From: leandronunes85 at gmail.com (Leandro Nunes)
Date: Thu, 4 Apr 2019 09:39:26 +0100
Subject: [keycloak-user] Mapping provider user ID to user attribute

Hi Garret, Simon, community,

We were recently trying to achieve something similar but, after trying a similar approach to the one you discuss here, we decided not to use it because even though this seemed to work at first glance, we soon realised that things would quickly get out of sync if the users removed and/or added links after the creation of their accounts.
It seemed odd at the beginning but after giving it some thought it made sense: we were adding an attribute to the user (not to the link), so removing the link won't remove this property (we then wrote an EventListener to circumvent this), but the whole setup seemed very convoluted so we decided to try a different approach: why not extract the "Provider User ID" from the link itself instead of from a User Attribute?

Well, this approach seemed to work quite well. No more problems maintaining mappings from Provider to User Attribute and then from User Attribute to token, and no more out-of-date information that we needed to address.

Is this approach correct? Am I missing an obvious reason not to use this approach (can you see a reason why this may be unsafe or run into problems in the future)?

I've written an SPI that does exactly this: https://github.com/leandronunes85/idp-user-id-token-mapper and I would really appreciate it if someone could take a look and peer-review it :)

Thanks,
Leandro Nunes

From bruno at abstractj.org Thu Apr 4 08:27:11 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 4 Apr 2019 09:27:11 -0300
Subject: [keycloak-user] Keycloak demo
In-Reply-To: <21cdb5d73422e5ad27905533fe1f69cf15e8b462.camel@netknights.it>
References: <21cdb5d73422e5ad27905533fe1f69cf15e8b462.camel@netknights.it>
Message-ID: <20190404122711.GA29478@abstractj.org>

Hi Micha, moving this to the keycloak-user mailing list, because it's the appropriate place for questions like this.

I could not find the link you mentioned, but I suggest you try our quickstarts: https://github.com/keycloak/keycloak-quickstarts/archive/latest.zip

I hope it helps.

On 2019-04-04, Micha Preußer wrote:
> Hey there,
>
> this is not really a development question (not yet), but I think somebody can help me out here.
>
> In the latest (5.0.0) documentation for server development, you have the topic 8.3. Authenticator SPI Walk Through.
> There you can find an example for third auth plugins, but the latest "demo distribution" that contains this example I could find is for version 4.3.0.
>
> Is there any newer version I didn't find, or how can I go on to take a look at this example and deploy it?
>
> Thanks a lot.
> Micha Preußer
>
> _______________________________________________

--
abstractj

From bruno at abstractj.org Thu Apr 4 08:54:27 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 4 Apr 2019 09:54:27 -0300
Subject: [keycloak-user] no nameid leads to npe in SAMLEndpoint.java
Message-ID: <20190404125427.GB29478@abstractj.org>

Hi Manuel, it seems like a bug to me. Is this happening with the latest release? If yes, could you please file a bug providing all the steps to reproduce it?

On 2019-03-19, Manuel Waltschek wrote:
> Hello,
>
> I try to configure a kc-saml idp broker for an external IdP. The logout request from the external idp to the saml broker unfortunately does not contain a NameID and therefore org.keycloak.dom.saml.v2.protocol.LogoutRequestType.getNameID() returns null in org.keycloak.broker.saml.SAMLEndpoint. This leads to a NullPointerException being thrown.
>
> There is a requirement for us to support nameid-format:unspecified, since USERID is delivered via a saml attribute. I configured this in the IdP configuration, but it seems that setting nameid-format to unspecified has no effect (does this also default to persistent?). Am I mixing up these things? Is there a workaround for this issue?
>
> I hope anyone can help me or at least answer me this time. Regards,
>
> Manuel Waltschek BSc.
> +43 660 86655 47
> manuel.waltschek at prisma-solutions.at
> https://www.prisma-solutions.com
>
> PRISMA solutions EDV-Dienstleistungen GmbH
> Klostergasse 18, 2340 Mödling, Austria
> Commercial register: FN 239449 g, Regional Court Wiener Neustadt

--
abstractj

From bruno at abstractj.org Thu Apr 4 08:56:44 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 4 Apr 2019 09:56:44 -0300
Subject: [keycloak-user] Keycloak Gatekeeper + API Key + Service Account
In-Reply-To: <000f01d4de25$e5c64700$b152d500$@lyra-network.com>
References: <000f01d4de25$e5c64700$b152d500$@lyra-network.com>
Message-ID: <20190404125644.GC29478@abstractj.org>

Hi Sylvain, unfortunately that's not possible. Acting as a proxy is out of scope for Gatekeeper.

On 2019-03-19, Sylvain Malnuit wrote:
> Hi,
>
> Using Keycloak, it's possible to declare a client as a service account. The client secret becomes the API key.
>
> In my case, I'm going to generate 10 clients (10 API keys).
>
> I have tried to use Keycloak-gatekeeper to cover this use case, but GK supports only one client.
>
> In my case, my understanding is that I must create 10 instances of GK :(.
>
> Is there a way to associate various clients with one instance of GK (different paths...)?
>
> Thxs for your help.
>
> Regards,
>
> Sylvain

--
abstractj

From sylvain.malnuit at lyra-network.com Thu Apr 4 09:16:25 2019
From: sylvain.malnuit at lyra-network.com (Sylvain Malnuit)
Date: Thu, 4 Apr 2019 15:16:25 +0200 (CEST)
Subject: [keycloak-user] Keycloak Gatekeeper + API Key + Service Account
In-Reply-To: <20190404125644.GC29478@abstractj.org>
References: <000f01d4de25$e5c64700$b152d500$@lyra-network.com> <20190404125644.GC29478@abstractj.org>
Message-ID: <003201d4eae8$9aee7ca0$d0cb75e0$@lyra-network.com>

Hi,

I have found a solution.

In the same realm, you must create a common client "common" for your specific realm. You create a serviceaccount client and override the aud and clientId claims to use common, and the username must be "serviceaccount" (client/Mapper, or Client Templates/Create + Client/Mapper/Inherit Template Mappers).

In the Gatekeeper configuration, you declare the common client for your realm.

The customer gets a token using the secret of serviceaccount (aud=common, clientid=common and username=serviceaccount). It uses it to consume a service protected by Gatekeeper. Gatekeeper will receive this token and compare aud and client with its configuration. Abracadabra!!! It will allow this request and add serviceaccount as the username in the header.

Thanks for spending time to answer.

Bye,

-----Original Message-----
From: Bruno Oliveira [mailto:bruno at abstractj.org]
Sent: Thursday, 4 April 2019 14:57
To: Sylvain Malnuit
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak Gatekeeper + API Key + Service Account
From katariakhyati11 at gmail.com Thu Apr 4 10:17:34 2019
From: katariakhyati11 at gmail.com (Khyati Kataria)
Date: Thu, 4 Apr 2019 10:17:34 -0400
Subject: [keycloak-user] Need guidance on auto login

Hi,

I would like to get some guidance on the following scenario. I have a requirement to skip the keycloak login page by setting up a header using a bearer token. Is this the right approach? Or is there any way I can skip the login page and be able to log in to the customer service console?

Scenario:

1) Create a bearer token by invoking: POST to http:///auth/realms/test/protocol/openid-connect/token/ with post data: grant_type=password&client_id=client&username=admin&password=admin1
   Read the token from the response.
2) Do a GET using new XMLHttpRequest() and setting the header:
   xhr.open("GET", "http:///csc/", true);
   xhr.setRequestHeader('Authorization', 'Bearer ' + token);
   After doing this we can see in the network traces that it actually brings the subscribed ID page, but with this we only do a "static" GET, and we see all cookies are set.
3) Finally, from the page we do a redirect to http://server/csc so the browser really opens the portal (and not just gets the content), but at this stage we get redirected to the Keycloak login form.

I don't want the redirect to the login form; I need guidance on this. Is it possible to have auto login? Or is there any way we can skip the login page?
From hylton.peimer at datos-health.com Thu Apr 4 11:29:42 2019
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Thu, 4 Apr 2019 18:29:42 +0300
Subject: [keycloak-user] Adding alwaysHttps to Hostname SPI in Docker

I'm trying to figure out how to add "alwaysHttps=true" to the Hostname Provider in Keycloak running under Docker. I've tried the following:

1) Modifying the standalone.xml and adding with sed: name=properties.alwaysHttps,value="true"
2) Adding a CLI script to the startup-scripts directory, but this fails since the server isn't running and the connect doesn't happen.
3) Modifying the tools/cli/hostname.cli file and adding: /subsystem=keycloak-server/spi=hostname/provider=fixed:write-attribute(name=properties.alwaysHttps,value="true")

What is the correct approach to adding alwaysHttps when overriding the default Dockerfile?

From mizuki0621 at gmail.com Thu Apr 4 11:42:58 2019
From: mizuki0621 at gmail.com (mizuki)
Date: Thu, 4 Apr 2019 11:42:58 -0400
Subject: [keycloak-user] problem with social identity providers with broker (only google works)

Just want to give a status update regarding the issue: it seems to be related to the particular Java provided by IBM. The regular openjdk java works fine with most social providers.

Cheers.

On Wed, Apr 3, 2019 at 1:25 PM mizuki wrote:
> Further debugging logs from keycloak when it failed with LinkedIn, while the connection with google.com is successful using the same TLSv1 protocol + cipher suites.
> > 2019-04-03 13:07:41,444 DEBUG [io.undertow.request] (default I/O-5) > Matched prefix path /auth for path > /auth/realms/SDCC1/broker/linkedin/endpoint > 2019-04-03 13:07:41,445 DEBUG [io.undertow.request.security] (default > task-4) Attempting to authenticate > /auth/realms/SDCC1/broker/linkedin/endpoint, authentication required: false > 2019-04-03 13:07:41,445 DEBUG [io.undertow.request.security] (default > task-4) Authentication outcome was NOT_ATTEMPTED with method > io.undertow.security.impl.CachedAuthenticatedSessionMechanism at 11511aa9 > for /auth/realms/SDCC1/broker/linkedin/endpoint > 2019-04-03 13:07:41,445 DEBUG [io.undertow.request.security] (default > task-4) Authentication result was ATTEMPTED for > /auth/realms/SDCC1/broker/linkedin/endpoint > 2019-04-03 13:07:41,446 DEBUG > [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) new > JtaTransactionWrapper > 2019-04-03 13:07:41,446 DEBUG > [org.keycloak.transaction.JtaTransactionWrapper] (default task-4) was > existing? false > 2019-04-03 13:07:41,447 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] > (default task-4) RESTEASY002315: PathInfo: > /realms/SDCC1/broker/linkedin/endpoint > 2019-04-03 13:07:41,450 DEBUG [org.jboss.resteasy.plugins.validation.i18n] > (default task-4) RESTEASY008510: ResteasyCdiExtension is on the classpath. 
> 2019-04-03 13:07:41,453 DEBUG > [org.apache.http.client.protocol.RequestAuthCache] (default task-4) Auth > cache not set in the context > 2019-04-03 13:07:41,454 DEBUG > [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (default > task-4) Connection request: [route: {s}->https://www.linkedin.com:443][total > kept alive: 2; route allocated: 0 of 64; total allocated: 2 of 128] > 2019-04-03 13:07:41,454 DEBUG > [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (default > task-4) Connection leased: [id: 2][route: {s}->https://www.linkedin.com:443][total > kept alive: 2; route allocated: 1 of 64; total allocated: 3 of 128] > 2019-04-03 13:07:41,454 DEBUG > [org.apache.http.impl.execchain.MainClientExec] (default task-4) Opening > connection {s}->https://www.linkedin.com:443 > 2019-04-03 13:07:41,468 DEBUG > [org.apache.http.impl.conn.DefaultHttpClientConnectionOperator] (default > task-4) Connecting to www.linkedin.com/108.174.11.17:443 > 2019-04-03 13:07:41,468 DEBUG > [org.apache.http.conn.ssl.SSLConnectionSocketFactory] (default task-4) > Connecting socket to www.linkedin.com/108.174.11.17:443 with timeout 0 > 2019-04-03 13:07:41,500 DEBUG > [org.apache.http.conn.ssl.SSLConnectionSocketFactory] (default task-4) > Enabled protocols: [TLSv1] > 2019-04-03 13:07:41,500 DEBUG > [org.apache.http.conn.ssl.SSLConnectionSocketFactory] (default task-4) > Enabled cipher suites:[TLS_EMPTY_RENEGOTIATION_INFO_SCSV, > SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, > SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_AES_256_CBC_SHA256, > SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, > SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384, SSL_DHE_RSA_WITH_AES_256_CBC_SHA256, > SSL_DHE_DSS_WITH_AES_256_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, > SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_AES_256_CBC_SHA, > SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA, SSL_ECDH_RSA_WITH_AES_256_CBC_SHA, > SSL_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_DSS_WITH_AES_256_CBC_SHA, > 
SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, > SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256, SSL_RSA_WITH_AES_128_CBC_SHA256, > SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, > SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256, SSL_DHE_RSA_WITH_AES_128_CBC_SHA256, > SSL_DHE_DSS_WITH_AES_128_CBC_SHA256, SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, > SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_AES_128_CBC_SHA, > SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA, SSL_ECDH_RSA_WITH_AES_128_CBC_SHA, > SSL_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_DHE_DSS_WITH_AES_128_CBC_SHA, > SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, > SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, > SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384, SSL_RSA_WITH_AES_256_GCM_SHA384, > SSL_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, > SSL_ECDH_RSA_WITH_AES_256_GCM_SHA384, SSL_DHE_DSS_WITH_AES_256_GCM_SHA384, > SSL_DHE_RSA_WITH_AES_256_GCM_SHA384, SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256, > SSL_RSA_WITH_AES_128_GCM_SHA256, SSL_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, > SSL_ECDH_RSA_WITH_AES_128_GCM_SHA256, SSL_DHE_RSA_WITH_AES_128_GCM_SHA256, > SSL_DHE_DSS_WITH_AES_128_GCM_SHA256] > *2019-04-03 13:07:41,500 DEBUG > [org.apache.http.conn.ssl.SSLConnectionSocketFactory] (default task-4) > Starting handshake* > *2019-04-03 13:07:41,544 DEBUG > [org.apache.http.impl.conn.DefaultManagedHttpClientConnection] (default > task-4) http-outgoing-2: Shutdown connection* > 2019-04-03 13:07:41,545 DEBUG > [org.apache.http.impl.execchain.MainClientExec] (default task-4) Connection > discarded > 2019-04-03 13:07:41,545 DEBUG > [org.apache.http.impl.conn.PoolingHttpClientConnectionManager] (default > task-4) Connection released: [id: 2][route: > {s}->https://www.linkedin.com:443][total kept alive: 2; route allocated: > 0 of 64; total allocated: 2 of 128] > 2019-04-03 13:07:41,545 ERROR > [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-4) > Failed to make identity provider oauth callback: > javax.net.ssl.SSLException: Received fatal alert: protocol_version > at 
com.ibm.jsse2.k.a(k.java:32) > at com.ibm.jsse2.k.a(k.java:37) > at com.ibm.jsse2.av.b(av.java:549) > at com.ibm.jsse2.k.a(k.java:37) > at com.ibm.jsse2.av.b(av.java:549) > at com.ibm.jsse2.av.a(av.java:715) > at com.ibm.jsse2.av.i(av.java:574) > at com.ibm.jsse2.av.a(av.java:280) > at com.ibm.jsse2.av.startHandshake(av.java:431) > at > org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) > at > org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) > at > org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) > at > org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) > at > org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) > at > org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) > at > org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) > at > org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) > at > org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) > at > org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) > at > org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) > at > org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:199) > at > org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:163) > at > org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:155) > at > org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:418) > at 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55) > at java.lang.reflect.Method.invoke(Method.java:508) > at > org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) > at > org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399) > at > org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363) > at > org.jboss.resteasy.core.ResourceMethodInvoker$$Lambda$815.00000000811AC040.get(Unknown > Source) > at > org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365) > at > org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) > at > org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) > at > org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439) > > Mizuki > > On Tue, Apr 2, 2019 at 4:33 PM mizuki wrote: > >> Just a comment: >> I do not want to unnecessarily complicate the case by involving proxy. 
>> From the packets flow, it seems like Keycloak started initiating >> communication with those social providers using TLSv1 (after password was >> submitted and possible during code-for-token stage), any reasons triggered >> this or any work-arounds? is it because the social providers are using >> TLSv1? >> >> Cheers. >> Mizuki >> >> >> >> On Tue, Apr 2, 2019 at 1:05 PM mizuki wrote: >> >>> Hi, >>> >>> I've verified this problem with keycloak latest version as well as >>> v4.8.x, using broker only works with google, with other social identify >>> providers, all throws the same error 'Unexpected error when >>> authenticating with identity provider' to the browser and in server.log: >>> >>> 10:46:59,838 ERROR >>> [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-2) >>> Failed to make identity provider oauth callback: >>> javax.net.ssl.SSLException: Received fatal alert: protocol_version >>> at com.ibm.jsse2.k.a(k.java:32) >>> at com.ibm.jsse2.k.a(k.java:37) >>> at com.ibm.jsse2.av.b(av.java:549) >>> at com.ibm.jsse2.av.a(av.java:715) >>> at com.ibm.jsse2.av.i(av.java:574) >>> at com.ibm.jsse2.av.a(av.java:280) >>> at com.ibm.jsse2.av.startHandshake(av.java:431) >>> at >>> org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396) >>> at >>> org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) >>> at >>> org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) >>> at >>> org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) >>> at >>> org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) >>> at >>> org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) >>> at >>> org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) >>> at 
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) >>> at >>> org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) >>> >>> That happens after the correct credentials being put in. So far, I've >>> tested: >>> - linkedin >>> - facebook >>> - microsoft >>> - github >>> >>> The error almost suggest the error is with incorrect TLS version. To >>> troubleshoot, I sniffed network packets, comparing Google with non-working >>> providers (ex, LInkedIn). >>> Interesting thing found out was that, the keycloak instance is hosted >>> behind a proxy, when authenticating with external providers, all >>> communication shall go through proxy, >>> in google's case it went well and communication was successful, however >>> with Linkedin for example, after username/password successfully >>> authenticated, the backend keycloak instance all in sudden start to talk to >>> LinkedIn server itself instead of going through proxy. Of course the >>> communication will fail and error returned. >>> >>> Can anyone advice? >>> >>> PS: keycloak mailing list seems to have trouble with google email, I >>> apologize in advance if the reply is delayed or resent multiple times. >>> >>> Thanks! >>> Mizuki >>> >> From aechols at bfcsaz.com Thu Apr 4 19:02:08 2019 From: aechols at bfcsaz.com (Aaron Echols) Date: Thu, 4 Apr 2019 16:02:08 -0700 Subject: [keycloak-user] Access Forbidden Message-ID: Hello All, I was running 4.1.0.Final and decided to upgrade this week to 4.8.3.Final. I'm running into an issue where we set a group up with the `manage-users` Role Mapping. In 4.1.0.Final, the members of said group were able to login and reset passwords for users successfully in the realm they are in. Now when they attempt to access the Security Admin Console under Applications in their profile, they get the following message on the user side: Forbidden You don't have access to the requested resource. 
All I see in the Events log:

LOGIN
Client: security-admin-console
User:
IP Address:
Details:
  auth_method: openid-connect
  auth_type: code
  response_type: code
  redirect_uri: /auth/admin/realm/console/
  consent: no_consent_required
  code_id:
  response_mode: fragment
  username:

CODE_TO_TOKEN
Client: security-admin-console
User:
Details:
  token_id:
  grant_type: authorization_code
  refresh_token_type: refresh
  scope: openid
  refresh_token_id:
  code_id:
  client_auth_method: client-secret

I've verified that they have the proper roles assigned. Why isn't this working now, and does anyone have any help to be able to troubleshoot?

Thanks in advance for any help or recommendations. :)
--
*Aaron Echols*

From aechols at bfcsaz.com Thu Apr 4 19:19:15 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Thu, 4 Apr 2019 16:19:15 -0700
Subject: [keycloak-user] Access Forbidden

Ok, so further testing shows:

Assigning the `manage-users` Role doesn't work; assigning the `manage-realm` role does allow them to login to the Security Console, and applying the `manage-users` role lets them reset passwords. This isn't a good solution though, since they get access to settings that they shouldn't be able to access.

Seems like the role got broken during the upgrade possibly. Is there a way to reset or reinstall a role?
--
*Aaron Echols*

On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols wrote:

From spahr at puzzle.ch Fri Apr 5 02:41:39 2019
From: spahr at puzzle.ch (Ramon Spahr)
Date: Fri, 5 Apr 2019 08:41:39 +0200
Subject: [keycloak-user] Keycloak Import/Export and proper exit status.
Message-ID: <0c345c31-5d57-9a3d-3d73-5caaf4fd441c@puzzle.ch>

Hi,

I already searched the documentation, issues and user mailing list with no result.

I'm looking for a way to let the Keycloak import/export properly exit after the work is done, with exit status 0 or non-zero when the command failed. Is this a new feature? Then I will create a feature request.

This is an important feature for us to automate backup, migration and test scenarios in our container environment. Currently we do this by grepping the log output, but this is kind of a workaround and no proper solution.

Regards
Ramon

From hylton.peimer at datos-health.com Fri Apr 5 05:02:02 2019
From: hylton.peimer at datos-health.com (Hylton Peimer)
Date: Fri, 5 Apr 2019 12:02:02 +0300
Subject: [keycloak-user] Older Java Spring client libraries with newer Keycloak server

I'm using keycloak-spring-security-adapter version 4.4.0-Final. This library works perfectly with SpringBoot 1.5.

I've tried to upgrade my Keycloak server to 4.8.3 and also the Spring client libraries to 4.8.3, but there is a problem with redirects. [The actual problem seems connected to reported issues]. The 4.4.0-Final client libraries seem to work with the 4.8.3 Keycloak server.

My question: is it safe to use older client libraries with a newer Keycloak server?

From tdudgeon.ml at gmail.com Fri Apr 5 06:56:12 2019
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Fri, 5 Apr 2019 11:56:12 +0100
Subject: [keycloak-user] obtaining token for CLI when using identity brokering

My scenario:

1. My keycloak realm is set up to manage users with identity brokering (e.g. they login through GitHub etc.)
2. I have a public client in that realm that has a REST API that requires access to be authenticated
3. I want to access that API using curl or another CLI tool, so I need to provide an access token.

If my users were added to Keycloak directly I could get that token like this:

curl --data "grant_type=password&client_id=myclientid&username=user1&password=user1" https:///auth/realms/realmname/protocol/openid-connect/token

But this will not work when using identity brokering. So I was assuming the user could login to keycloak with a browser and then find a token there and copy it. But if I login as a user at this URL https:///auth/realms/realmname/account I get logged in using the identity broker but I can't find a token anywhere.

How do I manage this?

Tim

From rafaelweingartner at gmail.com Fri Apr 5 08:08:38 2019
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Fri, 5 Apr 2019 09:08:38 -0300
Subject: [keycloak-user] Doubts regarding fine grained permission on groups

Hello folks,
Any takers here? It would be very helpful to have feedback regarding the intended design before checking the code to confirm these features.

On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
> Hello Keycloak community,
> We seem to have stumbled across a feature that we do not fully understand (after reading and re-reading, and testing). Could somebody help to clarify the design of this feature?
>
> When enabling fine grained group permissions, we see the option to assign the scope "manage" to users in specific groups. According to our understanding, this scope would allow us to create the "role" of users ("group-admins") to manage (update user information, reset credentials, enable/disable) other users in the same group; users with this "role" would also not be able to see the other users in the realm that are not assigned to the group where they have these special permissions. Therefore, the actions of creating and removing users would still be restricted to the manage-users permission that can be set to "user-managers" in the whole realm.
>
> During our tests, we noticed that the users that receive the "manage" scope permission in a group are able to delete users of the group. Is this the expected behavior? After noticing this, we also thought that they would then be able to create users in the group (if they can remove, why not enable them to create as well?); however, these users are not able to create other users in the group that they have permission to manage (even when assigning the group explicitly to the user being created). Is this a bug?
> Or something that is not completely documented?
>
> --
> Rafael Weingärtner

--
Rafael Weingärtner

From psilva at redhat.com Fri Apr 5 08:45:20 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 5 Apr 2019 09:45:20 -0300
Subject: [keycloak-user] Doubts regarding fine grained permission on groups

Hi Rafael,

Yeah, this is how it was implemented. I understand your point and this is one of the things that we need to review in regards to fine-grained permissions in the admin console.

We have a few open JIRAs that we are looking forward to working on in the future. Could you please file a new JIRA for this problem in particular?

Regards.
Pedro Igor

On Fri, Apr 5, 2019 at 9:28 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:

From rafaelweingartner at gmail.com Fri Apr 5 08:47:58 2019
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Fri, 5 Apr 2019 09:47:58 -0300
Subject: [keycloak-user] Doubts regarding fine grained permission on groups

Thanks for the feedback Pedro!
Sure, I will do that. However, just to make sure I understood: the ability to delete user accounts for the "group admin" users is considered a bug, and will be removed/addressed in the upcoming release. Is that correct?

On Fri, Apr 5, 2019 at 9:45 AM Pedro Igor Silva wrote:

--
Rafael Weingärtner

From psilva at redhat.com Fri Apr 5 08:59:06 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 5 Apr 2019 09:59:06 -0300
Subject: [keycloak-user] horizontally scaling keycloak cluster using a cluster farm on Cloud (AWS) -> any body tried out such a thing?
In-Reply-To: <34865490.14926868.1554304148560@mail.yahoo.com>
References: <34865490.14926868.1554304148560.ref@mail.yahoo.com> <34865490.14926868.1554304148560@mail.yahoo.com>

I don't. But I'm interested to discuss how you could achieve this.

* Are you using kubernetes?
* Does each cluster have its own database?

On Wed, Apr 3, 2019 at 12:11 PM Madhu wrote:
> Hi All,
>
> In order to scale keycloak to handle about 2000 to 3000 realms I am thinking of running keycloak in a cluster farm.. something like having one keycloak cluster per 500 tenants and managing 5 or 6 such keycloak clusters (a farm).
> But, I want my end users to be totally unaware of this.. they should just be talking to keycloak on a single url, something like https://kecloak-yourserver/auth/realms/realm1/
> Internally, I am planning to resolve realm-names to a specific farm.. e.g. realm1 -> keycloakCluster2, realmA -> keycloakCluster1 etc..
>
> Anybody out there tried such a thing on Cloud (AWS)?
> If so, please share your experience/pain points..
> This will go a long way in helping me scale keycloak horizontally in one of my prod deployments.
> Madhu > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From psilva at redhat.com Fri Apr 5 09:15:19 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 5 Apr 2019 10:15:19 -0300 Subject: [keycloak-user] Doubts regarding fine grained permission on groups In-Reply-To: References: Message-ID: That is some to discuss. Right now, I think that group admins can delete *and* create users. IIRC, the issue here is that the "create" button is only shown if you have the "manage-users" role which conflicts with the permissioning model provided by the fine-grained admin permissions. On Fri, Apr 5, 2019 at 9:48 AM Rafael Weing?rtner < rafaelweingartner at gmail.com> wrote: > Thanks for the feedback Pedro! > Sure, I will do that. However, just to make sure I understood. The ability > to delete users accounts for the "group admin" users is considered a bug, > and will be removed/addressed in the upcoming release. Is that correct? > > On Fri, Apr 5, 2019 at 9:45 AM Pedro Igor Silva wrote: > >> Hi Rafael, >> >> Yeah, this is how it was implement. I understand your point and this is >> one of the things that we need to review in regards to fine-grained >> permissions in admin console. >> >> We have a few open JIRAs that we are looking forward to work in the >> future. Could you please file a new JIRA for this problem in particular ? >> >> Regards. >> Pedro Igor >> >> >> On Fri, Apr 5, 2019 at 9:28 AM Rafael Weing?rtner < >> rafaelweingartner at gmail.com> wrote: >> >>> Hello volks, >>> Any takers here? it would be very helpful to have feedback regarding the >>> intended design before checking the code to confirm these features. 
>>> >>> On Wed, Apr 3, 2019 at 9:49 AM Rafael Weing?rtner < >>> rafaelweingartner at gmail.com> wrote: >>> >>> > Hello Keycloak community, >>> > We seem to have stumbled across a feature that we do not fully >>> understand >>> > (after reading and re-reading, and testing). Could somebody help to >>> clarify >>> > the design of this feature? >>> > >>> > When enabling fine grained group permissions, we see the option to >>> assign >>> > the scope "manage" to users in specific groups. According to our >>> > understand, this scope would allow us to create the "role" of users >>> > ("group-admins") to manage (update user information, reset credentials, >>> > enable/disable) other users in the same group; users with this "role" >>> would >>> > also not be able to see the other users in the realm that are not >>> assigned >>> > to the group where they have this special permissions. Therefore, the >>> > actions of creating and removing users would still be restricted to the >>> > manage-users permission that can be set to "user-managers" in the whole >>> > realm. >>> > >>> > During our tests, we noticed the the users that receive the "manage" >>> scope >>> > permission in a group are able to delete users of the group. Is this >>> the >>> > expected behavior? After noticing this, we also thought that they would >>> > then be able to create users in the group (if they can remove, why not >>> > enabling them to create as well?); however, these users are not able to >>> > create other users in the group that they have permission to manage >>> (even >>> > when assigning explicitly the group to the user being created). Is >>> this a >>> > bug? Or something that is not completely documented? 
>>> > >>> > -- >>> > Rafael Weing?rtner >>> > >>> >>> >>> -- >>> Rafael Weing?rtner >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> > > -- > Rafael Weing?rtner > From psilva at redhat.com Fri Apr 5 09:16:41 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Fri, 5 Apr 2019 10:16:41 -0300 Subject: [keycloak-user] Access Forbidden In-Reply-To: References: Message-ID: Hi, this was an issue that was fixed in 5.0.0. You are not the first one to query this :) On Thu, Apr 4, 2019 at 8:23 PM Aaron Echols wrote: > Ok, so further testing shows: > > Assigning `manage-users` Role doesn't work, assigning `manage-realm` role > does allow them to login to the Security Console, applying `manage-users` > role lets them reset passwords. This isn't a good solution though, since > they get access to settings that they shouldn't be able to access. > > Seems like the role got broken during the upgrade possibly. Is there a way > to reset or reinstall a role? > -- > *Aaron Echols* > > On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols wrote: > > > Hello All, > > > > I was running 4.1.0.Final and decided to upgrade this week to > 4.8.3.Final. > > I'm running into an issue where we set a group up with the `manage-users` > > Role Mapping. In 4.1.0.Final, the members of said group were able to > login > > and reset passwords for users successfully in the realm they are in. > > > > Now when they attempt to access the Security Admin Console under > > Applications in their profile, they get the following message on the user > > side: > > > > Forbidden > > You don't have access to the requested resource. 
> >
> > All I see in the Events log:
> >
> > LOGIN
> > Client: security-admin-console
> > User:
> > IP Address:
> > Details:
> > auth_method: openid-connect
> > auth_type: code
> > response_type: code
> > redirect_uri: /auth/admin/realm/console/
> > consent: no_consent_required
> > code_id:
> > response_mode: fragment
> > username:
> >
> > CODE_TO_TOKEN
> > Client: security-admin-console
> > User:
> > Details:
> > token_id:
> > grant_type: authorization_code
> > refresh_token_type: refresh
> > scope: openid
> > refresh_token_id:
> > code_id:
> > client_auth_method: client-secret
> >
> > I've verified that they have the proper roles assigned, why isn't this working now and anyone have any help to be able to troubleshoot?
> >
> > Thanks in advance for any help or recommendations. :)
> > --
> > *Aaron Echols*
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From rafaelweingartner at gmail.com Fri Apr 5 09:25:17 2019
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Fri, 5 Apr 2019 10:25:17 -0300
Subject: [keycloak-user] Doubts regarding fine grained permission on groups
In-Reply-To: References: Message-ID:

Thanks for the clarification.

On Fri, Apr 5, 2019 at 10:15 AM Pedro Igor Silva wrote:
> That is something to discuss. Right now, I think that group admins can delete *and* create users. IIRC, the issue here is that the "create" button is only shown if you have the "manage-users" role which conflicts with the permissioning model provided by the fine-grained admin permissions.
>
> On Fri, Apr 5, 2019 at 9:48 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>> Thanks for the feedback Pedro!
>> Sure, I will do that. However, just to make sure I understood.
>> The ability to delete users accounts for the "group admin" users is considered a bug, and will be removed/addressed in the upcoming release. Is that correct?
>>
>> On Fri, Apr 5, 2019 at 9:45 AM Pedro Igor Silva wrote:
>>> Hi Rafael,
>>>
>>> Yeah, this is how it was implemented. I understand your point and this is one of the things that we need to review in regards to fine-grained permissions in admin console.
>>>
>>> We have a few open JIRAs that we are looking forward to work in the future. Could you please file a new JIRA for this problem in particular?
>>>
>>> Regards.
>>> Pedro Igor
>>>
>>> On Fri, Apr 5, 2019 at 9:28 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>>> Hello folks,
>>>> Any takers here? It would be very helpful to have feedback regarding the intended design before checking the code to confirm these features.
>>>>
>>>> On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>>> > Hello Keycloak community,
>>>> > We seem to have stumbled across a feature that we do not fully understand (after reading and re-reading, and testing). Could somebody help to clarify the design of this feature?
>>>> >
>>>> > When enabling fine grained group permissions, we see the option to assign the scope "manage" to users in specific groups. According to our understanding, this scope would allow us to create the "role" of users ("group-admins") to manage (update user information, reset credentials, enable/disable) other users in the same group; users with this "role" would also not be able to see the other users in the realm that are not assigned to the group where they have this special permissions.
>>>> > Therefore, the actions of creating and removing users would still be restricted to the manage-users permission that can be set to "user-managers" in the whole realm.
>>>> >
>>>> > During our tests, we noticed that the users that receive the "manage" scope permission in a group are able to delete users of the group. Is this the expected behavior? After noticing this, we also thought that they would then be able to create users in the group (if they can remove, why not enabling them to create as well?); however, these users are not able to create other users in the group that they have permission to manage (even when assigning explicitly the group to the user being created). Is this a bug? Or something that is not completely documented?
>>>> >
>>>> > --
>>>> > Rafael Weingärtner
>>>>
>>>> --
>>>> Rafael Weingärtner
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>> Rafael Weingärtner

--
Rafael Weingärtner

From rafaelweingartner at gmail.com Fri Apr 5 09:44:12 2019
From: rafaelweingartner at gmail.com (Rafael Weingärtner)
Date: Fri, 5 Apr 2019 10:44:12 -0300
Subject: [keycloak-user] Doubts regarding fine grained permission on groups
In-Reply-To: References: Message-ID:

Jira ticket created: https://issues.jboss.org/browse/KEYCLOAK-10000

On Fri, Apr 5, 2019 at 10:25 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
> Thanks for the clarification.
>
> On Fri, Apr 5, 2019 at 10:15 AM Pedro Igor Silva wrote:
>> That is something to discuss. Right now, I think that group admins can delete *and* create users.
>> IIRC, the issue here is that the "create" button is only shown if you have the "manage-users" role which conflicts with the permissioning model provided by the fine-grained admin permissions.
>>
>> On Fri, Apr 5, 2019 at 9:48 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>> Thanks for the feedback Pedro!
>>> Sure, I will do that. However, just to make sure I understood. The ability to delete users accounts for the "group admin" users is considered a bug, and will be removed/addressed in the upcoming release. Is that correct?
>>>
>>> On Fri, Apr 5, 2019 at 9:45 AM Pedro Igor Silva wrote:
>>>> Hi Rafael,
>>>>
>>>> Yeah, this is how it was implemented. I understand your point and this is one of the things that we need to review in regards to fine-grained permissions in admin console.
>>>>
>>>> We have a few open JIRAs that we are looking forward to work in the future. Could you please file a new JIRA for this problem in particular?
>>>>
>>>> Regards.
>>>> Pedro Igor
>>>>
>>>> On Fri, Apr 5, 2019 at 9:28 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>>>> Hello folks,
>>>>> Any takers here? It would be very helpful to have feedback regarding the intended design before checking the code to confirm these features.
>>>>>
>>>>> On Wed, Apr 3, 2019 at 9:49 AM Rafael Weingärtner <rafaelweingartner at gmail.com> wrote:
>>>>> > Hello Keycloak community,
>>>>> > We seem to have stumbled across a feature that we do not fully understand (after reading and re-reading, and testing). Could somebody help to clarify the design of this feature?
>>>>> >
>>>>> > When enabling fine grained group permissions, we see the option to assign the scope "manage" to users in specific groups.
>>>>> > According to our understanding, this scope would allow us to create the "role" of users ("group-admins") to manage (update user information, reset credentials, enable/disable) other users in the same group; users with this "role" would also not be able to see the other users in the realm that are not assigned to the group where they have this special permissions. Therefore, the actions of creating and removing users would still be restricted to the manage-users permission that can be set to "user-managers" in the whole realm.
>>>>> >
>>>>> > During our tests, we noticed that the users that receive the "manage" scope permission in a group are able to delete users of the group. Is this the expected behavior? After noticing this, we also thought that they would then be able to create users in the group (if they can remove, why not enabling them to create as well?); however, these users are not able to create other users in the group that they have permission to manage (even when assigning explicitly the group to the user being created). Is this a bug? Or something that is not completely documented?
>>>>> >
>>>>> > --
>>>>> > Rafael Weingärtner
>>>>>
>>>>> --
>>>>> Rafael Weingärtner
>>>>> _______________________________________________
>>>>> keycloak-user mailing list
>>>>> keycloak-user at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>> --
>>> Rafael Weingärtner
>
> --
> Rafael Weingärtner

--
Rafael Weingärtner

From mrestelli at cuebiq.com Fri Apr 5 11:14:01 2019
From: mrestelli at cuebiq.com (Matteo Restelli)
Date: Fri, 5 Apr 2019 17:14:01 +0200
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak
Message-ID:

Hi all,

We're using AWS Cognito as our Identity provider for our platform.
We're trying to use an internal instance of Keycloak, in order to check the possibility to use KC for authorization purposes (this because Keycloak has a wonderful and powerful authorization system that fulfills our needs, and for that I want to say "Thank you very much" :) ).

For this reason we want to use the token exchange feature of Keycloak. More specifically we want to follow this flow:

- User authenticates on AWS Cognito via SRP auth flow (which basically is not a standard OIDC/OAuth2 authentication flow)
- User sends the access token to contact the backend service and, in the middle, this token is translated to an internal one, minted by Keycloak

If we provide the AWS Cognito access token to the token exchange endpoint, with the subject_token_type parameter set to "urn:ietf:params:oauth:token-type:access_token", an error is returned stating that the access token doesn't contain the "openid" scope. Despite this we've tried another way, providing the id token to the token exchange endpoint with the subject_token_type parameter set to "urn:ietf:params:oauth:token-type:id_token", and we discovered that this alternative way works.

So, my questions are:

- Is the "exchange with id token" approach a feasible and good one? Or is it completely a bad approach?
- From an OIDC point of view, can it be a right approach accessing a backend resource from a single page application, using an id token? I've always read that if you want to access a backend resource from a client application, it is better to use the access token, because the id token contains a lot of user information and must be used only by the client application.

Thank you very much,
Matteo

PS: As a side note, I want to clarify that if we follow an authorization code grant flow, or an implicit flow, during the authentication against AWS Cognito, the access token exchange works as expected. So this means that the problem is related to the shape of the token released by Cognito.
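Added example, not taken from Matteo's mail, from Keycloak or from AWS: a small Python helper that inspects the two Cognito tokens, picks the subject_token_type that Keycloak's token exchange will accept (an access token only if its scope contains "openid", otherwise the ID token, which is the fallback described above), and builds the RFC 8693 form for the realm token endpoint. The sample tokens are constructed, unsigned JWTs modelled on the SRP flow and the code flow from the mail; the client ID "backend", the secret, the audience and the identity-provider alias "cognito" are placeholders, not values from the thread.

```python
"""Added example, not taken from the original mail, Keycloak or AWS:
pick the Cognito token that Keycloak's token exchange will accept and build
the RFC 8693 request form for the realm token endpoint.

Assumptions (not in the thread): the tokens below are constructed, unsigned
JWTs used only as sample input; a real caller verifies signatures before
trusting any claim.  Client ID, secret, audience and the identity-provider
alias are placeholders.
"""
import base64
import json
from typing import Dict, Optional, Tuple

# Identifiers from RFC 8693 (OAuth 2.0 Token Exchange).
GRANT_TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
TYPE_ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
TYPE_ID_TOKEN = "urn:ietf:params:oauth:token-type:id_token"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> Dict:
    """Payload of a JWT, decoded without signature verification (inspection only)."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def make_unsigned_jwt(claims: Dict) -> str:
    """Constructed alg=none JWT for sample data; never accept such tokens in production."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


def has_openid_scope(claims: Dict) -> bool:
    """Keycloak refuses an access_token subject whose scope lacks 'openid'."""
    scope = claims.get("scope", "")
    scopes = scope.split() if isinstance(scope, str) else list(scope)
    return "openid" in scopes


def choose_subject_token(access_token: str, id_token: str) -> Tuple[str, str]:
    """Use the access token when Keycloak will take it; otherwise the ID token,
    which is the fallback the poster found works for SRP-issued tokens."""
    if has_openid_scope(jwt_claims(access_token)):
        return access_token, TYPE_ACCESS_TOKEN
    return id_token, TYPE_ID_TOKEN


def build_exchange_form(client_id: str, client_secret: str, subject_token: str,
                        subject_token_type: str, subject_issuer: str,
                        audience: Optional[str] = None) -> Dict[str, str]:
    """Form body for POST /auth/realms/<realm>/protocol/openid-connect/token.
    subject_issuer is the alias of the external IdP configured in Keycloak."""
    form = {
        "grant_type": GRANT_TOKEN_EXCHANGE,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "subject_issuer": subject_issuer,
    }
    if audience:
        form["audience"] = audience  # client whose token we want minted
    return form


# Constructed sample claims modelled on the two Cognito flows in the mail.
SRP_ACCESS = make_unsigned_jwt({"sub": "u-1", "token_use": "access",
                                "scope": "aws.cognito.signin.user.admin",
                                "client_id": "spa"})
SRP_ID = make_unsigned_jwt({"sub": "u-1", "token_use": "id", "aud": "spa",
                            "email": "user@example.com"})
CODE_FLOW_ACCESS = make_unsigned_jwt({"sub": "u-1", "token_use": "access",
                                      "scope": "openid email", "client_id": "spa"})

if __name__ == "__main__":
    token, token_type = choose_subject_token(SRP_ACCESS, SRP_ID)
    print(build_exchange_form("backend", "<secret>", token, token_type,
                              "cognito", audience="backend"))
```

With the SRP-style sample the helper falls back to the ID token, whose aud is the SPA client; with the code-flow sample it sends the access token. In the flow Matteo describes the ID token only ever travels to Keycloak, which mints the internal token the backend validates, so the backend itself never has to accept an ID token.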
--

This email is reserved exclusively for sending and receiving messages inherent to working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly be read by persons other than the subscriber of the box. Confidential information may be contained in this message. If you are not the addressee indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message.

From kkcmadhu at yahoo.com Fri Apr 5 11:41:02 2019
From: kkcmadhu at yahoo.com (Madhu)
Date: Fri, 5 Apr 2019 15:41:02 +0000 (UTC)
Subject: [keycloak-user] horizontally scaling keycloak cluster using a cluster farm on Cloud (AWS) -> any body tried out such a thing?
In-Reply-To: References: <34865490.14926868.1554304148560.ref@mail.yahoo.com> <34865490.14926868.1554304148560@mail.yahoo.com>
Message-ID: <1835093477.16159924.1554478862644@mail.yahoo.com>

Thanks for showing interest Pedro.

* No, not on k8s yet, but may soon do that (in a couple of months' time).
* Yes, that's it: have each cluster have its own keycloak db (mysql) (and jdbc_ping) for each cluster, maybe separate each farm by a security group so that there is no cross talk on (7600, jdbc ping ports).
* I am thinking of having a forward proxy with rewrite urls (farm specific url) or enriching the request with a header so that the ALB/load balancer can identify the farm and dispatch the request to keycloak nodes in that cluster farm.
* I am also thinking of having a service registry (simple key-value pair cache/db) to maintain a list of clusters and a mapping of realm to farm so that I will be able to locate the farm for each realm.
* POST realms calls may need special handling which checks the registry first and dispatches the request to one of the farms (whichever has the least number of tenants) so that all farms grow equally.
* I am additionally planning to run these farms with different keycloak versions (farm A could be on keycloak 4.5, farm B on keycloak 5.0); things should not break as long as the APIs are backward compatible and as long as I am posting a request in a format which can be understood by the keycloak farm with the old version, i.e. 4.5 in my case (I use a template for creating tenants); I may have to now maintain multiple templates, one for each version of keycloak..??

Another model I am thinking of is to sidecar each cluster farm and use envoy to route requests to the correct farm..

Either way, one thing which is evident is I need a registry/store where I maintain the mapping of realms-to-farm and rewrite urls / add a header so that the correct farm is resolved and the request gets redirected there.

Another thing to take care of is to ensure that the master realm is consistent across all the 4 farms (i.e. if I add a user to master, I need to ensure that it is replicated across all the 4 farms).. this could be a bit challenging... again I might have to take help of envoy/nginx to multicast that request to each farm :)

Basically.. do things around keycloak, and keep the central piece unaltered...

Let me know if you have any innovative idea here.. eagerly waiting to see what's in store from keycloak-6.. any hints ;)?

Regards,
Madhu

On Friday, 5 April, 2019, 6:29:20 pm IST, Pedro Igor Silva wrote:
> I don't. But I'm interested to discuss how you could achieve this.
>
> * Are you using kubernetes?
> * Does each cluster have its own database?
> On Wed, Apr 3, 2019 at 12:11 PM Madhu wrote:
>> Hi All,
>> In order to scale keycloak to handle about 2000 to 3000 realms I am thinking of running keycloak in a cluster farm.. something like having one keycloak cluster per 500 tenants and managing 5 or 6 such keycloak clusters (a farm). But I want my end users to be totally unaware of this.. they should just be talking to keycloak on a single url, something like https://kecloak-yourserver/auth/realms/realm1/
>> Internally, I am planning to resolve realm-names to a specific farm.. e.g. realm1 -> keycloakCluster2, realmA -> keycloakCluster1 etc..
>> Anybody out there tried such a thing on Cloud (AWS)? If so, please share your experience/pain points.. This will go a long way in helping me scale keycloak horizontally in one of my prod deployments.
>> Madhu
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From aechols at bfcsaz.com Fri Apr 5 12:21:33 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Fri, 5 Apr 2019 09:21:33 -0700
Subject: [keycloak-user] Access Forbidden
In-Reply-To: References: Message-ID:

Alright, I guess I'm doing another upgrade. Thanks. :)
--
*Aaron Echols*

On Fri, Apr 5, 2019 at 6:16 AM Pedro Igor Silva wrote:
> Hi, this was an issue that was fixed in 5.0.0. You are not the first one to query this :)
>
> On Thu, Apr 4, 2019 at 8:23 PM Aaron Echols wrote:
>> Ok, so further testing shows:
>>
>> Assigning `manage-users` Role doesn't work, assigning `manage-realm` role does allow them to login to the Security Console, applying `manage-users` role lets them reset passwords. This isn't a good solution though, since they get access to settings that they shouldn't be able to access.
>>
>> Seems like the role got broken during the upgrade possibly. Is there a way to reset or reinstall a role?
>> --
>> *Aaron Echols*
>>
>> On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols wrote:
>> > Hello All,
>> >
>> > I was running 4.1.0.Final and decided to upgrade this week to 4.8.3.Final. I'm running into an issue where we set a group up with the `manage-users` Role Mapping. In 4.1.0.Final, the members of said group were able to login and reset passwords for users successfully in the realm they are in.
>> >
>> > Now when they attempt to access the Security Admin Console under Applications in their profile, they get the following message on the user side:
>> >
>> > Forbidden
>> > You don't have access to the requested resource.
>> >
>> > All I see in the Events log:
>> >
>> > LOGIN
>> > Client: security-admin-console
>> > User:
>> > IP Address:
>> > Details:
>> > auth_method: openid-connect
>> > auth_type: code
>> > response_type: code
>> > redirect_uri: /auth/admin/realm/console/
>> > consent: no_consent_required
>> > code_id:
>> > response_mode: fragment
>> > username:
>> >
>> > CODE_TO_TOKEN
>> > Client: security-admin-console
>> > User:
>> > Details:
>> > token_id:
>> > grant_type: authorization_code
>> > refresh_token_type: refresh
>> > scope: openid
>> > refresh_token_id:
>> > code_id:
>> > client_auth_method: client-secret
>> >
>> > I've verified that they have the proper roles assigned, why isn't this working now and anyone have any help to be able to troubleshoot?
>> >
>> > Thanks in advance for any help or recommendations.
>> > :)
>> > --
>> > *Aaron Echols*
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From guido_99 at gmx.de Sat Apr 6 04:39:41 2019
From: guido_99 at gmx.de (Guido Wimmel)
Date: Sat, 6 Apr 2019 10:39:41 +0200
Subject: [keycloak-user] Show Username in Admin Events / Login Events
Message-ID: <339f02c8-c80f-4434-323f-f14be4f4c48d@gmx.de>

Hi,

in the Admin Events / Login Events view in the Administration Console in Keycloak, I can see e.g. if users logged in or were assigned to a role. However, the users are only referenced by their id. I can determine the username by constructing a URL (e.g. .../realms//users/ ) and navigating to it. Is there an easier way?

Best regards,
Guido

From mimendo at gmail.com Sat Apr 6 12:00:53 2019
From: mimendo at gmail.com (mimendo)
Date: Sat, 06 Apr 2019 18:00:53 +0200
Subject: [keycloak-user] Keycloak v5 final?
Message-ID:

Hello,

In the documentation page for Keycloak 5.0.0 I see:

"This is a release candidate. The latest final release is 4.8."

I am not sure whether this was mistakenly left there from a pre-release, or actually 5.0.0 is just a release candidate.

In this last case, any news about when a V5 final release is scheduled?

Thank you.

From aechols at bfcsaz.com Sat Apr 6 13:41:23 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Sat, 6 Apr 2019 10:41:23 -0700
Subject: [keycloak-user] Access Forbidden
In-Reply-To: References: Message-ID:

Upgrading to 5.0.0 doesn't resolve the issue. I reduced the roles on the users group to `manage-users` and its members are forbidden access on the Security Admin Console.
--
*Aaron Echols*
Systems Architect (IT)
Benjamin Franklin Charter School | IT
Email: aechols at bfcsaz.com
Phone: (480) 677-8400
Website: http://www.bfcsaz.com
IT Website: https://it.bfcsaz.com
Support Email: techsupport at bfcsaz.com
Support Portal: https://bfcs.freshservice.com/support/home
Common Questions: https://bfcs.freshservice.com/support/solutions
Forgot your password: https://accounts.bfcsaz.com

*CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, copy, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

On Fri, Apr 5, 2019 at 6:16 AM Pedro Igor Silva wrote:
> Hi, this was an issue that was fixed in 5.0.0. You are not the first one to query this :)
>
> On Thu, Apr 4, 2019 at 8:23 PM Aaron Echols wrote:
>> Ok, so further testing shows:
>>
>> Assigning `manage-users` Role doesn't work, assigning `manage-realm` role does allow them to login to the Security Console, applying `manage-users` role lets them reset passwords. This isn't a good solution though, since they get access to settings that they shouldn't be able to access.
>>
>> Seems like the role got broken during the upgrade possibly. Is there a way to reset or reinstall a role?
>> --
>> *Aaron Echols*
>>
>> On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols wrote:
>> > Hello All,
>> >
>> > I was running 4.1.0.Final and decided to upgrade this week to 4.8.3.Final. I'm running into an issue where we set a group up with the `manage-users` Role Mapping. In 4.1.0.Final, the members of said group were able to login and reset passwords for users successfully in the realm they are in.
>> >
>> > Now when they attempt to access the Security Admin Console under Applications in their profile, they get the following message on the user side:
>> >
>> > Forbidden
>> > You don't have access to the requested resource.
>> >
>> > All I see in the Events log:
>> >
>> > LOGIN
>> > Client: security-admin-console
>> > User:
>> > IP Address:
>> > Details:
>> > auth_method: openid-connect
>> > auth_type: code
>> > response_type: code
>> > redirect_uri: /auth/admin/realm/console/
>> > consent: no_consent_required
>> > code_id:
>> > response_mode: fragment
>> > username:
>> >
>> > CODE_TO_TOKEN
>> > Client: security-admin-console
>> > User:
>> > Details:
>> > token_id:
>> > grant_type: authorization_code
>> > refresh_token_type: refresh
>> > scope: openid
>> > refresh_token_id:
>> > code_id:
>> > client_auth_method: client-secret
>> >
>> > I've verified that they have the proper roles assigned, why isn't this working now and anyone have any help to be able to troubleshoot?
>> >
>> > Thanks in advance for any help or recommendations. :)
>> > --
>> > *Aaron Echols*
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From aechols at bfcsaz.com Sat Apr 6 14:06:33 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Sat, 6 Apr 2019 11:06:33 -0700
Subject: [keycloak-user] Access Forbidden
In-Reply-To: References: Message-ID:

So it does work giving the group the following permissions:

- `view-users`
- `manage-users`

Not sure if this is the intended behaviour or not, but it does work. The way it worked previously was just adding `manage-users` and they could do what they needed to. Thanks. :)
--
*Aaron Echols*

On Sat, Apr 6, 2019 at 10:41 AM Aaron Echols wrote:
> Upgrading to 5.0.0 doesn't resolve the issue.
> I reduced the roles on the users group to `manage-users` and its members are forbidden access on the Security Admin Console.
> --
> *Aaron Echols*
> Systems Architect (IT)
> Benjamin Franklin Charter School | IT
> Email: aechols at bfcsaz.com
> Phone: (480) 677-8400
> Website: http://www.bfcsaz.com
> IT Website: https://it.bfcsaz.com
> Support Email: techsupport at bfcsaz.com
> Support Portal: https://bfcs.freshservice.com/support/home
> Common Questions: https://bfcs.freshservice.com/support/solutions
> Forgot your password: https://accounts.bfcsaz.com
>
> *CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, copy, use, disclosure, or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
>
> On Fri, Apr 5, 2019 at 6:16 AM Pedro Igor Silva wrote:
>> Hi, this was an issue that was fixed in 5.0.0. You are not the first one to query this :)
>>
>> On Thu, Apr 4, 2019 at 8:23 PM Aaron Echols wrote:
>>> Ok, so further testing shows:
>>>
>>> Assigning `manage-users` Role doesn't work, assigning `manage-realm` role does allow them to login to the Security Console, applying `manage-users` role lets them reset passwords. This isn't a good solution though, since they get access to settings that they shouldn't be able to access.
>>>
>>> Seems like the role got broken during the upgrade possibly. Is there a way to reset or reinstall a role?
>>> --
>>> *Aaron Echols*
>>>
>>> On Thu, Apr 4, 2019 at 4:02 PM Aaron Echols wrote:
>>> > Hello All,
>>> >
>>> > I was running 4.1.0.Final and decided to upgrade this week to 4.8.3.Final. I'm running into an issue where we set a group up with the `manage-users` Role Mapping.
>>> > In 4.1.0.Final, the members of said group were able to login and reset passwords for users successfully in the realm they are in.
>>> >
>>> > Now when they attempt to access the Security Admin Console under Applications in their profile, they get the following message on the user side:
>>> >
>>> > Forbidden
>>> > You don't have access to the requested resource.
>>> >
>>> > All I see in the Events log:
>>> >
>>> > LOGIN
>>> > Client: security-admin-console
>>> > User:
>>> > IP Address:
>>> > Details:
>>> > auth_method: openid-connect
>>> > auth_type: code
>>> > response_type: code
>>> > redirect_uri: /auth/admin/realm/console/
>>> > consent: no_consent_required
>>> > code_id:
>>> > response_mode: fragment
>>> > username:
>>> >
>>> > CODE_TO_TOKEN
>>> > Client: security-admin-console
>>> > User:
>>> > Details:
>>> > token_id:
>>> > grant_type: authorization_code
>>> > refresh_token_type: refresh
>>> > scope: openid
>>> > refresh_token_id:
>>> > code_id:
>>> > client_auth_method: client-secret
>>> >
>>> > I've verified that they have the proper roles assigned, why isn't this working now and anyone have any help to be able to troubleshoot?
>>> >
>>> > Thanks in advance for any help or recommendations. :)
>>> > --
>>> > *Aaron Echols*
>>>
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ronallevatech at gmail.com Sun Apr 7 22:51:36 2019
From: ronallevatech at gmail.com (Ron Alleva)
Date: Sun, 7 Apr 2019 22:51:36 -0400
Subject: [keycloak-user] Setting NameID to Unspecified
Message-ID:

Hi all,

I'm working with a particular IdP client, and they have requested that I set the NameID field to an attribute on the user that is neither username nor email, and that it must be in the "unspecified" format.
I've been trying a bunch of different configuration options to get it to work, but none seem to do what I need it to do. I know about "saml.persistent.name.id.for.$clientId" on a user, and I've been trying variations on that.

Does anyone have any guidance on how to have an attribute of the user be populated in the NameID field, with a format of "unspecified"?

Thanks,
Ron

From guo.zhming at gmail.com Sun Apr 7 23:44:29 2019
From: guo.zhming at gmail.com (Zhiming Guo)
Date: Mon, 8 Apr 2019 13:44:29 +1000
Subject: [keycloak-user] Best practices for Infrastructure/Configuration as Code
Message-ID:

Hi Keycloak Team,

Thank you so much for making this wonderful project! I'm in the process of adopting it and need some advice.

I'm a believer in Infrastructure as Code (IaC) and configuration as code. So just wondering how I can achieve this properly in Keycloak?

I am aware of and have tried the realm export/import feature. But I found it difficult to maintain/share/develop the realm.json file mainly because there seem to be no documents around its syntax, supported fields etc. And I'm not sure what's the best way to apply the realm.json file using CI/CD: new image containing new realm.json? Or maybe I should focus on using the REST API to achieve IaC?

My apologies for these unorganized questions. Any advice will be appreciated!

Thank you for your time
Ming

From lorenzo.luconi at iit.cnr.it Mon Apr 8 03:00:48 2019
From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi)
Date: Mon, 8 Apr 2019 09:00:48 +0200
Subject: [keycloak-user] Keycloak v5 final?
In-Reply-To: References: Message-ID: <8698A124-4F56-48AD-A859-B87B81C3768A@iit.cnr.it>

http://lists.jboss.org/pipermail/keycloak-user/2019-March/017661.html

Lorenzo

> On 6 Apr 2019, at 18:00, mimendo wrote:
>
> Hello,
>
> In the documentation page for Keycloak 5.0.0 I see:
>
> "This is a release candidate. The latest final release is 4.8."
>
> I am not sure whether this was mistakenly left there from a pre-release, or actually 5.0.0 is just a release candidate.
>
> In this last case, any news about when a V5 final release is scheduled?
>
> Thank you.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From ronallevatech at gmail.com Mon Apr 8 08:03:33 2019
From: ronallevatech at gmail.com (Ron Alleva)
Date: Mon, 8 Apr 2019 08:03:33 -0400
Subject: [keycloak-user] Setting NameID to Unspecified
In-Reply-To: <55b322c286ab424e8245f7d2806c7a99@EXMBX24.SFP-Net.skyfillers.local>
References: <55b322c286ab424e8245f7d2806c7a99@EXMBX24.SFP-Net.skyfillers.local>
Message-ID:

Hi Manuel,

Thanks for replying. That url does help me understand the difference between the different identifier types.

However, the client I'm working with has it set in their IdP that the SAML message sent to it should contain one of the user's attributes (a specific string of numbers, like a special user id) in the NameID field, with a format of unspecified. In Keycloak (at least 4.4 and 5.0, that I checked), there's no option for "unspecified" in the NameID format setting, or a way to remove it altogether to default to unspecified.

Is this something Keycloak can support out of the box? Is it something I can accomplish with a JavaScript protocol mapper, or do I have to code my own mapper for that purpose?

Thanks,
Ron

On Mon, Apr 8, 2019, 05:03 Manuel Waltschek <manuel.waltschek at prisma-solutions.at> wrote:
> Hello Ron,
>
> maybe this url will help you:
> https://stackoverflow.com/questions/11693297/what-are-the-different-nameid-format-used-for
>
> As the answer states, unspecified can be used and it purely depends on the entities' implementation on their own wish. So as I understand you have to send the nameId in some format, but have to decide for one format to send the client on the keycloak side.
> Unspecified often defaults to the implementation specific default settings.
>
> Regards,
>
> Manuel
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On behalf of Ron Alleva
> Sent: Monday, 08 April 2019 04:52
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Setting NameID to Unspecified
>
> Hi all,
>
> I'm working with a particular IdP client, and they have requested that I set the NameID field to an attribute on the user that is neither username nor email, and that it must be in the "unspecified" format.
>
> I've been trying a bunch of different configuration options to get it to work, but none seem to do what I need it to do. I know about "saml.persistent.name.id.for.$clientId" on a user, and I've been trying variations on that.
>
> Does anyone have any guidance on how to have an attribute of the user be populated in the NameID field, with a format of "unspecified"?
>
> Thanks,
> Ron
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From kelsey.rider at ineat-conseil.fr Mon Apr 8 08:38:08 2019
From: kelsey.rider at ineat-conseil.fr (Kelsey RIDER)
Date: Mon, 8 Apr 2019 12:38:08 +0000
Subject: [keycloak-user] Keycloak JS library: iframe redirect when already logged in
Message-ID:

Hello,

I'm working on an SPA that uses keycloak.js to interact with my Keycloak. I initialize the Keycloak object with onload = "check-sso" and checkLoginIFrame enabled.

If I perform the following steps:

* Load my site
* Click my "login" button (call Keycloak.login())
* get redirected to Keycloak's login page, login, get redirected back to my app
* Reload my site

I observe that when the site reloads, it does a quick redirection (the URL briefly changes from mysite.com to mysite.com/#state=... then back to mysite.com).
I would like to avoid having this redirection when I'm already logged in. By debugging the code, I found out why this happens:
* The login-status-iframe.html page is essentially just a wrapper for some static JS to manage a cookie that stores the auth tokens.
* Its main method checkState() is called from keycloak.js during initialization, with no token (sessionState is empty since keycloak.js is not aware of the cookie).
* The login iFrame's code reads the cookie and creates an XHR request to '/login-status-iframe.html/init?...' with the cookie in the request headers.
* When it gets a 204 response (which I take to mean: the cookie is valid, everything's OK), it compares the token (from the cookie) with what it was given from keycloak.js (i.e. nothing).
* Since they are not equal, it responds to the callback with 'changed'.
* This is interpreted in keycloak.js to mean that (the token changed?) and thus it calls doLogin(false), which is where it changes the URL, creating the unwanted redirect.
So my questions are thus:
* Where is the documentation for the API for the call to login-status-iframe.html/init?
* Would it be possible to do something like:
  * Have the login-status-iframe return the token, when the KC server informs it that the token is still valid (e.g. 'update XXXXX' instead of 'changed')
  * keycloak.js would then take this and update its token, without having to call doLogin()
Many thanks, Kelsey Rider From moreno at netguardians.ch Mon Apr 8 10:00:09 2019 From: moreno at netguardians.ch (Kevin Perez Moreno) Date: Mon, 8 Apr 2019 14:00:09 +0000 Subject: [keycloak-user] Client not found error in keycloak Message-ID: Hello, I am currently trying to integrate Celoxis into our SSO provided by keycloak. Celoxis is configured to send SAML requests to our keycloak server.
However, after initiating the SAML exchange I get the following error: * The web UI shows "Unknown login requester" * In keycloak CLI, I can see the following "client_not_found" error: 15:53:03,293 DEBUG [io.undertow.request] (default I/O-2) Matched prefix path /auth for path /auth/realms/Demo/protocol/saml 15:53:03,294 DEBUG [io.undertow.request.security] (default task-2) Attempting to authenticate /auth/realms/Demo/protocol/saml, authentication required: false 15:53:03,294 DEBUG [io.undertow.request.security] (default task-2) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism at 6c2221a0 for /auth/realms/Demo/protocol/saml 15:53:03,294 DEBUG [io.undertow.request.security] (default task-2) Authentication result was ATTEMPTED for /auth/realms/Demo/protocol/saml 15:53:03,294 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) new JtaTransactionWrapper 15:53:03,294 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-2) was existing? false 15:53:03,295 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002315: PathInfo: /realms/Demo/protocol/saml 15:53:03,295 DEBUG [org.keycloak.protocol.saml.SamlService] (default task-2) SAML GET 15:53:03,295 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2) SAML Redirect Binding 15:53:03,295 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2) celoxis.com 15:53:03,296 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-2) Hibernate RegisteredSynchronization successfully registered with JTA platform 15:53:03,296 DEBUG [org.hibernate.SQL] (default task-2) select cliententi0_.ID as col_0_0_ from CLIENT cliententi0_ where cliententi0_.CLIENT_ID=? and cliententi0_.REALM_ID=? 
15:53:03,297 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-2) Initiating JDBC connection release from afterStatement 15:53:03,297 WARN [org.keycloak.events] (default task-2) type=LOGIN_ERROR, realmId=Demo, clientId=celoxis.com, userId=null, ipAddress=10.7.4.12, error=client_not_found It seems that both the client ID and the realm ID are not found by keycloak. I wonder if any of you has experienced this issue before Thank you in advance Kevin From katariakhyati11 at gmail.com Mon Apr 8 10:12:47 2019 From: katariakhyati11 at gmail.com (Khyati Kataria) Date: Mon, 8 Apr 2019 10:12:47 -0400 Subject: [keycloak-user] Need guidance on auto login feature Message-ID: Hi, I would like to get some guidance on the following scenario. I have a requirement to skip the Keycloak login page by setting up a header using a bearer token. Is this the right approach? Or is there any way I can skip the login page and be logged in to the customer service console? Scenario:

1) create a bearer token by invoking POST to http:///auth/realms/test/protocol/openid-connect/token/ with post data grant_type=password&client_id=client&username=admin&password=admin1 and read the token from the response

2) do a GET using new XMLHttpRequest() and set the header:
xhr.open("GET", "http:///csc/", true);
xhr.setRequestHeader('Authorization', 'Bearer ' + token);
after doing this we can see on network traces that it actually brings the subscribed ID page, but with this we only do a "static" GET, and we see all cookies are set

3) finally from the page we do a redirect to http://server/csc so the browser really opens the portal (and not just gets the content), but at this stage we get redirected to the Keycloak login form

I don't want the redirect to the login form; I need guidance on this. Is it possible to have auto login, or is there any way we can skip the login page?
Regards, Khyati From sblanc at redhat.com Mon Apr 8 10:27:49 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Mon, 8 Apr 2019 16:27:49 +0200 Subject: [keycloak-user] Client not found error in keycloak In-Reply-To: References: Message-ID: Hi, The realm is found (Demo) but not the client, are you sure you have a client configured and named "celoxis.com" in your "Demo" realm ? On Mon, Apr 8, 2019 at 4:08 PM Kevin Perez Moreno wrote: > Hello, > > I am currently trying to integrate Celoxis into our SSO provided by > keycloak. Celoxis is configured to send SAML requests to our keycloak > server. However, after initiating the SAML exchange I get the following > error: > > * The web UI shows "Unknown login requester" > * In keycloak CLI, I can see the following "client_not_found" error: > 15:53:03,293 DEBUG [io.undertow.request] (default I/O-2) Matched prefix > path /auth for path /auth/realms/Demo/protocol/saml > 15:53:03,294 DEBUG [io.undertow.request.security] (default task-2) > Attempting to authenticate /auth/realms/Demo/protocol/saml, authentication > required: false > 15:53:03,294 DEBUG [io.undertow.request.security] (default task-2) > Authentication outcome was NOT_ATTEMPTED with method > io.undertow.security.impl.CachedAuthenticatedSessionMechanism at 6c2221a0 > for /auth/realms/Demo/protocol/saml > 15:53:03,294 DEBUG [io.undertow.request.security] (default task-2) > Authentication result was ATTEMPTED for /auth/realms/Demo/protocol/saml > 15:53:03,294 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] > (default task-2) new JtaTransactionWrapper > 15:53:03,294 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] > (default task-2) was existing?
false > 15:53:03,295 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default > task-2) RESTEASY002315: PathInfo: /realms/Demo/protocol/saml > 15:53:03,295 DEBUG [org.keycloak.protocol.saml.SamlService] (default > task-2) SAML GET > 15:53:03,295 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2) > SAML Redirect Binding > 15:53:03,295 DEBUG [org.keycloak.saml.SAMLRequestParser] (default task-2) > xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" > ID="ONELOGIN_c4606c22-dc34-44a9-86c0-b157a90c8691" Version="2.0" > IssueInstant="2019-04-08T13:53:03Z" Destination=" > https://sso.netguardians.ch:64020/auth/realms/Demo/protocol/saml" > ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > AssertionConsumerServiceURL=" > https://app.celoxis.com/psa/person.Login.do?code=netguardians > ">celoxis.com Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" > AllowCreate="true" /> > 15:53:03,296 DEBUG > [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] > (default task-2) Hibernate RegisteredSynchronization successfully > registered with JTA platform > 15:53:03,296 DEBUG [org.hibernate.SQL] (default task-2) > select > cliententi0_.ID as col_0_0_ > from > CLIENT cliententi0_ > where > cliententi0_.CLIENT_ID=? > and cliententi0_.REALM_ID=? > 15:53:03,297 DEBUG > [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] > (default task-2) Initiating JDBC connection release from afterStatement > 15:53:03,297 WARN [org.keycloak.events] (default task-2) > type=LOGIN_ERROR, realmId=Demo, clientId=celoxis.com, userId=null, > ipAddress=10.7.4.12, error=client_not_found > It seems that both the client ID and the realm ID are not found by > keycloak. 
> I wonder if any of you has experienced this issue before > Thank you in advance > > Kevin > From vaslion13 at yahoo.gr Mon Apr 8 09:36:47 2019 From: vaslion13 at yahoo.gr (vasleon) Date: Mon, 8 Apr 2019 15:36:47 +0200 Subject: [keycloak-user] Redirect URI Manipulation Message-ID: <5d32f88f-d1d4-9f9c-ddc4-27478f82e9c2@yahoo.gr> Hello everyone, I am testing the Keycloak server and so far I am impressed by how light it is compared to other solutions of the same kind and how clean and concise the interface of the server is. I would like to use Keycloak as a platform to introduce several vulnerabilities in order to have a live example of a vulnerable OpenID provider. Those of you who do have a good understanding of the structure of Keycloak, do you believe it is a good choice or should I head to something else? For example, if I want to bypass the check of the redirect URI, would that require edits in multiple files? Could someone indicate which files in that case? Thank you for your time Vas From Tony.Harris at oneadvanced.com Mon Apr 8 12:11:35 2019 From: Tony.Harris at oneadvanced.com (Tony Harris) Date: Mon, 8 Apr 2019 16:11:35 +0000 Subject: [keycloak-user] Need guidance on auto login feature In-Reply-To: References: Message-ID: <1d98fd57a52c4f6f8633464c2a19b0b4@SL1ACSEXCMB01.acsresource.com> If you add the header X-Requested-With: XMLHttpRequest then Keycloak will switch into bearer-only mode and not redirect these XMLHttpRequests to the login page when your token expires; instead it will return an HTTP 401 response. You may need to add autoDetectBearerOnly="true" to your keycloak application config json file as well.
-----Original Message----- From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On Behalf Of Khyati Kataria Sent: 08 April 2019 15:13 To: keycloak-user at lists.jboss.org Subject: [keycloak-user] Need guidance on auto login feature Hi, I would like to get some guidance on following scenario. I have a requirement to skip keycloak login page by setting up header using bearer token. Is this a right approach ? or is there any way I can skip login page and be able to logged in customer service console Scenario: 1) create bearer token invoking: POST to http:///auth/realms/test/protocol/openid-connect/token/ with post data: grant_type=password&client_id=client&username=admin&password=admin1 read the token from response 2) do a get using new XMLHttpRequest() and setting the header xhr.open("GET", "http:///csc/", true); xhr.setRequestHeader('Authorization', 'Bearer ' + token); after doing this we can see on network traces that it actually bring the subscribed ID page but with this we do only a "static" get, and we see all cookies are set 3) finally from page we do a redirect to http://server/csc so browser really opens the portal (and not just get the content), but at this stage we get redirected to Keycloak login form I don't want redirect to login form, I need guidance on this. Is this possible to have auto login ? or anyway we can skip login page ? Regards, Khyati From melissa.palmer at gmail.com Mon Apr 8 12:40:07 2019 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Mon, 8 Apr 2019 18:40:07 +0200 Subject: [keycloak-user] keycloak-quickstarts: docker and/or docker-compose?
Message-ID: Hi Are there any docker images and or docker-compose files from Keycloak quickstarts? ie: that setup the Keycloak server (with imported Realm), WildFly server with Keycloak client adapter into it Thanks in Advance Melissa From bruno at abstractj.org Mon Apr 8 13:52:34 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 8 Apr 2019 14:52:34 -0300 Subject: [keycloak-user] keycloak-quickstarts: docker and/or docker-compose? In-Reply-To: References: Message-ID: Hi Melissa, I believe this is what you're looking for https://github.com/jboss-dockerfiles/keycloak I hope it helps. On Mon, Apr 8, 2019 at 1:51 PM Melissa Palmer wrote: > > Hi > > Are there any docker images and or docker-compose files from Keycloak > quickstarts? > > ie: that setup the Keycloak server (with imported Realm), WildFly server > with Keycloak client adapter into it > > Thanks in Advance > Melissa > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- - abstractj From psilva at redhat.com Mon Apr 8 13:55:35 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 8 Apr 2019 14:55:35 -0300 Subject: [keycloak-user] horizontally scaling keycloak cluster using a cluster farm on Cloud (AWS) -> any body tried out such a thing? In-Reply-To: <1835093477.16159924.1554478862644@mail.yahoo.com> References: <34865490.14926868.1554304148560.ref@mail.yahoo.com> <34865490.14926868.1554304148560@mail.yahoo.com> <1835093477.16159924.1554478862644@mail.yahoo.com> Message-ID: On Fri, Apr 5, 2019 at 12:41 PM Madhu wrote: > Thanks for showing interest Pedro. > > * No not on k8s yet, but may soon do that ( in couple of months time). > * Yes thats , to have each cluster have its own keycloak db (mysql) ( and > jdbc_ping) for each cluster, may be separate each farm by a security > group so that there is no cross talks on (7600, jdbc ping ports).. 
> * I am thinking of having a forward proxy with rewrite urls (farm specific > url) or enriching the request with a header so that the ALB/load balancer can > identify the farm and dispatch the request to the keycloak nodes in that > cluster farm. > When you move to k8s I think you could use ingress to dispatch requests to a specific cluster ? > > * I am also thinking of having a service registry (simple key-value pair > cache/db) to maintain a list of clusters and a mapping of realm to farm so > that I will be able to locate the farm for each realm. > * POST realms calls may need special handling which checks the registry > first and dispatches the request to one of the farms (whichever has the least > no of tenants) so that all farms grow equally. > > * I am additionally planning to run these farms with different keycloak > versions (farm A could be on keycloak 4.5, farm B on keycloak 5.0); things > should not break as long as the APIs are backward compatible and as long as > I am posting a request in a format which can be understood by the keycloak farm > with the old version, i.e. 4.5 in my case (I use a template for creating > tenants); I may now have to maintain multiple templates, one for each > version of keycloak.. > > Another model I am thinking of is to sidecar each cluster farm and use > envoy to route requests to the correct farm.. > > > Either way, one thing which is evident is I need a registry/store where I > maintain a mapping of realms-to-farm and rewrite urls / add a header so that the > correct farm is resolved and the request gets redirected there. > > > Another thing to take care of is to ensure that the master realm is > consistent across all the 4 farms (i.e. if I add a user to master, I need > to ensure that it is replicated across all the 4 farms).. this could be a bit > challenging...
again I might have to take help of envoy/nginx to multicast > that request to each farm :) > In addition to adding users, what other configuration might you need to replicate across the master realms of the farms ? Permissions maybe ? > > Basically.. do things around keycloak, and keep the central piece > unaltered... > > Let me know if you have any innovative idea here.. eagerly waiting to see > what's in store from keycloak-6.. any hints ;)? > > Regards, > Madhu > On Friday, 5 April, 2019, 6:29:20 pm IST, Pedro Igor Silva < > psilva at redhat.com> wrote: > > > I don't. But I'm interested to discuss how you could achieve this. > > * Are you using kubernetes ? > * Does each cluster have its own database ? > > On Wed, Apr 3, 2019 at 12:11 PM Madhu wrote: > > Hi All, > > In order to scale keycloak to handle about 2000 to 3000 realms I am > thinking of running keycloak in a cluster farm.. > something like having one keycloak cluster per 500 tenants and managing 5 or > 6 such keycloak clusters (a farm). > But, I want my end users to be totally unaware of this .. they should just > be talking to keycloak on a single url, something like > https://kecloak-yourserver/auth/realms/realm1/ > Internally, I am planning to resolve realm-names to a specific farm.. e.g. > realm1 -> keycloakCluster2, realmA-> keycloakCluster1 etc.. > > Anybody out there tried such a thing on Cloud (AWS) ? > if so, please share your experience/pain points.. > This will go a long way in helping me scale keycloak horizontally in one > of my prod deployments. > Madhu > > From melissa.palmer at gmail.com Mon Apr 8 14:20:56 2019 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Mon, 8 Apr 2019 20:20:56 +0200 Subject: [keycloak-user] keycloak-quickstarts: docker and/or docker-compose?
In-Reply-To: References: Message-ID: Hi Bruno Thanks for that link, but it's not quite what I am looking for. I am looking for a Docker way of getting the keycloak quickstarts running, ie: https://github.com/keycloak/keycloak-quickstarts/ For example, to get https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz running you currently need to get Keycloak and WildFly running, WildFly needs to have the Keycloak adapter client installed and so on... I am looking for a docker image and/or docker-compose file which would start up all of the above for the https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz quickstart. I have started to set something up myself, along the lines of
```
git clone git@github.com:keycloak/keycloak-quickstarts.git
cd keycloak-quickstarts
git checkout tags/4.7.0.Final
cd app-authz-uma-photoz

# Keycloak with the quickstart realm imported; the bind mount needs an absolute host path,
# otherwise docker treats "photoz-realm.json" as a named volume
docker run -d -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 \
  -e KEYCLOAK_IMPORT=/tmp/photoz-realm.json -v "$(pwd)/photoz-realm.json:/tmp/photoz-realm.json" \
  --name kc jboss/keycloak:4.7.0.Final

# WildFly with the Keycloak adapter already installed
docker run -d -p 8081:8080 -p 9991:9990 -it --name wildfly jboss/keycloak-adapter-wildfly:4.7.0.Final
```
But I am wondering if there is already something for this out there; I have not been able to find it myself. Thanks Melissa On Mon, 8 Apr 2019 at 19:53, Bruno Oliveira wrote: > Hi Melissa, I believe this is what you're looking for > https://github.com/jboss-dockerfiles/keycloak > > I hope it helps. > > On Mon, Apr 8, 2019 at 1:51 PM Melissa Palmer > wrote: > > > > Hi > > > > Are there any docker images and or docker-compose files from Keycloak > > quickstarts?
> > > > ie: that setup the Keycloak server (with imported Realm), WildFly server > > with Keycloak client adapter into it > > > > Thanks in Advance > > Melissa > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > -- > - abstractj > From bruno at abstractj.org Mon Apr 8 21:46:47 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Mon, 8 Apr 2019 22:46:47 -0300 Subject: [keycloak-user] keycloak-quickstarts: docker and/or docker-compose? In-Reply-To: References: Message-ID: <20190409014647.GA12882@abstractj.org> Hi Melissa, you are correct. Unfortunately we still don't have a Docker image for the quickstarts. We had this Jira https://issues.jboss.org/browse/KEYCLOAK-6307 to track this. Feel free to reopen if you would like to help on it, we would be more than happy to review a pull-request. On 2019-04-08, Melissa Palmer wrote: > Hi Bruno > > Thanks, for that link but its not quite what I am looking for. > > I am looking for a Docker way of getting the keycloak quickstarts running > ie: > https://github.com/keycloak/keycloak-quickstarts/ > > For example to get the > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz > currently you need to get Keycloak, WildFly running, WildFly needs to have > the Keycloak Adapter client installed and so on... > > I am looking for a docker image and/or docker-compose file which would > start up all of the above for the > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz > quick start. 
> > I have started to set something up myself, along the lines of > ``` > git clone git at github.com:keycloak/keycloak-quickstarts.git > git checkout tags/4.7.0.Final > > cd keycloak-quickstarts/app-authz-uma-photoz > > docker run -d -p 8080:8080 -e KEYCLOAK_USER=admin -e > KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 -e > KEYCLOAK_IMPORT=/tmp/photoz-realm.json -v > photoz-realm.json:/tmp/photoz-realm.json --name kc > jboss/keycloak:4.7.0.Final > > > docker run -d -p 8081:8080 -p 9991:9990 -it --name wildfly > jboss/keycloak-adapter-wildfly:4.7.0.Final > ``` > > But wondering if there is already something for this out there, I have not > been able to find myself. > > Thanks > Melissa > > > On Mon, 8 Apr 2019 at 19:53, Bruno Oliveira wrote: > > > Hi Melissa, I believe this is what you're looking for > > https://github.com/jboss-dockerfiles/keycloak > > > > I hope it helps. > > > > On Mon, Apr 8, 2019 at 1:51 PM Melissa Palmer > > wrote: > > > > > > Hi > > > > > > Are there any docker images and or docker-compose files from Keycloak > > > quickstarts? > > > > > > ie: that setup the Keycloak server (with imported Realm), WildFly server > > > with Keycloak client adapter into it > > > > > > Thanks in Advance > > > Melissa > > > _______________________________________________ > > > keycloak-user mailing list > > > keycloak-user at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > > > > > -- > > - abstractj > > -- abstractj From melissa.palmer at gmail.com Tue Apr 9 00:27:33 2019 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Tue, 9 Apr 2019 06:27:33 +0200 Subject: [keycloak-user] keycloak-quickstarts: docker and/or docker-compose? In-Reply-To: <20190409014647.GA12882@abstractj.org> References: <20190409014647.GA12882@abstractj.org> Message-ID: <29B463CD-2B51-4FEB-AC1D-CBA49D7F1CF1@gmail.com> Thanks Bruno, ok will see what I can do. 
A question on this: with regard to the deployment of the APIs or UIs protected by keycloak (ie: those deployed to the WildFly server). What approach would you be looking for/suggest? - ability to deploy the app to WildFly still via maven command - or that's built into a custom docker image with the WildFly-adapter too? Thanks Melissa > On 09 Apr 2019, at 3:46 AM, Bruno Oliveira wrote: > > Hi Melissa, you are correct. Unfortunately we still don't have a Docker > image for the quickstarts. > > We had this Jira https://issues.jboss.org/browse/KEYCLOAK-6307 to track > this. Feel free to reopen if you would like to help on it, we would be more > than happy to review a pull-request. > >> On 2019-04-08, Melissa Palmer wrote: >> Hi Bruno >> >> Thanks, for that link but its not quite what I am looking for. >> >> I am looking for a Docker way of getting the keycloak quickstarts running >> ie: >> https://github.com/keycloak/keycloak-quickstarts/ >> >> For example to get the >> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz >> currently you need to get Keycloak, WildFly running, WildFly needs to have >> the Keycloak Adapter client installed and so on... >> >> I am looking for a docker image and/or docker-compose file which would >> start up all of the above for the >> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz >> quick start.
>> >> I have started to set something up myself, along the lines of >> ``` >> git clone git at github.com:keycloak/keycloak-quickstarts.git >> git checkout tags/4.7.0.Final >> >> cd keycloak-quickstarts/app-authz-uma-photoz >> >> docker run -d -p 8080:8080 -e KEYCLOAK_USER=admin -e >> KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 -e >> KEYCLOAK_IMPORT=/tmp/photoz-realm.json -v >> photoz-realm.json:/tmp/photoz-realm.json --name kc >> jboss/keycloak:4.7.0.Final >> >> >> docker run -d -p 8081:8080 -p 9991:9990 -it --name wildfly >> jboss/keycloak-adapter-wildfly:4.7.0.Final >> ``` >> >> But wondering if there is already something for this out there, I have not >> been able to find myself. >> >> Thanks >> Melissa >> >> >>> On Mon, 8 Apr 2019 at 19:53, Bruno Oliveira wrote: >>> >>> Hi Melissa, I believe this is what you're looking for >>> https://github.com/jboss-dockerfiles/keycloak >>> >>> I hope it helps. >>> >>> On Mon, Apr 8, 2019 at 1:51 PM Melissa Palmer >>> wrote: >>>> >>>> Hi >>>> >>>> Are there any docker images and or docker-compose files from Keycloak >>>> quickstarts? 
>>>> >>>> ie: that setup the Keycloak server (with imported Realm), WildFly server >>>> with Keycloak client adapter into it >>>> >>>> Thanks in Advance >>>> Melissa >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> >>> >>> -- >>> - abstractj >>> > > -- > > abstractj From triton.oidc at gmail.com Tue Apr 9 05:41:11 2019 From: triton.oidc at gmail.com (triton oidc) Date: Tue, 9 Apr 2019 09:41:11 +0000 Subject: [keycloak-user] Error linking users between realm Message-ID: Hi, in my current scenario, i have an error in linking user between two Keycloak IDP i got two servers in 4.8.3.Final both in debug mode ./jboss-cli.sh --connect --command='/subsystem=logging/root-logger=ROOT:change-root-log-level(level=DEBUG)' ./jboss-cli.sh --connect --command='/subsystem=logging/logger=org.keycloak:write-attribute(name=level,value=DEBUG)' When i try to link a user, i get an error "An internal server error has occurred" after login on the second IDP In the log i see a : WARN [org.keycloak.events] (default task-3) type=LOGIN_ERROR, realmId=RedAirlines, clientId=null, userId=null, ipAddress=172.18.56.212, error=invalid_code Nothing in the log for the second IDP If i reload the webpage, i see the user is linked. However when i try an exchange token scenario, i got a "Not present cache item for key LoginFailureKey [ realmId=RedAirlines. 
userId=XXX" error which I'm pretty sure is related to the linking issue (because the token exchange scenario works when I log in my user using "another realm authentication"). I can paste some more details if it can help. Thanks for any clue, Amaury From calltosenthil at rediffmail.com Tue Apr 9 05:57:42 2019 From: calltosenthil at rediffmail.com (senthil nathan) Date: 9 Apr 2019 09:57:42 -0000 Subject: [keycloak-user] Regarding the exception seen after upgrading the version from 3.4 to 4.5 Message-ID: <20190409095742.11825.qmail@f4mail-235-149.rediffmail.com> Hi All, In our environment we are seeing an exception after upgrading the keycloak server version from 3.4 to 4.5 and enabling the event listener.
2019-04-09 06:25:43,325 ERROR [org.keycloak.services] (default task-6) KC-SERVICES0088: Failed to send execute actions email: org.keycloak.email.EmailException: javax.mail.AuthenticationFailedException: ; nested exception is: javax.mail.MessagingException: Exception reading response; nested exception is: java.net.SocketTimeoutException: Read timed out
at org.keycloak.email.DefaultEmailSenderProvider.send(DefaultEmailSenderProvider.java:145)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:251)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:246)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:237)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.send(FreeMarkerEmailTemplateProvider.java:197)
at org.keycloak.email.freemarker.FreeMarkerEmailTemplateProvider.sendExecuteActions(FreeMarkerEmailTemplateProvider.java:163)
at org.keycloak.services.resources.admin.UserResource.executeActionsEmail(UserResource.java:709)
at org.keycloak.services.resources.admin.UserResource.sendVerifyEmail(UserResource.java:739)
at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2019-04-09 08:41:10,606 WARN [com.arjuna.ats.arjuna] (Transaction Reaper) ARJUNA012117: TransactionReaper::check timeout for TX 0:ffffac1f0dea:2f1df5ed:5cac520e:504 in state RUN
2019-04-09 08:41:10,608 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012095: Abort of action id 0:ffffac1f0dea:2f1df5ed:5cac520e:504 invoked while multiple threads active within it.
2019-04-09 08:41:10,609 WARN [com.arjuna.ats.arjuna] (Transaction Reaper Worker 0) ARJUNA012381: Action id 0:ffffac1f0dea:2f1df5ed:5cac520e:504 completed with multiple threads - thread default task-11 was in progress with
sun.misc.Unsafe.park(Native Method)
java.util.concurrent.locks.LockSupport.park(LockSupport.java:175)
java.util.concurrent.locks.AbstractQueuedSynchronizer$ConditionObject.await(AbstractQueuedSynchronizer.java:2039)
org.apache.http.pool.PoolEntryFuture.await(PoolEntryFuture.java:138)
org.apache.http.pool.AbstractConnPool.getPoolEntryBlocking(AbstractConnPool.java:306)
org.apache.http.pool.AbstractConnPool.access$000(AbstractConnPool.java:64)
org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:192)
org.apache.http.pool.AbstractConnPool$2.getPoolEntry(AbstractConnPool.java:185)
org.apache.http.pool.PoolEntryFuture.get(PoolEntryFuture.java:107)
org.apache.http.impl.conn.PoolingHttpClientConnectionManager.leaseConnection(PoolingHttpClientConnectionManager.java:276)
org.apache.http.impl.conn.PoolingHttpClientConnectionManager$1.get(PoolingHttpClientConnectionManager.java:263)
org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:190)
org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
com.nokia.csf.keycloak.notifications.HTTPJsonNotifier.send(HTTPJsonNotifier.java:42)
com.nokia.csf.keycloak.notifications.URLCallBackNotification.process(URLCallBackNotification.java:47)
com.nokia.csf.keycloak.providers.events.CSFGenericEventListenerProvider.onEvent(CSFGenericEventListenerProvider.java:57)
Regards SPS.Nathan From shiva.prasad.thagadur.prakash at ericsson.com Tue Apr 9 08:11:44 2019 From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash) Date: Tue, 9 Apr 2019 12:11:44 +0000 Subject: [keycloak-user] Few Admin events not getting raised Message-ID: <1554811904.6059.2.camel@ericsson.com> Hi Guys, We see that a few admin events are not getting logged to syslog/logfile: creating a scope, creating a new policy for a client and creating a new permission for a client. Could anyone please help us? Steps to reproduce:

New permission event
1. Create new client, for instance in master realm
2. Set "Authorization Enabled"
3. Go to clients -> clientName -> Authorization -> Permissions - Scope based
4. Create New permission
Failed symptoms: no events generated.

New policy event
1. Create new client, for instance in master realm
2. Set "Authorization Enabled"
3. Go to clients -> clientName -> Authorization -> Policies -> Create Policy -> Role
4. Create New policy
Failed symptoms: no events generated.

New scope event
1. Create new client, for instance in master realm
2. Set "Authorization Enabled"
3. Go to clients -> clientName -> Authorization -> Authorization Scopes
4. Create New scope event_scope
Failed symptoms: no events generated.
Thanks & regards,
Shiva

From csnyder at iland.com Tue Apr 9 10:01:25 2019
From: csnyder at iland.com (Cory Snyder)
Date: Tue, 9 Apr 2019 10:01:25 -0400
Subject: [keycloak-user] Upgrading from 1.9.8.Final to 4.8.3.Final
Message-ID: <7180730A-1FAA-4BE4-94C7-79E5ECDB5FA9@iland.com>

Hi all,

We're currently running Keycloak version 1.9.8.Final and are now investigating the upgrade path to 4.8.3.Final. The question is, can we upgrade to 4.8.3.Final directly or do you advise proceeding one major version at a time?

Thanks for your time!

Cory

From aechols at bfcsaz.com Tue Apr 9 13:26:04 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Tue, 9 Apr 2019 10:26:04 -0700
Subject: [keycloak-user] Keycloak and Clever
Message-ID:

Hi All,

I'm in k12edu and have been working on implementing Clever. I've successfully setup and configured Clever as a SP in Keycloak using the Active Directory Authentication login method. I wanted to share it here, in case there are others that would like to use it.

Also, it might be useful to have a wiki in the Keycloak documentation for users to contribute how-to articles on configuring services with Keycloak. Please consider this. I'd gladly contribute my Clever and Google configurations there.

I'm not sure how this is going to format, hopefully, it doesn't get too botched. :)

Create new client

- Go to the Clients page under the {your} realm.
- Click: Create
- Download federation metadata: https://clever.com/oauth/saml/metadata.xml
- Click: Select file
- Browse to the metadata.xml downloaded in the previous step
- Click: Save
- Set the following options:

  Setting                                      Flag/Option/String
  Name                                         {Give it a user facing name}
  Enabled                                      ON
  Include AuthnStatement                       ON
  Sign Documents                               ON
  Sign Assertions                              ON
  Signature Algorithm                          RSA_SHA256
  SAML Signature Key Name                      KEY_ID
  Canonicalization Method                      EXCLUSIVE
  Encrypt Assertions                           ON
  Client Signature Required                    OFF
  Force POST Binding                           ON
  Front Channel Logout                         ON
  Force Name ID Format                         ON
  Name ID Format                               email
  Valid Redirect URIs                          https://clever.com/oauth/saml/assert
  Base URL                                     /auth/realms/{realm}/protocol/saml/clients/clever&RelayState=true
  IDP Initiated SSO URL Name                   clever
  Assertion Consumer Service POST Binding URL  https://clever.com/oauth/saml/assert
  Logout Service POST Binding URL              https://clever.com/oauth/saml/assert

Create Mapper(s)

- Go to: Clients > https://clever.com/oauth/saml/metadata.xml > Edit > Mappers > Create
- Set the following options:

  Setting                     Flag/Option/String
  Name                        clever.any.email
  Mapper Type                 User Property
  Property                    email
  Friendly Name               Email
  SAML Attribute Name         clever.any.email
  SAML Attribute NameFormat

  Setting                     Flag/Option/String
  Name                        clever.any.sis_id
  Mapper Type                 User Property
  Property                    username
  Friendly Name               Username
  SAML Attribute Name         clever.any.sis_id
  SAML Attribute NameFormat

Import Custom idP Metadata

- Login to https://clever.com/in/
- Go to: Portal > SSO Settings > Add Login Method > Active Directory Authentication
- Click: or upload metadata file instead (not recommended)
- Download and modify the Auth Mellon idp-metadata.xml file from your clever client in Keycloak and add the missing information below:

  urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress {kID} {cert}

- Click the cloud symbol with an up arrow through it to upload the idp-metadata.xml you created.
- Click: Save
- You should see a message in green saying: Your settings have been saved

References
https://support.clever.com/hc/en-us/articles/218050687-Single-sign-on-SSO-with-a-custom-SAML-connection
https://support.clever.com/hc/en-us/articles/215176617

--
*Aaron Echols*

From aechols at bfcsaz.com Tue Apr 9 14:17:19 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Tue, 9 Apr 2019 11:17:19 -0700
Subject: [keycloak-user] Setting NameID to Unspecified
In-Reply-To:
References: <55b322c286ab424e8245f7d2806c7a99@EXMBX24.SFP-Net.skyfillers.local>
Message-ID:

Wouldn't you just need to add a mapper under your client to map to username, then set SAML Attribute NameFormat to unspecified there? Maybe I'm wrong, but that seems like the correct way to do this per client.
--
Aaron Echols

On Mon, Apr 8, 2019 at 5:07 AM Ron Alleva wrote:
> Hi Manuel,
>
> Thanks for replying. That url does help me understand the difference between the different identifier types.
>
> However, the client I'm working with has it set in their IdP that the SAML message sent to it should contain one of the user's attributes (specific string of numbers, like a special user id) in the NameID field, with a format of unspecified. In Keycloak (at least 4.4 and 5.0, that I checked), there's no option for "unspecified" in the NameID format setting, or a way to remove it altogether to default to unspecified.
>
> Is this something Keycloak can support out of the box? Is it something I can accomplish with a JavaScript protocol mapper, or do I have to code my own mapper for that purpose?
>
> Thanks,
>
> Ron
>
> On Mon, Apr 8, 2019, 05:03 Manuel Waltschek <manuel.waltschek at prisma-solutions.at> wrote:
>
> > Hello Ron,
> >
> > maybe this url will help you:
> > https://stackoverflow.com/questions/11693297/what-are-the-different-nameid-format-used-for
> >
> > As the answer states unspecified can be used and it purely depends on the entities implementation on their own wish. So as I understand you have to send the nameId in some format, but have to decide for one format to send the client on keycloak site. Unspecified often defaults to the implementation specific default settings.
> >
> > Regards,
> >
> > Manuel
> >
> > -----Original Message-----
> > From: keycloak-user-bounces at lists.jboss.org <keycloak-user-bounces at lists.jboss.org> On Behalf Of Ron Alleva
> > Sent: Monday, 08 April 2019 04:52
> > To: keycloak-user at lists.jboss.org
> > Subject: [keycloak-user] Setting NameID to Unspecified
> >
> > Hi all,
> >
> > I'm working with a particular IdP client, and they have requested that I set the NameID field to an attribute on the user that is neither username nor email, and that it must be in the "unspecified" format.
> >
> > I've been trying a bunch of different configuration options to get it to work, but none seem to do what I need it to do. I know about "saml.persistent.name.id.for.$clientId" on a user, and I've been trying variations on that.
> >
> > Does anyone have any guidance on how to have an attribute of the user be populated in the NameID field, with a format of "unspecified"?
> >
> > Thanks,
> > Ron
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From jdennis at redhat.com Tue Apr 9 16:05:46 2019
From: jdennis at redhat.com (John Dennis)
Date: Tue, 9 Apr 2019 16:05:46 -0400
Subject: [keycloak-user] Setting NameID to Unspecified
In-Reply-To:
References: <55b322c286ab424e8245f7d2806c7a99@EXMBX24.SFP-Net.skyfillers.local>
Message-ID:

There is a bit of misinformation floating around this thread, hopefully I can clarify a few things.
The SAML spec defines the following NameIDFormats:

  unspecified
  emailAddress
  X509SubjectName
  WindowsDomainQualifiedName
  kerberos
  entity
  persistent
  transient

NOTE: there are some extension formats defined outside the SAML core spec, for example: eduPersonTargetedID

If you want to know what each of these mean refer to the saml-core 2.0 specification.

The spec defines unspecified as: "The interpretation of the content of the element is left to individual implementations." But note this means both the relying party (e.g. SP) and the assertion provider (e.g. IdP, Keycloak) must agree. There would have to be mechanisms in place for Keycloak to extract a certain value on a per client (relying party) basis when the format is unspecified. To the best of my knowledge there is no such mechanism in Keycloak (yet).

Out of the above list Keycloak supports the following NameIDFormats:

  unspecified
  emailAddress
  persistent
  transient

With unspecified or an unsupported format Keycloak returns the user's username.

IMPORTANT: nameID's are NOT the same as attributes!

IMPORTANT: Traditionally relying parties that need a specific subject identifier are supposed to either extract that from one of the returned attributes or synthesize it from one or more of the returned attributes. This is where Keycloak's attribute mappers come into play. You can configure what attributes to return to facilitate this. But remember attributes != nameID and it's the client's job to do this.

IMPORTANT: Abusing SAML's nameID is a common problem usually born out of a misunderstanding of SAML concepts. The usual recommendation is to fix non-compliant implementations rather than introduce hacks to accommodate them.

Note: The Shibboleth IdP has support for per relying party custom nameID generation (to the best of my knowledge Keycloak has nothing like this). This is described here:

https://wiki.shibboleth.net/confluence/display/IDP30/CustomNameIDGenerationConfiguration

But please note the section on the use of the unspecified format where it says: "We strongly urge deployers to avoid the use of this Format when possible. Note that in many cases when vendors claim to "require" its use, what they really mean (aside from "we're not interested in supporting SAML properly") is that they don't care what Format you use."

You might also find this Shibboleth wiki entry on NameID useful:

https://wiki.shibboleth.net/confluence/display/CONCEPT/NameIdentifiers

FINALLY: NameID's in SAML have been a long standing source of pain, there is an effort to replace this part of SAML with a better mechanism, see this RFC:

http://docs.oasis-open.org/security/saml-subject-id-attr/v1.0/csprd02/saml-subject-id-attr-v1.0-csprd02.html

FOOTNOTE: My references to Shibboleth in the context of Keycloak are not meant to diminish Keycloak in any fashion whatsoever. Rather since Shibboleth is the oldest SAML implementation and its architect Scott Cantor is a key member of the SAML committee and the fact it has widespread adoption means when it comes to finding any kind of decent documentation on SAML it's often found among the Shibboleth docs and/or mailing list. Keycloak has many features, including OpenID support that are absent in Shibboleth making Keycloak an excellent implementation choice among a host of other reasons to select Keycloak. No reason not to refer to the Shibboleth doc just to expand your conceptual understanding though.

On 4/9/19 2:17 PM, Aaron Echols wrote:
> Wouldn't you just need to add a mapper under your client to map to username, then set SAML Attribute NameFormat to unspecified there? Maybe I'm wrong, but that seems like the correct way to do this per client.
> --
> Aaron Echols
>
> On Mon, Apr 8, 2019 at 5:07 AM Ron Alleva wrote:
>> [...]

--
John Dennis

From kd190409 at gmail.com Tue Apr 9 16:19:11 2019
From: kd190409 at gmail.com (Keycloak Deploy)
Date: Tue, 9 Apr 2019 22:19:11 +0200
Subject: [keycloak-user] Add custom user attributes update password page
Message-ID:

Hi,

I need to add custom attributes on the update password page set by required action: UPDATE_PASSWORD, but when I edit the login-update-password.ftl file I get a 500 error because I can't get user attributes on this page. Is it necessary to use an SPI to do this, or does another solution exist?

Thanks in advance for your help

From ronallevatech at gmail.com Wed Apr 10 01:13:51 2019
From: ronallevatech at gmail.com (Ron Alleva)
Date: Wed, 10 Apr 2019 01:13:51 -0400
Subject: [keycloak-user] Setting NameID to Unspecified
In-Reply-To:
References: <55b322c286ab424e8245f7d2806c7a99@EXMBX24.SFP-Net.skyfillers.local>
Message-ID:

Thanks John for the fantastic explanation. I'm pretty clear on the whole business now. I think I will try to convince the SP I'm working with to not require "unspecified" as a format.
One of the confusions to me, before your email, is that KeyCloak's settings for a SAML client (at least in 4.4 and 5.0) say that these are the "Name ID Formats":

  username
  email
  transient
  persistent

It's clear to me now that "username" implies "unspecified". I can understand and agree with the decision to use "username" instead of "unspecified" in that dropdown...users care about what's going into the field more than its format, I'd guess.

Thanks again,
Ron

On Tue, Apr 9, 2019 at 4:05 PM John Dennis wrote:
> There is a bit of misinformation floating around this thread, hopefully I can clarify a few things.
> [...]
> --
> John Dennis

From vramik at redhat.com Wed Apr 10 02:55:48 2019
From: vramik at redhat.com (Vlasta Ramik)
Date: Wed, 10 Apr 2019 08:55:48 +0200
Subject: [keycloak-user] Upgrading from 1.9.8.Final to 4.8.3.Final
In-Reply-To: <7180730A-1FAA-4BE4-94C7-79E5ECDB5FA9@iland.com>
References: <7180730A-1FAA-4BE4-94C7-79E5ECDB5FA9@iland.com>
Message-ID:

Hey Cory,

it should be possible to upgrade directly from 1.9.8 to 4.8.3. There is a migration guide [1]. If you hit any issue let us know, thanks.

[1] https://www.keycloak.org/docs/latest/upgrading/index.html

On 4/9/19 4:01 PM, Cory Snyder wrote:
> Hi all,
>
> We're currently running Keycloak version 1.9.8.Final and are now investigating the upgrade path to 4.8.3.Final. The question is, can we upgrade to 4.8.3.Final directly or do you advise proceeding one major version at a time?
>
> Thanks for your time!
>
> Cory

From kelsey.rider at ineat-conseil.fr Wed Apr 10 03:28:10 2019
From: kelsey.rider at ineat-conseil.fr (Kelsey RIDER)
Date: Wed, 10 Apr 2019 07:28:10 +0000
Subject: [keycloak-user] Keycloak JS library: iframe redirect when already logged in
In-Reply-To:
References:
Message-ID:

Bump...does anybody have any information?
I also asked the question on StackOverflow: https://stackoverflow.com/questions/55606931/keycloak-js-library-iframe-redirect-when-alreadylogged-in

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Kelsey RIDER
Sent: Monday, 8 April 2019 14:38
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak JS library: iframe redirect when already logged in

Hello,

I'm working on an SPA that uses keycloak.js to interact with my Keycloak. I initialize the Keycloak object with onload = "check-sso" and checkLoginIFrame enabled.

If I perform the following steps:

* Load my site
* Click my "login" button (call Keycloak.login())
* get redirected to Keycloak's login page, login, get redirected back to my app
* Reload my site

I observe that when the site reloads, it does a quick redirection (the URL briefly changes from mysite.com to mysite.com/#state=... then back to mysite.com). I would like to avoid having this redirection when I'm already logged in.

By debugging the code, I found out why this happens:

* The login-status-iframe.html page is essentially just a wrapper for some static JS to manage a cookie that stores the auth tokens.
* Its main method checkState() is called from keycloak.js during initialization, with no token (sessionState is empty since keycloak.js is not aware of the cookie).
* The login iFrame's code reads the cookie and creates an XHR request to "/login-status-iframe.html/init?..." with the cookie in the request headers.
* When it gets a 204 response (which I take to mean: the cookie is valid, everything's OK), it compares the token (from the cookie) with what it was given from keycloak.js (i.e. nothing).
* Since they are not equal, it responds to the callback with "changed".
* This is interpreted in keycloak.js to mean that (the token changed?) and thus it calls doLogin(false), which is where it changes the URL, creating the unwanted redirect.

So my questions are thus:

* Where is the documentation for the API for the call to login-status-iframe.html/init?
* Would it be possible to do something like:
  * Have the login-status-iframe return the token, when the KC server informs it that the token is still valid (e.g. "update XXXXX" instead of "changed")
  * keycloak.js would then take this and update its token, without having to call doLogin()

Many thanks,
Kelsey Rider
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

Following changes to labour regulations, if you receive this e-mail before 7:00, in the evening, at the weekend or during your holidays, please do not process it or reply to it immediately, except in a genuine emergency.

From namikbarisidil at hotmail.com Wed Apr 10 03:34:21 2019
From: namikbarisidil at hotmail.com (Namık Barış İDİL)
Date: Wed, 10 Apr 2019 07:34:21 +0000
Subject: [keycloak-user] Send Access Token via Header
Message-ID:

Hi,

I have an application which redirects the user to the client login page of Keycloak and after a successful authentication, Keycloak redirects it back to my site with the access token embedded in the query string. What I want to ask is whether there is any way to configure Keycloak to send this access token in a header instead of the query string.

Thanks in advance.

Barış
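The token-in-the-URL problem raised above, as an added example that is not code from the Keycloak project or from anyone in this thread: a server-side OpenID Connect client using the authorization-code flow, written in Python. The browser only ever carries an opaque `code` and `state` in the redirect URL; the backend trades the code for the access token over the back channel and forwards it to resource servers in an Authorization header, so the token never sits in a query string where it would end up in access logs and Referer headers. The pending-login table also shows the `state` handling behind the "state mismatch" discussed later in this thread: an entry is one-shot, bound to the browser session and expires, and a late callback is refused with a reason the application can show. The realm URL, client id, client secret, redirect URI and the 300-second TTL are assumed values, and `post` is a stand-in for the real HTTP call to the token endpoint (a stub is used when running offline).

```python
# Added example (not Keycloak project code, not any poster's code).
# Assumed values: realm URL, client id/secret, redirect URI, state TTL.
import hmac
import secrets
import time
import urllib.parse

ISSUER = "https://sso.example.com/auth/realms/demo"   # assumed realm URL
CLIENT_ID = "my-app"                                  # assumed client id
CLIENT_SECRET = "change-me"                           # assumed; keep it out of source in real code
REDIRECT_URI = "https://app.example.com/callback"     # assumed registered redirect URI
STATE_TTL_SECONDS = 300   # how long a login may take before its state is stale


class PendingLogins:
    """Server-side table of outstanding authorization requests, keyed by state."""

    def __init__(self, ttl=STATE_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now        # injectable clock so expiry can be exercised offline
        self._pending = {}     # state -> (session_id, nonce, created_at)

    def start(self, session_id):
        """Mint a fresh, unguessable state/nonce pair for one browser session."""
        state = secrets.token_urlsafe(32)
        nonce = secrets.token_urlsafe(32)
        self._pending[state] = (session_id, nonce, self._now())
        return state, nonce

    def consume(self, session_id, state):
        """Return (nonce, None) for a valid state, else (None, reason); one-shot."""
        entry = self._pending.pop(state, None)
        if entry is None:
            return None, "unknown or already used state"
        owner, nonce, created = entry
        if not hmac.compare_digest(owner, session_id):
            return None, "state was issued to a different browser session"
        if self._now() - created > self._ttl:
            return None, "login took too long; start again"
        return nonce, None


def build_authorization_url(state, nonce):
    """Front-channel request. response_type=code: no token ever rides in a URL."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
    }
    return ISSUER + "/protocol/openid-connect/auth?" + urllib.parse.urlencode(params)


def parse_callback(callback_url):
    """Extract (code, state, error) from the redirect back to REDIRECT_URI."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in query:
        return None, None, query["error"][0]
    if "code" not in query or "state" not in query:
        return None, None, "callback is missing code or state"
    return query["code"][0], query["state"][0], None


def exchange_code(code, post):
    """Back-channel exchange; `post(url, form)` returns the parsed JSON token
    response (a real HTTP client in production, a stub when testing offline)."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }
    return post(ISSUER + "/protocol/openid-connect/token", form)


def bearer_header(access_token):
    """How the token travels to resource servers: a header, not a query string."""
    return {"Authorization": "Bearer " + access_token}


def complete_login(pending, session_id, callback_url, post):
    """Callback handler: check state, exchange the code, hand back the header.
    The nonce must still be compared with the verified ID token's `nonce`
    claim (a JWKS fetch is needed, so that step is left out of this offline example)."""
    code, state, err = parse_callback(callback_url)
    if err:
        return {"ok": False, "reason": err}
    nonce, err = pending.consume(session_id, state)
    if err:
        return {"ok": False, "reason": err}
    tokens = exchange_code(code, post)
    return {"ok": True, "nonce": nonce, "headers": bearer_header(tokens["access_token"])}
```

To drive it, call `PendingLogins().start(session_id)` when the user clicks login and send them to `build_authorization_url(state, nonce)`; on the callback route pass the full request URL and the same session id to `complete_login`, with `post` bound to your HTTP client. A "login took too long" result is the place to set the message Georgi's thread asks about, since that decision is made in the application, not on the Keycloak login page.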
From sblanc at redhat.com Wed Apr 10 04:13:28 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 10 Apr 2019 10:13:28 +0200
Subject: [keycloak-user] Send Access Token via Header
In-Reply-To:
References:
Message-ID:

AFAIK this is not possible but if your application is a server-side app (thus not a web only app using the JS adapter) then you could put the Keycloak Gatekeeper in front of your app and the gatekeeper puts the token in the header:
https://www.keycloak.org/docs/latest/securing_apps/index.html#upstream-headers

On Wed, Apr 10, 2019 at 9:35 AM Namık Barış İDİL wrote:
> Hi,
>
> I have an application which redirects the user to the client login page of Keycloak and after a successful authentication, Keycloak redirects it back to my site with the access token embedded in the query string. What I want to ask is whether there is any way to configure Keycloak to send this access token in a header instead of the query string.
>
> Thanks in advance.
>
> Barış

From georgi.matev at dominodatalab.com Wed Apr 10 04:36:34 2019
From: georgi.matev at dominodatalab.com (Georgi Matev)
Date: Wed, 10 Apr 2019 03:36:34 -0500
Subject: [keycloak-user] State mismatch on oidc-client login
In-Reply-To:
References:
Message-ID:

We have a realm with an openid-connect client configured to provide authentication for an application using Keycloak. The application is using the Keycloak hosted login page to handle auth redirects. We have this working well except that when one stays on the login page a little longer, the authentication attempt fails with a state mismatch error.

We understand the protection this provides. To handle it gracefully, we redirect the user back to login when the mismatch is detected. This creates a weird user experience, where the user just entered their credentials and seemingly nothing happened the first time but succeeds the second time.

Have not been able to figure out how to do the following:

(1) Pass some parameter indicating that the mismatched state happened so that when we get back to the login redirect the second time, we can use the parameter to trigger an appropriate message on the login page (through customizing the theme) to indicate that the user took too long to login. We have tried adding URL parameters when redirecting back to login but this has not worked since these get stripped.

(2) What setting in Keycloak determines how long the state parameter from the login redirect is valid. Played with long values for "Client login timeout", "Login timeout", "Login action timeout" under Tokens in the Realm but none of these seems to help.

Any advice would be much appreciated.

Thanks,
-Georgi

From zgmode at gmail.com Wed Apr 10 05:01:14 2019
From: zgmode at gmail.com (Tamás Tóth)
Date: Wed, 10 Apr 2019 11:01:14 +0200
Subject: [keycloak-user] Plugin: Get a list of users by custom attribute value
Message-ID:

Hello,

I'm using keycloak:latest with a postgres backend in docker. I need to get a list of users, but I'm unable to use groups. The user query in keycloak returns a user in 300ms, which is really slow for me. As this link suggests http://lists.jboss.org/pipermail/keycloak-user/2017-February/009548.html I'm trying to create a plugin, but I have difficulties. I need UserPermissionEvaluator to auth:

- UserPermissionEvaluator userPermissionEvaluator = auth.users();

When I use the following imports in my plugin:

- import org.keycloak.services.resources.admin.permissions.UserPermissionEvaluator;

I'm getting this exception:

- java.lang.NoClassDefFoundError: org/keycloak/services/resources/admin/permissions/UserPermissionEvaluator

You can access my code on github (https://github.com/zingz0r/Keycloak.Plugin).
Could you please help me to solve this issue? Thanks in advance; Tam?s T?th From sblanc at redhat.com Wed Apr 10 05:32:56 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Wed, 10 Apr 2019 11:32:56 +0200 Subject: [keycloak-user] State mismatch on oidc-client login In-Reply-To: References: Message-ID: Which version of Keycloak are you using ? When I wait too long on kc 5.0.0, it brings me back to the login page with the warning "You took too long to login. Login process starting from beginning." Isn't that what you want ? On Wed, Apr 10, 2019 at 10:40 AM Georgi Matev < georgi.matev at dominodatalab.com> wrote: > We have a realm with an openid-connect client configured to provide > authentication for an application using Keycloak. The application is using > the Keycloak hosted login page to handle auth redirects. We have this > working well except that when one stays on the login page a little longer, > the authentication attempt fails with a state mismatch error. > > We understand the protection this provides. To handle it gracefully, we > redirect the user back to login when the mismatch is detected. This creates > a weird user experience, where the user just entered their credentials and > seemingly nothing happened the first time but succeeds the second time. > > Have not been able to figure out how to do the following > > (1) Pass some parameter indicating that the mismatched state happened so > that when we get back to the login redirect the second time, we can use the > parameter to trigger an appropriate message on the login page (through > customizing the theme) to indicate that the user took too long to login. We > have tried adding URL parameters when redirecting back to login but this > has not worked since these get stripped. > > (2) What setting in Keycloak determines how long the state parameter from > the login redirect is valid. 
> Played with long values for "Client login timeout", "Login timeout", "Login action timeout" under Tokens in the Realm but none of these seems to help.
>
> Any advice would be much appreciated.
>
> Thanks,
> -Georgi
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Wed Apr 10 05:45:57 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 10 Apr 2019 11:45:57 +0200
Subject: [keycloak-user] Keycloak and Clever
In-Reply-To:
References:
Message-ID:

Hey Aaron !

Thanks a lot for sharing this with the community. And I agree we must find a nice solution to persist this kind of "How-to" article. I have some ideas in mind and I will come back to you about this.

Sebi

On Tue, Apr 9, 2019 at 7:31 PM Aaron Echols wrote:

> Hi All,
>
> I'm in k12edu and have been working on implementing Clever. I've successfully set up and configured Clever as a SP in Keycloak using the Active Directory Authentication login method. I wanted to share it here, in case there are others that would like to use it.
>
> Also, it might be useful to have a wiki in the Keycloak documentation for users to contribute how-to articles on configuring services with Keycloak. Please consider this. I'd gladly contribute my Clever and Google configurations there.
>
> I'm not sure how this is going to format, hopefully, it doesn't get too botched. :)
>
> Create new client
>
> - Go to the Clients page under the {your} realm.
> - Click: Create
> - Download federation metadata: https://clever.com/oauth/saml/metadata.xml
> - Click: Select file
> - Browse to the metadata.xml downloaded in the previous step
> - Click: Save
> - Set the following options:
>
> Setting | Flag/Option/String
> Name | {Give it a user facing name}
> Enabled | ON
> Include AuthnStatement | ON
> Sign Documents | ON
> Sign Assertions | ON
> Signature Algorithm | RSA_SHA256
> SAML Signature Key Name | KEY_ID
> Canonicalization Method | EXCLUSIVE
> Encrypt Assertions | ON
> Client Signature Required | OFF
> Force POST Binding | ON
> Front Channel Logout | ON
> Force Name ID Format | ON
> Name ID Format | email
> Valid Redirect URIs | https://clever.com/oauth/saml/assert
> Base URL | /auth/realms/{realm}/protocol/saml/clients/clever&RelayState=true
> IDP Initiated SSO URL Name | clever
> Assertion Consumer Service POST Binding URL | https://clever.com/oauth/saml/assert
> Logout Service POST Binding URL | https://clever.com/oauth/saml/assert
>
> Create Mapper(s)
>
> - Go to: Clients > https://clever.com/oauth/saml/metadata.xml > Edit > Mappers > Create
> - Set the following options:
>
> Setting | Flag/Option/String
> Name | clever.any.email
> Mapper Type | User Property
> Property | email
> Friendly Name | Email
> SAML Attribute Name | clever.any.email
> SAML Attribute NameFormat |
>
> Setting | Flag/Option/String
> Name | clever.any.sis_id
> Mapper Type | User Property
> Property | username
> Friendly Name | Username
> SAML Attribute Name | clever.any.sis_id
> SAML Attribute NameFormat |
>
> Import Custom idP Metadata
>
> - Login to https://clever.com/in/
> - Go to: Portal > SSO Settings > Add Login Method > Active Directory Authentication
> - Click: or upload metadata file instead (not recommended)
> - Download and modify the Auth
> Mellon idp-metadata.xml file from your clever client in Keycloak and add the missing information below:
>
> xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
> xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
> Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
> Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
> Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
> {kID}
> {cert}
>
> - Click the cloud symbol with an up arrow through it to upload the idp-metadata.xml you created.
> - Click: Save
> - You should see a message in green saying: Your settings have been saved
>
> References
>
> https://support.clever.com/hc/en-us/articles/218050687-Single-sign-on-SSO-with-a-custom-SAML-connection
> https://support.clever.com/hc/en-us/articles/215176617
>
> --
> *Aaron Echols*

From melissa.palmer at gmail.com Wed Apr 10 06:50:05 2019
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Wed, 10 Apr 2019 12:50:05 +0200
Subject: [keycloak-user] Difference Between 'Client scopes vs. Scopes vs Authorization Scopes'
Message-ID:

Hi

Please may someone explain the differences between 'Client scopes vs. Scopes vs Authorization Scopes' seen on the admin console of Keycloak ..
Thanks in Advance
Melissa

From sg at salih.xyz Wed Apr 10 07:13:17 2019
From: sg at salih.xyz (Salih Gedik)
Date: Wed, 10 Apr 2019 14:13:17 +0300
Subject: [keycloak-user] Error Adapter requires SSL. Request: http://XXXX
Message-ID: <10262721554894797@iva5-e99a26c42780.qloud-c.yandex.net>

From psilva at redhat.com Wed Apr 10 08:35:36 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 10 Apr 2019 09:35:36 -0300
Subject: [keycloak-user] Difference Between 'Client scopes vs. Scopes vs Authorization Scopes'
In-Reply-To:
References:
Message-ID:

Hi Melissa,

I understand the confusion and I'll try to make it more clear.

Client scope is about managing protocol mappers and role mappings in a single place, where these scopes may be requested by clients when they are sending authorization requests to the server (using the scope parameter). One of the main differences between Client Scope vs Scope (in client details) is that Client Scope configuration is shared across multiple clients and it includes the configuration you usually do in the Scope tab for clients. In addition to that, Client Scope is more OAuth related given that you have more control over how the server should deal with the scopes requested by clients. For instance, show in consent page (if user consent is enabled for the client), etc.

Authorization Scopes are related to fine-grained permissions, an extension to the standard OAuth implementation (there is a specific grant type[1] for this) that allows you to manage your protected resources and the scopes (e.g: actions you can perform, attributes, etc) associated with them, where access to these resources/scopes is enforced based on policies. In this context, the authorization scopes are granted to clients based on the evaluation of these policies. These scopes are not granted by default (when clients request them) and are not granted based on user consent.

I hope it helps.
[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_service_obtaining_permissions

On Wed, Apr 10, 2019 at 8:04 AM Melissa Palmer wrote:

> Hi
>
> Please may someone explain the differences between 'Client scopes vs. Scopes vs Authorization Scopes' seen on the admin console of Keycloak ..
>
> Thanks in Advance
> Melissa

From mrestelli at cuebiq.com Wed Apr 10 08:43:28 2019
From: mrestelli at cuebiq.com (Matteo Restelli)
Date: Wed, 10 Apr 2019 14:43:28 +0200
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak
Message-ID:

Any news on that?

Thank you!
Matteo

=============================

Hi all,
We're using AWS Cognito as our Identity provider for our platform. We're trying to use an internal instance of Keycloak, in order to check the possibility to use KC for authorization purposes (this because Keycloak has a wonderful and powerful authorization system that fulfills our needs, and for that I want to say you "Thank you very much" :) ). For this reason we want to use the token exchange feature of Keycloak.

More specifically we want to follow this flow:

- User authenticates on AWS Cognito via SRP auth flow (which basically is not a standard OIDC/OAuth2 authentication flow)
- User sends the access token to contact the backend service and, in the middle, this token is translated to an internal one, minted by Keycloak

If we provide the AWS Cognito access token to the token exchange endpoint, with the subject_token_type parameter set to "urn:ietf:params:oauth:token-type:access_token", an error is returned stating that the access token doesn't contain the "openid" scope.
Despite this we've tried another way, providing the id token to the token exchange endpoint with the subject_token_parameter set to "urn:ietf:params:oauth:token-type:id_token", and we discovered that this alternative way works.

So, my questions are:

- Is the "exchange with id token" approach a feasible and good one? Or is it completely a bad approach?
- From an OIDC point of view, can it be a right approach accessing a backend resource from a single page application, using an id token? I've always read that if you want to access a backend resource, from a client application, it is better to use the access token, because the id token contains a lot of user information and must be used only by the client application

Thank you very much,
Matteo

PS: As a side note, I want to clarify that if we follow an authorization code grant flow, or an implicit flow, during the authentication against AWS Cognito, the access token exchange works as expected. So this means that the problem is related to the shape of the token released by Cognito.

--

This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly be read by persons other than the subscriber of the box. Confidential information may be contained in this message. If you are not the addressee indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message.
From mrestelli at cuebiq.com Wed Apr 10 08:51:24 2019
From: mrestelli at cuebiq.com (Matteo Restelli)
Date: Wed, 10 Apr 2019 14:51:24 +0200
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak
Message-ID:

Hi all,
We're using AWS Cognito as our Identity provider for our platform. We're trying to use an internal instance of Keycloak, in order to check the possibility to use KC for authorization purposes (this because Keycloak has a wonderful and powerful authorization system that fulfills our needs, and for that I want to say you "Thank you very much" :) ). For this reason we want to use the token exchange feature of Keycloak.

More specifically we want to follow this flow:

- User authenticates on AWS Cognito via SRP auth flow (which basically is not a standard OIDC/OAuth2 authentication flow)
- User sends the access token to contact the backend service and, in the middle, this token is translated to an internal one, minted by Keycloak

If we provide the AWS Cognito access token to the token exchange endpoint, with the subject_token_type parameter set to "urn:ietf:params:oauth:token-type:access_token", an error is returned stating that the access token doesn't contain the "openid" scope. Despite this we've tried another way, providing the id token to the token exchange endpoint with the subject_token_parameter set to "urn:ietf:params:oauth:token-type:id_token", and we discovered that this alternative way works.
So, my questions are:

- Is the "exchange with id token" approach a feasible and good one? Or is it completely a bad approach?
- From an OIDC point of view, can it be a right approach accessing a backend resource from a single page application, using an id token? I've always read that if you want to access a backend resource, from a client application, it is better to use the access token, because the id token contains a lot of user information and must be used only by the client application

Thank you very much,
Matteo

PS: As a side note, I want to clarify that if we follow an authorization code grant flow, or an implicit flow, during the authentication against AWS Cognito, the access token exchange works as expected. So this means that the problem is related to the shape of the token released by Cognito.

From georgi.matev at dominodatalab.com Wed Apr 10 09:02:25 2019
From: georgi.matev at dominodatalab.com (Georgi Matev)
Date: Wed, 10 Apr 2019 06:02:25 -0700
Subject: [keycloak-user] State mismatch on oidc-client login
In-Reply-To:
References:
Message-ID:

Using 4.8.3.Final. The warning you describe is what we ideally want. Based on what I can see (this reference for example https://issues.jboss.org/browse/KEYCLOAK-3374), this should not be unique to 5.0.0.
I was able to get the behavior to trigger if I use something pretty short for "Login timeout" and "Login action timeout". This is progress!

That said, even if these login timeout periods are long, I would still get "State parameter is different from the one sent in authentication request. Session expired or possible threat of cross-site request forgery" after a shorter period. It does seem it could be related to the version of pac4j we are using on the application side.

If this ends up being a pac4j quirk, is there a way for us to force Keycloak to think it is in "Login timeout" state when redirected to the login when the above occurs?

On Wed, Apr 10, 2019 at 2:33 AM Sebastien Blanc wrote:

> Which version of Keycloak are you using ?
>
> When I wait too long on kc 5.0.0, it brings me back to the login page with the warning "You took too long to login. Login process starting from beginning." Isn't that what you want ?
>
> On Wed, Apr 10, 2019 at 10:40 AM Georgi Matev <georgi.matev at dominodatalab.com> wrote:
>
>> We have a realm with an openid-connect client configured to provide authentication for an application using Keycloak. The application is using the Keycloak hosted login page to handle auth redirects. We have this working well except that when one stays on the login page a little longer, the authentication attempt fails with a state mismatch error.
>>
>> We understand the protection this provides. To handle it gracefully, we redirect the user back to login when the mismatch is detected. This creates a weird user experience, where the user just entered their credentials and seemingly nothing happened the first time but succeeds the second time.
>>
>> Have not been able to figure out how to do the following
>>
>> (1) Pass some parameter indicating that the mismatched state happened so that when we get back to the login redirect the second time, we can use the parameter to trigger an appropriate message on the login page (through customizing the theme) to indicate that the user took too long to login. We have tried adding URL parameters when redirecting back to login but this has not worked since these get stripped.
>>
>> (2) What setting in Keycloak determines how long the state parameter from the login redirect is valid. Played with long values for "Client login timeout", "Login timeout", "Login action timeout" under Tokens in the Realm but none of these seems to help.
>>
>> Any advice would be much appreciated.
>>
>> Thanks,
>> -Georgi
>

From tdudgeon.ml at gmail.com Wed Apr 10 09:28:44 2019
From: tdudgeon.ml at gmail.com (Tim Dudgeon)
Date: Wed, 10 Apr 2019 14:28:44 +0100
Subject: [keycloak-user] obtaining token for CLI when using identity brokering
Message-ID: <32f5d80e-4c6b-69a9-af99-1a4d33383265@gmail.com>

Apologies if this was already sent/answered, but my subscription to the ML was cut without my realising it, so I think my first attempt to send was not successful. And there seems to be no archive of the ML for me to check.

My scenario:

1. My keycloak realm is set up to manage users with identity brokering (e.g. they login through GitHub etc.)
2. I have a public client in that realm that has a REST API that requires access to be authenticated
3. I want to access that API using curl or other CLI tool so need to provide an access token.
If my users were added to Keycloak directly I could get that token like this:

curl --data "grant_type=password&client_id=myclientid&username=user1&password=user1" https:///auth/realms/realmname/protocol/openid-connect/token

But this will not work when using identity brokering. So I was assuming the user could login to keycloak with a browser and then find a token there and copy it. But if I login as a user at this URL https:///auth/realms/realmname/account I get logged in using the identity broker but I can't find a token anywhere.

How do I manage this?

Tim

From psilva at redhat.com Wed Apr 10 09:40:41 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 10 Apr 2019 10:40:41 -0300
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak
In-Reply-To:
References:
Message-ID:

Hi,

So you are doing external to internal exchange. It is not clear to me how you configured AWS Cognito as an identity provider and what/how the SRP flow works. Could you provide more details, please? Is the token issued by Cognito a JWT ? In addition to that, what does your token exchange request look like when using both id_token and access_token as a subject_token ?

On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli wrote:

> Any news on that?
>
> Thank you!
> Matteo
>
> =============================
>
> Hi all,
> We're using AWS Cognito as our Identity provider for our platform. We're trying to use an internal instance of Keycloak, in order to check the possibility to use KC for authorization purposes (this because Keycloak has a wonderful and powerful authorization system that fulfill our needs, and for that i want to say you "Thank you very much" :) ). For this reason we want to use the token exchange feature of Keycloak.
> More specifically we want to follow this flow:
>
> - User authenticates on AWS Cognito via SRP auth flow (which basically is not a standard OIDC/OAuth2 authentication flow)
> - User sends the access token to contact the backend service and, in the middle, this token is translated to an internal one, minted by Keycloak
>
> If we provide the AWS Cognito access token to the token exchange endpoint, with the subject_token_type parameter set to "urn:ietf:params:oauth:token-type:access_token", an error is returned stating that the access token doesn't contain the "openid" scope. Despite this we've tried another way, providing the id token to the token exchange endpoint with the subject_token_parameter set to "urn:ietf:params:oauth:token-type:id_token", and we discovered that this alternative way works. So, my questions are:
>
> - Is the "exchange with id token" approach a feasible and good one? Or is completely a bad approach?
> - From an OIDC point of view, can be a right approach accessing a backend resource from a single page application, using an id token? I've always read that if you want to access to a backend resource, from a client application, is better to use the access token, because the id token contains a lot of user informations and must be used only by the client application
>
> Thank you very much,
> Matteo
>
> PS: As a side note, i want to clarify that if we follow an authorization code grant flow, or an implicit flow, during the authentication against AWS Cognito, the access token exchange works as expected. So this means that the problem is related to the shape of the token released by Cognito.
>
From sg at salih.xyz Wed Apr 10 10:32:40 2019
From: sg at salih.xyz (Salih Gedik)
Date: Wed, 10 Apr 2019 17:32:40 +0300
Subject: [keycloak-user] SSL load balancer causes problem on HTTP backend
Message-ID: <682131554906760@myt2-cd7fa496c4f7.qloud-c.yandex.net>

Hello community,

We have an application that uses Keycloak starters and the service itself is running on Spring Boot 2. However when requested through load balancers it fails to authenticate. Backend servers themselves are not HTTPS and SSL load balancers are passing the traffic to backends insecure.
I tried enabling the ssl-required flag but this time it failed to redirect to the correct page for login since backends are not SSL. I tried to override the commenceLoginRedirect method on KeycloakAuthenticationEntryPoint which resolved the issue. But this time after successful login, the redirection page fails to authenticate and returns 403. I can see from the log that it says "Adapter requires SSL. Request: http://xx.yyy.zzzz.local"

Which request endpoint should be https://xx instead of http?

Here is the log message:

[http-nio-8080-exec-7] DEBUG o.k.a.OAuthRequestAuthenticator - there was a code, resolving
[http-nio-8080-exec-7] ERROR o.k.a.OAuthRequestAuthenticator - Adapter requires SSL. Request: http://xx.yyy.zzzz.local/sso/login?state=abcdef&code=uss.BRA-eewrerrew.8ddaea7f-erewererw-65e2d6aa381ad
[http-nio-8080-exec-7] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Auth outcome: FAILED
[http-nio-8080-exec-7] DEBUG o.k.a.s.f.KeycloakAuthenticationProcessingFilter - Authentication request failed: org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
org.keycloak.adapters.springsecurity.KeycloakAuthenticationException: Invalid authorization header, see WWW-Authenticate header for details
        at org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter.attemptAuthentication(KeycloakAuthenticationProcessingFilter.java:157)
        at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:212)

I would really appreciate it if you guys have any idea/suggestion about this.
Thank you
--

From eduardr at softwareplanetgroup.com Wed Apr 10 11:24:41 2019
From: eduardr at softwareplanetgroup.com (Eduard Rakov)
Date: Wed, 10 Apr 2019 18:24:41 +0300
Subject: [keycloak-user] Several profiles for same user in keycloak
Message-ID:

Hi guys,

I need your help with the following question. I need to provide the ability for the user to create several profiles inside my app (I use keycloak for login and SSO), e.g. let's imagine that a user wants to have two profiles within my application:

Name: Bruce Wayne, email: brucew at example.com, login: bruce.wayne and password: secret
Name: "Dark Knight", email: batman at example.com, login: bruce.wayne and password: secret

(credentials to login are the same)

Bruce logs into my app using his creds (login: bruce.wayne and password: secret) and when he decides to use his account for a 3rd resource using SSO he can select which profile about himself to share with this 3rd party resource - Bruce Wayne (businessman) or Dark Knight (batman, superhero).

Is it possible to implement such a use case using keycloak?

Thanks.

--
_________
Best regards

From titantins at gmail.com Wed Apr 10 11:36:28 2019
From: titantins at gmail.com (Pavel Drankov)
Date: Wed, 10 Apr 2019 18:36:28 +0300
Subject: [keycloak-user] User creation
Message-ID:

Hello,

I'm trying to implement a two-step registration process based on Keycloak. On the first step the user enters the same information as in the default registration form, but with the addition of a telephone number. On the second step, he enters a code received via an SMS message.

The problem I faced is that if a user successfully filled the first step registration form and failed to enter a valid code on the second step, he is not able to use the same email address on the first step (because of the "Email already exists." error).

Is there a way to clean up not fully registered users and allow them to re-register if they have not finished all the steps from the registration flow?
Best wishes,
Pavel

From firozpalapra at outlook.com Wed Apr 10 23:23:31 2019
From: firozpalapra at outlook.com (Firoz Ahamed)
Date: Thu, 11 Apr 2019 03:23:31 +0000
Subject: [keycloak-user] Getting token directly in keycloak-js
Message-ID:

Hi guys,

Could someone let me know if there is any way to get a token by sending the username and password directly using the keycloak-js adapter without the browser redirecting to the login page? Something similar to the obtainGrant in keycloak-connect adapter.

Thanks!

Regards,
Firoz

From lists at merit.unu.edu Thu Apr 11 03:09:41 2019
From: lists at merit.unu.edu (mj)
Date: Thu, 11 Apr 2019 09:09:41 +0200
Subject: [keycloak-user] Keycloak and Clever
In-Reply-To:
References:
Message-ID:

Hi,

On 4/10/19 11:45 AM, Sebastien Blanc wrote:
> a nice solution to persist these kind of "How-to" articles. I have some
> ideas in mind and I will come back to you about this.

YES! We would *really* appreciate that, as the area keycloak/sso/saml/oidc is a difficult one to enter, and the keycloak-specific examples are very rare.

So, *please* do implement some kind of 'knowledge sharing' platform!

MJ

From slaskawi at redhat.com Thu Apr 11 04:01:48 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Thu, 11 Apr 2019 10:01:48 +0200
Subject: [keycloak-user] TCP for JGroups and bind options
Message-ID:

Hey,

I've been working on JGroups bind settings for Keycloak Container Image recently and we had a discussion with Stian about changing both binding options and transport for JGroups.

As you probably know, we use standalone-ha.xml as a default configuration for our image. This means that Infinispan boots up in clustered mode. At the moment, we use the default transport from the configuration, which is UDP (with PING as discovery). Even though UDP transport is a bit faster for larger clusters, it often doesn't work out of the box in cloud environments (like AWS for instance).
Of course, the JGroups stack can easily be changed by using the `-Djboss.default.jgroups.stack=tcp` switch.

I'm planning to revise this piece and change the default transport to TCP (probably by adding the `-Djboss.default.jgroups.stack=tcp` switch to the default options). I also proposed, and would like to ask you to try it out, changing the bind parameters to match IPv4 [1]. Previously, JGroups tried to bind to wrong interfaces, including `fe80::5003:8eff:fefa:3e53%tap0` exposed by Podman.

Please have a look at the Pull Request [1], check if it works for you and let me know what you think about using TCP as default transport for JGroups.

Thanks,
Sebastian

[1] https://github.com/jboss-dockerfiles/keycloak/pull/186

From manuel.waltschek at prisma-solutions.at Thu Apr 11 05:07:55 2019
From: manuel.waltschek at prisma-solutions.at (Manuel Waltschek)
Date: Thu, 11 Apr 2019 09:07:55 +0000
Subject: [keycloak-user] SAML securing application via browser / REST API via ECP on wildfly
Message-ID:

Hello KC Community!

We are currently securing our war via browser SSO with SAML. We are deploying on wildfly 10 and are using keycloak as an IdP broker. We have the requirement to also secure a REST endpoint which is invoked by a third party. I read about ECP shortly in KC docs and some forum discussions, but I could not find out how to set this up. It is also unclear if keycloak even supports this feature. If not ECP, are there any other known ways to support this behaviour?

Regards,

Manuel Waltschek BSc.
+43 660 86655 47
manuel.waltschek at prisma-solutions.at
https://www.prisma-solutions.com
PRISMA solutions EDV-Dienstleistungen GmbH
Klostergasse 18, 2340 Mödling, Austria
Firmenbuch: FN 239449 g, Landesgericht Wiener Neustadt
From titantins at gmail.com Thu Apr 11 05:34:35 2019
From: titantins at gmail.com (Pavel Drankov)
Date: Thu, 11 Apr 2019 12:34:35 +0300
Subject: [keycloak-user] SPI for removing user
Message-ID:

Hi,

Is there any SPI which allows removing users from keycloak?

Best wishes,
Pavel

From sblanc at redhat.com Thu Apr 11 05:47:42 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 11 Apr 2019 11:47:42 +0200
Subject: [keycloak-user] SPI for removing user
In-Reply-To:
References:
Message-ID:

You can use the Rest API to delete a user: https://www.keycloak.org/docs-api/5.0/rest-api/index.html#_users_resource

DELETE /{realm}/users/{id}

On Thu, Apr 11, 2019 at 11:43 AM Pavel Drankov wrote:

> Hi,
>
> Is there any SPI, which allow removing users from keycloak?
>
> Best wishes,
> Pavel

From vaslion13 at yahoo.gr Thu Apr 11 07:19:19 2019
From: vaslion13 at yahoo.gr (vasleon)
Date: Thu, 11 Apr 2019 13:19:19 +0200
Subject: [keycloak-user] Remove check for redirect_uri
Message-ID: <98a70e2e-453e-c3be-6407-2dcc84db83c0@yahoo.gr>

Hello everyone

It is required to specify a valid redirect_uri for each client in order for the login form to appear.

How could I remove the check that verifies the redirect_uri exists? I would like to make it possible for an application to redirect anywhere.
(It is for educational purposes.)

Thank you

From Ondrej.Scerba at zoomint.com Thu Apr 11 07:47:48 2019
From: Ondrej.Scerba at zoomint.com (Ondrej Scerba)
Date: Thu, 11 Apr 2019 11:47:48 +0000
Subject: [keycloak-user] Multivalue attributes delimiter
Message-ID: <4703d62dac684e1dae56d63a740be878@zoomint.com>

Hi,

Is there any option to configure the delimiter for multivalue attributes in Keycloak? I would like to use ',' instead of "##".

Thanks,
Ondrej

From lorenzo.luconi at iit.cnr.it Thu Apr 11 07:50:45 2019
From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi)
Date: Thu, 11 Apr 2019 13:50:45 +0200
Subject: [keycloak-user] Remove check for redirect_uri
In-Reply-To: <98a70e2e-453e-c3be-6407-2dcc84db83c0@yahoo.gr>
References: <98a70e2e-453e-c3be-6407-2dcc84db83c0@yahoo.gr>

Hello,

I think you can use the wildcard * to redirect anywhere.

Lorenzo

> On 11 Apr 2019, at 13:19, vasleon wrote:
>
> Hello everyone
>
> it is required to specify a valid redirect_uri for each client in order
> for the login form to appear.
>
> how could I remove the check that verifies the redirect_uri exists? I
> would like to make it possible to be able for an application to redirect
> anywhere. ( it is for educational purposes)
>
> thank you

From titantins at gmail.com Thu Apr 11 07:58:32 2019
From: titantins at gmail.com (Pavel Drankov)
Date: Thu, 11 Apr 2019 14:58:32 +0300
Subject: [keycloak-user] Lookup user during registration

Hi,

What do I have to do if I want to check whether a user with a specific email already exists during the registration flow? How can I do this on the SPI module side?
Best wishes,
Pavel

From ssilvert at redhat.com Thu Apr 11 08:10:40 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Thu, 11 Apr 2019 08:10:40 -0400
Subject: [keycloak-user] Remove check for redirect_uri
References: <98a70e2e-453e-c3be-6407-2dcc84db83c0@yahoo.gr>

On 4/11/2019 7:50 AM, Lorenzo Luconi Trombacchi wrote:
> Hello,
> I think you can use the wildcard * to rederict anywhere.
>
> Lorenzo

That is correct. Details are in the admin console help text for Clients --> client_name --> Settings --> Valid Redirect URIs

>> On 11 Apr 2019, at 13:19, vasleon wrote:
>>
>> Hello everyone
>>
>> it is required to specify a valid redirect_uri for each client in order
>> for the login form to appear.
>>
>> how could I remove the check that verifies the redirect_uri exists? I
>> would like to make it possible to be able for an application to redirect
>> anywhere. ( it is for educational purposes)
>>
>> thank you

From titantins at gmail.com Thu Apr 11 09:49:19 2019
From: titantins at gmail.com (Pavel Drankov)
Date: Thu, 11 Apr 2019 16:49:19 +0300
Subject: [keycloak-user] Import realm settings without removing users

Hi,

Is there any command-line way to import realm settings without erasing all the users? If I import realm settings with OVERWRITE_EXISTING, keycloak also removes all the users.
Best wishes,
Pavel

From kapilkumarjoshi001 at gmail.com Thu Apr 11 09:59:19 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Thu, 11 Apr 2019 19:29:19 +0530
Subject: [keycloak-user] Login with email in keycloak not working for federated user

Hi Team,

Login with email in Keycloak is not working for a federated user; please note that we have enabled the switch to Login With Email.
Can someone point us to what we are missing?

Thanks & regards
Kapil

From kapilkumarjoshi001 at gmail.com Thu Apr 11 10:02:19 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Thu, 11 Apr 2019 19:32:19 +0530
Subject: [keycloak-user] Password expiry policy not working for federated user

Hi All,

Password expiry policy is not working for a federated user. We can see that the password has expired for the LDAP user, which was set to 90 days, but the user can still login to the UI via keycloak authentication. Kindly point us to what we are missing. Please note we have enabled the switch to sync password policy with the federated user.

Thanks & regards
Kapil

From valsarajpv at gmail.com Thu Apr 11 10:05:51 2019
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 11 Apr 2019 19:35:51 +0530
Subject: [keycloak-user] Issue in importing realm from old version to version 5

Hi,

We need to export & import configuration from an old version 3.4 to the new Keycloak version 5. But it shows an error on import:

    {"errorMessage":"App doesn't exist in role definitions: realm-management"}

Is there any option to import the realm to the new version?

Thanks!

From nolan at thewordnerd.info Thu Apr 11 10:28:07 2019
From: nolan at thewordnerd.info (Nolan Darilek)
Date: Thu, 11 Apr 2019 09:28:07 -0500
Subject: [keycloak-user] Keycloak and shared JWT secrets
Message-ID: <2b20c86f-f1e3-ccab-215a-4b3231c9c7eb@thewordnerd.info>

Apologies if the answer to this is simple. I've pored through every doc I can get my hands on and am a bit overwhelmed.
I'm trying to set up a shared account service that works across my static website, forum, and eventually on mobile apps. Given that security isn't a core competency, I decided to try using Keycloak for this.

My first goal is to require authentication to example.com/members. I'm using the Caddy web server which has a JWT-based protection scheme built-in. Keycloak is running at example.com/auth.

What I *thought* I'd do is set up my website as a confidential client with authorization enabled. Caddy needs a shared secret for the JWT, so I thought this would be the client secret. Also, since my website and Keycloak are on the same domain, I thought that if they shared a secret and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that authentication would just work. Alas, no. Here's my Caddy JWT configuration block:

    jwt {
        path /members
        redirect /auth/realms/myrealm/account
        token_source header
        token_source cookie KEYCLOAK_IDENTITY
    }

Visiting /members just redirects me to my account page again and again, even if I'm logged in.

Am I completely off the rails here? I thought about using the client library, but I don't know if that works for confidential authorization setups. I don't even know if I *need* a confidential authorization setup here, or if I'm completely misunderstanding. It also occurs to me that I'm redirecting to /auth/realms/myrealm/account. There's nothing in that URL indicating which client to use, and as such, which secret to generate the JWT with. So before I go too much further down this rabbit hole, I wanted to check my assumptions.

Thanks for any help.
From lorenzo.luconi at iit.cnr.it Thu Apr 11 10:40:52 2019
From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi)
Date: Thu, 11 Apr 2019 16:40:52 +0200
Subject: [keycloak-user] Login with email in keycloak not working for federated user
Message-ID: <2F9C94E5-FF63-49BC-AAC1-44895E9D2889@iit.cnr.it>

Just tested with my user federation implementation and it works (4.8.3.Final). I can login to my app using the email address.

You must implement the UserLookupProvider interface and the getUserByEmail method.

Lorenzo

> On 11 Apr 2019, at 15:59, kapil joshi wrote:
>
> Hi Team,
>
> Login with email in Keycloak not working for federated user, please note
> that we have enabled the switch to Login With Email.
> Can some point us what are we missing.
>
> Thanks & regards
> Kapil

From Kevin.Fox at pnnl.gov Thu Apr 11 11:51:08 2019
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Thu, 11 Apr 2019 15:51:08 +0000
Subject: [keycloak-user] Keycloak and Clever
Message-ID: <1A3C52DFCD06494D8528644858247BF01C2F2212@EX10MBOX03.pnnl.gov>

+1

________________________________________
From: keycloak-user-bounces at lists.jboss.org [keycloak-user-bounces at lists.jboss.org] on behalf of mj [lists at merit.unu.edu]
Sent: Thursday, April 11, 2019 12:09 AM
To: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] Keycloak and Clever

Hi,

On 4/10/19 11:45 AM, Sebastien Blanc wrote:
> a nice solution to persist these kind of "How-to" articles. I have some
> ideas in mind and I will come back to you about this.

YES! We would *really* appreciate that, as the area keycloak/sso/saml/oidc is a difficult one to enter, and the keycloak-specific examples are very rare.

So, *please* do implement some kind of 'knowledge sharing' platform!
MJ

From jdennis at redhat.com Thu Apr 11 12:18:13 2019
From: jdennis at redhat.com (John Dennis)
Date: Thu, 11 Apr 2019 12:18:13 -0400
Subject: [keycloak-user] SAML securing application via browser / REST API via ECP on wildfly

On 4/11/19 5:07 AM, Manuel Waltschek wrote:
> Hello KC Community!
>
> We are currently securing our war via browser SSO with SAML. We are deploying on wildfly 10 and are using keycloak as an IdP broker.
> We have the requirement to also secure a REST endpoint which is invoked by a thrid party. I read about ECP shortly in KC docs and some forum discussions, but I could not find out how to set this up. It is also unclear if keycloak even supports this feature. If not ECP, are there any other known ways to support this behaviour?

Keycloak supports ECP. But from your description it's not clear if you understand the ECP use case. ECP is meant for non-browser (e.g. use without a user agent) authentication. Typically this means command-line tools.

The ECP SAML profile requires 3 cooperating parties to be ECP aware:

1) A relying party (typically a web resource, often referred to as Service Provider, i.e. SP). In your case this is where the REST endpoint exists. Usually this means an HTTP server such as Apache with a SAML module loaded, or it could be the JBoss Undertow server part of Wildfly (although I have no personal knowledge of the SAML support in Undertow, others here are probably much more familiar with this).

2) An ECP client, e.g. the command line tool or other non-browser implementation.

3) A SAML assertion provider (e.g. IdP), this would be Keycloak in this instance.

The ECP flow works like this:

The ECP client requests a resource on the SP (REST endpoint); it indicates it wants ECP.
The SP returns a SOAP document to the ECP client containing an authentication request.

The ECP client forwards the authentication request to the IdP (e.g. Keycloak) along with authentication credentials (recall ECP is meant for non-interactive use).

The IdP returns the authentication result (i.e. SAML Assertion) to the ECP client.

The ECP client then forwards it to the SP.

The SP will then return the originally requested resource.

Note, this is a simplified explanation.

Hopefully you can see from this description that the fact the protected resource is a REST endpoint or the fact it's invoked by a third party has little bearing on the choice of using the ECP SAML profile. Rather I think what you're looking for is how to perform delegation, a different topic.

-- 
John Dennis

From aechols at bfcsaz.com Thu Apr 11 12:19:16 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Thu, 11 Apr 2019 09:19:16 -0700
Subject: [keycloak-user] Keycloak and Clever

That would be awesome! Thanks. :)

-- 
*Aaron Echols*
Systems Architect (IT)
Benjamin Franklin Charter School | IT
Email: aechols at bfcsaz.com
Phone: (480) 677-8400
Website: http://www.bfcsaz.com
IT Website: https://it.bfcsaz.com
Support Email: techsupport at bfcsaz.com
Support Portal: https://bfcs.freshservice.com/support/home
Common Questions: https://bfcs.freshservice.com/support/solutions
Forgot your password: https://accounts.bfcsaz.com

On Wed, Apr 10, 2019 at 2:46 AM Sebastien Blanc wrote:
> Hey Aaron !
>
> Thanks a lot for sharing this with the community.
> And I agree we must find
> a nice solution to persist these kind of "How-to" articles. I have some
> ideas in mind and I will come back to you about this.
>
> Sebi
>
> On Tue, Apr 9, 2019 at 7:31 PM Aaron Echols wrote:
>
>> Hi All,
>>
>> I'm in k12edu and have been working on implementing Clever. I've
>> successfully setup and configured Clever as a SP in Keycloak using the
>> Active Directory Authentication login method. I wanted to share it here, in
>> case there are others that would like to use it.
>>
>> Also, it might be useful to have a wiki in the Keycloak documentation for
>> users to contribute how-to articles on configuring services with Keycloak.
>> Please consider this. I'd gladly contribute my Clever and Google
>> configurations there.
>>
>> I'm not sure how this is going to format, hopefully, it doesn't get too
>> botched. :)
>>
>> Create new client
>>
>> - Go to the Clients page under the {your} realm.
>> - Click: Create
>> - Download federation metadata: https://clever.com/oauth/saml/metadata.xml
>> - Click: Select file
>> - Browse to the metadata.xml downloaded in the previous step
>> - Click: Save
>> - Set the following options:
>>
>>   Setting                                    | Flag/Option/String
>>   -------------------------------------------|------------------------------------------------------------
>>   Name                                       | {Give it a user facing name}
>>   Enabled                                    | ON
>>   Include AuthnStatement                     | ON
>>   Sign Documents                             | ON
>>   Sign Assertions                            | ON
>>   Signature Algorithm                        | RSA_SHA256
>>   SAML Signature Key Name                    | KEY_ID
>>   Canonicalization Method                    | EXCLUSIVE
>>   Encrypt Assertions                         | ON
>>   Client Signature Required                  | OFF
>>   Force POST Binding                         | ON
>>   Front Channel Logout                       | ON
>>   Force Name ID Format                       | ON
>>   Name ID Format                             | email
>>   Valid Redirect URIs                        | https://clever.com/oauth/saml/assert
>>   Base URL                                   | /auth/realms/{realm}/protocol/saml/clients/clever&RelayState=true
>>   IDP Initiated SSO URL Name                 | clever
>>   Assertion Consumer Service POST Binding URL | https://clever.com/oauth/saml/assert
>>   Logout Service POST Binding URL            | https://clever.com/oauth/saml/assert
>>
>> Create Mapper(s)
>>
>> - Go to: Clients > https://clever.com/oauth/saml/metadata.xml > Edit > Mappers > Create
>> - Set the following options:
>>
>>   Setting                   | Flag/Option/String
>>   --------------------------|-------------------
>>   Name                      | clever.any.email
>>   Mapper Type               | User Property
>>   Property                  | email
>>   Friendly Name             | Email
>>   SAML Attribute Name       | clever.any.email
>>   SAML Attribute NameFormat |
>>
>>   Setting                   | Flag/Option/String
>>   --------------------------|-------------------
>>   Name                      | clever.any.sis_id
>>   Mapper Type               | User Property
>>   Property                  | username
>>   Friendly Name             | Username
>>   SAML Attribute Name       | clever.any.sis_id
>>   SAML Attribute NameFormat |
>>
>> Import Custom idP Metadata
>>
>> - Login to https://clever.com/in/
>> - Go to: Portal > SSO Settings > Add Login Method > Active Directory Authentication
>> - Click: or upload metadata file instead (not recommended)
>> - Download and modify the Auth Mellon idp-metadata.xml file from your
>>   clever client in Keycloak and add the missing information below:
>>
>>   xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
>>   xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"
>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>   protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
>>   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>   Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>>   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>>   Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>>   urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
>>   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
>>   Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>>   Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
>>   Location="https://{vip}/auth/realms/{realm}/protocol/saml" />
>>   {kID}
>>   {cert}
>>
>> - Click the cloud symbol with an up arrow through it to upload the
>>   idp-metadata.xml you created.
>> - Click: Save
>> - You should see a message in green saying: Your settings have been saved
>>
>> References
>>
>> https://support.clever.com/hc/en-us/articles/218050687-Single-sign-on-SSO-with-a-custom-SAML-connection
>> https://support.clever.com/hc/en-us/articles/215176617
>> --
>> *Aaron Echols*

From kmizuki88 at yahoo.com Thu Apr 11 12:39:52 2019
From: kmizuki88 at yahoo.com (Mizuki Karasawa)
Date: Thu, 11 Apr 2019 16:39:52 +0000 (UTC)
Subject: [keycloak-user] Configuring MySQL JDBC Driver with Keycloak-5.0.0
References: <959775511.126855.1555000792110.ref@mail.yahoo.com>
Message-ID: <959775511.126855.1555000792110@mail.yahoo.com>

Hi,

Has anyone successfully loaded the MySQL JDBC driver with Keycloak-5.0.0? Following https://www.keycloak.org/docs/5.0/server_installation/index.html#_database, it should be straightforward, but I'm getting an error when Keycloak starts:

    2019-04-10 14:08:12,055 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 28) WFLYCTL0013: Operation ("add") failed - address: ([
        ("subsystem" => "datasources"),
        ("jdbc-driver" => "mysql")
    ]) - failure description: "WFLYJCA0041: Failed to load module for driver [org.mysql]"

This can be reproduced after the driver is configured, before configuring datasource 'KeycloakDS' to use the JDBC driver. Following are the steps that I followed:

1. yum install mysql-connector-java
2. mkdir -p /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/
3. cd /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/
4. ln -s /usr/share/java/mysql-connector-java.jar ./
5. cat << EOF > module.xml
   EOF
6. Declare the driver in /opt/keycloak/standalone/configuration/standalone.xml, add the driver to the section:
   ....
   org.mysql.jdbc.Driver
7. restart Keycloak

Note that changing to various JDBC drivers doesn't make a difference. Just to test that the driver itself is fine, I connect to the localhost console via http://localhost:9990, load the driver as a new deployment, and configure the datasource to use the driver, which seems to be working fine.

Does anyone have suggestions what is possibly going on?

Thanks a lot!
Mizuki

EOF

- Add JDBC driver type to '/opt/keycloak/standalone/configuration/standalone.xml' in block as following:

    org.h2.jdbcx.JdbcDataSource
    org.mysql.jdbc.Driver

Before I change the actual 'KeyclockDS' datasource to use MySQL, I restart the service to confirm the JDBC driver is successfully loaded, but I got the following error:

    2019-04-10 14:08:12,055 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 28) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem" => "datasources"), ("jdbc-driver" => "mysql")]) - failure description: "WFLYJCA0041: Failed to load module for driver [org.mysql]"

From jdennis at redhat.com Thu Apr 11 12:44:05 2019
From: jdennis at redhat.com (John Dennis)
Date: Thu, 11 Apr 2019 12:44:05 -0400
Subject: [keycloak-user] Remove check for redirect_uri
In-Reply-To: <98a70e2e-453e-c3be-6407-2dcc84db83c0@yahoo.gr>
References: <98a70e2e-453e-c3be-6407-2dcc84db83c0@yahoo.gr>

On 4/11/19 7:19 AM, vasleon wrote:
> Hello everyone
>
> it is required to specify a valid redirect_uri for each client in order
> for the login form to appear.
>
> how could I remove the check that verifies the redirect_uri exists? I
> would like to make it possible to be able for an application to redirect
> anywhere. ( it is for educational purposes)

DO NOT DO THIS! It's very bad. There is a reason the OpenID Connect and SAML specifications *mandate* responses only be returned to known registered clients.

Also, make sure you understand the difference between redirects performed during authentication and a post authentication redirect performed by the application which is not part of the authentication flow; they are not the same thing.

-- 
John Dennis

From yervand.aghababyan at sflpro.com Thu Apr 11 13:14:00 2019
From: yervand.aghababyan at sflpro.com (Yervand Aghababyan)
Date: Thu, 11 Apr 2019 21:14:00 +0400
Subject: [keycloak-user] Keycloak support for one realm on a domain name while serving on multiple domains simultaneously

I've also posted this question on stackoverflow. So if you want to you can answer there so it'll be easier to find for anyone looking. Here it is: https://stackoverflow.com/questions/55634962/keycloak-support-for-one-realm-on-a-domain-name-while-serving-on-multiple-domain

I'm building an ecosystem of applications on kubernetes with keycloak as authentication/authorization provider. I am (or probably was) planning for everything to be integrated with it via OpenId (OAuth2) and for user credentials and other private information never to leave the keycloak instance in an unencrypted form. I was trying to implement the whole authentication scheme with the following configurations in mind.

Realms

myservice: Realm containing the public and back-office users of my application. All microservices that I have are authenticating users against this realm.

master: Contains admins, keycloak administrators and other resources which should not be ever exposed to the public or intranet users. No microservice ever performs authentication on this realm.

Domains

1. domain: account.myservice.com
   access: public
   cors: allow requests from app.myservice.com
   config: kubernetes-ingress
   exposes: configured themes to support login, registration, etc.; endpoints for public front-end application token validation
   description: Only exposes access to a realm called "myservice" in keycloak. No users from other realms can login or interact.

2. domain: account.internal.myservice.com
   access: intranet/admins
   cors: allow requests from back-office.internal.myservice.com
   config: kubernetes-ingress
   exposes: configured themes to support login, registration, etc.; endpoints for back-end front-end application token validation
   description: Exposes all the realms and provides access to the keycloak administrative UI.

3. domain: keycloak (keycloak.default.svc.cluster.local)
   access: cluster-internal
   cors: none
   config: kubernetes service, visible only inside the cluster
   exposes: endpoints for back-end application token validation
   description: Only exposes realm "myservice" and is used for other services to validate user tokens and similar stuff.

I did come across a number of issues when trying to implement the above configuration scheme. If I do SSL termination inside Keycloak I won't be able to configure the different domains via a reverse proxy or similar approach which, in turn, means that Keycloak should provide a feature to listen on a separate SSL encrypted port and only make one realm available there. Which it does not.

So do I want something weird here? Are the best practices different from what I want?

-- 
Best Regards,
Yervand

From sblanc at redhat.com Thu Apr 11 13:22:07 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 11 Apr 2019 19:22:07 +0200
Subject: [keycloak-user] Keycloak and shared JWT secrets
In-Reply-To: <2b20c86f-f1e3-ccab-215a-4b3231c9c7eb@thewordnerd.info>
References: <2b20c86f-f1e3-ccab-215a-4b3231c9c7eb@thewordnerd.info>

Hi,

Are you using https://github.com/BTBurke/caddy-jwt/blob/master/README.md ?
So I never used Caddy but a couple of things:

* Keycloak uses RSA to sign the token, so you need to specify JWT_PUBLIC_KEY in Caddy and not the JWT_SECRET.
* Just use a public client (because Caddy JWT probably doesn't handle this) and do not enable authorization (you just want authentication, right?)
* The redirect field from your config block looks like it should be the endpoint for authenticating your user; not sure why you are using the /account endpoint, this is a completely different thing (this is the "space" where logged-in users can manage their account: reset password etc ...). The redirect value would look something like:

  http://localhost:8180/auth/realms/myrealm/protocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2Flocalhost%3A8080&response_mode=fragment&response_type=code

If your app is just a service endpoint you probably don't need the redirect field to be set since you will obtain the token differently.

You said that you kept being redirected even when you are logged in; what does "logged in" mean? Did you manage to log in with Keycloak? Are you using the Keycloak Javascript adapter in your webapp to obtain your token?

On Thu, Apr 11, 2019 at 4:38 PM Nolan Darilek wrote:
> Apologies if the answer to this is simple. I've poured through every doc
> I can get my hands on and am a bit overwhelmed.
>
> I'm trying to set up a shared account service that works across my
> static website, forum, and eventually on mobile apps. Given that
> security isn't a core competency, I decided to try using Keycloak for this.
>
> My first goal is to require authentication to example.com/members. I'm
> using the Caddy web server which has a JWT-based protection scheme
> built-in. Keycloak is running at example.com/auth.
>
> What I *thought* I'd do is set up my website as a confidential client
> with authorization enabled. Caddy needs a shared secret for the JWT, so
> I thought this would be the client secret.
> Also, since my website and
> Keycloak are on the same domain, I thought that if they shared a secret
> and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that authentication
> would just work. Alas, no. Here's my Caddy JWT configuration block:
>
> jwt {
>     path /members
>     redirect /auth/realms/myrealm/account
>     token_source header
>     token_source cookie KEYCLOAK_IDENTITY
> }
>
> Visiting /members just redirects me to my account page again and again,
> even if I'm logged in.
>
> Am I completely off the rails here? I thought about using the client
> library, but I don't know if that works for confidential authorization
> setups. I don't even know if I *need* a confidential authorization setup
> here, or if I'm completely misunderstanding. It also occurs to me that
> I'm redirecting to /auth/realms/myrealm/account. There's nothing in that
> URL indicating which client to use, and as such, which secret to
> generate the JWT with. So before I go too much further down this rabbit
> hole, I wanted to check my assumptions.
>
> Thanks for any help.

From jlieskov at redhat.com Thu Apr 11 13:51:08 2019
From: jlieskov at redhat.com (Jan Lieskovsky)
Date: Thu, 11 Apr 2019 19:51:08 +0200
Subject: [keycloak-user] Configuring MySQL JDBC Driver with Keycloak-5.0.0
In-Reply-To: <959775511.126855.1555000792110@mail.yahoo.com>
References: <959775511.126855.1555000792110.ref@mail.yahoo.com> <959775511.126855.1555000792110@mail.yahoo.com>

Hello Karasawa-san,

On Thu, Apr 11, 2019 at 7:08 PM Mizuki Karasawa wrote:
> Hi,
> Has anyone successfully load MySQL JDBC driver with Keycloak-5.0.0?
> Following
> https://www.keycloak.org/docs/5.0/server_installation/index.html#_database
> , it should be straightforward, but I'm getting error when Keycloak starts:
>
> 2019-04-10 14:08:12,055 ERROR
> [org.jboss.as.controller.management-operation] (ServerService Thread Pool
> -- 28) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "datasources"),
> ("jdbc-driver" => "mysql")
> ]) - failure description: "WFLYJCA0041: Failed to load module for driver
> [org.mysql]"
> This can be reproduced after driver is configured, before configuring
> datasource 'KeycloakDS' to user the JDBC driver, following are the steps
> that i followed:
>
> 1. yum install mysql-connector-java
>
> 2. mkdir -p /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/
>
> 3. cd /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/
>
> 4. ln -s /usr/share/java/mysql-connector-java.jar ./
>
> 5. cat << EOF > module.xml
>

I think you have a typo here -- missing the 'a' character before the .jar suffix:

    # rpm -ql mysql-connector-java | grep jar
    /usr/share/java/mysql-connector-java.jar

> EOF
>
> 6. Declare the driver in
> /opt/keycloak/standalone/configuration/standalone.xml , add the driver to
> the section:
> ....
>
> org.mysql.jdbc.Driver
>
> 7. restart Keycloak
>
> Note that changing to various JDBC drivers doesn't make a difference, just
> to test the driver itself is fine, I connect to localhost console via
> http://localhost:9990, and loaded the driver as the new deployment, and
> configured the datasource to use the driver seems to be working fine.
> Does anyone have suggestions what is possibly going on?

HTH

> Thanks a lot!
> Mizuki

Jan

> name="org.mysql"> path="mysql-connector-java-bin.jar" />
>
> EOF
>
> - Add JDBC driver type to
> '/opt/keycloak/standalone/configuration/standalone.xml' in
> block as followng:
> module="com.h2database.h2">
> org.h2.jdbcx.JdbcDataSource
> module="org.mysql">
> org.mysql.jdbc.Driver
>
> Before I change actual 'KeyclockDS' datasource to use MySQL, I restart the
> service to confirm the JDBC driver is successfully load, but I got
> following error:
> 2019-04-10 14:08:12,055 ERROR
> [org.jboss.as.controller.management-operation] (ServerService Thread Pool
> -- 28) WFLYCTL0013: Operation ("add") failed - address: ([ ("subsystem"
> => "datasources"), ("jdbc-driver" => "mysql")]) - failure description:
> "WFLYJCA0041: Failed to load module for driver [org.mysql]"

From nolan at thewordnerd.info Thu Apr 11 13:51:26 2019
From: nolan at thewordnerd.info (Nolan Darilek)
Date: Thu, 11 Apr 2019 12:51:26 -0500
Subject: [keycloak-user] Keycloak and shared JWT secrets
References: <2b20c86f-f1e3-ccab-215a-4b3231c9c7eb@thewordnerd.info>
Message-ID: <8c73e82b-104d-a33b-e7ef-fa165de35364@thewordnerd.info>

Yes, that's the JWT plugin I'm using.

I will eventually need roles. Can I do this without enabling authorization on the client?
I'll be using Caddy's JWT module to authorize access to some resources. I don't know if this means I need authorization support to enable roles, or if I *don't* need authorization support because I'm not asking Keycloak to grant or deny access to my pages based on their URLs. When you say to use a public client because Caddy won't handle this, what specifically do you mean? It won't handle setting a public key? It does seem to via the JWT_PUBLIC_KEY environment variable as you noted. I imagine I'll need to retrieve that from a .well-known endpoint? Otherwise, I'm not sure what isn't being handled here. Sorry if I seem dense--this is a bit overwhelming and I'd like to get it right. I'm not using the JS adapter because I don't have an app as such. For now I just have some static pages generated by Hugo, and I'm trying to gate access to a /members section. In the future I'll probably have a few different levels of access, which I'll represent by roles, so /members/gold, /members/silver, etc. may be gated by role. This blocking is happening on the server side. I'm not immediately clear on how the JS library would help in this case, since my pages are just being served up directly. Thanks for the pointer on the wrong redirect URL. I used the /account endpoint because it at least prompts me to log in if I'm not. When I say that I'm being redirected, I mean that hitting /members doesn't take me to the members-only page, but takes me to the account redirect if I'm logged into Keycloak, which I definitely am. Thanks for the help. On 4/11/19 12:22 PM, Sebastien Blanc wrote: > Hi, > > Are you using > https://github.com/BTBurke/caddy-jwt/blob/master/README.md ? > > So I never used Caddy but a couple of things : > > * Keycloak uses RSA to sign the token, so you need to specify > JWT_PUBLIC_KEY in Caddy and not the JWT_SECRET. > * Just use a public client (because Caddy JWT probably don't handle > this) and do not enable authorization (you just want authentication > right ?) 
> * the redirect field from your config block looks like to be the endpoint for authenticating your user, not sure why you are using the /account endpoint, this is a completely different thing (this is the "space" where logged-in users can manage their account: reset password etc ...). The redirect value would look like something as:
>
> http://localhost:8180/auth/realms/myrealmprotocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2Flocalhost%3A8080&response_mode=fragment&response_type=code
>
> If your app is just a service endpoint you probably don't need the redirect field to be set since you will obtain the token differently. You said that you kept being redirected even when you are logged in, what does that mean, "logged in"? Did you manage to log in with Keycloak? Are you using the Keycloak Javascript adapter in your webapp to obtain your token?
>
> On Thu, Apr 11, 2019 at 4:38 PM Nolan Darilek wrote:
>
> Apologies if the answer to this is simple. I've pored through every doc I can get my hands on and am a bit overwhelmed.
>
> I'm trying to set up a shared account service that works across my static website, forum, and eventually on mobile apps. Given that security isn't a core competency, I decided to try using Keycloak for this.
>
> My first goal is to require authentication to example.com/members. I'm using the Caddy web server which has a JWT-based protection scheme built-in. Keycloak is running at example.com/auth.
>
> What I *thought* I'd do is set up my website as a confidential client with authorization enabled. Caddy needs a shared secret for the JWT, so I thought this would be the client secret. Also, since my website and Keycloak are on the same domain, I thought that if they shared a secret and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that authentication would just work. Alas, no.
> Here's my Caddy JWT configuration block:
>
> jwt {
>     path /members
>     redirect /auth/realms/myrealm/account
>     token_source header
>     token_source cookie KEYCLOAK_IDENTITY
> }
>
> Visiting /members just redirects me to my account page again and again, even if I'm logged in.
>
> Am I completely off the rails here? I thought about using the client library, but I don't know if that works for confidential authorization setups. I don't even know if I *need* a confidential authorization setup here, or if I'm completely misunderstanding. It also occurs to me that I'm redirecting to /auth/realms/myrealm/account. There's nothing in that URL indicating which client to use, and as such, which secret to generate the JWT with. So before I go too much further down this rabbit hole, I wanted to check my assumptions.
>
> Thanks for any help.
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From aechols at bfcsaz.com Thu Apr 11 14:07:37 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Thu, 11 Apr 2019 11:07:37 -0700
Subject: [keycloak-user] Configuring MySQL JDBC Driver with Keycloak-5.0.0
In-Reply-To:
References: <959775511.126855.1555000792110.ref@mail.yahoo.com> <959775511.126855.1555000792110@mail.yahoo.com>
Message-ID:

You need to update your driver class. Had the same issue coming from 4.8.3 > 5.0.0. You'll have to check the MySQL docs for using option jdbc classes. This might be it, but I'm not sure without further research:

https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-driver-name.html
https://github.com/keycloak/keycloak/pull/5660/commits/fff753d4fd6ca56279e9e873618ba537e55abeaf#diff-39dac83c21cd39ac45302c6213854e23

I use MariaDB Galera and had to use the optional jdbc class.
https://mariadb.com/kb/en/library/about-mariadb-connector-j/#optional-jdbc-classes -- Aaron Echols On Thu, Apr 11, 2019 at 10:56 AM Jan Lieskovsky wrote: > Hello Karasawa-san, > > On Thu, Apr 11, 2019 at 7:08 PM Mizuki Karasawa > wrote: > > > Hi, > > Has anyone successfully load MySQL JDBC driver with Keycloak-5.0.0? > > Following > > > https://www.keycloak.org/docs/5.0/server_installation/index.html#_database > > , it should be straightforward, but I'm getting error when Keycloak > starts: > > > > 2019-04-10 14:08:12,055 ERROR > > [org.jboss.as.controller.management-operation] (ServerService Thread Pool > > -- 28) WFLYCTL0013: Operation ("add") failed - address: ([ > > ("subsystem" => "datasources"), > > ("jdbc-driver" => "mysql") > > ]) - failure description: "WFLYJCA0041: Failed to load module for driver > > [org.mysql]" > > This can be reproduced after driver is configured, before configuring > > datasource 'KeycloakDS' to user the JDBC driver, following are the steps > > that i followed: > > > > 1. yum install mysql-connector-java > > > > 2. mkdir -p /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/ > > > > 3. cd /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/ > > > > 4. ln -s /usr/share/java/mysql-connector-java.jar ./ > > > > 5. cat << EOF > module.xml > > > > > > > > > > I think you have a typo here -- missing the 'a' character before the .jar > suffix: > > # rpm -ql mysql-connector-java | grep jar > /usr/share/java/mysql-connector-java.jar > > > > > > > > > > > > > > > > EOF > > > > 6. Declare the driver in > > /opt/keycloak/standalone/configuration/standalone.xml , add the driver to > > the section: > > .... > > > > org.mysql.jdbc.Driver > > > > 7. 
> > restart Keycloak
> >
> > Note that changing to various JDBC drivers doesn't make a difference, just to test the driver itself is fine, I connect to localhost console via http://localhost:9990, and loaded the driver as the new deployment, and configured the datasource to use the driver seems to be working fine.
> > Does anyone have suggestions what is possibly going on?
>
> HTH
>
> > Thanks a lot!
> > Mizuki
>
> Jan
>
> > xmlns="urn:jboss:module:1.3"
> > name="org.mysql">
> > path="mysql-connector-java-bin.jar" />
> >
> > EOF
> >
> > - Add JDBC driver type to '/opt/keycloak/standalone/configuration/standalone.xml' in block as following:
> > module="com.h2database.h2">
> > org.h2.jdbcx.JdbcDataSource
> > module="org.mysql">
> > org.mysql.jdbc.Driver
> >
> > Before I change actual 'KeyclockDS' datasource to use MySQL, I restart the service to confirm the JDBC driver is
successfully load, but I got > > following error: > > 2019-04-10 14:08:12,055 ERROR > > [org.jboss.as.controller.management-operation] (ServerService Thread Pool > > -- 28) WFLYCTL0013: Operation ("add") failed - address: ([ > ("subsystem" > > => "datasources"), ("jdbc-driver" => "mysql")]) - failure description: > > "WFLYJCA0041: Failed to load module for driver [org.mysql]" > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From yervand.aghababyan at sflpro.com Thu Apr 11 15:19:00 2019 From: yervand.aghababyan at sflpro.com (Yervand Aghababyan) Date: Thu, 11 Apr 2019 23:19:00 +0400 Subject: [keycloak-user] Docker image Java 11 Message-ID: As I understood from here: https://issues.jboss.org/browse/KEYCLOAK-7811 Keycloak already has support for Java 11. So plugins for it can also be developed using java 11. But the official docker distro comes with java 8 only which forces us to repackage and create our own docker image distribution of keycloak just to bableel to use java 11 plugins with it. Are there plans to bump the java version to 11 in the docker release? Official image dockerfile: https://hub.docker.com/r/jboss/keycloak/dockerfile -- Best Regards, Yervand From kmizuki88 at yahoo.com Thu Apr 11 15:41:04 2019 From: kmizuki88 at yahoo.com (Mizuki Karasawa) Date: Thu, 11 Apr 2019 19:41:04 +0000 (UTC) Subject: [keycloak-user] Configuring MySQL JDBC Driver with Keycloak-5.0.0 In-Reply-To: References: <959775511.126855.1555000792110.ref@mail.yahoo.com> <959775511.126855.1555000792110@mail.yahoo.com> Message-ID: <1061485038.248493.1555011664515@mail.yahoo.com> Hi Jan, good catch! But that was the typo in the email, the actual configuration is good. 
;) Hi Aaron, good catch too! But that was the connect-j 8.0, I'm using 5.0, I believe I had correct driver class name defined https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-usagenotes-jboss.html , I confirmed the class name as well by connecting to WildFly console after loading the actual driver via deployment. I switched to connect-j 8.0, but got the same error. hmm.... Anything else might have triggered this?

Thanks!
Mizuki Karasawa

On Thursday, April 11, 2019, 1:07:55 PM CDT, Aaron Echols wrote:

You need to update your driver class. Had the same issue coming from 4.8.3 > 5.0.0. You'll have to check the MySQL docs for using option jdbc classes. This might be it, but I'm not sure without further research:

https://dev.mysql.com/doc/connector-j/8.0/en/connector-j-reference-driver-name.html
https://github.com/keycloak/keycloak/pull/5660/commits/fff753d4fd6ca56279e9e873618ba537e55abeaf#diff-39dac83c21cd39ac45302c6213854e23

I use MariaDB Galera and had to use the optional jdbc class.
https://mariadb.com/kb/en/library/about-mariadb-connector-j/#optional-jdbc-classes

-- Aaron Echols

On Thu, Apr 11, 2019 at 10:56 AM Jan Lieskovsky wrote:

Hello Karasawa-san,

On Thu, Apr 11, 2019 at 7:08 PM Mizuki Karasawa wrote:
> Hi,
> Has anyone successfully loaded MySQL JDBC driver with Keycloak-5.0.0?
> Following https://www.keycloak.org/docs/5.0/server_installation/index.html#_database , it should be straightforward, but I'm getting error when Keycloak starts:
>
> 2019-04-10 14:08:12,055 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 28) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "datasources"),
>     ("jdbc-driver" => "mysql")
> ]) - failure description: "WFLYJCA0041: Failed to load module for driver [org.mysql]"
> This can be reproduced after driver is configured, before configuring datasource 'KeycloakDS' to use the JDBC driver, following are the steps that i followed:
>
> 1.
> yum install mysql-connector-java
>
> 2. mkdir -p /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/
>
> 3. cd /opt/keycloak/modules/system/layers/keycloak/org/mysql/main/
>
> 4. ln -s /usr/share/java/mysql-connector-java.jar ./
>
> 5. cat << EOF > module.xml
>

I think you have a typo here -- missing the 'a' character before the .jar suffix:

# rpm -ql mysql-connector-java | grep jar
/usr/share/java/mysql-connector-java.jar

>
> EOF
>
> 6. Declare the driver in /opt/keycloak/standalone/configuration/standalone.xml , add the driver to the section:
> ....
> org.mysql.jdbc.Driver
>
> 7. restart Keycloak
>
> Note that changing to various JDBC drivers doesn't make a difference, just to test the driver itself is fine, I connect to localhost console via http://localhost:9990, and loaded the driver as the new deployment, and configured the datasource to use the driver seems to be working fine.
> Does anyone have suggestions what is possibly going on?

HTH

> Thanks a lot!
> Mizuki

Jan

> name="org.mysql"> path="mysql-connector-java-bin.jar" />
> EOF
>
> - Add JDBC driver type to '/opt/keycloak/standalone/configuration/standalone.xml' in block as following:
> module="com.h2database.h2">
> org.h2.jdbcx.JdbcDataSource
> module="org.mysql">
> org.mysql.jdbc.Driver
> Before I change actual 'KeyclockDS' datasource to use MySQL, I restart the > service to confirm the JDBC driver is successfully load, but I got > following error: > 2019-04-10 14:08:12,055 ERROR > [org.jboss.as.controller.management-operation] (ServerService Thread Pool > -- 28) WFLYCTL0013: Operation ("add") failed - address: ([? ? ("subsystem" > => "datasources"),? ? ("jdbc-driver" => "mysql")]) - failure description: > "WFLYJCA0041: Failed to load module for driver [org.mysql]" > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user From bruno at abstractj.org Thu Apr 11 15:48:31 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Thu, 11 Apr 2019 16:48:31 -0300 Subject: [keycloak-user] Docker image Java 11 In-Reply-To: References: Message-ID: <20190411194831.GA8461@abstractj.org> Hi Yervand, At the moment is not supported into our docker image because we depend on the base image. Could you please create a Jira as an enhancement for this? On 2019-04-11, Yervand Aghababyan wrote: > As I understood from here: > https://issues.jboss.org/browse/KEYCLOAK-7811 Keycloak > already has support for Java 11. So plugins for it can also be developed > using java 11. But the official docker distro comes with java 8 only which > forces us to repackage and create our own docker image distribution > of keycloak just to bableel to use java 11 plugins with it. > > Are there plans to bump the java version to 11 in the docker release? 
> > Official image dockerfile: > https://hub.docker.com/r/jboss/keycloak/dockerfile > > -- > Best Regards, > Yervand > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From yervand.aghababyan at sflpro.com Thu Apr 11 15:59:44 2019 From: yervand.aghababyan at sflpro.com (Yervand Aghababyan) Date: Thu, 11 Apr 2019 23:59:44 +0400 Subject: [keycloak-user] Docker image Java 11 In-Reply-To: <20190411194831.GA8461@abstractj.org> References: <20190411194831.GA8461@abstractj.org> Message-ID: Tried doing that first. Can't login using readhat sing in. I had an account there but can't remember the pass and the reset email is not arriving for some reason :) If it does, I'll create the ticket tomorrow. On Thu, 11 Apr 2019, 23:48 Bruno Oliveira, wrote: > Hi Yervand, > > At the moment is not supported into our docker image because we depend > on the base image. > > Could you please create a Jira as an enhancement for this? > > On 2019-04-11, Yervand Aghababyan wrote: > > As I understood from here: > > https://issues.jboss.org/browse/KEYCLOAK-7811 Keycloak > > already has support for Java 11. So plugins for it can also be developed > > using java 11. But the official docker distro comes with java 8 only > which > > forces us to repackage and create our own docker image distribution > > of keycloak just to bableel to use java 11 plugins with it. > > > > Are there plans to bump the java version to 11 in the docker release? 
> > > > Official image dockerfile: > > https://hub.docker.com/r/jboss/keycloak/dockerfile > > > > -- > > Best Regards, > > Yervand > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > > abstractj > From vaslion13 at yahoo.gr Thu Apr 11 16:57:59 2019 From: vaslion13 at yahoo.gr (vasleon) Date: Thu, 11 Apr 2019 22:57:59 +0200 Subject: [keycloak-user] Remove check for redirect_uri In-Reply-To: References: <98a70e2e-453e-c3be-6407-2dcc84db83c0@yahoo.gr> Message-ID: <90bf973f-c923-e808-2852-578f78e0dd6e@yahoo.gr> Thank you for the clarification between redirects performed during authentication and a post authentication redirect performed by the application. I know it is bad to do so. I want to make it vulnerable in purpose so I can show to students how this vulnerability can affect openID connect. I am familiarizing with the code from available on github for now and trying to convert it to gradle and put it on intellij. Any hint or help on which files need to be edited to achieve this, is very welcome thank you On 11-Apr-19 18:44, John Dennis wrote: > On 4/11/19 7:19 AM, vasleon wrote: >> Hello everyone >> >> it is required to specify a valid redirect_uri for each client in order >> for the login form to appear. >> >> how could I remove the check that verifies the redirect_uri exists? I >> would like to make it possible to be able for an application to redirect >> anywhere. ( it is for educational purposes) > > DO NOT DO THIS! > > It's very bad. There is a reason the OpenID Connect and SAML > specifications *mandate* responses only be returned to known > registered clients. > > Also, make sure you understand the difference between redirects > performed during authentication and a post authentication redirect > performed by the application which is not part of the authentication > flow, they are not the same thing. 
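Strict redirect_uri validation of the kind the OpenID Connect and OAuth 2.0 specifications require of an authorization server, written as an added example for this thread; it is not Keycloak's code, and the registered URI and the request URIs in it are constructed samples. The check it demonstrates is an exact, component-wise comparison of the requested redirect_uri against the client's registered URIs, with no prefix, wildcard or "same host" matching, so that the authorization response can only be delivered to a location the client actually registered.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// RedirectDecision records the outcome and the reason, so the
// authorization server can log why a request was refused.
type RedirectDecision struct {
	Allowed bool
	Reason  string
}

func refuse(reason string) RedirectDecision {
	return RedirectDecision{Allowed: false, Reason: reason}
}

// ValidateRedirectURI honours a redirect_uri only when it matches one of
// the client's registered URIs component by component after parsing.
// A fragment is refused outright (the response would be appended to it),
// userinfo is refused (it lets a registered host appear before '@' while
// the real host is something else), and relative URLs are refused.
func ValidateRedirectURI(requested string, registered []string) RedirectDecision {
	if strings.Contains(requested, "#") {
		return refuse("redirect_uri must not contain a fragment")
	}
	req, err := url.Parse(requested)
	if err != nil {
		return refuse("redirect_uri is not a well-formed URL")
	}
	if !req.IsAbs() || req.Host == "" {
		return refuse("redirect_uri must be an absolute URL with a host")
	}
	if req.User != nil {
		return refuse("redirect_uri must not carry userinfo")
	}
	for _, candidate := range registered {
		reg, err := url.Parse(candidate)
		if err != nil {
			continue // a malformed registration never matches anything
		}
		if sameURI(req, reg) {
			return RedirectDecision{Allowed: true, Reason: "exact match with registered URI " + candidate}
		}
	}
	return refuse("redirect_uri matches no registered URI for this client")
}

// sameURI compares scheme and host case-insensitively (both are
// case-insensitive under RFC 3986) and path and query byte for byte.
// The port is part of Host, so "host" and "host:443" are deliberately
// different registrations, and dot segments are not normalised away.
func sameURI(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) &&
		strings.EqualFold(a.Host, b.Host) &&
		a.Path == b.Path &&
		a.RawQuery == b.RawQuery
}

func main() {
	// Constructed sample registration and requests; none are from the thread.
	registered := []string{"https://app.example.com/callback"}
	requests := []string{
		"https://app.example.com/callback",
		"HTTPS://APP.EXAMPLE.COM/callback",
		"https://app.example.com.other.example/callback",
		"https://app.example.com@other.example/callback",
		"https://app.example.com/callback/../admin",
		"https://app.example.com/callback#fragment",
		"https://app.example.com/Callback",
		"https://app.example.com:443/callback",
		"/callback",
	}
	for _, r := range requests {
		d := ValidateRedirectURI(r, registered)
		fmt.Printf("%-48s allowed=%-5v %s\n", r, d.Allowed, d.Reason)
	}
}
```

Each output line shows one request and the reason it was accepted or refused. The strictness is the point: a registration without a port does not match a request that spells out :443, a query string must be registered verbatim, and only the first two requests pass.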
From bruno at abstractj.org Thu Apr 11 17:17:03 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 11 Apr 2019 18:17:03 -0300
Subject: [keycloak-user] Docker image Java 11
In-Reply-To:
References: <20190411194831.GA8461@abstractj.org>
Message-ID:

Cool, thanks!

On Thu, Apr 11, 2019 at 4:59 PM Yervand Aghababyan wrote:
>
> Tried doing that first. Can't login using Red Hat sign in. I had an account there but can't remember the pass and the reset email is not arriving for some reason :)
>
> If it does, I'll create the ticket tomorrow.
>
> On Thu, 11 Apr 2019, 23:48 Bruno Oliveira, wrote:
>>
>> Hi Yervand,
>>
>> At the moment is not supported into our docker image because we depend on the base image.
>>
>> Could you please create a Jira as an enhancement for this?
>>
>> On 2019-04-11, Yervand Aghababyan wrote:
>> > As I understood from here: https://issues.jboss.org/browse/KEYCLOAK-7811 Keycloak already has support for Java 11. So plugins for it can also be developed using java 11. But the official docker distro comes with java 8 only which forces us to repackage and create our own docker image distribution of keycloak just to be able to use java 11 plugins with it.
>> >
>> > Are there plans to bump the java version to 11 in the docker release?
>> >
>> > Official image dockerfile: https://hub.docker.com/r/jboss/keycloak/dockerfile
>> >
>> > --
>> > Best Regards,
>> > Yervand
>> > _______________________________________________
>> > keycloak-user mailing list
>> > keycloak-user at lists.jboss.org
>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>> --
>>
>> abstractj

--
- abstractj

From sulakshana.gunna at microfocus.com Fri Apr 12 02:00:45 2019
From: sulakshana.gunna at microfocus.com (Sulakshana Gunna)
Date: Fri, 12 Apr 2019 06:00:45 +0000
Subject: [keycloak-user] offline token issue - critical
Message-ID:

Hi,

We were using keycloak 1.9.8 and now upgrading to keycloak 4.8.2.
I am facing a blocker issue with respect to refreshing offline tokens. I have opened a ticket, https://issues.jboss.org/browse/KEYCLOAK-10029 I appreciate if anyone faced the similar issue. Details repeated below: We have been using keycloak for our authentication process. We generate offline token using response_type as code and exchange code for token. Our client refreshes it when access token expires. What is observed is, all the offline tokens generated in 1.9.8 keycloak are not as expected after upgrading to 4.8.2 version. They are assigned expires_in to session idle time and subsequent refresh fails with Session Not Active. The issue is impairing our release which is round the corner. Specific details below: With 1.9.8 keycloak: 1) User logs in with the following url: https:///auth/realms//protocol/openid-connect/auth?client_id=&redirect_uri=&response_type=code&scope=offline_access 2) When the code is returned, it is exchanged for token using: curl -s --request POST --header "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" --data "client_id=&client_secret=&redirect_uri=&grant_type=authorization_code&code=" "https:///auth/realms//protocol/openid-connect/token" Sample response: 
{"access_token":"eyJhbGciOiJSUzI1NiJ9.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.Tul3RCempI7aevTh7SqNODSWRS9c6KgT9FbGsulCE90xUdbDE7X_50OV1n9QBtQZH160b8AKbf1BkRGqZtbGWkXWCEvUCY-iyrovtKt-3SsGedpfD-0tEfvd53FgTrxwH8i9DxvRzOIknIDZGcCz39gYokVC-bDnyZynEpMFD1ZRPnS9fSY_S07NmeSakWPD4iF4W_09AGloZb9T5k2denRVrpIEVzoKF6lrP2U98WqvWxnJC8r-l6zZPNsThDcYiZmdOSxrmvQFYmzpaOAShX4Ad6b9vAk7Ri_6lazb3ESBgv2GSnBSRmLSpDcQBWR-qvlqVRpWLDPDCtnICFCfcw","expires_in":900,"refresh_expires_in":0,"refresh_token":"eyJhbGciOiJSUzI1NiJ9.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.aXcghpPA7H7O_KA3uUjxWr5fGvCsPV9uHdVaH5yTJ88p8Y1zhO8l6kGmTO_lYZs9_acKE6CL99kJUtNq_x42YbQEYic8aKTm5Muv41pBznSvTpE0sEn7GmdqMTLA-bCedsCcBDpEOcOJGVT-GfO9iiFYzdKBszUfDCGFPfJrF1NVUy-An7VLz4aJUur2ERu2zMGWj6Edq6go9fAJ6MJRVfT8OWvxgtt-08RpIf8Tsfx0XLIFeCT0kqzGzffadgDrNG_fL8hnODrCRVZ2qV6WAbH7cgpF1zcAsY8NQW0yvuB0hQU3i4pM_ibt-EuLeFSX05SF43PxsVnmhf-ZPBjk4A","token_type":"bearer","id_token":"eyJhbGciOiJSUzI1NiJ9.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.rvlNPmsGd0d57yGtbnmCubF3ctXnyP__lTzTdH08GhJptht0iC7CKTwuXWUfmPHN98iu8cxLyWkqOQ50obcNGOpzZXPQDTx-FW2zcyAVd6sQJxZRtOfJjGAetGaXK1s4BaJr1kwl6jmbVeslggtAAxFGCeIlGUO3zu6Qc0MhfLjOGlmUbno2tI4lAFLWkcp1LQ4vrUx5qS9Jcvs3Y2q5j-l2_XaZTLmCRVpCaWRcay9idLgIJb-yDi1r5RMv36614yTQc8pbf1eawfYp4dN1cO6ldXKG9LfWNbVj8MyD_r9Z3tZlS2fgbAzuHVIcI7BL7HlWE2Rn8uUNGkLfUKZF4w","not-before-policy":1439992645,"session_state":"849c5ed9-6c47-4c3c-93b2-5076cad834e6"} 3) Keycloak is upgraded to 4.8.2. 
4) What is seen in the admin console, is above generated offline tokens are refreshed during upgrade when looked at the last refresh times 5) The offline refresh token is now refreshed with below api after upgrade: curl -s --request POST --header "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" --data "client_id=&client_secret=&grant_type=refresh_token&refresh_token=" "https:///auth/realms//protocol/openid-connect/token" Sample response after upgrade: {"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJUVElxeHVSa3NjSG4zYlNYQ19CUldtTFdlUUdJc3dYMGVKM3BBTlhuODdRIn0.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.i3lEED2K_lVQk3FYDF4GaQlf0esT5iS-eP6vDKzucx9LEgHJy-ZHc4h6KhSlBoLzkFcX8zhecZq2FY69KQQZo_QdTQP3Ja8Pv1CAPRbUx8BZF1PhCmdfs6NFZmxmKSwMHwTSkFTIImbfGguMLHZexYsQ9bYNMX-ZnxlNKL1Uz25RrFAD2YYl06d_No8ojfti7KGamDjeuWK_nW-Vgy_i-6MikVbmeANj4VUEx91Ba1xlpZaGAEqC9qri90Vbr9jRo9x803G76uGsjI8D6ROSTUl2TkfoC1d9H-4KvwBrLaRBL2g-RqE9VnRL9xq5alQXiDFRzL0b7KnSqNRUT0siyw","expires_in":900,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICI5N2Y5OTEyNS1kOTdlLTRhY2EtYTVmMS1mMGVlNjAwYTVmOTYifQ.eyJqdGkiOiJiMGFiNjE5MS01ZWVmLTQ0OTAtYmYzMS04OTFiMDg2Mjk1NzQiLCJleHAiOjE1NTQ5NjAwNDYsIm5iZiI6MCwiaWF0IjoxNTU0OTU4MjQ2LCJpc3MiOiJodHRwczovL3Nzby1jdC13ZXN0LmRldi5hd3MuY29ubmVjdGVkLmNvbS9hdXRoL3JlYWxtcy9DTVgiLCJhdWQiOiJodHRwczovL3Nzby1jdC13ZXN0LmRldi5hd3MuY29ubmVjdGVkLmNvbS9hdXRoL3JlYWxtcy9DTVgiLCJzdWIiOiI3ODVhOWRmYy02MjgxLTQyZWUtOGE1My1mZjdjNTFkNDg4YTgiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiQ01YX0FwcCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6Ijg0OWM1ZWQ5LTZjNDctNGMzYy05M2IyLTUwNzZjYWQ4MzRlNiIsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiIn0.qbL9akZtOrPK-a54A1qTbbCymaxrn2lpX21f_M_PMbQ","token_type":"bearer","not-before-policy":1439992645,"session_state":"849c5ed9-6c47-4c3c-93b2-5076cad
834e6","scope":""} 6) As can be seen above, the new refresh token is now expiring in 1800 sec which is the sso session idle time that I set to my session tokens. Whereas before upgrade these tokens has expires in as 0. And also scope is empty. This scope was not present before the upgrade. 7) At this time when I see the admin console I see that offline session token shows last refresh as the one that I did after upgrade. 8) Now when I refresh this newly generated token, I get the below error: {"error":"invalid_grant","error_description":"Session not active"} 9) But I still see those offline session token in the table and console. 10) On the other hand, I do not see this issue with any new offline session tokens created after upgrading to 4.8.2. So what is happening after the upgrade that these old offline tokens are not treated as offline though they are in the offline session table. Do we have to do anything as a part of upgrade? All we do is pointing keycloak 4.8.2 to the 1.9.8 DB and it takes care of upgrading the database. Thx -Sulakshana From vramik at redhat.com Fri Apr 12 02:39:14 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Fri, 12 Apr 2019 08:39:14 +0200 Subject: [keycloak-user] Issue in importing realm from old version to version 5 In-Reply-To: References: Message-ID: <005066ea-1143-d7bb-adc7-40de7e80cfac@redhat.com> Hey, it seems like a bug, can you create a ticket to https://issues.jboss.org/browse/KEYCLOAK please? As a workaround you can try direct database migration [1]. V. [1] https://www.keycloak.org/docs/latest/upgrading/index.html On 4/11/19 4:05 PM, valsaraj pv wrote: > Hi, > > We need to export & import configuration from an old version 3.4 to new > Keycloak version 5. But it shows error on import: > {"errorMessage":"App doesn't exist in role definitions: realm-management"} > > Is there any option to import realm to new version? > > Thanks! 
> _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From vramik at redhat.com Fri Apr 12 02:48:35 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Fri, 12 Apr 2019 08:48:35 +0200 Subject: [keycloak-user] Import realm settings without removing users In-Reply-To: References: Message-ID: Hey Pavel, if you've exported users as well those should be imported during import as well. When you use -Dkeycloak.migration.strategy=OVERWRITE_EXISTING the existing realm is erased and then imported from file/dir [1] V. [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import On 4/11/19 3:49 PM, Pavel Drankov wrote: > Hi, > > Is there any command-line way to import realms settings without erasing all > the users? If import realm settings with OVERWRITE_EXISTING, keycloak also > removes all the users. > > Best wishes, > Pavel > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From vramik at redhat.com Fri Apr 12 02:54:53 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Fri, 12 Apr 2019 08:54:53 +0200 Subject: [keycloak-user] User creation In-Reply-To: References: Message-ID: <8c634fac-fd05-2e30-2db9-a89ba51df296@redhat.com> Hey Pavel, inline On 4/10/19 5:36 PM, Pavel Drankov wrote: > Hello, > > I'm trying to implement a two-step registration process based keylock. On > the first step enters the same information as in the default registration > form, but with the addition of telephone number. On the second step, he > enters a code received via an SMS message. > > The problem I faced is that if a user successfully filled the first step > registration form and failed to enter a valid code on the second step, he > is not able to use the same email address on the first step(because of "Email > already exists." error). 
Is there a way to clean up not fully registered > users and allow them to re-register if they have not finished all the step > from the registration flow. It doesn't sound right, I think the registration should be an atomic operation, so either both steps are successful and user is registered or the user is not registered. To tell more I'd need to know more information how you've developed the described functionality. Regards, V. > > Best wishes, > Pavel > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user From uo67113 at gmail.com Fri Apr 12 03:03:58 2019 From: uo67113 at gmail.com (=?UTF-8?Q?Luis_Rodr=C3=ADguez_Fern=C3=A1ndez?=) Date: Fri, 12 Apr 2019 09:03:58 +0200 Subject: [keycloak-user] SAML securing application via browser / REST API via ECP on wildfly In-Reply-To: <791dd9d6bcfe4e16878db390dbb7f42c@EXMBX24.SFP-Net.skyfillers.local> References: <791dd9d6bcfe4e16878db390dbb7f42c@EXMBX24.SFP-Net.skyfillers.local> Message-ID: Hello Manuel, Please, do not say sorry, you do not bother at all. Me for the scenarios like that one I use the keycloak java servlet filter adapter [1]. This allows me to use SAML2 for the user interface (web profile) and basic authentication for APIs: Keycloak Filter /saml Keycloak Filter /secure/ui/* ApiController /secure/api/* API /secure/api/* * Wildcard allows any authenticated user to access * Hope it helps, Luis [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-servlet-filter-adapter El jue., 11 abr. 
2019 at 14:31, Manuel Waltschek (< manuel.waltschek at prisma-solutions.at>) wrote: > Hello Luis, > > sorry to bother you again, but for me it is unclear if this can coexist with > SAML authentication for the same web-app, since it needs a special > keycloak.json as seen in > https://github.com/keycloak/keycloak/tree/master/examples/basic-auth > > Regards, > > Manuel > > *From:* Luis Rodríguez Fernández > *Sent:* Thursday, 11 April 2019 14:07 > *To:* Manuel Waltschek > *Subject:* Re: [keycloak-user] SAML securing application via browser / > REST API via ECP on wildfly > > Hello Manuel, > > If your client can keep secrets I would go for good old basic > authentication or OAuth2 with the client credentials flow [1]: > machine-to-machine authentication where a specific user's permission to > access data is not required. > > Hope it helps, > > Luis > > [1] https://tools.ietf.org/html/rfc6749#section-4.4 > > On Thu., 11 Apr. 2019 at 11:14, Manuel Waltschek (< > manuel.waltschek at prisma-solutions.at>) wrote: > > Hello KC Community! > > We are currently securing our war via browser SSO with SAML. We are > deploying on wildfly 10 and are using keycloak as an IdP broker. > We have the requirement to also secure a REST endpoint which is invoked by > a third party. I read about ECP shortly in the KC docs and some forum > discussions, but I could not find out how to set this up. It is also > unclear if keycloak even supports this feature. If not ECP, are there any > other known ways to support this behaviour? > > Regards, > > > [Logo] > > Manuel Waltschek BSc.
> > +43 660 86655 47 > > manuel.waltschek at prisma-solutions.at > > https://www.prisma-solutions.com > > PRISMA solutions EDV-Dienstleistungen GmbH > Klostergasse 18, 2340 Mödling, Austria > Commercial register: FN 239449 g, Landesgericht Wiener Neustadt -- "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett From lorenzo.luconi at iit.cnr.it Fri Apr 12 03:11:58 2019 From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi) Date: Fri, 12 Apr 2019 09:11:58 +0200 Subject: [keycloak-user] Remove check for redirect_uri In-Reply-To: <90bf973f-c923-e808-2852-578f78e0dd6e@yahoo.gr> References: <98a70e2e-453e-c3be-6407-2dcc84db83c0@yahoo.gr> <90bf973f-c923-e808-2852-578f78e0dd6e@yahoo.gr> Message-ID: <3EC782FD-AA21-49CC-8BD0-D2949BBB2E7F@iit.cnr.it> Hi, > On 11 Apr 2019, at 22:57, vasleon wrote: > > Thank you for the clarification between redirects performed during > authentication and a post authentication redirect performed by the > application. > I know it is bad to do so. I want to make it vulnerable on purpose so I > can show to students how this vulnerability can affect OpenID Connect. > > I am familiarizing with the code available on github for now and > trying to convert it to gradle and put it on intellij. > > Any hint or help on which files need to be edited to achieve this is > very welcome we already answered your question (me and Stan Silvert). You can put a wildcard * in Valid Redirect Uris: Menu Clients -> "your client"
-> Settings tab -> Valid Redirect Uris Lorenzo > > thank you > > > On 11-Apr-19 18:44, John Dennis wrote: >> On 4/11/19 7:19 AM, vasleon wrote: >>> Hello everyone >>> >>> it is required to specify a valid redirect_uri for each client in order >>> for the login form to appear. >>> >>> how could I remove the check that verifies the redirect_uri exists? I >>> would like to make it possible for an application to be able to redirect >>> anywhere. (it is for educational purposes) >> >> DO NOT DO THIS! >> >> It's very bad. There is a reason the OpenID Connect and SAML >> specifications *mandate* responses only be returned to known >> registered clients. >> >> Also, make sure you understand the difference between redirects >> performed during authentication and a post authentication redirect >> performed by the application which is not part of the authentication >> flow, they are not the same thing. From lorenzo.luconi at iit.cnr.it Fri Apr 12 03:21:20 2019 From: lorenzo.luconi at iit.cnr.it (Lorenzo Luconi Trombacchi) Date: Fri, 12 Apr 2019 09:21:20 +0200 Subject: [keycloak-user] Login with email in keycloak not working for federated user In-Reply-To: References: <2F9C94E5-FF63-49BC-AAC1-44895E9D2889@iit.cnr.it> Message-ID: <530A71BD-641C-484E-86C9-74EFC75E4D02@iit.cnr.it> Hi Kapil, sorry, I have no experience with LDAP and LDAP user federation. I developed a keycloak user federation plugin for our internal database and as I said e-mail authentication works fine. Lorenzo > On 12 Apr 2019, at 03:03, kapil joshi wrote: > > Hi Lorenzo, > > We are using the JavaScript adapter for the client and the stable helm chart for Keycloak; somewhere I read we need a mapping of the LDAP mail attribute with username. But I didn't exactly get what it was. Can someone point me to that.
> > Thanks > Kapil > > On Thu, 11 Apr 2019, 20:10 Lorenzo Luconi Trombacchi, > wrote: > Just tested with my user federation implementation and it works (4.8.3.Final). I can login to my app using an email address. > You must implement the UserLookupProvider interface and the getUsersByEmail method. > > Lorenzo > > > > On 11 Apr 2019, at 15:59, kapil joshi wrote: > > > > Hi Team, > > > > Login with email in Keycloak is not working for federated users, please note > > that we have enabled the switch to Login With Email. > > Can someone point us to what we are missing. > > > > Thanks & regards > > Kapil > From pulkitsrivastavajd at gmail.com Fri Apr 12 04:07:31 2019 From: pulkitsrivastavajd at gmail.com (Pulkit Srivastava) Date: Fri, 12 Apr 2019 13:37:31 +0530 Subject: [keycloak-user] Keycloak Remember me Message-ID: Hi All, I was wondering if authentication through an external IDP (google, facebook, saml etc.) supports remember me functionality. I know it works for internal keycloak authentication. Thanks in advance. Thanks, Pulkit From abhi.raghav007 at gmail.com Fri Apr 12 04:20:48 2019 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Fri, 12 Apr 2019 13:50:48 +0530 Subject: [keycloak-user] Custom account provider not working after upgrading to 4.8.3.Final Message-ID: Hi - We have implemented a custom account provider which implements AccountProviderFactory and the implementation class extends FreeMarkerAccountProvider. It is packaged and deployed as a provider with a service definition file. This used to work in keycloak 3.4.3.Final but not after we upgraded to keycloak 4.8.3.Final. We also identified that the provider is not even registered/initialized during boot time of keycloak. Could somebody please tell - whether keycloak has removed support for extending the Account provider SPI.
Or is there any other way to extend the account provider in keycloak 4.8.3.Final. Any help is greatly appreciated. Thanks -Abhishek From lilian.benoit at lbenoit.fr Fri Apr 12 04:46:14 2019 From: lilian.benoit at lbenoit.fr (Lilian BENOIT) Date: Fri, 12 Apr 2019 10:46:14 +0200 Subject: [keycloak-user] Login with email in keycloak not working for federated user In-Reply-To: <530A71BD-641C-484E-86C9-74EFC75E4D02@iit.cnr.it> References: <2F9C94E5-FF63-49BC-AAC1-44895E9D2889@iit.cnr.it> <530A71BD-641C-484E-86C9-74EFC75E4D02@iit.cnr.it> Message-ID: <17ed227bdf49633cf1b3d34449702a98@lbenoit.fr> Hi Kapil, For one of my clients, we use Keycloak with federated users (LDAP). We have activated Login with email (Realm settings) and it works fine. With this option, we don't change the email mapping. Regards, Lilian. On 12/04/2019 09:21, Lorenzo Luconi Trombacchi wrote: > Hi Kapil, > > sorry, I have no experience with LDAP and LDAP user federation. I > developed a keycloak user federation plugin for our internal database > and as I said e-mail authentication works fine. > > Lorenzo > > > >> On 12 Apr 2019, at 03:03, kapil joshi >> wrote: >> >> Hi Lorenzo, >> >> We are using the JavaScript adapter for the client and the stable helm chart >> for Keycloak; somewhere I read we need a mapping of the LDAP mail attribute >> with username. But I didn't exactly get what it was. Can someone point >> me to that. >> >> Thanks >> Kapil >> >> On Thu, 11 Apr 2019, 20:10 Lorenzo Luconi Trombacchi, >> > wrote: >> Just tested with my user federation implementation and it works >> (4.8.3.Final). I can login to my app using an email address. >> You must implement the UserLookupProvider interface and the getUsersByEmail >> method. >> >> Lorenzo >> >> >> > On 11 Apr 2019, at 15:59, kapil joshi > wrote: >> > >> > Hi Team, >> > >> > Login with email in Keycloak is not working for federated users, please note >> > that we have enabled the switch to Login With Email.
>> > Can someone point us to what we are missing. >> > >> > Thanks & regards >> > Kapil From vramik at redhat.com Fri Apr 12 04:55:13 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Fri, 12 Apr 2019 10:55:13 +0200 Subject: [keycloak-user] Import realm settings without removing users In-Reply-To: References: Message-ID: <5f90cdd7-11e7-e234-41ae-bb3e06d3be2a@redhat.com> On 4/12/19 10:52 AM, Pavel Drankov wrote: > > if you've exported users as well, those should be imported during > import > as well. > > I don't want to export/import users, just realm settings. Is it > possible to import realm settings without erasing _users?_ afaik it's not possible at the moment. V. > > > Best wishes, > Pavel > > > On Fri, 12 Apr 2019 at 09:48, Vlasta Ramik > wrote: > Hey Pavel, > > if you've exported users as well, those should be imported during > import > as well. > > When you use -Dkeycloak.migration.strategy=OVERWRITE_EXISTING the > existing realm is erased and then imported from file/dir [1] > > V. > > [1] > https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import > > On 4/11/19 3:49 PM, Pavel Drankov wrote: > > Hi, > > > > Is there any command-line way to import realm settings without > erasing all > > the users? If I import realm settings with OVERWRITE_EXISTING, > keycloak also > > removes all the users.
> > > > Best wishes, > > Pavel > From valsarajpv at gmail.com Fri Apr 12 05:08:47 2019 From: valsarajpv at gmail.com (valsaraj pv) Date: Fri, 12 Apr 2019 14:38:47 +0530 Subject: [keycloak-user] Issue in importing realm from old version to version 5 In-Reply-To: <005066ea-1143-d7bb-adc7-40de7e80cfac@redhat.com> References: <005066ea-1143-d7bb-adc7-40de7e80cfac@redhat.com> Message-ID: Hi, It worked fine when I imported the json file in the add realm section. The error occurred when I tried to import from the Import section in the KC admin console. Thanks! On Fri, Apr 12, 2019 at 12:09 PM Vlasta Ramik wrote: > Hey, > > it seems like a bug, can you create a ticket at > https://issues.jboss.org/browse/KEYCLOAK please? > > As a workaround you can try direct database migration [1]. > > V. > > [1] https://www.keycloak.org/docs/latest/upgrading/index.html > > On 4/11/19 4:05 PM, valsaraj pv wrote: > > Hi, > > > > We need to export & import configuration from an old version 3.4 to the new > > Keycloak version 5. But it shows an error on import: > > {"errorMessage":"App doesn't exist in role definitions: > realm-management"} > > > > Is there any option to import the realm to the new version? > > > > Thanks! > -- Life is like this: "Just when we get all the answers of life.... God changes the question paper....
Valsaraj Viswanathan From vramik at redhat.com Fri Apr 12 05:14:19 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Fri, 12 Apr 2019 11:14:19 +0200 Subject: [keycloak-user] User creation In-Reply-To: References: <8c634fac-fd05-2e30-2db9-a89ba51df296@redhat.com> Message-ID: <4f744ea0-d2d4-12a8-87f1-37edbde52532@redhat.com> On 4/12/19 10:49 AM, Pavel Drankov wrote: > > registration should be an atomic > > Sure, I agree with you. But, a user is created after the first step by > default. How can I make the user creation process consisting of two > steps atomic? I suppose you've implemented a custom SPI execution [1]. Then in the admin console in the "Authentication" tab you should make a copy of the "Registration" flow. Then you have to add a new execution [Actions -> Add execution] (your custom execution with sms validation) to "Copy Of Registration Registration Form" and then you make the execution "REQUIRED". [1] https://www.keycloak.org/docs/latest/server_development/index.html#_providers > > Best wishes, > Pavel > > > On Fri, 12 Apr 2019 at 09:54, Vlasta Ramik > wrote: > Hey Pavel, > > inline > > On 4/10/19 5:36 PM, Pavel Drankov wrote: > > Hello, > > > > I'm trying to implement a two-step registration process based on > Keycloak. On > > the first step the user enters the same information as in the default > registration > > form, but with the addition of a telephone number. On the second > step, he > > enters a code received via an SMS message. > > > > The problem I faced is that if a user successfully filled the > first step > > registration form and failed to enter a valid code on the second > step, he > > is not able to use the same email address on the first > step (because of the "Email > > already exists." error). Is there a way to clean up not fully > registered > > users and allow them to re-register if they have not finished > all the steps > > from the registration flow.
> > It doesn't sound right, I think the registration should be an atomic > operation, so either both steps are successful and the user is > registered or > the user is not registered. > > To tell more I'd need to know more about how you've > developed the > described functionality. > > Regards, > > V. > > > > > Best wishes, > > Pavel > From sblanc at redhat.com Fri Apr 12 06:12:29 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 12 Apr 2019 12:12:29 +0200 Subject: [keycloak-user] Keycloak and shared JWT secrets In-Reply-To: <8c73e82b-104d-a33b-e7ef-fa165de35364@thewordnerd.info> References: <2b20c86f-f1e3-ccab-215a-4b3231c9c7eb@thewordnerd.info> <8c73e82b-104d-a33b-e7ef-fa165de35364@thewordnerd.info> Message-ID: On Thu, Apr 11, 2019 at 7:57 PM Nolan Darilek wrote: > Yes, that's the JWT plugin I'm using. > > > I will eventually need roles. Can I do this without enabling > authorization on the client? I'll be using Caddy's JWT module to > authorize access to some resources. I don't know if this means I need > authorization support to enable roles, or if I *don't* need > authorization support because I'm not asking Keycloak to grant or deny > access to my pages based on their URLs. > Looking at the Caddy JWT plugin, it looks like it can do some basic RBAC; it will be looking at the "groups" claim of the token. In Keycloak, roles are not put by default in a "groups" claim but you can easily do that by creating a custom mapper. And you don't need authorization enabled for this. > > > When you say to use a public client because Caddy won't handle this, > what specifically do you mean? It won't handle setting a public key? It > does seem to via the JWT_PUBLIC_KEY environment variable as you noted. I > imagine I'll need to retrieve that from a .well-known endpoint?
> Otherwise, I'm not sure what isn't being handled here. Sorry if I seem > dense--this is a bit overwhelming and I'd like to get it right. > What I meant is it does use the shared secret but the public key for signature validation. So yes you have to set JWT_PUBLIC_KEY hardcoded or, as you said, maybe the Caddy JWT plugin can handle retrieving the key from the JWKS endpoint; if it can, in keycloak the endpoint is there: http://localhost:8180/auth/realms/myrealm/protocol/openid-connect/certs > > I'm not using the JS adapter because I don't have an app as such. For > now I just have some static pages generated by Hugo, and I'm trying to > gate access to a /members section. In the future I'll probably have a > few different levels of access, which I'll represent by roles, so > /members/gold, /members/silver, etc. may be gated by role. This blocking > is happening on the server side. I'm not immediately clear on how the JS > library would help in this case, since my pages are just being served up > directly. > > Thanks for the pointer on the wrong redirect URL. I used the /account > endpoint because it at least prompts me to log in if I'm not. When I say > that I'm being redirected, I mean that hitting /members doesn't take me > to the members-only page, but takes me to the account redirect if I'm > logged into Keycloak, which I definitely am. > > Thanks for the help. > > On 4/11/19 12:22 PM, Sebastien Blanc wrote: > > Hi, > > > > Are you using > > https://github.com/BTBurke/caddy-jwt/blob/master/README.md ? > > > > So I never used Caddy but a couple of things: > > > > * Keycloak uses RSA to sign the token, so you need to specify > > JWT_PUBLIC_KEY in Caddy and not the JWT_SECRET. > > * Just use a public client (because Caddy JWT probably doesn't handle > > this) and do not enable authorization (you just want authentication, > > right?)
> > * the redirect field from your config block looks like it is the > > endpoint for authenticating your user, not sure why you are using the > > /account endpoint, this is a completely different thing (this is the > > "space" where logged-in users can manage their account: reset > > password etc ...), the redirect value would look something like: > > > > > http://localhost:8180/auth/realms/myrealmprotocol/openid-connect/auth?client_id=myclient&redirect_uri=http%3A%2F%2Flocalhost%3A8080&response_mode=fragment&response_type=code > > > > < http://localhost:8180/auth/realms/katacoda/protocol/openid-connect/auth?client_id=quarkus-front&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2F&state=6d7a4fdb-ee71-41d6-846d-1e0a4b7060ab&response_mode=fragment&response_type=code > > > > > > If your app is just a service endpoint you probably don't need the > > redirect field to be set since you will obtain the token differently: > > You said that you kept being redirected even when you are logged in, > > what does "logged in" mean? Did you manage to log in with > > Keycloak? Are you using the Keycloak Javascript adapter in your > > webapp to obtain your token? > > > > On Thu, Apr 11, 2019 at 4:38 PM Nolan Darilek > > wrote: > > > > Apologies if the answer to this is simple. I've pored through > > every doc > > I can get my hands on and am a bit overwhelmed. > > > > > > I'm trying to set up a shared account service that works across my > > static website, forum, and eventually on mobile apps. Given that > > security isn't a core competency, I decided to try using Keycloak > > for this. > > > > > > My first goal is to require authentication to example.com/members. I'm > > using the Caddy web server which has a JWT-based protection scheme > > built-in. Keycloak is running at example.com/auth. > > > > > > What I *thought* I'd do is set up my website as a confidential client > > with authorization enabled.
Caddy needs a shared secret for the > > JWT, so > > I thought this would be the client secret. Also, since my website and > > Keycloak are on the same domain, I thought that if they shared a > > secret > > and if Caddy looked to the KEYCLOAK_IDENTITY cookie, that > > authentication > > would just work. Alas, no. Here's my Caddy JWT configuration block: > > > > jwt { > > path /members > > redirect /auth/realms/myrealm/account > > token_source header > > token_source cookie KEYCLOAK_IDENTITY > > } > > > > Visiting /members just redirects me to my account page again and > > again, > > even if I'm logged in. > > > > > > Am I completely off the rails here? I thought about using the client > > library, but I don't know if that works for confidential > > authorization > > setups. I don't even know if I *need* a confidential authorization > > setup > > here, or if I'm completely misunderstanding. It also occurs to me > > that > > I'm redirecting to /auth/realms/myrealm/account. There's nothing > > in that > > URL indicating which client to use, and as such, which secret to > > generate the JWT with. So before I go too much further down this > > rabbit > > hole, I wanted to check my assumptions. > > > > > > Thanks for any help. From sblanc at redhat.com Fri Apr 12 06:26:12 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Fri, 12 Apr 2019 12:26:12 +0200 Subject: [keycloak-user] Lookup user during registration In-Reply-To: References: Message-ID: Have you looked here https://www.keycloak.org/docs/latest/server_development/index.html#modifying-extending-the-registration-form ?
You can probably add this check in the validate method. On Thu, Apr 11, 2019 at 2:03 PM Pavel Drankov wrote: > Hi, > > What do I have to do if I want to check if a user with a specific email > already exists during the registration flow? How can I do this on the SPI > module side? > > Best wishes, > Pavel > From mrestelli at cuebiq.com Fri Apr 12 06:28:57 2019 From: mrestelli at cuebiq.com (Matteo Restelli) Date: Fri, 12 Apr 2019 12:28:57 +0200 Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak In-Reply-To: References: Message-ID: Hi Pedro, I'll try to reply to your questions: - We've configured Cognito as an identity provider in Keycloak, importing the configuration via the OIDC discovery-configuration endpoint. At this point we needed to introduce the clientID & secret, so we've created a new confidential client inside AWS Cognito and used its id & secret in the Keycloak identity provider config - We've set the permission & policy for the token exchange feature on our Keycloak client - The SRP flow leverages the SRP authentication protocol (so basically, no password is sent to the server). The result of this flow is a couple of JWT tokens (access and id token), but the access token doesn't respect the OIDC rules (it doesn't contain the openid scope). This last point is what makes the token exchange process impossible (this because, during the process, Cognito replies that "the token doesn't contain the openid scope"). About that I want to highlight the fact that these problems are entirely Cognito related: if we use a standard OAuth2 flow (like Authorization code grant or implicit) the process works as expected. - Since the SRP flow enables us to use a self-hosted login page which doesn't send the password directly to the server, we've tried to find another solution.
So we've tried to provide the id token to the token exchange endpoint, changing some parameters of the HTTP call. And at this point something unexpected for us happened: the token exchange process also works when providing the id token. Here's the reason for my first flow of questions: is this behaviour expected? Is the "exchange with id token" approach a feasible and good one? Or is it completely a bad approach? - Since using this flow (SRP) forces us to provide the id token to our backend side, here comes the other flow of questions :). From an OIDC point of view, can it be a right approach to access a backend resource from a single page application using an id token? I've always read that if you want to access a backend resource from a client application, it is better to use the access token, because the id token contains a lot of user information and must be used only by the client application. - Here's the curl of the token exchange process with the access token (I'm omitting some info): curl -X POST \ -d "client_id=test" \ -d "client_secret=" \ --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ -d "subject_issuer=" \ -d "subject_token=" \ --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ -d "audience=test" \ http://localhost:8080/auth/realms//protocol/openid-connect/token - Here's the curl of the token exchange process with the id token (I'm omitting some info): curl -X POST \ -d "client_id=test" \ -d "client_secret=" \ --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ -d "subject_issuer=" \ -d "subject_token=" \ --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:id_token" \ -d "audience=test" \ http://localhost:8080/auth/realms//protocol/openid-connect/token Let me know if you need more info. Thank you again, Matteo Restelli On Wed, Apr 10, 2019 at 3:40 PM Pedro Igor Silva wrote: > Hi, > > So you are doing external to internal exchange.
It is not clear to me how > you configured AWS Cognito as an identity provider and what/how the SRP > flow works. Could you provide more details, please? Is the token issued by > Cognito a JWT? > > In addition to that, what does your token exchange request look like when using > both id_token and access_token as a subject_token? > > On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli > wrote: > >> Any news on that? >> >> Thank you! >> Matteo >> >> ============================= >> >> >> Hi all, >> We're using AWS Cognito as our Identity provider for our platform. We're >> trying to use an internal instance of Keycloak, in order to check the >> possibility to use KC for authorization purposes (this because Keycloak >> has >> a wonderful and powerful authorization system that fulfills our needs, and >> for that I want to say "Thank you very much" :) ). For this reason we >> want to use the token exchange feature of Keycloak. >> More specifically we want to follow this flow: >> >> - User authenticates on AWS Cognito via SRP auth flow (which basically is >> not a standard OIDC/OAuth2 authentication flow) >> - User sends the access token to contact the backend service and, in the >> middle, this token is translated to an internal one, minted by Keycloak >> >> If we provide the AWS Cognito access token to the token exchange endpoint, >> with the subject_token_type parameter set to >> "urn:ietf:params:oauth:token-type:access_token", an error is returned >> stating that the access token doesn't contain the "openid" scope. Despite >> this we've tried another way, providing the id token to the token exchange >> endpoint with the subject_token_type parameter set to >> "urn:ietf:params:oauth:token-type:id_token", and we discovered that this >> alternative way works. So, my questions are: >> >> - Is the "exchange with id token" approach a feasible and good one? Or is >> it completely a bad approach?
>> - From an OIDC point of view, can it be a right approach to access a backend >> resource from a single page application using an id token? I've always >> read that if you want to access a backend resource from a client >> application, it is better to use the access token, because the id token >> contains a lot of user information and must be used only by the client >> application >> >> Thank you very much, >> Matteo >> >> >> PS: As a side note, I want to clarify that if we follow an authorization >> code grant flow, or an implicit flow, during the authentication against >> AWS >> Cognito, the access token exchange works as expected. So this means that >> the problem is related to the shape of the token released by Cognito. >> >> -- >> >> This email is reserved >> exclusively for sending and receiving messages inherent to working >> activities, >> and is not intended nor authorized for personal use. Therefore, any >> outgoing messages or incoming response messages will be treated as company >> messages and will be subject to the corporate IT policy and may possibly >> be read by persons other than the subscriber of the box. Confidential >> information may be contained in this message. If you are not the addressee >> indicated in this message, please do not copy or deliver this message to >> anyone. In such case, you should notify the sender immediately and delete >> the original message.
From cedric at couralet.eu Fri Apr 12 07:12:48 2019 From: cedric at couralet.eu (cedric@couralet.eu) Date: Fri, 12 Apr 2019 13:12:48 +0200 Subject: [keycloak-user] Managing different timeouts between keycloak and application Message-ID: <1789-5cb07280-5-2e9642c0@38297601> Hi, When using the keycloak-servlet-filter-adapter, we saw that the http session expires at the same time the keycloak sso idle timeout occurs. Going through the code in OIDCSessionFilterStore, these lines seem to be the cause: // Refresh failed, so user is already logged out from keycloak. Cleanup and expire our session //log.fine("Cleanup and expire session " + httpSession.getId() + " after failed refresh"); cleanSession(httpSession); httpSession.invalidate(); Is there a way to have different timeouts between the 2? We may want to keep the session alive in our app for longer than in keycloak (to be the same as the servlet container in our case).
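An added illustration of the coupling asked about in the message above (a simulation written for this page, not code from the thread and not Keycloak's OIDCSessionFilterStore): the servlet session has its own idle timeout, but the adapter only keeps it while the SSO session can still refresh the tokens, so the effective lifetime is the shorter of the two. The timeout values, the SsoSession/AppSession classes and the refresh() stand-in for the token endpoint are all assumptions made for the example.

```python
"""Why the application session ends with the SSO idle timeout.

Simulation written for this page, not Keycloak's OIDCSessionFilterStore.
The timeouts below are assumed values; SsoSession.refresh() stands in for
the token endpoint's refresh_token grant.
"""
from dataclasses import dataclass
from typing import List, Optional

SSO_IDLE = 30 * 60          # assumed Keycloak "SSO Session Idle": 30 minutes
APP_SESSION_IDLE = 60 * 60  # assumed servlet container session-timeout: 60 minutes
ACCESS_LIFESPAN = 5 * 60    # assumed access token lifespan: 5 minutes


@dataclass
class SsoSession:
    """IdP-side state: the SSO session idles out when not refreshed in time."""
    last_refresh: float
    active: bool = True

    def refresh(self, now: float) -> Optional[float]:
        """Stand-in for the refresh_token grant: returns the new access token
        expiry, or None once the SSO session has idled out or was logged out."""
        if not self.active or now - self.last_refresh > SSO_IDLE:
            self.active = False
            return None
        self.last_refresh = now
        return now + ACCESS_LIFESPAN


@dataclass
class AppSession:
    """Servlet-side state: the adapter keeps the tokens in the HTTP session."""
    sso: SsoSession
    access_exp: float
    last_request: float
    valid: bool = True


def handle_request(sess: AppSession, now: float,
                   keep_local_on_refresh_failure: bool = False) -> bool:
    """One pass of the filter; True means the request is served as authenticated.

    keep_local_on_refresh_failure=True models the decoupling asked about in the
    thread (a local session that outlives the SSO session). It is here only to
    make the consequence visible: the app keeps serving a user the IdP already
    considers logged out.
    """
    if not sess.valid:
        return False
    if now - sess.last_request > APP_SESSION_IDLE:   # container idle timeout
        sess.valid = False
        return False
    sess.last_request = now
    if now < sess.access_exp:                        # token still fresh, no IdP call
        return True
    new_exp = sess.sso.refresh(now)                  # access token expired: refresh
    if new_exp is None:
        if keep_local_on_refresh_failure:
            return True                              # SSO is gone, app carries on
        sess.valid = False                           # what the adapter does today
        return False
    sess.access_exp = new_exp
    return True


def simulate(gaps: List[int], keep_local_on_refresh_failure: bool = False) -> List[bool]:
    """Log in at t=0, then send one request after each gap (seconds)."""
    now = 0.0
    sess = AppSession(sso=SsoSession(last_refresh=now),
                      access_exp=now + ACCESS_LIFESPAN, last_request=now)
    outcomes = []
    for gap in gaps:
        now += gap
        outcomes.append(handle_request(sess, now, keep_local_on_refresh_failure))
    return outcomes


if __name__ == "__main__":
    print("10-minute gaps:", simulate([600, 600, 600]))
    print("45-minute gap:", simulate([2700]))
    print("45-minute gap, decoupled:", simulate([2700], True))
```

With these numbers a user who is active every 10 minutes stays logged in indefinitely (each refresh extends the SSO idle window), but one 45-minute pause ends the application session even though the container's 60-minute timeout has not elapsed. The decoupled variant keeps serving that user, which is exactly the state the adapter's "Refresh failed, so user is already logged out from keycloak" branch exists to prevent: a longer local session would let access continue after an IdP-side logout or idle expiry, so the place to change the effective lifetime is the realm's SSO idle setting, not the adapter's handling of a failed refresh.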
Cédric

From titantins at gmail.com Fri Apr 12 07:42:40 2019
From: titantins at gmail.com (Pavel Drankov)
Date: Fri, 12 Apr 2019 14:42:40 +0300
Subject: [keycloak-user] User creation
In-Reply-To: <4f744ea0-d2d4-12a8-87f1-37edbde52532@redhat.com>
References: <8c634fac-fd05-2e30-2db9-a89ba51df296@redhat.com> <4f744ea0-d2d4-12a8-87f1-37edbde52532@redhat.com>

> I suppose you've implemented custom SPI execution [1],
> Then in admin console in "Authentication" tab you should make a copy of "Registration" flow. Then you have to add new execution [Actions -> Add execution] (your custom execution with sms validation) to "Copy Of Registration Registration Form" and then you make the execution "REQUIRED".

Already did this. My point is that the default registration steps combined with a custom one can't be an atomic operation. User entity is created on the first step without fully passing through the flow.

On Fri, 12 Apr 2019 at 12:14, Vlasta Ramik wrote:

> On 4/12/19 10:49 AM, Pavel Drankov wrote:
>
>>> registration should be an atomic
>>
>> Sure, I agree with you. But, a user is created after the first step by default. How can I make the user creation process consisting of two steps atomic?
>
> I suppose you've implemented custom SPI execution [1],
> Then in admin console in "Authentication" tab you should make a copy of "Registration" flow. Then you have to add new execution [Actions -> Add execution] (your custom execution with sms validation) to "Copy Of Registration Registration Form" and then you make the execution "REQUIRED".
>
> [1] https://www.keycloak.org/docs/latest/server_development/index.html#_providers
>
>> Best wishes,
>> Pavel
>>
>> On Fri, 12 Apr 2019 at 09:54, Vlasta Ramik wrote:
>>
>>> Hey Pavel,
>>>
>>> inline
>>>
>>> On 4/10/19 5:36 PM, Pavel Drankov wrote:
>>>> Hello,
>>>>
>>>> I'm trying to implement a two-step registration process based on Keycloak. On the first step the user enters the same information as in the default registration form, but with the addition of telephone number. On the second step, he enters a code received via an SMS message.
>>>>
>>>> The problem I faced is that if a user successfully filled the first step registration form and failed to enter a valid code on the second step, he is not able to use the same email address on the first step (because of "Email already exists." error). Is there a way to clean up not fully registered users and allow them to re-register if they have not finished all the steps from the registration flow?
>>>
>>> It doesn't sound right, I think the registration should be an atomic operation, so either both steps are successful and user is registered or the user is not registered.
>>>
>>> To tell more I'd need to know more information how you've developed the described functionality.
>>>
>>> Regards,
>>>
>>> V.
>>>
>>>> Best wishes,
>>>> Pavel

From bruno at abstractj.org Fri Apr 12 07:47:45 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Fri, 12 Apr 2019 08:47:45 -0300
Subject: [keycloak-user] Java 11 (Docker container base)

Hi Chris, the following Jira was created to address this: https://issues.jboss.org/browse/KEYCLOAK-10059

On Thu, Jan 3, 2019 at 12:35 PM Chris Brandhorst wrote:
>
> Sebastian,
>
> The link [1] only shows support on RHEL and Windows environments. Do you mean to say the 2023 date is also valid for OpenJDK running in the Docker-version of Keycloak, regardless of underlying architecture?
>
> [1] https://access.redhat.com/articles/1299013
>
> Chris
>
>> From the support perspective, Red Hat offers extended support till June 2023 [1].
>>
>> Our move towards JDK11 (LTS) relies heavily on Wildfly/EAP Team. I guess we still have plenty of time to do the switch, so I wouldn't rush things too much.
>>
>> BTW, why do you need JDK11, especially in the container?
>>
>> [1] https://access.redhat.com/articles/1299013
>>
>>> On Tue, Oct 23, 2018 at 1:13 PM Pavel Micka wrote:
>>>
>>> Sorry, end of January (my fault): https://www.oracle.com/technetwork/java/eol-135779.html. Then Oracle Java and OpenJDK will most probably start to diverge, as OpenJDK will not have access to Oracle repos (afaik). So the speed of security fixes will depend on willingness of community to fix the upcoming issues.
>>>
>>> Pavel
>>>
>>> From: Meissa M'baye Sakho
>>> Sent: Tuesday, October 23, 2018 11:04 AM
>>> To: Pavel Micka
>>> Cc: keycloak-user
>>> Subject: Re: [keycloak-user] Java 11 (Docker container base)
>>>
>>> Hello,
>>> Pavel, where did you get the information that the official Java 8 support will cease at the end of December?
>>> https://access.redhat.com/articles/1299013
>>> https://www.oracle.com/technetwork/java/javase/eol-135779.html
>>> Meissa
>>>
>>> On Mon, 22 Oct 2018 at 16:33, Pavel Micka <Pavel.Micka at zoomint.com> wrote:
>>> Hello everyone,
>>>
>>> What is the plan for Java 11 support? The point is that current versions of Docker containers are based on OpenJDK 8, but the official Java 8 support will cease at the end of December. Will Keycloak use Java 11 by that time or will it rely on updates provided by the community?
>>>
>>> This is important to us, as Keycloak is an important part of our app security.
>>>
>>> Thanks,
>>>
>>> Pavel
>>>
>>> // I have found this ticket in Jira, but it does not provide too many details: https://issues.jboss.org/browse/KEYCLOAK-7811

--
- abstractj

From titantins at gmail.com Fri Apr 12 07:50:52 2019
From: titantins at gmail.com (Pavel Drankov)
Date: Fri, 12 Apr 2019 14:50:52 +0300
Subject: [keycloak-user] Import realm settings without removing users
In-Reply-To: <5f90cdd7-11e7-e234-41ae-bb3e06d3be2a@redhat.com>
References: <5f90cdd7-11e7-e234-41ae-bb3e06d3be2a@redhat.com>

> afaik it's not possible at the moment.

Is there any plan to support it in the future?

On Fri, 12 Apr 2019 at 11:55, Vlasta Ramik wrote:

> On 4/12/19 10:52 AM, Pavel Drankov wrote:
>
>>> if you've exported users as well those should be imported during import as well.
>>
>> I don't want to export/import users, just realm settings. Is it possible to import realm settings without erasing *users?*
>
> afaik it's not possible at the moment.
>
> V.
>
>> Best wishes,
>> Pavel
>>
>> On Fri, 12 Apr 2019 at 09:48, Vlasta Ramik wrote:
>>
>>> Hey Pavel,
>>>
>>> if you've exported users as well those should be imported during import as well.
>>>
>>> When you use -Dkeycloak.migration.strategy=OVERWRITE_EXISTING the existing realm is erased and then imported from file/dir [1]
>>>
>>> V.
>>> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import
>>>
>>> On 4/11/19 3:49 PM, Pavel Drankov wrote:
>>>> Hi,
>>>>
>>>> Is there any command-line way to import realm settings without erasing all the users? If I import realm settings with OVERWRITE_EXISTING, keycloak also removes all the users.
>>>>
>>>> Best wishes,
>>>> Pavel

From yervand.aghababyan at sflpro.com Fri Apr 12 09:00:03 2019
From: yervand.aghababyan at sflpro.com (Yervand Aghababyan)
Date: Fri, 12 Apr 2019 17:00:03 +0400
Subject: [keycloak-user] Keycloak support for one realm on a domain name while serving on multiple domains simultaneously

A follow-up to better explain what I want. What's the best practice to create a separate domain or hostname which will only be able to authenticate users of only one custom Keycloak realm? So I do not expose the login form for the master realm to the public. Keeping admins in the master realm and end-users in a custom realm.

On Thu, Apr 11, 2019 at 9:14 PM Yervand Aghababyan <yervand.aghababyan at sflpro.com> wrote:

> I've also posted this question on stackoverflow. So if you want to you can answer there so it'll be easier to find for anyone looking. Here it is: https://stackoverflow.com/questions/55634962/keycloak-support-for-one-realm-on-a-domain-name-while-serving-on-multiple-domain
>
> I'm building an ecosystem of applications on kubernetes with keycloak as authentication/authorization provider. I am (or probably was) planning for everything to be integrated with it via OpenId (OAuth2) and for user credentials and other private information never to leave the keycloak instance in an unencrypted form.
>
> I was trying to implement the whole authentication scheme with the following configurations in mind.
>
> Realms
>
> myservice: Realm containing the public and back-office users of my application. All microservices that I have are authenticating users against this realm.
>
> master: Contains admins, keycloak administrators and other resources which should not be ever exposed to the public or intranet users. No microservice ever performs authentication on this realm.
>
> Domains
>
> 1. domain: account.myservice.com
>    access: public
>    cors: allow requests from app.myservice.com
>    config: kubernetes-ingress
>    exposes: configured themes to support login, registration, etc. Endpoints for public front-end application token validation
>    description: Only exposes access to a realm called "myservice" in keycloak. No users from other realms can login or interact.
>
> 2. domain: account.internal.myservice.com
>    access: intranet/admins
>    cors: allow requests from back-office.internal.myservice.com
>    config: kubernetes-ingress
>    exposes: configured themes to support login, registration, etc. Endpoints for back-end front-end application token validation
>    description: Exposes all the realms and provides access to keycloak administrative UI.
>
> 3. domain: keycloak (keycloak.default.svc.cluster.local)
>    access: cluster-internal
>    cors: none
>    config: kubernetes service, visible only inside the cluster
>    exposes: endpoints for back-end application token validation
>    description: Only exposes realm "myservice" and is used for other services to validate user tokens and similar stuff.
>
> I did come across a number of issues when trying to implement the above configuration scheme. If I do SSL termination inside Keycloak I won't be able to configure the different domains via a reverse proxy or similar approach which, in turn, means that Keycloak should provide a feature to listen on a separate SSL encrypted port and only make one realm available there. Which it does not. So do I want something weird here? Are the best practices different from what I want?
>
> --
> Best Regards,
> Yervand

--
Best Regards,
Yervand

From psilva at redhat.com Fri Apr 12 09:20:10 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 12 Apr 2019 10:20:10 -0300
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak

Thanks. Now it is more clear.

Answers inline below.

On Fri, Apr 12, 2019 at 7:29 AM Matteo Restelli wrote:

> Hi Pedro,
> i'll try to reply to your questions:
>
> - We've configured Cognito as an identity provider in Keycloak, importing the configuration via the OIDC discovery-configuration endpoint. At this point we needed to introduce the clientID & secret, so we've created a new confidential client inside AWS Cognito and used its id & secret in the Keycloak's Identity provider config
>
> - We've set the permission & policy about token exchange feature to our Keycloak client
>
> - The SRP flow leverages the SRP authentication protocol (so basically, no password is sent to the server). The result of this flow is a couple of JWT tokens (access and id token), but the access token doesn't respect the OIDC rules (it doesn't contain the openid scope). This last point is what makes the token exchange process impossible (this because, during the process, Cognito replies that "the token doesn't contain the openid scope"). About that i want to highlight the fact that these problems are entirely Cognito related: if we use a standard OAuth2 Flow (like Authorization code grant or implicit) the process works as expected.
>

I see now.
In this case, I think you should try to include somehow the openid scope in the access token so that Cognito can process it. I guess this error is returned when the broker is invoking the user endpoint on Cognito? Based on the OIDC user info endpoint definition, the endpoint should accept access tokens.

> - Since the SRP flow enables us to use a self-hosted login page which doesn't send the password directly to the server, we've tried to find other solution. So we've tried to provide to the token exchange endpoint the id token, changing some parameters of the HTTP call. And at this point something unexpected for us happened: the token exchange process works also providing the id token. Here's the reason of my first flow of questions: is this behaviour expected? Is the "exchange with id token" approach a feasible and good one? Or is completely a bad approach?
>
> - Since using this flow (SRP) forces us to provide the id token to our backend side, here comes the other flow of questions :). From an OIDC point of view, can be a right approach accessing a backend resource from a single page application, using an id token? I've always read that if you want to access to a backend resource, from a client application, is better to use the access token, because the id token contains a lot of user informations and must be used only by the client application.
>

It is fine to use id_token (or any other format supported by the server that can be specified via subject_token_type) when doing the exchange.

However, here is the interesting part. If you look at our documentation we should only support "access_token" and "jwt" as a subject_token_type. But the implementation can also handle "id_token". The reason why "id_token" works is that the validation of the token is done locally by Keycloak, differently than when you are using an access_token where a request will be sent to the user info endpoint on Cognito.

Regarding your last question, no it is not a good practice to use id_token for bearer token authorization. In addition to privacy concerns (which is not really different than when using JWTs in access tokens), ID Token is about carrying the authentication context with specific constraints. For instance, the audience is the client, not the backend. The lifetime of ID Token is shorter as they are mainly important to authenticate the user into a client, etc.

So, you are right. You should try to use access tokens.

> - Here's the curl of the token exchange process with the access token (i'm omitting some infos):
>
>     curl -X POST \
>       -d "client_id=test" \
>       -d "client_secret=" \
>       --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>       -d "subject_issuer=" \
>       -d "subject_token=" \
>       --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
>       -d "audience=test" \
>       http://localhost:8080/auth/realms/ /protocol/openid-connect/token
>
> - Here's the curl of the token exchange process with the id token (i'm omitting some infos):
>
>     curl -X POST \
>       -d "client_id=test" \
>       -d "client_secret=" \
>       --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>       -d "subject_issuer=" \
>       -d "subject_token=" \
>       --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:id_token" \
>       -d "audience=test" \
>       http://localhost:8080/auth/realms/ /protocol/openid-connect/token
>
> Let me know if you need more infos.
>
> Thank you again,
> Matteo Restelli
>
> On Wed, Apr 10, 2019 at 3:40 PM Pedro Igor Silva wrote:
>
>> Hi,
>>
>> So you are doing external to internal exchange. It is not clear to me how you configured AWS Cognito as an identity provider and what/how the SRP flow works. Could you provide more details, please? Is the token issued by Cognito a JWT?
>>
>> In addition to that, how does your token exchange request look like when using both id_token and access_token as a subject_token?
>>
>> On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli wrote:
>>
>>> Any news on that?
>>>
>>> Thank you!
>>> Matteo
>>>
>>> =============================
>>>
>>> Hi all,
>>> We're using AWS Cognito as our Identity provider for our platform. We're trying to use an internal instance of Keycloak, in order to check the possibility to use KC for authorization purposes (this because Keycloak has a wonderful and powerful authorization system that fulfills our needs, and for that i want to say you "Thank you very much" :) ). For this reason we want to use the token exchange feature of Keycloak.
>>> More specifically we want to follow this flow:
>>>
>>> - User authenticates on AWS Cognito via SRP auth flow (which basically is not a standard OIDC/OAuth2 authentication flow)
>>> - User sends the access token to contact the backend service and, in the middle, this token is translated to an internal one, minted by Keycloak
>>>
>>> If we provide the AWS Cognito access token to the token exchange endpoint, with the subject_token_type parameter set to "urn:ietf:params:oauth:token-type:access_token", an error is returned stating that the access token doesn't contain the "openid" scope. Despite this we've tried another way, providing the id token to the token exchange endpoint with the subject_token_parameter set to "urn:ietf:params:oauth:token-type:id_token", and we discovered that this alternative way works. So, my questions are:
>>>
>>> - Is the "exchange with id token" approach a feasible and good one? Or is completely a bad approach?
>>> - From an OIDC point of view, can be a right approach accessing a backend resource from a single page application, using an id token? I've always read that if you want to access to a backend resource, from a client application, is better to use the access token, because the id token contains a lot of user informations and must be used only by the client application
>>>
>>> Thank you very much,
>>> Matteo
>>>
>>> PS: As a side note, i want to clarify that if we follow an authorization code grant flow, or an implicit flow, during the authentication against AWS Cognito, the access token exchange works as expected. So this means that the problem is related to the shape of the token released by Cognito.

From titantins at gmail.com Fri Apr 12 10:02:21 2019
From: titantins at gmail.com (Pavel Drankov)
Date: Fri, 12 Apr 2019 17:02:21 +0300
Subject: [keycloak-user] Lookup user during registration

Thanks! Sure!

Best wishes,
Pavel

On Fri, 12 Apr 2019 at 13:26, Sebastien Blanc wrote:

> Have you looked here https://www.keycloak.org/docs/latest/server_development/index.html#modifying-extending-the-registration-form ?
> You can probably add this check in the validate method.
>
> On Thu, Apr 11, 2019 at 2:03 PM Pavel Drankov wrote:
>
>> Hi,
>>
>> What do I have to do if I want to check if a user with a specific email already exists during the registration flow? How can I do this on the SPI module side?
>>
>> Best wishes,
>> Pavel

From H.Hoogeveen at bva-auctions.com Fri Apr 12 10:11:15 2019
From: H.Hoogeveen at bva-auctions.com (Harrie Hoogeveen - BVA)
Date: Fri, 12 Apr 2019 14:11:15 +0000
Subject: [keycloak-user] Keycloak in Azure cloud
References: <15da20db-6198-4d93-890a-56ec3949b949.827805c9-6246-4f83-850f-511c8ce6d370.be3ae5e9-c413-428e-abd4-00663b7cf971@emailsignatures365.codetwo.com>

Hello,

I am Harrie, working for an auction company, and we are trying to do a POC with running Keycloak in the cloud. We face the problem that a sync network between nodes is not really a cloud friendly solution (costs and scalability) and we have been trying to run Keycloak (5) in high availability mode with shared caches.

So far we ported the old redis cache driver to the new Keycloak / infinispan version by loading it as a JBoss module. It seemed very successful at first. Loading of the store works. And if we put passivation=true and shared=false, it actually writes to it when it shuts down and reads the sessions again when starting up. But that of course does not leave us with a realtime shared cache.

When we configure it as a write through cache, it also actually starts doing live reads and deletes, but somehow it never writes to the cache store. We tried many different overwrites, took a look at the cassandra implementation and tried all kinds of cache configs: local-cache, replicated-cache, distributed-cache with different amounts of owners. But so far no luck and we got stuck. We read about successful implementations like this, but always on older versions that do not apply to the current version.

So I have some questions.

1) Is this actually an approach that is still supported, and if not, what is your advice on running in the cloud to make sure on node loss or restart we do not lose the active sessions?

2) Is there a good example / documentation on how to implement a shared cache on which multiple nodes read and write so they share sessions for the current 5.0.0 version, without using the cache sync network?

Also, if I am not complying with any netiquette, please let me know. It's been a while since the last time I used a mailing list.

Best regards,
Harrie Hoogeveen

Kind regards,
Harrie Hoogeveen
________________________________
Harrie Hoogeveen - BVA
E. H.Hoogeveen at bva-auctions.com
PO Box 1838, 3800 BV Amersfoort, the Netherlands
Kryptonweg 8, 3812 RZ Amersfoort, the Netherlands
https://www.bva-auctions.com
________________________________
This email and any attachments may contain confidential material and is solely for the use of the intended recipient(s). If you have received this email in error, please notify the sender immediately and delete this email. If you are not the intended recipient(s), you must not use, retain or disclose any information contained in this email. BVA Auctions does not guarantee that this email or any attachments are free from viruses or 100% secure. Unless expressly stated in the body of the text of the email, this email is not intended to form a binding contract. The general terms and conditions of BVA Auctions, which include a limitation of liability, are applicable to all work and services. Contact information and the terms and conditions are available on request and can also be found on https://www.bva-auctions.com.
________________________________

From mrestelli at cuebiq.com Fri Apr 12 10:28:15 2019
From: mrestelli at cuebiq.com (Matteo Restelli)
Date: Fri, 12 Apr 2019 16:28:15 +0200
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak

Thank you Pedro,
My answers (and questions) inline below ;)

Thank you!
Matteo

On Fri, Apr 12, 2019 at 3:20 PM Pedro Igor Silva wrote:

> Thanks. Now it is more clear.
>
> Answers inline below.
>
> On Fri, Apr 12, 2019 at 7:29 AM Matteo Restelli wrote:
>
>> Hi Pedro,
>> i'll try to reply to your questions:
>>
>> - We've configured Cognito as an identity provider in Keycloak, importing the configuration via the OIDC discovery-configuration endpoint. At this point we needed to introduce the clientID & secret, so we've created a new confidential client inside AWS Cognito and used its id & secret in the Keycloak's Identity provider config
>>
>> - We've set the permission & policy about token exchange feature to our Keycloak client
>>
>> - The SRP flow leverages the SRP authentication protocol (so basically, no password is sent to the server). The result of this flow is a couple of JWT tokens (access and id token), but the access token doesn't respect the OIDC rules (it doesn't contain the openid scope). This last point is what makes the token exchange process impossible (this because, during the process, Cognito replies that "the token doesn't contain the openid scope"). About that i want to highlight the fact that these problems are entirely Cognito related: if we use a standard OAuth2 Flow (like Authorization code grant or implicit) the process works as expected.
>>
>
> I see now. In this case, I think you should try to include somehow the openid scope in the access token so that Cognito can process it. I guess this error is returned when the broker is invoking the user endpoint on Cognito?
> Based on the OIDC user info endpoint definition, the endpoint should accept access tokens.
>

Yeah unfortunately we're stuck with this option, because Cognito is lacking support on adding this scope to the token (especially this is caused by the Amplify.js library provided by AWS, which is the one we're using to implement the SRP flow). Yes, the error is returned from Cognito when Keycloak contacts the provider to validate the token.

>> - Since the SRP flow enables us to use a self-hosted login page which doesn't send the password directly to the server, we've tried to find other solution. So we've tried to provide to the token exchange endpoint the id token, changing some parameters of the HTTP call. And at this point something unexpected for us happened: the token exchange process works also providing the id token. Here's the reason of my first flow of questions: is this behaviour expected? Is the "exchange with id token" approach a feasible and good one? Or is completely a bad approach?
>>
>> - Since using this flow (SRP) forces us to provide the id token to our backend side, here comes the other flow of questions :). From an OIDC point of view, can be a right approach accessing a backend resource from a single page application, using an id token? I've always read that if you want to access to a backend resource, from a client application, is better to use the access token, because the id token contains a lot of user informations and must be used only by the client application.
>>
>
> It is fine to use id_token (or any other format supported by the server that can be specified via subject_token_type) when doing the exchange.
>
> However, here is the interesting part. If you look at our documentation we should only support "access_token" and "jwt" as a subject_token_type. But the implementation can also handle "id_token". The reason why "id_token" works is that the validation of the token is done locally by Keycloak, differently than when you are using an access_token where a request will be sent to the user info endpoint on Cognito.
>

Oh! That's really interesting! :)

About this point, in your opinion will it be feasible to call the token exchange endpoint every time a request comes to our backend side? Imagine this scenario:

- User authenticates to Cognito via the Spa app
- Spa app calls backend services (typically contacting a gateway)
- Gateway performs the token exchange on keycloak
- Gateway forwards the request (adding the new access token in place of the Cognito one) to the underlying microservices...

Do you see any performance issues? Does Keycloak cache something during the token exchange process?

> Regarding your last question, no it is not a good practice to use id_token for bearer token authorization. In addition to privacy concerns (which is not really different than when using JWTs in access tokens), ID Token is about carrying the authentication context with specific constraints. For instance, the audience is the client, not the backend. The lifetime of ID Token is shorter as they are mainly important to authenticate the user into a client, etc.
>
> So, you are right. You should try to use access tokens.
>

Ok thank you for the explanation. We'll try to use access tokens (probably we'll stop using the SRP flow in favour of an OAuth2 flow like Authorization Code Grant with PKCE, which is the one recommended for public Single page Applications).

>> - Here's the curl of the token exchange process with the access token (i'm omitting some infos):
>>
>>     curl -X POST \
>>       -d "client_id=test" \
>>       -d "client_secret=" \
>>       --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>>       -d "subject_issuer=" \
>>       -d "subject_token=" \
>>       --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
>>       -d "audience=test" \
>>       http://localhost:8080/auth/realms/ /protocol/openid-connect/token
>>
>> - Here's the curl of the token exchange process with the id token (i'm omitting some infos):
>>
>>     curl -X POST \
>>       -d "client_id=test" \
>>       -d "client_secret=" \
>>       --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>>       -d "subject_issuer=" \
>>       -d "subject_token=" \
>>       --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:id_token" \
>>       -d "audience=test" \
>>       http://localhost:8080/auth/realms/ /protocol/openid-connect/token
>>
>> Let me know if you need more infos.
>>
>> Thank you again,
>> Matteo Restelli
>>
>> On Wed, Apr 10, 2019 at 3:40 PM Pedro Igor Silva wrote:
>>
>>> Hi,
>>>
>>> So you are doing external to internal exchange. It is not clear to me how you configured AWS Cognito as an identity provider and what/how the SRP flow works. Could you provide more details, please? Is the token issued by Cognito a JWT?
>>>
>>> In addition to that, how does your token exchange request look like when using both id_token and access_token as a subject_token?
>>>
>>> On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli wrote:
>>>
>>>> Any news on that?
>>>>
>>>> Thank you!
>>>> Matteo
>>>>
>>>> =============================
>>>>
>>>> Hi all,
>>>> We're using AWS Cognito as our Identity provider for our platform. We're trying to use an internal instance of Keycloak, in order to check the possibility to use KC for authorization purposes (this because Keycloak has a wonderful and powerful authorization system that fulfills our needs, and for that i want to say you "Thank you very much" :) ). For this reason we want to use the token exchange feature of Keycloak.
>>>> More specifically we want to follow this flow:
>>>>
>>>> - User authenticates on AWS Cognito via SRP auth flow (which basically is not a standard OIDC/OAuth2 authentication flow)
>>>> - User sends the access token to contact the backend service and, in the middle, this token is translated to an internal one, minted by Keycloak
>>>>
>>>> If we provide the AWS Cognito access token to the token exchange endpoint, with the subject_token_type parameter set to "urn:ietf:params:oauth:token-type:access_token", an error is returned stating that the access token doesn't contain the "openid" scope. Despite this we've tried another way, providing the id token to the token exchange endpoint with the subject_token_parameter set to "urn:ietf:params:oauth:token-type:id_token", and we discovered that this alternative way works. So, my questions are:
>>>>
>>>> - Is the "exchange with id token" approach a feasible and good one? Or is completely a bad approach?
>>>> - From an OIDC point of view, can be a right approach accessing a backend resource from a single page application, using an id token? I've always read that if you want to access to a backend resource, from a client application, is better to use the access token, because the id token contains a lot of user informations and must be used only by the client application
>>>>
>>>> Thank you very much,
>>>> Matteo
>>>>
>>>> PS: As a side note, i want to clarify that if we follow an authorization code grant flow, or an implicit flow, during the authentication against AWS Cognito, the access token exchange works as expected. So this means that the problem is related to the shape of the token released by Cognito.
>>>>
>>>> --
>>>> This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly to be read by persons other than by the subscriber of the box. Confidential information may be contained in this message.
If you are not the >>>> address >>>> indicated in this message, please do not copy or deliver this message >>>> to >>>> anyone. In such case, you should notify the sender immediately and >>>> delete >>>> the original message. >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user at lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >> Like I Follow >> I Connect >> >> >> This email is reserved exclusively for sending and receiving messages >> inherent working activities, and is not intended nor authorized for >> personal use. Therefore, any outgoing messages or incoming response >> messages will be treated as company messages and will be subject to the >> corporate IT policy and may possibly to be read by persons other than by >> the subscriber of the box. Confidential information may be contained in >> this message. If you are not the address indicated in this message, please >> do not copy or deliver this message to anyone. In such case, you should >> notify the sender immediately and delete the original message. >> > -- Like I Follow I Connect This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly to be read by persons other than by the subscriber of the box. Confidential information may be contained in this message. If you are not the address indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message. 
From titantins at gmail.com Fri Apr 12 10:27:59 2019
From: titantins at gmail.com (Pavel Drankov)
Date: Fri, 12 Apr 2019 17:27:59 +0300
Subject: [keycloak-user] TokenService is not visible from class loader
Message-ID:

Hi,

I'm trying to delete a user during a new user registration process if the previous account was not confirmed. I decided to use the Admin REST API with keycloak-admin-client, but when using it, the following exception is thrown:

16:59:56,028 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-3) MSC000001: Failed to start service jboss.deployment.unit."keycloak-sms-authenticator-fat-1.1.0.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."keycloak-sms-authenticator-fat-1.1.0.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "keycloak-sms-authenticator-fat-1.1.0.jar"
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:151)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1738)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1700)
    at org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1558)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
Caused by: java.lang.IllegalArgumentException: interface org.keycloak.admin.client.token.TokenService is not visible from class loader
    at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:581)
    at java.lang.reflect.Proxy$ProxyClassFactory.apply(Proxy.java:557)
    at java.lang.reflect.WeakCache$Factory.get(WeakCache.java:230)
    at java.lang.reflect.WeakCache.get(WeakCache.java:127)
    at java.lang.reflect.Proxy.getProxyClass0(Proxy.java:419)
    at java.lang.reflect.Proxy.newProxyInstance(Proxy.java:719)
    at org.jboss.resteasy.client.jaxrs.ProxyBuilder.proxy(ProxyBuilder.java:85)
    at org.jboss.resteasy.client.jaxrs.ProxyBuilder.build(ProxyBuilder.java:152)
    at org.jboss.resteasy.client.jaxrs.internal.ClientWebTarget.proxy(ClientWebTarget.java:93)
    at org.keycloak.admin.client.token.TokenManager.<init>(TokenManager.java:55)
    at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:59)
    at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:87)
    at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:103)
    at my.plugin.postInit(plugin.java:line)
    at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:138)
    at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42)
    at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:55)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:144)
    ... 8

How can this error be fixed?

Best wishes,
Pavel

From psilva at redhat.com Fri Apr 12 10:53:47 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Fri, 12 Apr 2019 11:53:47 -0300
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak
In-Reply-To:
References:
Message-ID:

On Fri, Apr 12, 2019 at 11:28 AM Matteo Restelli wrote:

> Thank you Pedro,
> My answers (and questions) inline below ;)
>
> Thank you!
> Matteo
>
> On Fri, Apr 12, 2019 at 3:20 PM Pedro Igor Silva wrote:
>
>> Thanks. Now it is more clear.
>>
>> Answers inline below.
>>
>> On Fri, Apr 12, 2019 at 7:29 AM Matteo Restelli wrote:
>>
>>> Hi Pedro,
>>> I'll try to reply to your questions:
>>>
>>> - We've configured Cognito as an identity provider in Keycloak,
>>> importing the configuration via the OIDC discovery-configuration endpoint.
>>> At this point we needed to introduce the client ID & secret, so we've
>>> created a new confidential client inside AWS Cognito and used its id
>>> & secret in Keycloak's Identity provider config
>>>
>>> - We've set the permission & policy about the token exchange feature on our
>>> Keycloak client
>>>
>>> - The SRP flow leverages the SRP authentication protocol (so basically,
>>> no password is sent to the server). The result of this flow is a couple of
>>> JWT tokens (access and id token), but the access token doesn't respect the
>>> OIDC rules (it doesn't contain the openid scope). This last point is what
>>> makes the token exchange process impossible (this because, during the
>>> process, Cognito replies that "the token doesn't contain the openid
>>> scope"). About that I want to highlight the fact that these problems are
>>> entirely Cognito related: if we use a standard OAuth2 flow (like
>>> Authorization code grant or implicit) the process works as expected.
>>
>> I see now. In this case, I think you should try to include somehow the
>> openid scope in the access token so that Cognito can process it. I guess
>> this error is returned when the broker is invoking the user endpoint on
>> Cognito? Based on the OIDC user info endpoint definition, the endpoint
>> should accept access tokens.
>
> Yeah, unfortunately we're stuck with this option, because Cognito is
> lacking support for adding this scope to the token (especially this is
> caused by the Amplify.js library provided by AWS, which is the one we're
> using to implement the SRP flow). Yes, the error is returned from Cognito
> when Keycloak contacts the provider to validate the token.
>
>>> - Since the SRP flow enables us to use a self-hosted login page which
>>> doesn't send the password directly to the server, we've tried to find another
>>> solution. So we've tried to provide the id token to the token exchange
>>> endpoint, changing some parameters of the HTTP call. And at this point
>>> something unexpected for us happened: the token exchange process works also
>>> providing the id token. Here's the reason for my first set of questions: is
>>> this behaviour expected? Is the "exchange with id token" approach a
>>> feasible and good one? Or is it completely a bad approach?
>>>
>>> - Since using this flow (SRP) forces us to provide the id token to our
>>> backend side, here comes the other set of questions :). From an OIDC point
>>> of view, can it be a right approach to access a backend resource from a single
>>> page application using an id token? I've always read that if you want to
>>> access a backend resource from a client application, it is better to use
>>> the access token, because the id token contains a lot of user information
>>> and must be used only by the client application.
>>
>> It is fine to use id_token (or any other format supported by the server
>> that can be specified via subject_token_type) when doing the exchange.
>>
>> However, here is the interesting part. If you look at our documentation we
>> should only support "access_token" and "jwt" as a subject_token_type. But
>> the implementation can also handle "id_token". The reason why "id_token"
>> works is that the validation of the token is done locally by Keycloak,
>> differently than when you are using an access_token where a request will be
>> sent to the user info endpoint on Cognito.
>
> Oh! That's really interesting! :)
> About this point, in your opinion will it be feasible to call the token
> exchange endpoint every time a request comes to our backend side? Imagine
> this scenario:
>
> - User authenticates to Cognito via the SPA app
> - SPA app calls backend services (typically contacting a gateway)
> - Gateway performs the token exchange on Keycloak
> - Gateway forwards the request (adding the new access token in place of
>   the Cognito one) to the underlying microservices...
>
> Do you see any performance issues? Does Keycloak cache something during
> the token exchange process?

I would ask you to try it out and check latency and response times. Unfortunately, benchmarking is something we are lacking, so we depend on feedback from the community.

Maybe another option you could consider is to aggregate your APIs so that your SPA doesn't need to interact with multiple backend services? Where this API aggregator would be 1:1 mapped to your client and responsible for all exchanges to access downstream services.

Or you could eventually use different scopes to gain access to these different services and still use the same token obtained by the client during the authentication. There is a caveat here regarding audience though, so you could maybe include some audience that logically represents your different APIs.

>> Regarding your last question, no it is not a good practice to use
>> id_token for bearer token authorization. In addition to privacy concerns
>> (which is not really different than when using JWTs in access tokens), ID
>> Token is about carrying the authentication context with specific
>> constraints. For instance, the audience is the client, not the backend. The
>> lifetime of ID Token is shorter as they are mainly important to
>> authenticate the user into a client, etc.
>>
>> So, you are right. You should try to use access tokens.
>
> Ok, thank you for the explanation. We'll try to use access tokens (probably
> we'll stop using the SRP flow in favour of an OAuth2 flow like
> Authorization Code Grant with PKCE, which is the one recommended for public
> Single Page Applications).

+1
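The two points Pedro makes above (an ID token is addressed to the client, not the backend, so it must not be accepted as a bearer token; the exchanged Keycloak access token is the one to forward) and Matteo's question about exchanging on every request, as an added Python example that is not part of the thread and not Keycloak, Cognito or Amplify code. It assumes the JWT signature has already been verified and the claims decoded into a dict, assumes a backend audience named `backend-api` and a public client id `spa-client`, relies on the `typ` claim Keycloak sets (`Bearer` / `ID`) and the `token_use` claim Cognito sets (`access` / `id`), and treats the gateway-side exchange cache as a design choice of this example, not a Keycloak feature (Pedro's reply does not claim that Keycloak caches exchanges). The exchange call itself is injected so the example runs offline.

```python
"""Gateway-side checks for the token-exchange flow discussed in the thread.

Added example; not code from the thread or from Keycloak/Cognito. The caller is
assumed to have verified the JWT signature already; only claim-level checks are
shown. BACKEND_AUDIENCE and SPA_CLIENT_ID are assumed names.
"""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

BACKEND_AUDIENCE = "backend-api"  # assumed: audience the backend expects in `aud`
SPA_CLIENT_ID = "spa-client"      # assumed: the public client's id


def _aud_set(claims: Dict) -> set:
    """`aud` may be a single string or a list; normalise to a set."""
    aud = claims.get("aud", [])
    return {aud} if isinstance(aud, str) else set(aud)


def bearer_token_decision(claims: Dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether decoded claims may authorize a backend request.

    Rejects expired tokens, rejects ID tokens (Keycloak marks them typ=ID,
    Cognito token_use=id) because their audience is the client and they carry
    authentication context, and requires the backend to appear in `aud`.
    """
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if claims.get("typ") == "ID" or claims.get("token_use") == "id":
        return False, "id_token is for the client, not for bearer authorization"
    aud = _aud_set(claims)
    if BACKEND_AUDIENCE not in aud:
        return False, f"audience {sorted(aud)} does not include {BACKEND_AUDIENCE}"
    return True, "ok"


@dataclass
class ExchangeCache:
    """Memoises exchange results at the gateway so one Keycloak round trip serves
    many backend calls for the same subject token (assumed policy: an entry is
    reused until the exchanged token's `exp`). The raw subject token is never
    stored; its SHA-256 is the key."""
    _entries: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    exchanges_performed: int = 0

    @staticmethod
    def _key(subject_token: str) -> str:
        return hashlib.sha256(subject_token.encode()).hexdigest()

    def get_or_exchange(self, subject_token: str,
                        exchange_fn: Callable[[str], Tuple[str, float]],
                        now: Optional[float] = None) -> str:
        """Return a cached access token or call exchange_fn(subject_token) -> (token, exp)."""
        now = time.time() if now is None else now
        key = self._key(subject_token)
        hit = self._entries.get(key)
        if hit and hit[1] > now:
            return hit[0]
        access_token, exp = exchange_fn(subject_token)
        self.exchanges_performed += 1
        self._entries[key] = (access_token, exp)
        return access_token


if __name__ == "__main__":
    # Constructed claims modelled on the three token shapes in the thread.
    t = 1_000_000_000
    samples = {
        "cognito id token": {"token_use": "id", "aud": SPA_CLIENT_ID, "exp": t + 3600},
        "cognito access token (no openid scope)": {"token_use": "access", "client_id": SPA_CLIENT_ID,
                                                   "scope": "aws.cognito.signin.user.admin", "exp": t + 3600},
        "keycloak access token after exchange": {"typ": "Bearer", "aud": [BACKEND_AUDIENCE, "account"],
                                                 "exp": t + 300},
    }
    for name, claims in samples.items():
        print(f"{name}: {bearer_token_decision(claims, now=t)}")
```

Only the Keycloak-minted access token passes; the Cognito ID token fails on type and the Cognito access token fails on audience, which is why the gateway forwards the exchanged token and not the original one.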
From orivat at janua.fr Fri Apr 12 11:16:45 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Fri, 12 Apr 2019 17:16:45 +0200
Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working
Message-ID:

Hi,

I am testing the integration of keycloak to FranceConnect (French IDP provider).
It is working fine with keycloak 4.81 (I have just tested it today), but it is failing with keycloak 5.0.

The difference between the two is that keycloak 5.0 is adding internally client_session_state on the idp request.
But the FranceConnect idp is not recognizing client_session_state.

What could be done to overcome this issue, as the IDP has not changed?
Is it possible to disable this flag (client_session_state) so it does not appear in the log of KC 5.0?

Please advise what could be done to have it working again.

Regards,
Olivier Rivat

==============================================================================
Traces are as follows for both:

Keycloak 4.83 trace (OK)

2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3 >> "[\r][\n]"
2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3 >> code=de5db40072c4d4a146f46330e7f85e38610d0943e95e9cb6ac73d66bd672205a&
grant_type=authorization_code&
client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6
2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3 << "HTTP/1.1 200 OK[\r][\n]"
2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3 << "Server: nginx[\r][\n]"
2019-04-12 17:06:04,309 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3 << "Date: Fri, 12 Apr 2019 15:05:57 GMT[\r][\n]"

Keycloak 5.00 trace (Not working)

16:01:00,889 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 >> " code=326df10aabf29c322ca83a2a20b7ffc8c3dcab1ce150b62e99433b3a11e78e81&
grant_type=authorization_code&
client_session_state=n%2Fa&
client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6"
16:01:00,966 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Server: nginx[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Date: Fri, 12 Apr 2019 14:00:53 GMT[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Content-Length: 104[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Connection: keep-alive[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "ETag: W/"68-1YcGPHfKrHgT2FZkgQmpNQ"[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Vary: Accept-Encoding[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "[\r][\n]"
16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "{"status":"fail","message":"The following fields are not supposed to be present : client_session_state"}"

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From bland999 at hotmail.com Fri Apr 12 16:08:40 2019
From: bland999 at hotmail.com (A. A.)
Date: Fri, 12 Apr 2019 20:08:40 +0000
Subject: [keycloak-user] Keycloak Identity Broker to LDAP User Storage?
Message-ID:

Hello,

We have successfully configured Keycloak as an identity broker, and used some SAML attribute mappers to pull SAML claims into user attributes within Keycloak, e.g. national-id, birthdate, and so on. We also have configured an LDAP storage backend under User Federation, along with attribute-to-LDAP mappers.

Is there a way to configure Keycloak to push a newly verified user's attributes (I mean after email verification) into LDAP automatically? It dawned on me that the user-LDAP mapping is more of a "pull from LDAP into Keycloak" type of mapping and not the other way around. I do know there is a sync option, but I was wondering if the push from SAML to Keycloak to LDAP could be done in "one transaction" on first login?

From albinoseagull at gmail.com Fri Apr 12 18:35:37 2019
From: albinoseagull at gmail.com (Alper Kara)
Date: Sat, 13 Apr 2019 01:35:37 +0300
Subject: [keycloak-user] Users having Roles at Departments
Message-ID:

What is the right way of having effect areas of roles like:

-Department1
--SubDepartment1
--SubDepartment2
-Department2
--SubDepartment3
--SubDepartment4

user - role at SomeGroupOrDepartment

Joe - manager at SubDepartment1
Kim - manager at Department2
Jim - user at Department2
Joe - user at Department1
Kim - qa at Department1
Kim - user at SubDepartment2
...

In the end we want to say in our applications:

manager of Department 1 --> can write files
all users --> can read files
all managers --> can have reports
any role in Sub Department 1 --> can use CAD
... etc.

So to speak, is there a good way to have effective roles in triplets instead of tuples? If my understanding is correct, at the moment we have to create composite roles with departments. In any living organization there are multiple roles like employee, manager etc.
with different departments doing different things, like a human resource manager can read personal files, whereas an IT manager can access svn, and all managers can post announcement emails, whereas ordinary users can have different access rights depending on department...

From kapilkumarjoshi001 at gmail.com Sat Apr 13 01:53:28 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Sat, 13 Apr 2019 11:23:28 +0530
Subject: [keycloak-user] Login with email in keycloak not working for federated user
In-Reply-To: <17ed227bdf49633cf1b3d34449702a98@lbenoit.fr>
References: <2F9C94E5-FF63-49BC-AAC1-44895E9D2889@iit.cnr.it> <530A71BD-641C-484E-86C9-74EFC75E4D02@iit.cnr.it> <17ed227bdf49633cf1b3d34449702a98@lbenoit.fr>
Message-ID:

Hi Lilian,

Thanks for your reply. I found out the issue: we had enabled the duplicate email switch along with login with email. But they both cannot be turned on; it can be either the login with email or the duplicate email option. It works now.

Thanks again.
Kapil

On Fri, 12 Apr 2019, 14:16 Lilian BENOIT, wrote:

> Hi Kapil,
>
> For one of my clients, we use Keycloak with federated users (LDAP). We
> have activated Login with email (Realm settings) and it works fine.
> With this option, we don't change the email mapping.
>
> Regards,
> Lilian.
>
> On 12/04/2019 09:21, Lorenzo Luconi Trombacchi wrote:
>> Hi Kapil,
>>
>> sorry, I have no experience with LDAP and LDAP user federation. I
>> developed a keycloak user federation plugin for our internal database
>> and as I said e-mail authentication works fine.
>>
>> Lorenzo
>>
>>> On 12 Apr 2019, at 03:03, kapil joshi wrote:
>>>
>>> Hi Lorenzo,
>>>
>>> We are using the JavaScript adapter for the client and the stable helm chart
>>> for keycloak; somewhere I read we need a mapping of the LDAP mail attribute
>>> with username. But I didn't exactly get what it was. Can someone point
>>> me to that.
> >> > >> Thanks > >> Kapil > >> > >> On Thu, 11 Apr 2019, 20:10 Lorenzo Luconi Trombacchi, > >> > wrote: > >> Just tested with my user federation implementation and it works > >> (4.8.3.Final). I can login to my app using email address. > >> You must implements UserLookupProvider interface and getUsersByEmail > >> method. > >> > >> Lorenzo > >> > >> > >> > Il giorno 11 apr 2019, alle ore 15:59, kapil joshi < > kapilkumarjoshi001 at gmail.com > ha > scritto: > >> > > >> > Hi Team, > >> > > >> > Login with email in Keycloak not working for federated user, please > note > >> > that we have enabled the switch to Login With Email. > >> > Can some point us what are we missing. > >> > > >> > Thanks & regards > >> > Kapil > >> > _______________________________________________ > >> > keycloak-user mailing list > >> > keycloak-user at lists.jboss.org > >> > https://lists.jboss.org/mailman/listinfo/keycloak-user < > https://lists.jboss.org/mailman/listinfo/keycloak-user> > >> > > > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > From bland999 at hotmail.com Sat Apr 13 02:04:20 2019 From: bland999 at hotmail.com (A. A.) Date: Sat, 13 Apr 2019 06:04:20 +0000 Subject: [keycloak-user] Keycloak Identity Broker to LDAP User Storage? Message-ID: Actually, I've traced the source of my challenge I believe to this excellent analysis: https://issues.jboss.org/browse/KEYCLOAK-4433?focusedCommentId=13364626&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13364626 In my case, I have a few attributes in OpenLDAP that have constraints associated with them (we are using the constraints overlay/extension provided by OpenLDAP). Those constraints prevent the creation of the "default" dummy object. 
I have confirmed that watching the logs: Keycloak first tries to create a dummy empty object, then moves forward with modifying the returned entry. Is there a workaround to this? Or a configuration option that instead of create empty then modify, instead simply does create with full attributes? From bland999 at hotmail.com Sat Apr 13 03:51:28 2019 From: bland999 at hotmail.com (A. A.) Date: Sat, 13 Apr 2019 07:51:28 +0000 Subject: [keycloak-user] Keycloak Identity Broker to LDAP User Storage? In-Reply-To: References: Message-ID: After going thru KEYCLOAK-4433 in more detail, I better understood the nature of the "fix" (it's fair to call it less than optimal) and used it... and all is good. Ideally we would not have to create the "hardcoded mapper", and instead commit all LDAP attributes in one transaction. Using a constraint on LDAP attributes for validation purposes means that we have to add these hardcoded mappers for each such attribute. Easily done ... but still. One more gentle suggestion: though the tool tips that pop up try to yell "Only during registration", I did not notice them at first because the hardcoded mapper seems very straightforward so I ignored the tool tips entirely. That mapper would be better served if its name included something like "hardcoded-registration-only" (yes the name is long, but long names are especially useful for temporary solutions). Sincere thanks to the Keycloak team: you help me make a living, and I cannot criticize your work except with the utmost humility. ________________________________ From: A. A. Sent: Saturday, April 13, 2019 9:04 AM To: keycloak-user at lists.jboss.org Subject: Re: [keycloak-user] Keycloak Identity Broker to LDAP User Storage? 
From cedric at couralet.eu Mon Apr 15 01:43:27 2019 From: cedric at couralet.eu (cedric@couralet.eu) Date: Mon, 15 Apr 2019 07:43:27 +0200 Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working In-Reply-To: Message-ID: <1c90-5cb41a00-b-17db7d00@30246831>

Hi, How are you integrating the two IdPs? The client_session_state parameter seems to be added as a hack when using KeycloakOIDCIdentityProvider ([1]), but this was added a long time ago. I think this provider should only be used when the two IdPs are Keycloak; you may want to try the generic OIDCIdentityProvider, which does not add this param. But there is an issue with logout [2] and signature validation, which is why we had to develop our own Keycloak extension for France Connect [3]. I just tried it with Keycloak 5.0.0 without problem.
(and you may want to change your account information with France Connect (client_secret and client_id); these should not be public)

Cédric Couralet

[1] https://github.com/keycloak/keycloak/blob/c34c0a3860fa3c6de5963eb56f431696e826404c/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java#L134 [2] https://issues.jboss.org/browse/KEYCLOAK-7209 [3] https://github.com/InseeFr/Keycloak-FranceConnect

On Friday, April 12, 2019 17:16 CEST, Olivier Rivat wrote: > Hi, > > I am testing the integration of keycloak to FranceConnect (French IDP > provider). > It is working fine with keycloak 4.81 (I have just tested it today), but > it is failing with keycloak 5.0. > > The difference between the two is that keycloak 5.0 is adding > internally client_session_state on the idp request. > But the FranceConnect idp is not recognizing client_session_state. > > What could be done to overcome this issue, as the IDP has not changed? > Is it possible to disable this flag (client_session_state) so it does > not appear in the log of KC 5.0? > > Please advise what could be done to have it working again.
> > > Regards, > > Olivier Rivat > > > > ============================================================================== > > > > > > > Traces are as follows between the both: > > Keycloak 4.83 trace (OK) > > > 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11) > http-outgoing-3 >> "[\r][\n]" > 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11) > http-outgoing-3 >> > code=de5db40072c4d4a146f46330e7f85e38610d0943e95e9cb6ac73d66bd672205a& > grant_type=authorization_code& > client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db& > redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint& > client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6 > 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11) > http-outgoing-3 << "HTTP/1.1 200 OK[\r][\n]" > 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11) > http-outgoing-3 << "Server: nginx[\r][\n]" > 2019-04-12 17:06:04,309 DEBUG [org.apache.http.wire] (default task-11) > http-outgoing-3 << "Date: Fri, 12 Apr 2019 15:05:57 GMT[\r][\n]" > 2019-04 > > > > > Keycloak 5.00 trace (Not working) > > 6:01:00,889 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 >> " > code=326df10aabf29c322ca83a2a20b7ffc8c3dcab1ce150b62e99433b3a11e78e81& > grant_type=authorization_code& > client_session_state=n%2Fa& > client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db& > redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint& > client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6" > 16:01:00,966 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]" > 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 << "Server: nginx[\r][\n]" > 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 
<< "Date: Fri, 12 Apr 2019 14:00:53 GMT[\r][\n]" > 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]" > 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 << "Content-Length: 104[\r][\n]" > 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 << "Connection: keep-alive[\r][\n]" > 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 << "ETag: W/"68-1YcGPHfKrHgT2FZkgQmpNQ"[\r][\n]" > 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 << "Vary: Accept-Encoding[\r][\n]" > 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 << "[\r][\n]" > 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) > http-outgoing-0 << "{"status":"fail","message":"The following fields are > not supposed to be present : client_session_state"}" > > -- > Olivier Rivat > CTO > orivat at janua.fr > Gsm: +33(0)682 801 609 > Tél: +33(0)489 829 238 > Fax: +33(0)955 260 370 > http://www.janua.fr

From orivat at janua.fr Mon Apr 15 02:11:27 2019 From: orivat at janua.fr (Olivier Rivat) Date: Mon, 15 Apr 2019 08:11:27 +0200 Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working In-Reply-To: <1c90-5cb41a00-b-17db7d00@30246831> References: <1c90-5cb41a00-b-17db7d00@30246831> Message-ID:

Hi Cedric, I am integrating KC (SP) to FranceConnect (IDP) directly out of the box. I haven't written any KC code module extension and FranceConnect is configured as an IDP for KC. FranceConnect integration is working fine with KC 4.81, but it is failing with KC 5.00.
The only diff I noticed is that internally there is this client_session_state flag added with KC 5.0. This is what makes the integration fail.

Regards, Olivier Rivat

-- Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 Tél: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr

From cedric at couralet.eu Mon Apr 15 02:18:56 2019 From: cedric at couralet.eu (cedric@couralet.eu) Date: Mon, 15 Apr 2019 08:18:56 +0200 Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working In-Reply-To: Message-ID: <3af-5cb42280-d-179633c0@229327403>

On Monday, April 15, 2019 08:11 CEST, Olivier Rivat wrote: > Hi Cedric, > > I am integrating KC (SP)
to FranceConnect (IDP) directly out of the box. > I haven't written any KC code module extension and FranceConnect is > configured as an IDP for KC. >

Could you share your IdP configuration (minus the secrets)? Did you choose "keycloak OpenId Connect" or "OpenId Connect v1.0"? How did you test from one version to another (export/import, manual conf, upgrade?)

Cédric,

> FranceConnect integration is working fine with KC 4.81, but it is > failing with KC 5.00. > The only diff I noticed is that internally there is this > client_session_state flag added with KC 5.0. > This is what makes the integration fail. > > Regards, > > Olivier Rivat

From orivat at janua.fr Mon Apr 15 02:58:54 2019 From: orivat at janua.fr (Olivier Rivat) Date: Mon, 15 Apr 2019 08:58:54 +0200 Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working In-Reply-To: <3af-5cb42280-d-179633c0@229327403> References: <3af-5cb42280-d-179633c0@229327403> Message-ID:

Hi Cedric, Please find attached my demo realm JSON file of KC 5.0 (client secret is starred). To add the IdP provider, I select add user provider and select "keycloak openID provider". After this, I do select all the fields manually.

Regards, Olivier Rivat

-- Olivier Rivat CTO orivat at janua.fr Gsm: +33(0)682 801 609 Tél: +33(0)489 829 238 Fax: +33(0)955 260 370 http://www.janua.fr

-------------- next part -------------- A non-text attachment was scrubbed... Name: KC_5.0_export.json Type: application/json Size: 38894 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190415/666e0756/attachment-0001.bin

From sblanc at redhat.com Mon Apr 15 03:12:56 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Mon, 15 Apr 2019 09:12:56 +0200 Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working In-Reply-To: References: <3af-5cb42280-d-179633c0@229327403> Message-ID:

Hi, As Cédric said, you must choose "OpenID Connect v1.0" and not "keycloak openID provider" if you don't want the param to be added. "Keycloak OpenID provider" is only to be used when you want to federate another Keycloak instance as IdP.

Seb

From hans.zandbelt at zmartzone.eu Mon Apr 15 03:16:44 2019 From: hans.zandbelt at zmartzone.eu (Hans Zandbelt) Date: Mon, 15 Apr 2019 09:16:44 +0200 Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working In-Reply-To: References: Message-ID:

The France Connect IDP is not ignoring extra parameters in the token request as the spec dictates; this has also proven to be a problem with other OIDC RPs.

Hans.

-- hans.zandbelt at zmartzone.eu ZmartZone IAM - www.zmartzone.eu

From cedric at couralet.eu Mon Apr 15 03:18:18 2019 From: cedric at couralet.eu (Cédric Couralet) Date: Mon, 15 Apr 2019 09:18:18 +0200 Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working In-Reply-To: References: <3af-5cb42280-d-179633c0@229327403> Message-ID:

On 2019-04-15 08:58, Olivier Rivat wrote: > Hi Cedric, > > Please find attached my demo realm JSON file of KC 5.0. > (client secret is starred). > > To add the IdP provider, I select add user provider and select > "keycloak openID provider". > After this, I do select all the fields manually. >

You are using the "Keycloak OpenId Connect" provider which, I think, should only be used between two Keycloak instances. With France Connect, you want to use the "OpenId Connect v1.0" provider, which will not add the client_session_state parameter. As I said in my first message, you can also try our extension https://github.com/InseeFr/Keycloak-FranceConnect which is already tested with Keycloak 5.0.0.

Cédric

From luke at code-house.org Mon Apr 15 03:54:53 2019 From: luke at code-house.org (luke at code-house.org) Date: Mon, 15 Apr 2019 09:54:53 +0200 Subject: [keycloak-user] [keycloak-dev] Custom account provider not working after upgrading to 4.8.3.Final In-Reply-To: References: Message-ID:

How did you package your extension: as a JBoss module or as a regular JAR with jboss-deployment-descriptor.xml? I lately did a similar exercise with 4.8.3 and login forms. You need to modify standalone.xml and set your provider as the primary one while disabling the default one: my-custom-provider My extension is packaged as a JBoss module and registered via the providers configuration: ROOT module:org.code-house.keycloak.login You can also try to drop your JAR (if not packaged as a module) into the ${keycloak.home}/providers directory.

Kind regards, Łukasz, Code-House http://code-house.org

> On 12 Apr 2019, at 10:20, abhishek raghav wrote: > > Hi - > > We have implemented a custom account provider which > implements AccountProviderFactory and the implementation class > extends FreeMarkerAccountProvider. It is packaged and deployed as a > provider with a service definition file. > > This used to work in keycloak 3.4.3.Final but not after we upgraded to > keycloak 4.8.3.Final. > > We also identified that the provider is not even registering/initialized > during boot time of keycloak. Could somebody please tell whether keycloak > has removed support for extending the Account provider SPI.
Or is there any > other way to extend the account provider in keycloak 4.8.3.Final? > > Any help is greatly appreciated. > > Thanks > -Abhishek > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev

From mrestelli at cuebiq.com Mon Apr 15 04:08:34 2019 From: mrestelli at cuebiq.com (Matteo Restelli) Date: Mon, 15 Apr 2019 10:08:34 +0200 Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak In-Reply-To: References: Message-ID:

Hi Pedro, Thank you for your replies and your patience :) My answers inline below ;) Have a nice day, Matteo

On Fri, Apr 12, 2019 at 4:53 PM Pedro Igor Silva wrote: > On Fri, Apr 12, 2019 at 11:28 AM Matteo Restelli wrote: > >> Thank you Pedro, >> My answers (and questions) inline below ;) >> >> Thank you! >> Matteo >> >> On Fri, Apr 12, 2019 at 3:20 PM Pedro Igor Silva wrote: >> >>> Thanks. Now it is more clear. >>> >>> Answers inline below. >>> >>> On Fri, Apr 12, 2019 at 7:29 AM Matteo Restelli wrote: >>> >>>> Hi Pedro, >>>> I'll try to reply to your questions: >>>> >>>> - We've configured Cognito as an identity provider in Keycloak, >>>> importing the configuration via the OIDC discovery-configuration endpoint.
>>>> At this point we needed to introduce the client ID & secret, so we've >>>> created a new confidential client inside AWS Cognito and used its id >>>> & secret in Keycloak's identity provider config >>>> >>>> - We've set the permission & policy for the token exchange feature on our >>>> Keycloak client >>>> >>>> - The SRP flow leverages the SRP authentication protocol (so basically, >>>> no password is sent to the server). The result of this flow is a couple of >>>> JWT tokens (access and id token), but the access token doesn't respect the >>>> OIDC rules (it doesn't contain the openid scope). This last point is what >>>> makes the token exchange process impossible (this is because, during the >>>> process, Cognito replies that "the token doesn't contain the openid >>>> scope"). About that I want to highlight the fact that these problems are >>>> entirely Cognito related: if we use a standard OAuth2 flow (like >>>> Authorization code grant or implicit) the process works as expected. >>>> >>> >>> I see now. In this case, I think you should try to somehow include the >>> openid scope in the access token so that Cognito can process it. I guess >>> this error is returned when the broker is invoking the user endpoint on >>> Cognito? Based on the OIDC user info endpoint definition, the endpoint >>> should accept access tokens. >>> >> >> Yeah, unfortunately we're stuck with this option, because Cognito is >> lacking support for adding this scope to the token (in particular this is >> caused by the Amplify.js library provided by AWS, which is the one we're >> using to implement the SRP flow). Yes, the error is returned from Cognito >> when Keycloak contacts the provider to validate the token. >> >>>> - Since the SRP flow enables us to use a self-hosted login page which >>>> doesn't send the password directly to the server, we've tried to find another >>>> solution.
So we've tried to provide the id >>>> token to the token exchange endpoint, changing some parameters of the HTTP call. And at this point >>>> something unexpected for us happened: the token exchange process also works when >>>> providing the id token. Here's the reason for my first flow of questions: is >>>> this behaviour expected? Is the "exchange with id token" approach a >>>> feasible and good one? Or is it completely a bad approach? >>>> >>>> - Since using this flow (SRP) forces us to provide the id token to our >>>> backend side, here comes the other flow of questions :). From an OIDC point >>>> of view, can it be a right approach to access a backend resource from a single >>>> page application using an id token? I've always read that if you want to >>>> access a backend resource from a client application, it is better to use >>>> the access token, because the id token contains a lot of user information >>>> and must be used only by the client application. >>>> >>> It is fine to use id_token (or any other format supported by the server >>> that can be specified via subject_token_type) when doing the exchange. >>> >>> However, here is the interesting part. If you look at our documentation we >>> should only support "access_token" and "jwt" as a subject_token_type. But >>> the implementation can also handle "id_token". The reason why "id_token" >>> works is that the validation of the token is done locally by Keycloak, >>> differently than when you are using an access_token, where a request will be >>> sent to the user info endpoint on Cognito. >>> >> >> Oh! That's really interesting! :) >> About this point, in your opinion would it be feasible to call the token >> exchange endpoint every time a request comes to our backend side?
Imagine >> this scenario: >> >> - User authenticates to Cognito via the SPA app >> - SPA app calls backend services (typically contacting a gateway) >> - Gateway performs the token exchange on Keycloak >> - Gateway forwards the request (adding the new access token in place of >> the Cognito one) to the underlying microservices... >> >> Do you see any performance issues? Does Keycloak cache something during >> the token exchange process? >> > > I would ask you to try it out and check latency and response times. > Unfortunately, benchmarking is something we are lacking, so we depend on > feedback from the community. > > Maybe another option you could consider is to aggregate your APIs so that > your SPA doesn't need to interact with multiple backend services? Where > this API aggregator would be 1:1 mapped to your client and responsible for > all exchanges to access downstream services. >

So the main idea is to put a gateway in front of all the microservices, so it will be the one that performs the token exchange process. To avoid performance issues we can think about a caching mechanism, but in this way we need to investigate more (we're just evaluating the various options right now ;) ). By the way, IMHO, if a user calls the gateway 300 times in 3 minutes there's no reason to perform the token exchange process at every call.

> Or you could eventually use different scopes to gain access to these > different services and still use the same token obtained by the client > during the authentication. There is a caveat here regarding audience > though, so you could maybe include some audience that logically represents > your different APIs. >

So, if I understood correctly: - Client contacts gateway with a Cognito access token - Gateway performs the token exchange process - Depending on which service needs to be called, the gateway requests scopes from Keycloak with the access token minted by Keycloak. Is this right?
Or is requesting scopes done in the token exchange process? So I've some concepts regarding scopes that I read around on the Internet, and from what I've understood, a scope represents what an OAuth2 client can do: - You need to call service A, perform a read operation - You request the custom scope read_service_a I'm lacking the link between those scopes and the authorization part. How are they linked with the authorization services in Keycloak? If a user isn't authorized to do something, will they never receive the related scope? Or are they completely separate concepts? The audience part is fine for me; also here, from what I've understood, the audience represents the "target" resource protected by the server. Am I right?

> >>> Regarding your last question, no, it is not a good practice to use >>> id_token for bearer token authorization. In addition to privacy concerns >>> (which are not really different than when using JWTs in access tokens), ID >>> Token is about carrying the authentication context with specific >>> constraints. For instance, the audience is the client, not the backend. The >>> lifetime of ID Token is shorter as they are mainly important to >>> authenticate the user into a client, etc. >>> >>> So, you are right. You should try to use access tokens. >>> >> >> Ok, thank you for the explanation.
We'll try to use access tokens >> (probably we'll stop using the SRP flow in favour of an OAuth2 flow like >> Authorization Code Grant with PKCE (which is the one recommended for public >> Single page Applications) >> > > +1 > > >> >> >> >> >>> >>> >>>> - Here's the curl of the token exchange process with the access token >>>> (i'm omitting some infos): >>>> >>>> curl -X POST \ >>>> -d "client_id=test" \ >>>> -d "client_secret=" \ >>>> --data-urlencode >>>> "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ >>>> -d "subject_issuer=" \ >>>> -d "subject_token=" \ >>>> --data-urlencode >>>> "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ >>>> -d "audience=test" \ >>>> http://localhost:8080/auth/realms/ >>>> /protocol/openid-connect/token >>>> >>>> >>>> - Here's the curl of the token exchange process with the id token (i'm >>>> omitting some infos): >>>> >>>> curl -X POST \ >>>> -d "client_id=test" \ >>>> -d "client_secret=" \ >>>> --data-urlencode >>>> "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ >>>> -d "subject_issuer=" \ >>>> -d "subject_token=" \ >>>> --data-urlencode >>>> "subject_token_type=urn:ietf:params:oauth:token-type:id_token" \ >>>> -d "audience=test" \ >>>> http://localhost:8080/auth/realms/ >>>> /protocol/openid-connect/token >>>> >>>> Let me know if you need more infos. >>>> >>>> Thank you again, >>>> Matteo Restelli >>>> >>>> On Wed, Apr 10, 2019 at 3:40 PM Pedro Igor Silva >>>> wrote: >>>> >>>>> Hi, >>>>> >>>>> So you are doing external to internal exchange. It is not clear to me >>>>> how you configured AWS Cognito as an identity provider and what/how the SRP >>>>> flow works. Could you provide more details, please? Is the token issued by >>>>> Cognito a JWT ? >>>>> >>>>> In addition to that, how your token exchange request looks like when >>>>> using both id_token and access_token as a subject_token ? 
>>>>> >>>>> On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli >>>>> wrote: >>>>> >>>>>> Any news on that? >>>>>> >>>>>> Thank you! >>>>>> Matteo >>>>>> >>>>>> ============================= >>>>>> >>>>>> >>>>>> Hi all, >>>>>> We're using AWS Cognito as our Identity provider for our platform. >>>>>> We're >>>>>> trying to use an internal instance of Keycloak, in order to check the >>>>>> possibility to use KC for authorization purposes (this because >>>>>> Keycloak has >>>>>> a wonderful and powerful authorization system that fulfill our needs, >>>>>> and >>>>>> for that i want to say you "Thank you very much" :) ). For this >>>>>> reason we >>>>>> want to use the token exchange feature of Keycloak. >>>>>> More specifically we want to follow this flow: >>>>>> >>>>>> - User authenticates on AWS Cognito via SRP auth flow (which >>>>>> basically is >>>>>> not a standard OIDC/OAuth2 authentication flow) >>>>>> - User sends the access token to contact the backend service and, in >>>>>> the >>>>>> middle, this token is translated to an internal one, minted by >>>>>> Keycloak >>>>>> >>>>>> If we provide the AWS Cognito access token to the token exchange >>>>>> endpoint, >>>>>> with the subject_token_type parameter set to >>>>>> "urn:ietf:params:oauth:token-type:access_token", an error is returned >>>>>> stating that the access token doesn't contain the "openid" scope. >>>>>> Despite >>>>>> this we've tried another way, providing the id token to the token >>>>>> exchange >>>>>> endpoint with the subject_token_parameter set to >>>>>> "urn:ietf:params:oauth:token-type:id_token", and we discovered that >>>>>> this >>>>>> alternative way works. So, my questions are: >>>>>> >>>>>> - Is the "exchange with id token" approach a feasible and good one? >>>>>> Or is >>>>>> completely a bad approach? >>>>>> - From an OIDC point of view, can be a right approach accessing a >>>>>> backend >>>>>> resource from a single page application, using an id token? 
I've >>>>>> always >>>>>> read that if you want to access a backend resource, from a client >>>>>> application, it is better to use the access token, because the id token >>>>>> contains a lot of user information and must be used only by the >>>>>> client >>>>>> application >>>>>> >>>>>> Thank you very much, >>>>>> Matteo >>>>>> >>>>>> >>>>>> PS: As a side note, I want to clarify that if we follow an >>>>>> authorization >>>>>> code grant flow, or an implicit flow, during the authentication >>>>>> against AWS >>>>>> Cognito, the access token exchange works as expected. So this means >>>>>> that >>>>>> the problem is related to the shape of the token released by Cognito. >>>>>> >>>>>> -- >>>>>> >>>>>> Like I Follow >>>>>> I Connect >>>>>> >>>>>> >>>>>> >>>>>> This email is reserved >>>>>> exclusively for sending and receiving messages inherent working >>>>>> activities, >>>>>> and is not intended nor authorized for personal use. Therefore, any >>>>>> outgoing messages or incoming response messages will be treated as >>>>>> company >>>>>> messages and will be subject to the corporate IT policy and may >>>>>> possibly to >>>>>> be read by persons other than by the subscriber of the box. >>>>>> Confidential >>>>>> information may be contained in this message. If you are not the >>>>>> address >>>>>> indicated in this message, please do not copy or deliver this message >>>>>> to >>>>>> anyone. In such case, you should notify the sender immediately and >>>>>> delete >>>>>> the original message. >>>>>> >>>>>> _______________________________________________ >>>>>> keycloak-user mailing list >>>>>> keycloak-user at lists.jboss.org >>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>> >>>>> >>>> >>> >> > From vramik at redhat.com Mon Apr 15 06:52:34 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Mon, 15 Apr 2019 12:52:34 +0200 Subject: [keycloak-user] Import realm settings without removing users In-Reply-To: References: <5f90cdd7-11e7-e234-41ae-bb3e06d3be2a@redhat.com> Message-ID: <21dff93d-a773-4c28-7b8b-40b01313ef0d@redhat.com> On 4/12/19 1:50 PM, Pavel Drankov wrote: > > afaik it's not possible at the moment. > > Is there any plan to support in the future? There is no such plan afaik, you can create a feature request ticket: https://issues.jboss.org/browse/KEYCLOAK V. > > On Fri, 12 Apr 2019 at 11:55, Vlasta Ramik > wrote: > > On 4/12/19 10:52 AM, Pavel Drankov wrote: >> >> if you've exported users as well those should be imported >> during import >> as well. >> >> I don't want to export/import users, just realm settings. Is it >> possible to import realm settings without erasing _users?_ > > afaik it's not possible at the moment. > > V. 
> >> >> >> Best wishes, >> Pavel >> >> >> On Fri, 12 Apr 2019 at 09:48, Vlasta Ramik > > wrote: >> >> Hey Pavel, >> >> if you've exported users as well those should be imported >> during import >> as well. >> >> When you use -Dkeycloak.migration.strategy=OVERWRITE_EXISTING >> the >> existing realm is erased and then imported from file/dir [1] >> >> V. >> >> [1] >> https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import >> >> On 4/11/19 3:49 PM, Pavel Drankov wrote: >> > Hi, >> > >> > Is there any command-line way to import realm settings >> without erasing all >> > the users? If I import realm settings with >> OVERWRITE_EXISTING, keycloak also >> > removes all the users. >> > >> > Best wishes, >> > Pavel >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> From vramik at redhat.com Mon Apr 15 06:54:14 2019 From: vramik at redhat.com (Vlasta Ramik) Date: Mon, 15 Apr 2019 12:54:14 +0200 Subject: [keycloak-user] User creation In-Reply-To: References: <8c634fac-fd05-2e30-2db9-a89ba51df296@redhat.com> <4f744ea0-d2d4-12a8-87f1-37edbde52532@redhat.com> Message-ID: <39a49815-553f-57ca-6966-874c8218a290@redhat.com> On 4/12/19 1:42 PM, Pavel Drankov wrote: > > I suppose you've implemented custom SPI execution [1], > Then in admin console in "Authentication" tab you should make a > copy of "Registration" flow. Then you have to add new execution > [Actions -> Add execution] (your custom execution with sms > validation) to "Copy Of Registration Registration Form" and then > you make the execution "REQUIRED". > > > Already did this. My point is that the default registration steps > combined with a custom one can't be an atomic operation. User entity > is created on the first step without fully passing through the flow. I'd need to investigate this further. Do you have any reproducer which may be used to simulate your issue? 
V. > > > On Fri, 12 Apr 2019 at 12:14, Vlasta Ramik > wrote: > > On 4/12/19 10:49 AM, Pavel Drankov wrote: >> >> registration should be an atomic >> >> Sure, I agree with you. But, a user is created after the first >> step by default. How can I make the user creation process >> consisted of two steps atomic? > > I suppose you've implemented custom SPI execution [1], > > Then in admin console in "Authentication" tab you should make a > copy of "Registration" flow. Then you have to add new execution > [Actions -> Add execution] (your custom execution with sms > validation) to "Copy Of Registration Registration Form" and then > you make the execution "REQUIRED". > > [1] > https://www.keycloak.org/docs/latest/server_development/index.html#_providers > >> >> Best wishes, >> Pavel >> >> >> On Fri, 12 Apr 2019 at 09:54, Vlasta Ramik > > wrote: >> >> Hey Pavel, >> >> inline >> >> On 4/10/19 5:36 PM, Pavel Drankov wrote: >> > Hello, >> > >> > I'm trying to implement a two-step registration process >> based keylock. On >> > the first step enters the same information as in the >> default registration >> > form, but with the addition of telephone number. On the >> second step, he >> > enters a code received via an SMS message. >> > >> > The problem I faced is that if a user successfully filled >> the first step >> > registration form and failed to enter a valid code on the >> second step, he >> > is not able to use the same email address on the first >> step(because of "Email >> > already exists." error). Is there a way to clean up not >> fully registered >> > users and allow them to re-register if they have not >> finished all the step >> > from the registration flow. >> >> It doesn't sound right, I think the registration should be an >> atomic >> operation, so either both steps are successful and user is >> registered or >> the user is not registered. >> >> To tell more I'd need to know more information how you've >> developed the >> described functionality. 
>> >> Regards, >> >> V. >> >> > >> > Best wishes, >> > Pavel >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> From psilva at redhat.com Mon Apr 15 08:20:00 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Mon, 15 Apr 2019 09:20:00 -0300 Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak In-Reply-To: References: Message-ID: On Mon, Apr 15, 2019 at 5:08 AM Matteo Restelli wrote: > Hi Pedro, > Thank you for your replies and your patience :) > My answers inline below ;) > > Have a nice day, > Matteo > > On Fri, Apr 12, 2019 at 4:53 PM Pedro Igor Silva > wrote: > >> >> >> On Fri, Apr 12, 2019 at 11:28 AM Matteo Restelli >> wrote: >> >>> Thank you Pedro, >>> My answers (and questions) inline below ;) >>> >>> Thank you! >>> Matteo >>> >>> On Fri, Apr 12, 2019 at 3:20 PM Pedro Igor Silva >>> wrote: >>> >>>> Thanks. Now it is more clear. >>>> >>>> Answers inline below. >>>> >>>> >>>> On Fri, Apr 12, 2019 at 7:29 AM Matteo Restelli >>>> wrote: >>>> >>>>> Hi Pedro, >>>>> i'll try to reply to your questions: >>>>> >>>>> - We've configured Cognito as an identity provider in Keycloak, >>>>> importing the configuration via the OIDC discovery-configuration endpoint. >>>>> At this point we needed to introduce the clientID & secret, so we've >>>>> created a new confidential client inside AWS Cognito and used its id >>>>> &secret in the Keycloak's Identity provider config >>>>> >>>> >>>>> - We've set the permission & policy about token exchange feature to >>>>> our Keycloak client >>>>> >>>>> - The SRP flow leverages the SRP authentication protocol (so >>>>> basically, no password is sent to the server). The result of this flow is a >>>>> couple of JWT tokens (access and id token), but the access token doesn't >>>>> respect the OIDC rules (it doesn't contain the openid scope). 
This last >>>>> point is what make the token exchange process impossible (this because, >>>>> during the process, Cognito replies that "the token doesn't contain the >>>>> openid scope"). About that i want to highlight the fact that these problems >>>>> are entirely Cognito related: if we use a standard OAuth2 Flow (like >>>>> Authorization code grant or implicit) the process works as expected. >>>>> >>>> >>>> I see now. In this case, I think you should try to include somehow the >>>> openid scope in the access token so that Cognito can process it. I guess >>>> this error is returned when the broker is invoking the user endpoint on >>>> Cognito? based on the OIDC user info endpoint definition, the endpoint >>>> should accept access tokens. >>>> >>> >>> Yeah unfortunately we're stuck with this option, because Cognito is >>> lacking support on adding this scope to the token (especially this is >>> caused by the Amplify.js library provided by AWS, which is the one we're >>> using to implement the SRP flow). Yes, the error is returned from Cognito >>> when Keycloak contacts the provider to validate the token. >>> >> >>> >>> >>>> >>>> >>>>> - Since the SRP flow enables us to use a self-hosted login page which >>>>> doesn't send the password directly to the server, we've tried to find other >>>>> solution. So we've tried to provide to the token exchange endpoint the id >>>>> token, changing some parameters of the HTTP call. And at this point >>>>> something unexpected for us happened: the token exchange process works also >>>>> providing the id token. Here's the reason of my first flow of questions: is >>>>> this behaviour expected? Is the "exchange with id token" approach a >>>>> feasible and good one? Or is completely a bad approach? >>>>> >>>>> - Since using this flow (SRP) force us to provide the id token to our >>>>> backend side, here comes the other flow of questions :). 
From an OIDC point >>>>> of view, can be a right approach accessing a backend resource from a single >>>>> page application, using an id token? I've always read that if you want to >>>>> access to a backend resource, from a client application, is better to use >>>>> the access token, because the id token contains a lot of user informations >>>>> and must be used only by the client application. >>>>> >>>>> >>>> It is fine to use id_token (or any other format supported by the server >>>> that can be specified via subject_token_type) when doing the exchange. >>>> >>>> However, here is the interesting part. If you look our documentation we >>>> should only support "access_token" and "jwt" as a subject_token_type. But >>>> the implementation can also handle "id_token". The reason why "id_token" >>>> works is that the validation of the token is done locally by Keycloak, >>>> differently than when you are using an access_token where a request will be >>>> sent to the user info endpoint on Cognito. >>>> >>> >>> Oh! That's really interesting! :) >>> About this point, in your opinion it will be feasible to call the token >>> exchange endpoint every time a request comes to our backend side? Imagine >>> this scenario: >>> >>> - User authenticates to Cognito via the Spa app >>> - Spa app calls backend services (tipically contacting a gateway) >>> - Gateway performs the token exchange on keycloak >>> - Gateway forwards the request (adding the new access token in place of >>> the Cognito one) to the underlying microservices... >>> >>> Do you see any performance issues? Does Keycloak caches something during >>> the token exchange process? >>> >> >> I would ask you to try it out and check latency and response times. >> Unfortunately, benchmarking is something we are lacking so we depend on >> feedback from the community. >> > >> Maybe, another option you could consider is to aggregate your APIs so >> that your SPA doesn't need to interact with multiple backend services >> ? 
Where this API aggregator would be 1:1 mapped to your client and >> responsible for all exchanges to access downstream services. >> > > So the main idea is to put a gateway in front of all the microservices, so > it will be the one who performs the token exchange process. To avoid > performance issues we can think about a caching mechanism but in this way > we need to investigate more (we're just evaluating the various options > right now ;) ). By the way, IMHO, if a user calls the gateway 300 times in > 3 minutes there's no reason to perform the token exchange process at every > call. > > > >> >> Or you could eventually use different scopes to gain access to these >> different services and still use the same token obtained by the client >> during the authentication. There is a caveat here regarding audience >> though, so you could maybe include some audience that logically represent >> your different APIs. >> > > So, if i understood correctly: > - Client contacts gateway with a Cognito access token > - Gateway performs the token exchange process > - Depending on which service needs to be called, the gateway requests > scopes to Keycloak with the access token minted by Keycloak. Is this right? > Or requesting scopes is done in the token exchange process? > > So i've some concepts regarding scopes that i read around on the Internet, > and for what i've understood, a scope represents what an oauth2 client can > do: > - You need to call service A, perform a read operation > - You request the custom scope read_service_a > > I'm lacking the link between those scopes and the authorization part. How > are they linked with the authorization services in Keycloak? If a user > isn't authorized to do something, will never receive the related scope? Or > are they completely separated concepts? > There is no link between the two. I was considering a regular OAuth2 authorization where you would rely on the scopes granted by the server. 
I think I missed the authorization services part in your first message :) > > The audience part is fine for me, also here for what i've understood, the > audience represents the "target" resource protected by the server. Am i > right? > Yes. > > >> >>> >>> >>>> >>>> Regarding your last question, no it is not a good practice to use >>>> id_token for bearer token authorization. In addition to privacy concerns >>>> (which is not really different than when using JWTs in access tokens), ID >>>> Token is about carrying the authentication context with specific >>>> constraints. For instance, the audience is the client, not the backend. The >>>> lifetime of ID Token is shorter as they are mainly important to >>>> authenticate the user into a client, etc. >>>> >>>> So, you are right. You should try to use access tokens. >>>> >>> >>> Ok thank you for the explanation. We'll try to use access tokens >>> (probably we'll stop using the SRP flow in favour of an OAuth2 flow like >>> Authorization Code Grant with PKCE (which is the one recommended for public >>> Single page Applications) >>> >> >> +1 >> >> >>> >>> >>> >>> >>>> >>>> >>>>> - Here's the curl of the token exchange process with the access token >>>>> (i'm omitting some infos): >>>>> >>>>> curl -X POST \ >>>>> -d "client_id=test" \ >>>>> -d "client_secret=" \ >>>>> --data-urlencode >>>>> "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ >>>>> -d "subject_issuer=" \ >>>>> -d "subject_token=" \ >>>>> --data-urlencode >>>>> "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ >>>>> -d "audience=test" \ >>>>> http://localhost:8080/auth/realms/ >>>>> /protocol/openid-connect/token >>>>> >>>>> >>>>> - Here's the curl of the token exchange process with the id token (i'm >>>>> omitting some infos): >>>>> >>>>> curl -X POST \ >>>>> -d "client_id=test" \ >>>>> -d "client_secret=" \ >>>>> --data-urlencode >>>>> "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ >>>>> -d "subject_issuer=" \ 
>>>>> -d "subject_token=" \ >>>>> --data-urlencode >>>>> "subject_token_type=urn:ietf:params:oauth:token-type:id_token" \ >>>>> -d "audience=test" \ >>>>> http://localhost:8080/auth/realms/ >>>>> /protocol/openid-connect/token >>>>> >>>>> Let me know if you need more infos. >>>>> >>>>> Thank you again, >>>>> Matteo Restelli >>>>> >>>>> On Wed, Apr 10, 2019 at 3:40 PM Pedro Igor Silva >>>>> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> So you are doing external to internal exchange. It is not clear to me >>>>>> how you configured AWS Cognito as an identity provider and what/how the SRP >>>>>> flow works. Could you provide more details, please? Is the token issued by >>>>>> Cognito a JWT ? >>>>>> >>>>>> In addition to that, how your token exchange request looks like when >>>>>> using both id_token and access_token as a subject_token ? >>>>>> >>>>>> On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli >>>>>> wrote: >>>>>> >>>>>>> Any news on that? >>>>>>> >>>>>>> Thank you! >>>>>>> Matteo >>>>>>> >>>>>>> ============================= >>>>>>> >>>>>>> >>>>>>> Hi all, >>>>>>> We're using AWS Cognito as our Identity provider for our platform. >>>>>>> We're >>>>>>> trying to use an internal instance of Keycloak, in order to check the >>>>>>> possibility to use KC for authorization purposes (this because >>>>>>> Keycloak has >>>>>>> a wonderful and powerful authorization system that fulfill our >>>>>>> needs, and >>>>>>> for that i want to say you "Thank you very much" :) ). For this >>>>>>> reason we >>>>>>> want to use the token exchange feature of Keycloak. 
>>>>>>> More specifically we want to follow this flow: >>>>>>> >>>>>>> - User authenticates on AWS Cognito via SRP auth flow (which >>>>>>> basically is >>>>>>> not a standard OIDC/OAuth2 authentication flow) >>>>>>> - User sends the access token to contact the backend service and, in >>>>>>> the >>>>>>> middle, this token is translated to an internal one, minted by >>>>>>> Keycloak >>>>>>> >>>>>>> If we provide the AWS Cognito access token to the token exchange >>>>>>> endpoint, >>>>>>> with the subject_token_type parameter set to >>>>>>> "urn:ietf:params:oauth:token-type:access_token", an error is returned >>>>>>> stating that the access token doesn't contain the "openid" scope. >>>>>>> Despite >>>>>>> this we've tried another way, providing the id token to the token >>>>>>> exchange >>>>>>> endpoint with the subject_token_parameter set to >>>>>>> "urn:ietf:params:oauth:token-type:id_token", and we discovered that >>>>>>> this >>>>>>> alternative way works. So, my questions are: >>>>>>> >>>>>>> - Is the "exchange with id token" approach a feasible and good one? >>>>>>> Or is >>>>>>> completely a bad approach? >>>>>>> - From an OIDC point of view, can be a right approach accessing a >>>>>>> backend >>>>>>> resource from a single page application, using an id token? I've >>>>>>> always >>>>>>> read that if you want to access to a backend resource, from a client >>>>>>> application, is better to use the access token, because the id token >>>>>>> contains a lot of user informations and must be used only by the >>>>>>> client >>>>>>> application >>>>>>> >>>>>>> Thank you very much, >>>>>>> Matteo >>>>>>> >>>>>>> >>>>>>> PS: As a side note, i want to clarify that if we follow an >>>>>>> authorization >>>>>>> code grant flow, or an implicit flow, during the authentication >>>>>>> against AWS >>>>>>> Cognito, the access token exchange works as expected. So this means >>>>>>> that >>>>>>> the problem is related to the shape of the token released by Cognito. 
>>>>>>> >>>>>>> >>>>>>> _______________________________________________ >>>>>>> keycloak-user mailing list >>>>>>> keycloak-user at lists.jboss.org >>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>>>>> >>>>>> >>>>> >>>> >>> >> > From abhi.raghav007 at gmail.com Mon Apr 15 08:21:03 2019 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Mon, 15 Apr 2019 17:51:03 +0530 Subject: [keycloak-user] [keycloak-dev] Custom account provider not working after upgrading to 4.8.3.Final In-Reply-To: References: Message-ID: Hi Łukasz, Wow, you just saved me a lot of time. On point answer. We are packaging the provider as a regular jar and dropping it in the ${keycloak.home}/providers directory. I tried your way of modifying the standalone.xml file just as you suggested and it worked like a charm. Now we are able to see all the overridden features in the account section. Thank you so much. :) *Regards* Abhishek On Mon, Apr 15, 2019 at 1:24 PM wrote: > How did you package your extension - as jboss module or regular JAR with > jboss-deployment-descriptor.xml ? > > I did lately a similar exercise with 4.8.3 and login forms. You need to > modify standalone.xml and set your provider as the primary one while disabling > the default one: > > > my-custom-provider > > > > > My extension is packaged as a JBoss module and registered via providers > configuration: > > ROOT > > > module:org.code-house.keycloak.login > > > > > You can also try to drop your JAR (if not packaged as a module) into the > ${keycloak.home}/providers directory. > > Kind regards, > Łukasz > 
> Code-House
> http://code-house.org
>
> On 12 Apr 2019, at 10:20, abhishek raghav wrote:
>
> Hi -
>
> We have implemented a custom account provider which implements AccountProviderFactory and the implementation class extends FreeMarkerAccountProvider. It is packaged and deployed as a provider with a service definition file.
>
> This used to work in keycloak 3.4.3.Final but not after we upgraded to keycloak 4.8.3.Final.
>
> We also identified that the provider is not even registering/initialized during boot time of keycloak. Could somebody please tell whether keycloak has removed support for extending the Account provider SPI, or whether there is any other way to extend the account provider in keycloak 4.8.3.Final?
>
> Any help is greatly appreciated.
>
> Thanks
> -Abhishek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

From namikbarisidil at hotmail.com Mon Apr 15 08:32:22 2019
From: namikbarisidil at hotmail.com (Namık Barış İDİL)
Date: Mon, 15 Apr 2019 12:32:22 +0000
Subject: [keycloak-user] SMS Integration

Hi All,

Is it possible to integrate an external SMS provider service with Keycloak (for user registration)? If it is, where can I find some documentation on how?

Thanks in advance.
Barış

From melissa.palmer at gmail.com Mon Apr 15 10:06:08 2019
From: melissa.palmer at gmail.com (Melissa Palmer)
Date: Mon, 15 Apr 2019 16:06:08 +0200
Subject: [keycloak-user] How do you export a REALM from keycloak when running within a Docker container?

Hi

How do you export a REALM from keycloak when running within a Docker container?

*If running Keycloak via docker, eg: using*

docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 --name kc jboss/keycloak

How can you export a realm that you have added via the UI?

Thanks in Advance
Melissa

From rabbiosi at esteco.com Mon Apr 15 11:23:04 2019
From: rabbiosi at esteco.com (Gabriele Rabbiosi)
Date: Mon, 15 Apr 2019 17:23:04 +0200
Subject: [keycloak-user] Account Management Rest API

Hi guys,
I'd like more information about the AccountRestService class (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java)

1. I noticed that there are still a couple of TODOs (such as Identity Providers management); is there a roadmap for the development of these missing features?
2. Are these APIs public or for internal use only? I'd like to use them to implement a custom Account Management page for my application.
3. How stable are they? How likely is it that they will change or disappear in the (near) future?

Thank you.

Best regards
--
GABRIELE RABBIOSI
BeePMN Software Engineer
ESTECO | EXPLORE DESIGN PERFECTION
AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549

Pursuant to Legislative Decree No. 196/2003, you are hereby informed that this message contains confidential information intended only for the use of the addressee. If you are not the addressee, and have received this message by mistake, please delete it and immediately notify us. You may not copy or disseminate this message to anyone. Thank you. Please consider the environment before printing this email.

From keycloak-user at imber.wien Mon Apr 15 12:07:17 2019
From: keycloak-user at imber.wien (keycloak-user at imber.wien)
Date: Mon, 15 Apr 2019 18:07:17 +0200
Subject: [keycloak-user] User Export with Storage Providers inefficient
Message-ID: <22966735ec75fef9f5f73b827865e82d@imber.wien>

Hi,

I was doing some research on an issue we encountered with user export (at boot-time). The export task was running for hours with ~50.000 LDAP-backed Users and eventually crashed.
It obviously got slower and slower with each user bulk. I observed that this also happens with local-only users, as soon as an LDAP provider is configured and enabled.

SQL log output showed that for each user-select for a given "page" (limit and offset), all preceding pages are queried first, which explains the deterioration over time (quadratic complexity).

The responsible code (KC 4.8.3) is UserStorageManager#query(...). If any enabled storage providers exist, this method queries all pages up to the requested one.

I then found this explanation from Summer 2016: http://lists.jboss.org/pipermail/keycloak-dev/2016-June/007448.html

> Right now I've implemented something that is pretty inefficient to keep it backward compatible right now. Basically I iterate all providers from the beginning until the page desired is identified and filled up. Minimally it is a stop gap until I get everything working.

... so it seems to be a concession to backwards compatibility, back when storage federation got refactored.

Can you think of a workaround to make user export usable for us? Do you plan to drop or improve the current pagination behavior at some point?

Thanks, best regards,
Mario.

From Shweta.Shetty at Teradata.com Mon Apr 15 12:27:51 2019
From: Shweta.Shetty at Teradata.com (Shetty, Shweta)
Date: Mon, 15 Apr 2019 16:27:51 +0000
Subject: [keycloak-user] Key Rotation

Hi Folks,

As per the security need we need to provide the functionality of rotating keys. The access token is using RS256 as key algorithm, but it looks like Keycloak signs the refresh token with a different algorithm, using HMAC (HS256). We have a use case of offline tokens and would like to get a new offline token when the key rotates. Is it possible to sign the refresh token with the same key as the access token? The problem is we can only revoke the refresh token; there is no way to rotate the refresh token key.

Please advise? What do folks usually do?

Shweta

From ssilvert at redhat.com Mon Apr 15 12:32:07 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Mon, 15 Apr 2019 12:32:07 -0400
Subject: [keycloak-user] Account Management Rest API
Message-ID: <3b45a135-3023-e685-21e6-ab556276491e@redhat.com>

Right now this API is in development and subject to change at any time. We are hoping to have it completed in the next few months.

Also, we are working on a new Account Console that will use PatternFly 4 and React. It will be easy to extend, so you can add your own pages. It will work better on mobile devices. And of course, you will be able to change it around with different themes and such.

So building your own console from this new Account Console might be a better option than building the whole thing from scratch.

If you are interested, the code is here along with a readme that tells how to build and run. It's very much a work in progress:
https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/keycloak-preview/account/resources

I still need to document how to create extensions, so let me know if you are interested in that.

Stan

On 4/15/2019 11:23 AM, Gabriele Rabbiosi wrote:
> Hi guys,
> I'd like more information about the AccountRestService class
> (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java)
>
> 1. I noticed that there are still a couple of TODOs (such as Identity Providers management); is there a roadmap for the development of these missing features?
> 2. Are these APIs public or for internal use only? I'd like to use them to implement a custom Account Management page for my application.
> 3. How stable are they? How likely is it that they will change or disappear in the (near) future?
>
> Thank you.
> Best regards
> --
> GABRIELE RABBIOSI
> BeePMN Software Engineer
> ESTECO | EXPLORE DESIGN PERFECTION
> AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
> Phone: +39 040 3755548 - Fax: +39 040 3755549

From orivat at janua.fr Mon Apr 15 12:32:05 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Mon, 15 Apr 2019 18:32:05 +0200
Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working
In-Reply-To: <1c90-5cb41a00-b-17db7d00@30246831>
References: <1c90-5cb41a00-b-17db7d00@30246831>

Hello Cedric,

Tkx a lot for all your updates.

I have just downloaded your module, and uploaded it.
I am not able to configure the IDP with your module.

When I click on one of the two choices to configure the IDP (FranceConnect Particulier for example), I obtain the following below.

What could be missing from my side?

Regards,

Olivier

On 15/04/2019 at 07:43, cedric at couralet.eu wrote:
> Hi,
>
> How are you integrating the two idps? The client_session_state parameter seems to have been added as a hack when using KeycloakOIDCIdentityProvider ([1]), but this was added a long time ago. I think this provider should only be used when the 2 idps are keycloak; you may want to try the generic OIDCIdentityProvider, which does not add this param.
> But there is an issue with logout [2] and signature validation, which is why we had to develop our own keycloak extension for france connect [3]. I just tried it with keycloak 5.0.0 without problem.
>
> (and you may want to change your account information with france connect (client_secret and client_id), these should not be public)
>
> Cédric Couralet
>
> [1] https://github.com/keycloak/keycloak/blob/c34c0a3860fa3c6de5963eb56f431696e826404c/services/src/main/java/org/keycloak/broker/oidc/KeycloakOIDCIdentityProvider.java#L134
> [2] https://issues.jboss.org/browse/KEYCLOAK-7209
> [3] https://github.com/InseeFr/Keycloak-FranceConnect
>
> On Friday, April 12, 2019 17:16 CEST, Olivier Rivat wrote:
>
>> Hi,
>>
>> I am testing the integration of keycloak to FranceConnect (French IDP provider).
>> It is working fine with keycloak 4.81 (I have just tested it today), but it is failing with keycloak 5.0.
>>
>> The difference between the two is that keycloak 5.0 is adding internally client_session_state on the idp request.
>> But FranceConnect idp is not recognizing client_session_state.
>>
>> What could be done to overcome this issue, as the IDP has not changed?
>> Is it possible to disable this flag (client_session_state) so it does not appear in the log of KC 5.0?
>>
>> Please advise what could be done to have it working again.
>>
>> Regards,
>>
>> Olivier Rivat
>>
>> ==============================================================================
>>
>> Traces are as follows between the two:
>>
>> Keycloak 4.83 trace (OK)
>>
>> 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3 "[\r][\n]"
>> 2019-04-12 17:06:04,250 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3
>> code=de5db40072c4d4a146f46330e7f85e38610d0943e95e9cb6ac73d66bd672205a&
>> grant_type=authorization_code&
>> client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
>> redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
>> client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6
>> 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3 << "HTTP/1.1 200 OK[\r][\n]"
>> 2019-04-12 17:06:04,308 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3 << "Server: nginx[\r][\n]"
>> 2019-04-12 17:06:04,309 DEBUG [org.apache.http.wire] (default task-11) http-outgoing-3 << "Date: Fri, 12 Apr 2019 15:05:57 GMT[\r][\n]"
>> 2019-04
>>
>> Keycloak 5.00 trace (Not working)
>>
>> 6:01:00,889 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 "
>> code=326df10aabf29c322ca83a2a20b7ffc8c3dcab1ce150b62e99433b3a11e78e81&
>> grant_type=authorization_code&
>> client_session_state=n%2Fa&
>> client_secret=f6495844366b0a6c44fb2fffb4764ee732d134f4a7a8321863983473801c26db&
>> redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fauth%2Frealms%2Fdemo%2Fbroker%2FFranceConnect%2Fendpoint&
>> client_id=db14bd4bf83bf764076a25f664ca6750a32c2cd18be6ba43806d80cb2a3745b6"
>> 16:01:00,966 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "HTTP/1.1 400 Bad Request[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Server: nginx[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Date: Fri, 12 Apr 2019 14:00:53 GMT[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Content-Type: application/json; charset=utf-8[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Content-Length: 104[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Connection: keep-alive[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "ETag: W/"68-1YcGPHfKrHgT2FZkgQmpNQ"[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "Vary: Accept-Encoding[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "[\r][\n]"
>> 16:01:00,967 DEBUG [org.apache.http.wire] (default task-10) http-outgoing-0 << "{"status":"fail","message":"The following fields are not supposed to be present : client_session_state"}"
>> 1

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From cedric at couralet.eu Mon Apr 15 12:39:21 2019
From: cedric at couralet.eu (Cédric Couralet)
Date: Mon, 15 Apr 2019 18:39:21 +0200
Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working
References: <1c90-5cb41a00-b-17db7d00@30246831>
Message-ID: <51bc04327dc394f6b7756a3ee45009ab@couralet.eu>

On 2019-04-15 18:32, Olivier Rivat wrote:
> Hello Cedric,
>
> Tkx a lot for all your
> updates.
>
> I have just downloaded your module, and uploaded it.
> I am not able to configure the IDP with your module.
>
> When I click on one of the two choices to configure the IDP (FranceConnect Particulier for example), I obtain the following below.
>
> What could be missing from my side?
>

Right, sorry, I just realized I didn't push the docs...

For it to work, you need to pick the "fc-theme" theme for the admin console (careful, if you connect with the /admin/master/console, like it is by default, you need to change the theme for the master realm and not your "demo" realm).
Then you will have to logout and login again and it should work (deleting browser cache may help).
I sometimes had to restart keycloak, but I think it is not really necessary.

Regards,
Cédric Couralet

> Regards,
>
> Olivier
>

From orivat at janua.fr Mon Apr 15 13:12:11 2019
From: orivat at janua.fr (Olivier Rivat)
Date: Mon, 15 Apr 2019 19:12:11 +0200
Subject: [keycloak-user] keycloak 5.0 integration with FranceConnect (IDP provider) no longer working
In-Reply-To: <51bc04327dc394f6b7756a3ee45009ab@couralet.eu>
References: <1c90-5cb41a00-b-17db7d00@30246831> <51bc04327dc394f6b7756a3ee45009ab@couralet.eu>
Message-ID: <3e135c2e-37d2-abad-8689-21ea364677f8@janua.fr>

Hi Cedric,

Tkx for your last update.
I've been able to make it work.

In your doc, you should also indicate that you need to configure both attribute mappers for firstname and lastname to be able to sign in immediately.

Regards,

Olivier Rivat

On 15/04/2019 at 18:39, Cédric Couralet wrote:
> On 2019-04-15 18:32, Olivier Rivat wrote:
>> Hello Cedric,
>>
>> Tkx a lot for all your updates.
>>
>> I have just downloaded your module, and uploaded it.
>> I am not able to configure the IDP with your module.
>>
>> When I click on one of the two choices to configure the IDP (FranceConnect Particulier for example), I obtain the following below.
>>
>> What could be missing from my side?
>>
>
> Right, sorry, I just realized I didn't push the docs...
>
> For it to work, you need to pick the "fc-theme" theme for the admin console (careful, if you connect with the /admin/master/console, like it is by default, you need to change the theme for the master realm and not your "demo" realm).
> Then you will have to logout and login again and it should work (deleting browser cache may help).
> I sometimes had to restart keycloak, but I think it is not really necessary.
>
> Regards,
> Cédric Couralet
>
>> Regards,
>>
>> Olivier
>>

--
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

From Nithin.Chandrashekhar at Teradata.com Mon Apr 15 14:05:32 2019
From: Nithin.Chandrashekhar at Teradata.com (Chandrashekhar, Nithin)
Date: Mon, 15 Apr 2019 18:05:32 +0000
Subject: [keycloak-user] Keycloak Ldap Group Sync
Message-ID: <0E759449-BCB6-4394-8777-F686589D7864@teradata.com>

Hi Folks,

Is there a way to bring in a new ldap group (without clearing the cache) which a user is made part of after the user has logged in?

Thanks
Nithin

From Nithin.Chandrashekhar at Teradata.com Mon Apr 15 14:12:40 2019
From: Nithin.Chandrashekhar at Teradata.com (Chandrashekhar, Nithin)
Date: Mon, 15 Apr 2019 18:12:40 +0000
Subject: [keycloak-user] Duplicate ldap groups during group sync
Message-ID: <8E7B0A42-0C74-421C-A9AB-05ED7639E57C@teradata.com>

Hi Folks,

Keycloak Version: 4.8.2.Final

When the group sync is in progress and a user tries to login, I see that those groups which the user belongs to are being duplicated. Is this a bug in keycloak or a mistake in any other configuration in keycloak?
Thanks
Nithin

From titantins at gmail.com Mon Apr 15 18:48:10 2019
From: titantins at gmail.com (Pavel Drankov)
Date: Tue, 16 Apr 2019 01:48:10 +0300
Subject: [keycloak-user] Import realm settings without removing users
In-Reply-To: <21dff93d-a773-4c28-7b8b-40b01313ef0d@redhat.com>
References: <5f90cdd7-11e7-e234-41ae-bb3e06d3be2a@redhat.com> <21dff93d-a773-4c28-7b8b-40b01313ef0d@redhat.com>

Ok, thanks.

Best wishes,
Pavel

On Mon, 15 Apr 2019 at 13:52, Vlasta Ramik wrote:
> On 4/12/19 1:50 PM, Pavel Drankov wrote:
>
> afaik it's not possible at the moment.
>
> Is there any plan to support it in the future?
>
> There is no such plan afaik, you can create a feature request ticket:
> https://issues.jboss.org/browse/KEYCLOAK
>
> V.
>
> On Fri, 12 Apr 2019 at 11:55, Vlasta Ramik wrote:
>
>> On 4/12/19 10:52 AM, Pavel Drankov wrote:
>>
>> if you've exported users as well those should be imported during import
>>> as well.
>>
>> I don't want to export/import users, just realm settings. Is it possible to import realm settings without erasing *users?*
>>
>> afaik it's not possible at the moment.
>>
>> V.
>>
>> Best wishes,
>> Pavel
>>
>> On Fri, 12 Apr 2019 at 09:48, Vlasta Ramik wrote:
>>
>>> Hey Pavel,
>>>
>>> if you've exported users as well those should be imported during import as well.
>>>
>>> When you use -Dkeycloak.migration.strategy=OVERWRITE_EXISTING the existing realm is erased and then imported from file/dir [1]
>>>
>>> V.
>>>
>>> [1] https://www.keycloak.org/docs/latest/server_admin/index.html#_export_import
>>>
>>> On 4/11/19 3:49 PM, Pavel Drankov wrote:
>>> > Hi,
>>> >
>>> > Is there any command-line way to import realm settings without erasing all the users? If you import realm settings with OVERWRITE_EXISTING, keycloak also removes all the users.
>>> >
>>> > Best wishes,
>>> > Pavel

From mrestelli at cuebiq.com Tue Apr 16 03:16:22 2019
From: mrestelli at cuebiq.com (Matteo Restelli)
Date: Tue, 16 Apr 2019 09:16:22 +0200
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak

Hi Pedro,
you can find, inline below, a question about the authorization services (the last question, I promise :) ).

Thank you again,
Matteo

On Mon, Apr 15, 2019 at 2:20 PM Pedro Igor Silva wrote:
>
> On Mon, Apr 15, 2019 at 5:08 AM Matteo Restelli wrote:
>
>> Hi Pedro,
>> Thank you for your replies and your patience :)
>> My answers inline below ;)
>>
>> Have a nice day,
>> Matteo
>>
>> On Fri, Apr 12, 2019 at 4:53 PM Pedro Igor Silva wrote:
>>
>>> On Fri, Apr 12, 2019 at 11:28 AM Matteo Restelli wrote:
>>>
>>>> Thank you Pedro,
>>>> My answers (and questions) inline below ;)
>>>>
>>>> Thank you!
>>>> Matteo
>>>>
>>>> On Fri, Apr 12, 2019 at 3:20 PM Pedro Igor Silva wrote:
>>>>
>>>>> Thanks. Now it is more clear.
>>>>>
>>>>> Answers inline below.
>>>>>
>>>>> On Fri, Apr 12, 2019 at 7:29 AM Matteo Restelli wrote:
>>>>>
>>>>>> Hi Pedro,
>>>>>> I'll try to reply to your questions:
>>>>>>
>>>>>> - We've configured Cognito as an identity provider in Keycloak, importing the configuration via the OIDC discovery-configuration endpoint.
>>>>>> At this point we needed to introduce the clientID & secret, so we've >>>>>> created a new confidential client inside AWS Cognito and used its id >>>>>> &secret in the Keycloak's Identity provider config >>>>>> >>>>> >>>>>> - We've set the permission & policy about token exchange feature to >>>>>> our Keycloak client >>>>>> >>>>>> - The SRP flow leverages the SRP authentication protocol (so >>>>>> basically, no password is sent to the server). The result of this flow is a >>>>>> couple of JWT tokens (access and id token), but the access token doesn't >>>>>> respect the OIDC rules (it doesn't contain the openid scope). This last >>>>>> point is what make the token exchange process impossible (this because, >>>>>> during the process, Cognito replies that "the token doesn't contain the >>>>>> openid scope"). About that i want to highlight the fact that these problems >>>>>> are entirely Cognito related: if we use a standard OAuth2 Flow (like >>>>>> Authorization code grant or implicit) the process works as expected. >>>>>> >>>>> >>>>> I see now. In this case, I think you should try to include somehow the >>>>> openid scope in the access token so that Cognito can process it. I guess >>>>> this error is returned when the broker is invoking the user endpoint on >>>>> Cognito? based on the OIDC user info endpoint definition, the endpoint >>>>> should accept access tokens. >>>>> >>>> >>>> Yeah unfortunately we're stuck with this option, because Cognito is >>>> lacking support on adding this scope to the token (especially this is >>>> caused by the Amplify.js library provided by AWS, which is the one we're >>>> using to implement the SRP flow). Yes, the error is returned from Cognito >>>> when Keycloak contacts the provider to validate the token. >>>> >>> >>>> >>>> >>>>> >>>>> >>>>>> - Since the SRP flow enables us to use a self-hosted login page which >>>>>> doesn't send the password directly to the server, we've tried to find other >>>>>> solution. 
So we've tried to provide to the token exchange endpoint the id >>>>>> token, changing some parameters of the HTTP call. And at this point >>>>>> something unexpected for us happened: the token exchange process works also >>>>>> providing the id token. Here's the reason of my first flow of questions: is >>>>>> this behaviour expected? Is the "exchange with id token" approach a >>>>>> feasible and good one? Or is completely a bad approach? >>>>>> >>>>>> - Since using this flow (SRP) force us to provide the id token to our >>>>>> backend side, here comes the other flow of questions :). From an OIDC point >>>>>> of view, can be a right approach accessing a backend resource from a single >>>>>> page application, using an id token? I've always read that if you want to >>>>>> access to a backend resource, from a client application, is better to use >>>>>> the access token, because the id token contains a lot of user informations >>>>>> and must be used only by the client application. >>>>>> >>>>>> >>>>> It is fine to use id_token (or any other format supported by the >>>>> server that can be specified via subject_token_type) when doing the >>>>> exchange. >>>>> >>>>> However, here is the interesting part. If you look our documentation >>>>> we should only support "access_token" and "jwt" as a subject_token_type. >>>>> But the implementation can also handle "id_token". The reason why >>>>> "id_token" works is that the validation of the token is done locally by >>>>> Keycloak, differently than when you are using an access_token where a >>>>> request will be sent to the user info endpoint on Cognito. >>>>> >>>> >>>> Oh! That's really interesting! :) >>>> About this point, in your opinion it will be feasible to call the token >>>> exchange endpoint every time a request comes to our backend side? 
Imagine >>>> this scenario: >>>> >>>> - User authenticates to Cognito via the Spa app >>>> - Spa app calls backend services (tipically contacting a gateway) >>>> - Gateway performs the token exchange on keycloak >>>> - Gateway forwards the request (adding the new access token in place of >>>> the Cognito one) to the underlying microservices... >>>> >>>> Do you see any performance issues? Does Keycloak caches something >>>> during the token exchange process? >>>> >>> >>> I would ask you to try it out and check latency and response times. >>> Unfortunately, benchmarking is something we are lacking so we depend on >>> feedback from the community. >>> >> >>> Maybe, another option you could consider is to aggregate your APIs so >>> that your SPA doesn't need to interact with multiple backend services >>> ? Where this API aggregator would be 1:1 mapped to your client and >>> responsible for all exchanges to access downstream services. >>> >> >> So the main idea is to put a gateway in front of all the microservices, >> so it will be the one who performs the token exchange process. To avoid >> performance issues we can think about a caching mechanism but in this way >> we need to investigate more (we're just evaluating the various options >> right now ;) ). By the way, IMHO, if a user calls the gateway 300 times in >> 3 minutes there's no reason to perform the token exchange process at every >> call. >> >> >> >>> >>> Or you could eventually use different scopes to gain access to these >>> different services and still use the same token obtained by the client >>> during the authentication. There is a caveat here regarding audience >>> though, so you could maybe include some audience that logically represent >>> your different APIs. 
>>> >> >> So, if i understood correctly: >> - Client contacts gateway with a Cognito access token >> - Gateway performs the token exchange process >> - Depending on which service needs to be called, the gateway requests >> scopes to Keycloak with the access token minted by Keycloak. Is this right? >> Or requesting scopes is done in the token exchange process? >> >> So i've some concepts regarding scopes that i read around on the >> Internet, and for what i've understood, a scope represents what an oauth2 >> client can do: >> - You need to call service A, perform a read operation >> - You request the custom scope read_service_a >> >> I'm lacking the link between those scopes and the authorization part. How >> are they linked with the authorization services in Keycloak? If a user >> isn't authorized to do something, will never receive the related scope? Or >> are they completely separated concepts? >> > > There is no link between the two. I was considering a regular OAuth2 > authorization where you would rely on the scopes granted by the server. I > think I missed the authorization services part in your first message :) > Ah ok. We are planning to store the authorization data into keycloak (something like user X has the permission to access to resource Y and to perform on it the action Z) in order to have this kind of information inside the access token minted by Keycloak during the exchange process. Once the resource server gets the token it will authorize or not the access. Do you think this could be the right way? It could be feasible, in your opinion? > > >> >> The audience part is fine for me, also here for what i've understood, the >> audience represents the "target" resource protected by the server. Am i >> right? >> > > Yes. > > >> >> >>> >>>> >>>> >>>>> >>>>> Regarding your last question, no it is not a good practice to use >>>>> id_token for bearer token authorization. 
>>>>> In addition to privacy concerns (which is not really different than when using JWTs in access tokens), ID Token is about carrying the authentication context with specific constraints. For instance, the audience is the client, not the backend. The lifetime of ID Token is shorter as they are mainly important to authenticate the user into a client, etc.
>>>>>
>>>>> So, you are right. You should try to use access tokens.
>>>>
>>>> Ok thank you for the explanation. We'll try to use access tokens (probably we'll stop using the SRP flow in favour of an OAuth2 flow like Authorization Code Grant with PKCE (which is the one recommended for public Single page Applications)
>>>
>>> +1
>>>
>>>>>> - Here's the curl of the token exchange process with the access token (I'm omitting some infos):
>>>>>>
>>>>>> curl -X POST \
>>>>>> -d "client_id=test" \
>>>>>> -d "client_secret=" \
>>>>>> --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>>>>>> -d "subject_issuer=" \
>>>>>> -d "subject_token=" \
>>>>>> --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
>>>>>> -d "audience=test" \
>>>>>> http://localhost:8080/auth/realms/
>>>>>> /protocol/openid-connect/token
>>>>>>
>>>>>> - Here's the curl of the token exchange process with the id token (I'm omitting some infos):
>>>>>>
>>>>>> curl -X POST \
>>>>>> -d "client_id=test" \
>>>>>> -d "client_secret=" \
>>>>>> --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>>>>>> -d "subject_issuer=" \
>>>>>> -d "subject_token=" \
>>>>>> --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:id_token" \
>>>>>> -d "audience=test" \
>>>>>> http://localhost:8080/auth/realms/
>>>>>> /protocol/openid-connect/token
>>>>>>
>>>>>> Let me know if you need more infos.
>>>>>>
>>>>>> Thank you again,
>>>>>> Matteo Restelli
>>>>>>
>>>>>> On Wed, Apr 10, 2019 at 3:40 PM Pedro Igor Silva wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> So you are doing external to internal exchange. It is not clear to me how you configured AWS Cognito as an identity provider and what/how the SRP flow works. Could you provide more details, please? Is the token issued by Cognito a JWT?
>>>>>>>
>>>>>>> In addition to that, how does your token exchange request look when using both id_token and access_token as a subject_token?
>>>>>>>
>>>>>>> On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli <mrestelli at cuebiq.com> wrote:
>>>>>>>
>>>>>>>> Any news on that?
>>>>>>>>
>>>>>>>> Thank you!
>>>>>>>> Matteo
>>>>>>>>
>>>>>>>> =============================
>>>>>>>>
>>>>>>>> Hi all,
>>>>>>>> We're using AWS Cognito as our Identity provider for our platform. We're trying to use an internal instance of Keycloak, in order to check the possibility to use KC for authorization purposes (this because Keycloak has a wonderful and powerful authorization system that fulfills our needs, and for that I want to say you "Thank you very much" :) ). For this reason we want to use the token exchange feature of Keycloak.
>>>>>>>> More specifically we want to follow this flow:
>>>>>>>>
>>>>>>>> - User authenticates on AWS Cognito via SRP auth flow (which basically is not a standard OIDC/OAuth2 authentication flow)
>>>>>>>> - User sends the access token to contact the backend service and, in the middle, this token is translated to an internal one, minted by Keycloak
>>>>>>>>
>>>>>>>> If we provide the AWS Cognito access token to the token exchange endpoint, with the subject_token_type parameter set to "urn:ietf:params:oauth:token-type:access_token", an error is returned stating that the access token doesn't contain the "openid" scope. Despite this we've tried another way, providing the id token to the token exchange endpoint with the subject_token_type parameter set to "urn:ietf:params:oauth:token-type:id_token", and we discovered that this alternative way works. So, my questions are:
>>>>>>>>
>>>>>>>> - Is the "exchange with id token" approach a feasible and good one? Or is it completely a bad approach?
>>>>>>>> - From an OIDC point of view, can it be a right approach to access a backend resource from a single page application using an id token? I've always read that if you want to access a backend resource from a client application, it is better to use the access token, because the id token contains a lot of user information and must be used only by the client application
>>>>>>>>
>>>>>>>> Thank you very much,
>>>>>>>> Matteo
>>>>>>>>
>>>>>>>> PS: As a side note, I want to clarify that if we follow an authorization code grant flow, or an implicit flow, during the authentication against AWS Cognito, the access token exchange works as expected.
>>>>>>>> So this means that the problem is related to the shape of the token released by Cognito.
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Like I Follow
>>>>>>>> I Connect
>>>>>>>>
>>>>>>>> This email is reserved exclusively for sending and receiving messages inherent working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly to be read by persons other than by the subscriber of the box. Confidential information may be contained in this message. If you are not the address indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message.
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> keycloak-user mailing list
>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mohamad.khayat at esis.ae Tue Apr 16 03:49:21 2019
From: mohamad.khayat at esis.ae (Mohamad KHAYAT)
Date: Tue, 16 Apr 2019 11:49:21 +0400
Subject: [keycloak-user] help
Message-ID: <75AF973B9D9D984899A02A2DCCD87A904E41BD5197@adexchange3.adess.intra>

Dear Sir/Madam,

I was looking for a clear step by step document to install and configure keycloak in domain mode. The idea is to have a central configuration. I have six remote sites and one central site.

Can you please help?

Kind Regards,
Mohamad

From abhi.raghav007 at gmail.com Tue Apr 16 05:28:08 2019
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Tue, 16 Apr 2019 14:58:08 +0530
Subject: [keycloak-user] SMS Integration
In-Reply-To:
References:
Message-ID:

Hi Barış,

Keycloak does not provide any SMS provider OOTB.
If I understand correctly, are you looking to implement the 2 factor authentication via sms? If yes, you can definitely have a look at this repo, which uses an external sms provider, the Amazon SNS service.
https://github.com/nickpack/keycloak-sms-authenticator-sns

Thanks
Abhishek

On Mon, Apr 15, 2019 at 6:08 PM Namık Barış İDİL wrote:

> Hi All,
>
> Is it possible to integrate an external SMS provider service to Keycloak (for user registration)? If it is, where can I find some documentation of how.
>
> Thanks in advance.
>
> Barış
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From sylvain.malnuit at lyra-network.com Tue Apr 16 05:44:15 2019
From: sylvain.malnuit at lyra-network.com (Sylvain Malnuit)
Date: Tue, 16 Apr 2019 11:44:15 +0200 (CEST)
Subject: [keycloak-user] SMS Integration
In-Reply-To:
References:
Message-ID: <004801d4f438$f41faed0$dc5f0c70$@lyra-network.com>

Hi Barış,

Moreover, you can contribute and add support for a new SMS provider (see my merge request for example https://github.com/nickpack/keycloak-sms-authenticator-sns/commit/710bdcbdfc5c75a13418db2c4c629bf35adb701b)

Bye
Sylvain

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of abhishek raghav
Sent: Tuesday, 16 April 2019 11:28
To: Namık Barış İDİL
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] SMS Integration

Hi Barış,

Keycloak does not provide any SMS provider OOTB. If I understand correctly, are you looking to implement the 2 factor authentication via sms? If yes, you can definitely have a look at this repo, which uses an external sms provider, the Amazon SNS service.
https://github.com/nickpack/keycloak-sms-authenticator-sns

Thanks
Abhishek

On Mon, Apr 15, 2019 at 6:08 PM Namık Barış İDİL wrote:

> Hi All,
>
> Is it possible to integrate an external SMS provider service to Keycloak (for user registration)? If it is, where can I find some documentation of how.
>
> Thanks in advance.
>
> Barış
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From rabbiosi at esteco.com Tue Apr 16 06:09:50 2019
From: rabbiosi at esteco.com (Gabriele Rabbiosi)
Date: Tue, 16 Apr 2019 12:09:50 +0200
Subject: [keycloak-user] Account Management Rest API
In-Reply-To: <3b45a135-3023-e685-21e6-ab556276491e@redhat.com>
References: <3b45a135-3023-e685-21e6-ab556276491e@redhat.com>
Message-ID:

Hi Stan,
thanks for your info.
From what I understand, you're planning to use the Account Rest API in the implementation of the new Account Console. When the new Console is finished, do you intend to make the Account API public, documented and maintained (like the Admin Rest API, for example)?

Thanks

--
GABRIELE RABBIOSI
BeePMN Software Engineer

ESTECO | EXPLORE DESIGN PERFECTION
AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
Phone: +39 040 3755548 - Fax: +39 040 3755549
[Website] | [Twitter] | [Facebook] | [Linkedin]

Pursuant to Legislative Decree No. 196/2003, you are hereby informed that this message contains confidential information intended only for the use of the addressee. If you are not the addressee, and have received this message by mistake, please delete it and immediately notify us. You may not copy or disseminate this message to anyone. Thank you. Please consider the environment before printing this email.

On Mon, Apr 15, 2019 at 6:55 PM Stan Silvert wrote:
>
> Right now this API is in development and subject to change at any time.
> We are hoping to have it completed in the next few months.
>
> Also, we are working on a new Account Console that will use PatternFly 4 and React. It will be easy to extend, so you can add your own pages. It will work better on mobile devices. And of course, you will be able to change it around with different themes and such.
>
> So building your own console from this new Account Console might be a better option than building the whole thing from scratch.
>
> If you are interested, the code is here along with a readme that tells how to build and run. It's very much a work in progress:
> https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/keycloak-preview/account/resources
>
> I still need to document how to create extensions, so let me know if you are interested in that.
>
> Stan
>
> On 4/15/2019 11:23 AM, Gabriele Rabbiosi wrote:
> > Hi guys,
> > I'd like more information about the AccountRestService class
> > (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java)
> >
> > 1. I noticed that there are still a couple of TODOs (such as Identity Providers management); is there a roadmap for the development of these missing features?
> > 2. Are these APIs public or for internal use only? I'd like to use them to implement a custom Account Management page for my application.
> > 3. How stable are they? How likely is it that they will change or disappear in the (near) future?
> >
> > Thank you.
> > Best regards
> >
> > --
> >
> > GABRIELE RABBIOSI
> > BeePMN Software Engineer
> >
> > ESTECO | EXPLORE DESIGN PERFECTION
> > AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
> > Phone: +39 040 3755548 - Fax: +39 040 3755549
> > [Website] | [Twitter] | [Facebook] | [Linkedin]
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From psilva at redhat.com Tue Apr 16 08:08:17 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 16 Apr 2019 09:08:17 -0300
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak
In-Reply-To:
References:
Message-ID:

Yes, sure.

If you are using our adapter, you should be able to enable the policy enforcer for your services. What it does is enforce access to protected resources based on the policies you have on Keycloak.

The policy enforcer has two operation modes. One that uses regular access tokens (sent as a bearer to your services) to obtain permissions from the server, thus requiring interaction between the enforcer and Keycloak to obtain the decision. And another one that leverages bearer token authorization to enforce access based on the permissions within the token.

It is up to you to decide which one works best for your use case. For instance, when using a regular access token to access your service, a connection to Keycloak is necessary in order to check whether or not access should be granted. Whereas if you are using a "permission token", you don't have this additional request.
The regular access token approach makes your client's life easier as they just need to send the access token, whereas the other approach requires your client to exchange a regular access token with a permission token. The permission token approach also allows you to do incremental authorization so that your clients can obtain permissions on demand, etc ...

Performance-wise, the regular access token approach is obviously more expensive. But I don't think it should be a bottleneck. Microservices is all about S2S :)

On Tue, Apr 16, 2019 at 4:16 AM Matteo Restelli wrote:

> Hi Pedro,
> you can find, inline below, a question about the authorization services (the last question, I promise :) ).
>
> Thank you again,
> Matteo
>
> On Mon, Apr 15, 2019 at 2:20 PM Pedro Igor Silva wrote:
>
>> On Mon, Apr 15, 2019 at 5:08 AM Matteo Restelli wrote:
>>
>>> Hi Pedro,
>>> Thank you for your replies and your patience :)
>>> My answers inline below ;)
>>>
>>> Have a nice day,
>>> Matteo
>>>
>>> On Fri, Apr 12, 2019 at 4:53 PM Pedro Igor Silva wrote:
>>>
>>>> On Fri, Apr 12, 2019 at 11:28 AM Matteo Restelli wrote:
>>>>
>>>>> Thank you Pedro,
>>>>> My answers (and questions) inline below ;)
>>>>>
>>>>> Thank you!
>>>>> Matteo
>>>>>
>>>>> On Fri, Apr 12, 2019 at 3:20 PM Pedro Igor Silva wrote:
>>>>>
>>>>>> Thanks. Now it is more clear.
>>>>>>
>>>>>> Answers inline below.
>>>>>>
>>>>>> On Fri, Apr 12, 2019 at 7:29 AM Matteo Restelli wrote:
>>>>>>
>>>>>>> Hi Pedro,
>>>>>>> I'll try to reply to your questions:
>>>>>>>
>>>>>>> - We've configured Cognito as an identity provider in Keycloak, importing the configuration via the OIDC discovery-configuration endpoint. At this point we needed to introduce the clientID & secret, so we've created a new confidential client inside AWS Cognito and used its id & secret in the Keycloak's Identity provider config
>>>>>>>
>>>>>>> - We've set the permission & policy about the token exchange feature to our Keycloak client
>>>>>>>
>>>>>>> - The SRP flow leverages the SRP authentication protocol (so basically, no password is sent to the server). The result of this flow is a couple of JWT tokens (access and id token), but the access token doesn't respect the OIDC rules (it doesn't contain the openid scope). This last point is what makes the token exchange process impossible (this because, during the process, Cognito replies that "the token doesn't contain the openid scope"). About that I want to highlight the fact that these problems are entirely Cognito related: if we use a standard OAuth2 Flow (like Authorization code grant or implicit) the process works as expected.
>>>>>>
>>>>>> I see now. In this case, I think you should try to include somehow the openid scope in the access token so that Cognito can process it. I guess this error is returned when the broker is invoking the user endpoint on Cognito? Based on the OIDC user info endpoint definition, the endpoint should accept access tokens.
>>>>>
>>>>> Yeah unfortunately we're stuck with this option, because Cognito is lacking support on adding this scope to the token (especially this is caused by the Amplify.js library provided by AWS, which is the one we're using to implement the SRP flow). Yes, the error is returned from Cognito when Keycloak contacts the provider to validate the token.
>>>>>
>>>>>>> - Since the SRP flow enables us to use a self-hosted login page which doesn't send the password directly to the server, we've tried to find another solution. So we've tried to provide to the token exchange endpoint the id token, changing some parameters of the HTTP call. And at this point something unexpected for us happened: the token exchange process works also providing the id token. Here's the reason for my first flow of questions: is this behaviour expected? Is the "exchange with id token" approach a feasible and good one? Or is it completely a bad approach?
>>>>>>>
>>>>>>> - Since using this flow (SRP) forces us to provide the id token to our backend side, here comes the other flow of questions :). From an OIDC point of view, can it be a right approach to access a backend resource from a single page application using an id token? I've always read that if you want to access a backend resource from a client application, it is better to use the access token, because the id token contains a lot of user information and must be used only by the client application.
>>>>>>
>>>>>> It is fine to use id_token (or any other format supported by the server that can be specified via subject_token_type) when doing the exchange.
>>>>>>
>>>>>> However, here is the interesting part. If you look at our documentation we should only support "access_token" and "jwt" as a subject_token_type. But the implementation can also handle "id_token". The reason why "id_token" works is that the validation of the token is done locally by Keycloak, differently than when you are using an access_token where a request will be sent to the user info endpoint on Cognito.
>>>>>
>>>>> Oh! That's really interesting! :)
>>>>> About this point, in your opinion will it be feasible to call the token exchange endpoint every time a request comes to our backend side? Imagine this scenario:
>>>>>
>>>>> - User authenticates to Cognito via the Spa app
>>>>> - Spa app calls backend services (typically contacting a gateway)
>>>>> - Gateway performs the token exchange on keycloak
>>>>> - Gateway forwards the request (adding the new access token in place of the Cognito one) to the underlying microservices...
>>>>>
>>>>> Do you see any performance issues? Does Keycloak cache something during the token exchange process?
>>>>
>>>> I would ask you to try it out and check latency and response times. Unfortunately, benchmarking is something we are lacking so we depend on feedback from the community.
>>>>
>>>> Maybe, another option you could consider is to aggregate your APIs so that your SPA doesn't need to interact with multiple backend services? Where this API aggregator would be 1:1 mapped to your client and responsible for all exchanges to access downstream services.
>>>
>>> So the main idea is to put a gateway in front of all the microservices, so it will be the one who performs the token exchange process. To avoid performance issues we can think about a caching mechanism but in this way we need to investigate more (we're just evaluating the various options right now ;) ). By the way, IMHO, if a user calls the gateway 300 times in 3 minutes there's no reason to perform the token exchange process at every call.
>>>
>>>> Or you could eventually use different scopes to gain access to these different services and still use the same token obtained by the client during the authentication. There is a caveat here regarding audience though, so you could maybe include some audience that logically represents your different APIs.
>>>
>>> So, if I understood correctly:
>>> - Client contacts gateway with a Cognito access token
>>> - Gateway performs the token exchange process
>>> - Depending on which service needs to be called, the gateway requests scopes to Keycloak with the access token minted by Keycloak. Is this right? Or is requesting scopes done in the token exchange process?
>>>
>>> So I've some concepts regarding scopes that I read around on the Internet, and from what I've understood, a scope represents what an oauth2 client can do:
>>> - You need to call service A, perform a read operation
>>> - You request the custom scope read_service_a
>>>
>>> I'm lacking the link between those scopes and the authorization part. How are they linked with the authorization services in Keycloak? If a user isn't authorized to do something, will they never receive the related scope? Or are they completely separated concepts?
>>
>> There is no link between the two. I was considering a regular OAuth2 authorization where you would rely on the scopes granted by the server. I think I missed the authorization services part in your first message :)
>
> Ah ok. We are planning to store the authorization data into keycloak (something like user X has the permission to access resource Y and to perform on it the action Z) in order to have this kind of information inside the access token minted by Keycloak during the exchange process. Once the resource server gets the token it will authorize or not the access. Do you think this could be the right way? Could it be feasible, in your opinion?
>
>>> The audience part is fine for me, also here from what I've understood, the audience represents the "target" resource protected by the server. Am I right?
>>
>> Yes.
>>
>>>>>> Regarding your last question, no it is not a good practice to use id_token for bearer token authorization.
In addition to privacy concerns >>>>>> (which is not really different than when using JWTs in access tokens), ID >>>>>> Token is about carrying the authentication context with specific >>>>>> constraints. For instance, the audience is the client, not the backend. The >>>>>> lifetime of ID Token is shorter as they are mainly important to >>>>>> authenticate the user into a client, etc. >>>>>> >>>>>> So, you are right. You should try to use access tokens. >>>>>> >>>>> >>>>> Ok thank you for the explanation. We'll try to use access tokens >>>>> (probably we'll stop using the SRP flow in favour of an OAuth2 flow like >>>>> Authorization Code Grant with PKCE (which is the one recommended for public >>>>> Single page Applications) >>>>> >>>> >>>> +1 >>>> >>>> >>>>> >>>>> >>>>> >>>>> >>>>>> >>>>>> >>>>>>> - Here's the curl of the token exchange process with the access >>>>>>> token (i'm omitting some infos): >>>>>>> >>>>>>> curl -X POST \ >>>>>>> -d "client_id=test" \ >>>>>>> -d "client_secret=" \ >>>>>>> --data-urlencode >>>>>>> "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ >>>>>>> -d "subject_issuer=" \ >>>>>>> -d "subject_token=" \ >>>>>>> --data-urlencode >>>>>>> "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \ >>>>>>> -d "audience=test" \ >>>>>>> http://localhost:8080/auth/realms/ >>>>>>> /protocol/openid-connect/token >>>>>>> >>>>>>> >>>>>>> - Here's the curl of the token exchange process with the id token >>>>>>> (i'm omitting some infos): >>>>>>> >>>>>>> curl -X POST \ >>>>>>> -d "client_id=test" \ >>>>>>> -d "client_secret=" \ >>>>>>> --data-urlencode >>>>>>> "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \ >>>>>>> -d "subject_issuer=" \ >>>>>>> -d "subject_token=" \ >>>>>>> --data-urlencode >>>>>>> "subject_token_type=urn:ietf:params:oauth:token-type:id_token" \ >>>>>>> -d "audience=test" \ >>>>>>> http://localhost:8080/auth/realms/ >>>>>>> /protocol/openid-connect/token >>>>>>> >>>>>>> Let me know if you need 
more infos. >>>>>>> >>>>>>> Thank you again, >>>>>>> Matteo Restelli >>>>>>> >>>>>>> On Wed, Apr 10, 2019 at 3:40 PM Pedro Igor Silva >>>>>>> wrote: >>>>>>> >>>>>>>> Hi, >>>>>>>> >>>>>>>> So you are doing external to internal exchange. It is not clear to >>>>>>>> me how you configured AWS Cognito as an identity provider and what/how the >>>>>>>> SRP flow works. Could you provide more details, please? Is the token issued >>>>>>>> by Cognito a JWT ? >>>>>>>> >>>>>>>> In addition to that, how your token exchange request looks like >>>>>>>> when using both id_token and access_token as a subject_token ? >>>>>>>> >>>>>>>> On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli < >>>>>>>> mrestelli at cuebiq.com> wrote: >>>>>>>> >>>>>>>>> Any news on that? >>>>>>>>> >>>>>>>>> Thank you! >>>>>>>>> Matteo >>>>>>>>> >>>>>>>>> ============================= >>>>>>>>> >>>>>>>>> >>>>>>>>> Hi all, >>>>>>>>> We're using AWS Cognito as our Identity provider for our platform. >>>>>>>>> We're >>>>>>>>> trying to use an internal instance of Keycloak, in order to check >>>>>>>>> the >>>>>>>>> possibility to use KC for authorization purposes (this because >>>>>>>>> Keycloak has >>>>>>>>> a wonderful and powerful authorization system that fulfill our >>>>>>>>> needs, and >>>>>>>>> for that i want to say you "Thank you very much" :) ). For this >>>>>>>>> reason we >>>>>>>>> want to use the token exchange feature of Keycloak. 
>>>>>>>>> More specifically we want to follow this flow: >>>>>>>>> >>>>>>>>> - User authenticates on AWS Cognito via SRP auth flow (which >>>>>>>>> basically is >>>>>>>>> not a standard OIDC/OAuth2 authentication flow) >>>>>>>>> - User sends the access token to contact the backend service and, >>>>>>>>> in the >>>>>>>>> middle, this token is translated to an internal one, minted by >>>>>>>>> Keycloak >>>>>>>>> >>>>>>>>> If we provide the AWS Cognito access token to the token exchange >>>>>>>>> endpoint, >>>>>>>>> with the subject_token_type parameter set to >>>>>>>>> "urn:ietf:params:oauth:token-type:access_token", an error is >>>>>>>>> returned >>>>>>>>> stating that the access token doesn't contain the "openid" scope. >>>>>>>>> Despite >>>>>>>>> this we've tried another way, providing the id token to the token >>>>>>>>> exchange >>>>>>>>> endpoint with the subject_token_parameter set to >>>>>>>>> "urn:ietf:params:oauth:token-type:id_token", and we discovered >>>>>>>>> that this >>>>>>>>> alternative way works. So, my questions are: >>>>>>>>> >>>>>>>>> - Is the "exchange with id token" approach a feasible and good >>>>>>>>> one? Or is >>>>>>>>> completely a bad approach? >>>>>>>>> - From an OIDC point of view, can be a right approach accessing a >>>>>>>>> backend >>>>>>>>> resource from a single page application, using an id token? I've >>>>>>>>> always >>>>>>>>> read that if you want to access to a backend resource, from a >>>>>>>>> client >>>>>>>>> application, is better to use the access token, because the id >>>>>>>>> token >>>>>>>>> contains a lot of user informations and must be used only by the >>>>>>>>> client >>>>>>>>> application >>>>>>>>> >>>>>>>>> Thank you very much, >>>>>>>>> Matteo >>>>>>>>> >>>>>>>>> >>>>>>>>> PS: As a side note, i want to clarify that if we follow an >>>>>>>>> authorization >>>>>>>>> code grant flow, or an implicit flow, during the authentication >>>>>>>>> against AWS >>>>>>>>> Cognito, the access token exchange works as expected. 
So this >>>>>>>>> means that >>>>>>>>> the problem is related to the shape of the token released by >>>>>>>>> Cognito. >>>>>>>>> >>>>>>>>> -- >>>>>>>>> >>>>>>>>> Like I Follow >>>>>>>>> I Connect >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> This email is reserved >>>>>>>>> exclusively for sending and receiving messages inherent working >>>>>>>>> activities, >>>>>>>>> and is not intended nor authorized for personal use. Therefore, any >>>>>>>>> outgoing messages or incoming response messages will be treated as >>>>>>>>> company >>>>>>>>> messages and will be subject to the corporate IT policy and may >>>>>>>>> possibly to >>>>>>>>> be read by persons other than by the subscriber of the box. >>>>>>>>> Confidential >>>>>>>>> information may be contained in this message. If you are not the >>>>>>>>> address >>>>>>>>> indicated in this message, please do not copy or deliver this >>>>>>>>> message to >>>>>>>>> anyone. In such case, you should notify the sender immediately and >>>>>>>>> delete >>>>>>>>> the original message. >>>>>>>>> >>>>>>>>> -- >>>>>>>>> >>>>>>>>> Like I Follow >>>>>>>>> I Connect >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> This email is reserved >>>>>>>>> exclusively for sending and receiving messages inherent working >>>>>>>>> activities, >>>>>>>>> and is not intended nor authorized for personal use. Therefore, >>>>>>>>> any >>>>>>>>> outgoing messages or incoming response messages will be treated as >>>>>>>>> company >>>>>>>>> messages and will be subject to the corporate IT policy and may >>>>>>>>> possibly to >>>>>>>>> be read by persons other than by the subscriber of the box. >>>>>>>>> Confidential >>>>>>>>> information may be contained in this message. If you are not the >>>>>>>>> address >>>>>>>>> indicated in this message, please do not copy or deliver this >>>>>>>>> message to >>>>>>>>> anyone. In such case, you should notify the sender immediately and >>>>>>>>> delete >>>>>>>>> the original message. 
>>>>>>>>> _______________________________________________
>>>>>>>>> keycloak-user mailing list
>>>>>>>>> keycloak-user at lists.jboss.org
>>>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From mrestelli at cuebiq.com Tue Apr 16 08:22:41 2019
From: mrestelli at cuebiq.com (Matteo Restelli)
Date: Tue, 16 Apr 2019 14:22:41 +0200
Subject: [keycloak-user] Token Exchange AWS Cognito & Keycloak
In-Reply-To:
References:
Message-ID:

Ok Pedro, all was clear! Thank you very much for your support and your
patience, your answers will definitely help us in building our authorization
system.

Have a nice day and, again, THANK YOU! :)
Matteo

On Tue, Apr 16, 2019 at 2:08 PM Pedro Igor Silva wrote:

> Yes, sure.
>
> If you are using our adapter, you should be able to enable the policy
> enforcer to your services. What it does is enforce access to protected
> resources based on the policies you have on Keycloak.
>
> The policy enforcer has two operation modes.
> One that uses regular access tokens (sent as a bearer to your services) to
> obtain permissions from the server, thus requiring interaction between the
> enforcer and Keycloak to obtain the decision. And another one that leverages
> bearer token authorization to enforce access based on the permissions within
> the token. It is up to you to decide which one works best for your use case.
>
> For instance, when using a regular access token to access your service, a
> connection to Keycloak is necessary in order to check whether or not access
> should be granted. Whereas if you are using a "permission token", you don't
> have this additional request. The regular access token approach makes your
> client's life easier as they just need to send the access token, whereas the
> other approach requires your client to exchange a regular access token with
> a permission token. The permission token approach also allows you to do
> incremental authorization so that your clients can obtain permissions on
> demand, etc ...
>
> Performance-wise, the regular access token approach is obviously more
> expensive. But I don't think it should be a bottleneck. Microservices is all
> about S2S :)
>
> On Tue, Apr 16, 2019 at 4:16 AM Matteo Restelli wrote:
>
>> Hi Pedro,
>> you can find, inline below, a question about the authorization services
>> (the last question, I promise :) ).
>>
>> Thank you again,
>> Matteo
>>
>> On Mon, Apr 15, 2019 at 2:20 PM Pedro Igor Silva wrote:
>>
>>> On Mon, Apr 15, 2019 at 5:08 AM Matteo Restelli wrote:
>>>
>>>> Hi Pedro,
>>>> Thank you for your replies and your patience :)
>>>> My answers inline below ;)
>>>>
>>>> Have a nice day,
>>>> Matteo
>>>>
>>>> On Fri, Apr 12, 2019 at 4:53 PM Pedro Igor Silva wrote:
>>>>
>>>>> On Fri, Apr 12, 2019 at 11:28 AM Matteo Restelli wrote:
>>>>>
>>>>>> Thank you Pedro,
>>>>>> My answers (and questions) inline below ;)
>>>>>>
>>>>>> Thank you!
>>>>>> Matteo
>>>>>>
>>>>>> On Fri, Apr 12, 2019 at 3:20 PM Pedro Igor Silva wrote:
>>>>>>
>>>>>>> Thanks. Now it is more clear.
>>>>>>>
>>>>>>> Answers inline below.
>>>>>>>
>>>>>>> On Fri, Apr 12, 2019 at 7:29 AM Matteo Restelli <mrestelli at cuebiq.com> wrote:
>>>>>>>
>>>>>>>> Hi Pedro,
>>>>>>>> I'll try to reply to your questions:
>>>>>>>>
>>>>>>>> - We've configured Cognito as an identity provider in Keycloak,
>>>>>>>>   importing the configuration via the OIDC discovery-configuration
>>>>>>>>   endpoint. At this point we needed to introduce the clientID & secret,
>>>>>>>>   so we've created a new confidential client inside AWS Cognito and
>>>>>>>>   used its id & secret in the Keycloak's Identity provider config
>>>>>>>>
>>>>>>>> - We've set the permission & policy about token exchange feature to
>>>>>>>>   our Keycloak client
>>>>>>>>
>>>>>>>> - The SRP flow leverages the SRP authentication protocol (so basically,
>>>>>>>>   no password is sent to the server). The result of this flow is a
>>>>>>>>   couple of JWT tokens (access and id token), but the access token
>>>>>>>>   doesn't respect the OIDC rules (it doesn't contain the openid scope).
>>>>>>>>   This last point is what makes the token exchange process impossible
>>>>>>>>   (this because, during the process, Cognito replies that "the token
>>>>>>>>   doesn't contain the openid scope"). About that I want to highlight
>>>>>>>>   the fact that these problems are entirely Cognito related: if we use
>>>>>>>>   a standard OAuth2 Flow (like Authorization code grant or implicit)
>>>>>>>>   the process works as expected.
>>>>>>>>
>>>>>>> I see now. In this case, I think you should try to include somehow the
>>>>>>> openid scope in the access token so that Cognito can process it. I
>>>>>>> guess this error is returned when the broker is invoking the user
>>>>>>> endpoint on Cognito? Based on the OIDC user info endpoint definition,
>>>>>>> the endpoint should accept access tokens.
>>>>>>>
>>>>>> Yeah unfortunately we're stuck with this option, because Cognito is
>>>>>> lacking support on adding this scope to the token (especially this is
>>>>>> caused by the Amplify.js library provided by AWS, which is the one we're
>>>>>> using to implement the SRP flow). Yes, the error is returned from Cognito
>>>>>> when Keycloak contacts the provider to validate the token.
>>>>>>
>>>>>>>> - Since the SRP flow enables us to use a self-hosted login page which
>>>>>>>>   doesn't send the password directly to the server, we've tried to
>>>>>>>>   find other solutions. So we've tried to provide to the token exchange
>>>>>>>>   endpoint the id token, changing some parameters of the HTTP call.
>>>>>>>>   And at this point something unexpected for us happened: the token
>>>>>>>>   exchange process works also providing the id token. Here's the
>>>>>>>>   reason of my first flow of questions: is this behaviour expected? Is
>>>>>>>>   the "exchange with id token" approach a feasible and good one? Or is
>>>>>>>>   it completely a bad approach?
>>>>>>>>
>>>>>>>> - Since using this flow (SRP) forces us to provide the id token to our
>>>>>>>>   backend side, here comes the other flow of questions :). From an
>>>>>>>>   OIDC point of view, can it be a right approach accessing a backend
>>>>>>>>   resource from a single page application, using an id token? I've
>>>>>>>>   always read that if you want to access a backend resource, from a
>>>>>>>>   client application, it is better to use the access token, because
>>>>>>>>   the id token contains a lot of user information and must be used
>>>>>>>>   only by the client application.
>>>>>>>>
>>>>>>> It is fine to use id_token (or any other format supported by the server
>>>>>>> that can be specified via subject_token_type) when doing the exchange.
>>>>>>>
>>>>>>> However, here is the interesting part. If you look at our documentation
>>>>>>> we should only support "access_token" and "jwt" as a subject_token_type.
>>>>>>> But the implementation can also handle "id_token". The reason why
>>>>>>> "id_token" works is that the validation of the token is done locally by
>>>>>>> Keycloak, differently than when you are using an access_token where a
>>>>>>> request will be sent to the user info endpoint on Cognito.
>>>>>>>
>>>>>> Oh! That's really interesting! :)
>>>>>> About this point, in your opinion will it be feasible to call the token
>>>>>> exchange endpoint every time a request comes to our backend side?
>>>>>> Imagine this scenario:
>>>>>>
>>>>>> - User authenticates to Cognito via the Spa app
>>>>>> - Spa app calls backend services (typically contacting a gateway)
>>>>>> - Gateway performs the token exchange on keycloak
>>>>>> - Gateway forwards the request (adding the new access token in place of
>>>>>>   the Cognito one) to the underlying microservices...
>>>>>>
>>>>>> Do you see any performance issues? Does Keycloak cache something during
>>>>>> the token exchange process?
>>>>>>
>>>>> I would ask you to try it out and check latency and response times.
>>>>> Unfortunately, benchmarking is something we are lacking so we depend on
>>>>> feedback from the community.
>>>>>
>>>>> Maybe, another option you could consider is to aggregate your APIs so
>>>>> that your SPA doesn't need to interact with multiple backend services?
>>>>> Where this API aggregator would be 1:1 mapped to your client and
>>>>> responsible for all exchanges to access downstream services.
>>>>>
>>>> So the main idea is to put a gateway in front of all the microservices,
>>>> so it will be the one who performs the token exchange process. To avoid
>>>> performance issues we can think about a caching mechanism but in this way
>>>> we need to investigate more (we're just evaluating the various options
>>>> right now ;) ). By the way, IMHO, if a user calls the gateway 300 times
>>>> in 3 minutes there's no reason to perform the token exchange process at
>>>> every call.
>>>>
>>>>> Or you could eventually use different scopes to gain access to these
>>>>> different services and still use the same token obtained by the client
>>>>> during the authentication. There is a caveat here regarding audience
>>>>> though, so you could maybe include some audience that logically
>>>>> represents your different APIs.
>>>>>
>>>> So, if I understood correctly:
>>>> - Client contacts gateway with a Cognito access token
>>>> - Gateway performs the token exchange process
>>>> - Depending on which service needs to be called, the gateway requests
>>>>   scopes to Keycloak with the access token minted by Keycloak. Is this
>>>>   right? Or is requesting scopes done in the token exchange process?
>>>>
>>>> So I've some concepts regarding scopes that I read around on the
>>>> Internet, and for what I've understood, a scope represents what an oauth2
>>>> client can do:
>>>> - You need to call service A, perform a read operation
>>>> - You request the custom scope read_service_a
>>>>
>>>> I'm lacking the link between those scopes and the authorization part.
>>>> How are they linked with the authorization services in Keycloak? If a
>>>> user isn't authorized to do something, will they never receive the
>>>> related scope? Or are they completely separated concepts?
>>>>
>>> There is no link between the two. I was considering a regular OAuth2
>>> authorization where you would rely on the scopes granted by the server. I
>>> think I missed the authorization services part in your first message :)
>>>
>> Ah ok. We are planning to store the authorization data into keycloak
>> (something like user X has the permission to access resource Y and to
>> perform on it the action Z) in order to have this kind of information
>> inside the access token minted by Keycloak during the exchange process.
>> Once the resource server gets the token it will authorize or not the
>> access. Do you think this could be the right way?
>> It could be feasible, in your opinion?
>>
>>>> The audience part is fine for me, also here for what I've understood,
>>>> the audience represents the "target" resource protected by the server.
>>>> Am I right?
>>>>
>>> Yes.
>>>
>>>>>>> Regarding your last question, no it is not a good practice to use
>>>>>>> id_token for bearer token authorization. In addition to privacy
>>>>>>> concerns (which is not really different than when using JWTs in access
>>>>>>> tokens), ID Token is about carrying the authentication context with
>>>>>>> specific constraints. For instance, the audience is the client, not
>>>>>>> the backend. The lifetime of ID Token is shorter as they are mainly
>>>>>>> important to authenticate the user into a client, etc.
>>>>>>>
>>>>>>> So, you are right. You should try to use access tokens.
>>>>>>>
>>>>>> Ok thank you for the explanation. We'll try to use access tokens
>>>>>> (probably we'll stop using the SRP flow in favour of an OAuth2 flow
>>>>>> like Authorization Code Grant with PKCE (which is the one recommended
>>>>>> for public Single page Applications)
>>>>>>
>>>>> +1
>>>>>
>>>>>>>> - Here's the curl of the token exchange process with the access token
>>>>>>>>   (I'm omitting some infos):
>>>>>>>>
>>>>>>>> curl -X POST \
>>>>>>>>   -d "client_id=test" \
>>>>>>>>   -d "client_secret=" \
>>>>>>>>   --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>>>>>>>>   -d "subject_issuer=" \
>>>>>>>>   -d "subject_token=" \
>>>>>>>>   --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
>>>>>>>>   -d "audience=test" \
>>>>>>>>   http://localhost:8080/auth/realms/
>>>>>>>>   /protocol/openid-connect/token
>>>>>>>>
>>>>>>>> - Here's the curl of the token exchange process with the id token
>>>>>>>>   (I'm omitting some infos):
>>>>>>>>
>>>>>>>> curl -X POST \
>>>>>>>>   -d "client_id=test" \
>>>>>>>>   -d "client_secret=" \
>>>>>>>>   --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
>>>>>>>>   -d "subject_issuer=" \
>>>>>>>>   -d "subject_token=" \
>>>>>>>>   --data-urlencode "subject_token_type=urn:ietf:params:oauth:token-type:id_token" \
>>>>>>>>   -d "audience=test" \
>>>>>>>>   http://localhost:8080/auth/realms/
>>>>>>>>   /protocol/openid-connect/token
>>>>>>>>
>>>>>>>> Let me know if you need more infos.
>>>>>>>>
>>>>>>>> Thank you again,
>>>>>>>> Matteo Restelli
>>>>>>>>
>>>>>>>> On Wed, Apr 10, 2019 at 3:40 PM Pedro Igor Silva wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> So you are doing external to internal exchange. It is not clear to
>>>>>>>>> me how you configured AWS Cognito as an identity provider and
>>>>>>>>> what/how the SRP flow works. Could you provide more details, please?
>>>>>>>>> Is the token issued by Cognito a JWT?
>>>>>>>>>
>>>>>>>>> In addition to that, how does your token exchange request look when
>>>>>>>>> using both id_token and access_token as a subject_token?
>>>>>>>>>
>>>>>>>>> On Wed, Apr 10, 2019 at 9:56 AM Matteo Restelli <mrestelli at cuebiq.com> wrote:
>>>>>>>>>
>>>>>>>>>> Any news on that?
>>>>>>>>>>
>>>>>>>>>> Thank you!
>>>>>>>>>> Matteo
>>>>>>>>>>
>>>>>>>>>> =============================
>>>>>>>>>>
>>>>>>>>>> Hi all,
>>>>>>>>>> We're using AWS Cognito as our Identity provider for our platform.
>>>>>>>>>> We're trying to use an internal instance of Keycloak, in order to
>>>>>>>>>> check the possibility to use KC for authorization purposes (this
>>>>>>>>>> because Keycloak has a wonderful and powerful authorization system
>>>>>>>>>> that fulfills our needs, and for that I want to say you "Thank you
>>>>>>>>>> very much" :) ). For this reason we want to use the token exchange
>>>>>>>>>> feature of Keycloak.
>>>>>>>>>> More specifically we want to follow this flow:
>>>>>>>>>>
>>>>>>>>>> - User authenticates on AWS Cognito via SRP auth flow (which
>>>>>>>>>>   basically is not a standard OIDC/OAuth2 authentication flow)
>>>>>>>>>> - User sends the access token to contact the backend service and,
>>>>>>>>>>   in the middle, this token is translated to an internal one, minted
>>>>>>>>>>   by Keycloak
>>>>>>>>>>
>>>>>>>>>> If we provide the AWS Cognito access token to the token exchange
>>>>>>>>>> endpoint, with the subject_token_type parameter set to
>>>>>>>>>> "urn:ietf:params:oauth:token-type:access_token", an error is
>>>>>>>>>> returned stating that the access token doesn't contain the "openid"
>>>>>>>>>> scope. Despite this we've tried another way, providing the id token
>>>>>>>>>> to the token exchange endpoint with the subject_token_type parameter
>>>>>>>>>> set to "urn:ietf:params:oauth:token-type:id_token", and we
>>>>>>>>>> discovered that this alternative way works. So, my questions are:
>>>>>>>>>>
>>>>>>>>>> - Is the "exchange with id token" approach a feasible and good one?
>>>>>>>>>>   Or is it completely a bad approach?
>>>>>>>>>> - From an OIDC point of view, can it be a right approach accessing a
>>>>>>>>>>   backend resource from a single page application, using an id
>>>>>>>>>>   token? I've always read that if you want to access a backend
>>>>>>>>>>   resource, from a client application, it is better to use the
>>>>>>>>>>   access token, because the id token contains a lot of user
>>>>>>>>>>   information and must be used only by the client application
>>>>>>>>>>
>>>>>>>>>> Thank you very much,
>>>>>>>>>> Matteo
>>>>>>>>>>
>>>>>>>>>> PS: As a side note, I want to clarify that if we follow an
>>>>>>>>>> authorization code grant flow, or an implicit flow, during the
>>>>>>>>>> authentication against AWS Cognito, the access token exchange works
>>>>>>>>>> as expected. So this means that the problem is related to the shape
>>>>>>>>>> of the token released by Cognito.
From Edgar at info.nl Tue Apr 16 09:01:44 2019
From: Edgar at info.nl (Edgar Vonk - INFO)
Date: Tue, 16 Apr 2019 13:01:44 +0000
Subject: [keycloak-user] Custom form-based authenticator in Identity Provider Post Login Flow
Message-ID: <73175D26-9F2F-4ED4-B578-BA3FDDB39872@info.nl>

Hi all,

We need to build a custom form-based authenticator/execution as part of our
Identity Provider Post Login Authentication Flow. We already have our custom
Post Login Flow set up and we know how to build and use custom
Authenticators. But we cannot quite figure out how to implement custom
form-based Authenticators.

Basically what we need is: as the very last step of the post login flow (the
user has authenticated to our external Identity Provider by this point) we
need to present a simple form with a drop-down list to the user. The user
needs to select one option and that option we then need to store as a user
attribute in Keycloak. Somewhat akin to Review Profile maybe except that
this needs to be done after every login.

What is the best way to go about this?
We know we can extend Keycloak forms relatively easily. E.g. looking at
https://github.com/raptor-group/keycloak-login-recaptcha

But for this it seems we would need to create our own login provider with
our own form in it (somewhat similar to
https://github.com/dteleguin/keycloak-dynamic-branding) or is there another
way?

There is also that ScriptBasedAuthenticator but to be honest we do not
understand how to use that. It does not seem to be available as an executor
in our custom Post Login Flow?

Thanks in advance!

From Edgar at info.nl Tue Apr 16 09:15:42 2019
From: Edgar at info.nl (Edgar Vonk - INFO)
Date: Tue, 16 Apr 2019 13:15:42 +0000
Subject: [keycloak-user] Custom form-based authenticator in Identity Provider Post Login Flow
In-Reply-To: <73175D26-9F2F-4ED4-B578-BA3FDDB39872@info.nl>
References: <73175D26-9F2F-4ED4-B578-BA3FDDB39872@info.nl>
Message-ID: <99ECDDF3-CA3C-4BEC-B80B-A2A7367328D5@info.nl>

Hmm, just realised that we have not enabled the script-based authenticators
yet.. duh.. rtfm.. We will follow that route and see if we can do it that
way.
https://www.keycloak.org/docs/latest/server_admin/index.html#_authentication-flows

From ssilvert at redhat.com Tue Apr 16 12:03:57 2019
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 16 Apr 2019 12:03:57 -0400
Subject: [keycloak-user] Account Management Rest API
In-Reply-To:
References: <3b45a135-3023-e685-21e6-ab556276491e@redhat.com>
Message-ID: <029c09b5-cbc0-ae98-fb84-9f602fe9167b@redhat.com>

On 4/16/2019 6:09 AM, Gabriele Rabbiosi wrote:
> Hi Stan,
> thanks for your info.
>
> From what I understand, you're planning to use the Account Rest API in
> the implementation of the new Account Console.
> When the new Console will be finished, do you intend to make the
> Account API public, documented and maintained (like the Admin Rest
> API, for example)?
Yes to both. The new Account Console will use the new REST API. That API
will be public, documented, and maintained.
>
> Thanks
>
> --
>
> GABRIELE RABBIOSI
>
> BeePMN Software Engineer
>
> ESTECO | EXPLORE DESIGN PERFECTION
>
> AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY
> Phone: +39 040 3755548 - Fax: +39 040 3755549
> [Website] | [Twitter] | [Facebook] | [Linkedin]
>
> Pursuant to Legislative Decree No. 196/2003, you are hereby informed
> that this message contains confidential information intended only for
> the use of the addressee. If you are not the addressee, and have
> received this message by mistake, please delete it and immediately
> notify us. You may not copy or disseminate this message to anyone.
> Thank you.
> Please consider the environment before printing this email.
>
> On Mon, Apr 15, 2019 at 6:55 PM Stan Silvert wrote:
>> Right now this API is in development and subject to change at any time.
>> We are hoping to have it completed in the next few months.
>>
>> Also, we are working on a new Account Console that will use PatternFly 4
>> and React. It will be easy to extend, so you can add your own pages.
>> It will work better on mobile devices. And of course, you will be able
>> to change it around with different themes and such.
>>
>> So building your own console from this new Account Console might be a
>> better option than building the whole thing from scratch.
>>
>> If you are interested, the code is here along with a readme that tells
>> how to build and run. It's very much a work in progress:
>> https://github.com/keycloak/keycloak/tree/master/themes/src/main/resources/theme/keycloak-preview/account/resources
>>
>> I still need to document how to create extensions, so let me know if you
>> are interested in that.
>>
>> Stan
>>
>> On 4/15/2019 11:23 AM, Gabriele Rabbiosi wrote:
>>> Hi guys,
>>> I'd like more information about the AccountRestService class
>>> (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/org/keycloak/services/resources/account/AccountRestService.java)
>>>
>>> 1. I noticed that there are still a couple of TODOs (such as Identity
>>> Providers management), is there a roadmap for the development of these
>>> missing features?
>>> 2. Are these APIs public or for internal use only? I'd like to use them
>>> to implement a custom Account Management page for my application.
>>> 3. How stable are they? How likely is it that they will change or
>>> disappear in the (near) future?
>>>
>>> Thank you.
>>> Best regards >>> >>> -- >>> >>> GABRIELE RABBIOSI >>> >>> BeePMN Software Engineer >>> >>> >>> >>> ESTECO | EXPLORE DESIGN PERFECTION >>> >>> AREA Science Park, Padriciano 99 - 34149 Trieste - ITALY >>> Phone: +39 040 3755548 - Fax: +39 040 3755549 >>> [Website] | [Twitter] | [Facebook] | [Linkedin] >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user at lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >> From brandonesbox at gmail.com Tue Apr 16 12:41:27 2019 From: brandonesbox at gmail.com (Brandon) Date: Tue, 16 Apr 2019 11:41:27 -0500 Subject: [keycloak-user] Making it work with ZeroConf/Bonjour/Avahi addresses Message-ID: I'm using KeyCloak to handle authentication for an application served over LAN at my office. The application is accessible at office-1.local using ZeroConf (it's a Linux server, so it's configured using Avahi). 
There is at least the problem that, after logging in with KeyCloak, one winds up in a redirect loop due to the following error: 2019-04-16 16:37:14.587 ERROR 1 --- [ XNIO-2 task-31] o.k.adapters.OAuthRequestAuthenticator : failed to turn code into token java.net.UnknownHostException: ces-oficina.local at java.net.InetAddress.getAllByName0(InetAddress.java:1281) ~[na:1.8.0_181] at java.net.InetAddress.getAllByName(InetAddress.java:1193) ~[na:1.8.0_181] at java.net.InetAddress.getAllByName(InetAddress.java:1127) ~[na:1.8.0_181] at org.apache.http.impl.conn.SystemDefaultDnsResolver.resolve(SystemDefaultDnsResolver.java:45) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.conn.DefaultClientConnectionOperator.resolveHostname(DefaultClientConnectionOperator.java:263) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:162) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:134) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:610) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:445) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:835) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) ~[httpclient-4.5.5.jar!/:4.5.5] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) ~[httpclient-4.5.5.jar!/:4.5.5] at 
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:111) ~[keycloak-adapter-core-4.7.0.Final.jar!/:4.7.0.Final] ... So it seems like org.apache.http.impl.conn.SystemDefaultDnsResolver doesn't understand ZeroConf. Can it be configured so that KeyCloak can be used with ZeroConf? Thanks, Brandon From mdailous at forensiclogic.com Tue Apr 16 13:34:05 2019 From: mdailous at forensiclogic.com (Michael Dailous) Date: Tue, 16 Apr 2019 17:34:05 +0000 Subject: [keycloak-user] Is there a way to extend the "Create Realm" process? Message-ID: We need to add some additional processing that must be completed when a new realm is created. Is there a way to hook into the create realm process? If not, is there a way we can accomplish this? TIA, Michael From bruno at abstractj.org Wed Apr 17 00:01:09 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 17 Apr 2019 01:01:09 -0300 Subject: [keycloak-user] keycloak-quickstarts: docker and/or docker-compose? In-Reply-To: <29B463CD-2B51-4FEB-AC1D-CBA49D7F1CF1@gmail.com> References: <20190409014647.GA12882@abstractj.org> <29B463CD-2B51-4FEB-AC1D-CBA49D7F1CF1@gmail.com> Message-ID: <20190417040109.GA5749@abstractj.org> Sorry for the late response Melissa, I believe Sebastien may have some input on this. On 2019-04-09, Melissa Palmer wrote: > Thanks Bruno, ok will see what I can do. > > A question on this: with regard to the deployment of the APIs or UIs protected by keycloak (ie: those deployed to the WildFly server). What is approach you'd be looking for/suggest? > - ability to deploy the app to WildFly still via maven command > - or that's built into a custom docker image with the WildFly-adapter too? > > Thanks > Melissa > > > On 09 Apr 2019, at 3:46 AM, Bruno Oliveira wrote: > > > > Hi Melissa, you are correct. Unfortunately we still don't have a Docker > > image for the quickstarts. > > > > We had this Jira https://issues.jboss.org/browse/KEYCLOAK-6307 to track > > this. 
Feel free to reopen if you would like to help on it, we would be more > > than happy to review a pull-request. > > > >> On 2019-04-08, Melissa Palmer wrote: > >> Hi Bruno > >> > >> Thanks, for that link but its not quite what I am looking for. > >> > >> I am looking for a Docker way of getting the keycloak quickstarts running > >> ie: > >> https://github.com/keycloak/keycloak-quickstarts/ > >> > >> For example to get the > >> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz > >> currently you need to get Keycloak, WildFly running, WildFly needs to have > >> the Keycloak Adapter client installed and so on... > >> > >> I am looking for a docker image and/or docker-compose file which would > >> start up all of the above for the > >> https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz > >> quick start. > >> > >> I have started to set something up myself, along the lines of > >> ``` > >> git clone git@github.com:keycloak/keycloak-quickstarts.git > >> git checkout tags/4.7.0.Final > >> > >> cd keycloak-quickstarts/app-authz-uma-photoz > >> > >> docker run -d -p 8080:8080 -e KEYCLOAK_USER=admin -e > >> KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 -e > >> KEYCLOAK_IMPORT=/tmp/photoz-realm.json -v > >> $(pwd)/photoz-realm.json:/tmp/photoz-realm.json --name kc > >> jboss/keycloak:4.7.0.Final > >> > >> > >> docker run -d -p 8081:8080 -p 9991:9990 -it --name wildfly > >> jboss/keycloak-adapter-wildfly:4.7.0.Final > >> ``` > >> > >> But wondering if there is already something for this out there, I have not > >> been able to find myself. > >> > >> Thanks > >> Melissa > >> > >> > >>> On Mon, 8 Apr 2019 at 19:53, Bruno Oliveira wrote: > >>> > >>> Hi Melissa, I believe this is what you're looking for > >>> https://github.com/jboss-dockerfiles/keycloak > >>> > >>> I hope it helps. 
> >>> > >>> On Mon, Apr 8, 2019 at 1:51 PM Melissa Palmer > >>> wrote: > >>>> > >>>> Hi > >>>> > >>>> Are there any docker images and or docker-compose files from Keycloak > >>>> quickstarts? > >>>> > >>>> ie: that setup the Keycloak server (with imported Realm), WildFly server > >>>> with Keycloak client adapter into it > >>>> > >>>> Thanks in Advance > >>>> Melissa > >>>> _______________________________________________ > >>>> keycloak-user mailing list > >>>> keycloak-user at lists.jboss.org > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > >>> > >>> > >>> > >>> -- > >>> - abstractj > >>> > > > > -- > > > > abstractj -- abstractj From bruno at abstractj.org Wed Apr 17 00:10:53 2019 From: bruno at abstractj.org (Bruno Oliveira) Date: Wed, 17 Apr 2019 01:10:53 -0300 Subject: [keycloak-user] How do you export a REALM from keycloak when running within a Docker container? In-Reply-To: References: Message-ID: <20190417041053.GB5749@abstractj.org> Hi Melissa, try something like this: docker run -d --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8080:8080 \ -v /path/to/yourrealm.json:/somepath/yourrealm.json \ -it jboss/keycloak:master \ -Dkeycloak.migration.action=import \ -Dkeycloak.migration.provider=singleFile \ -Dkeycloak.migration.file=/somepath/yourrealm.json \ -Dkeycloak.migration.strategy=OVERWRITE_EXISTING I took all the information from https://hub.docker.com/r/jboss/keycloak/. I hope it helps. On 2019-04-15, Melissa Palmer wrote: > Hi > > How do you export a REALM from keycloak when running within a Docker > container? > > *If running Keycloak via docker, eg: using * > docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin > -e DB_VENDOR=h2 --name kc jboss/keycloak > > How can you export a realm that you have added via the UI? 
> > Thanks in Advance > Melissa > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user -- abstractj From melissa.palmer at gmail.com Wed Apr 17 00:47:56 2019 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Wed, 17 Apr 2019 06:47:56 +0200 Subject: [keycloak-user] How do you export a REALM from keycloak when running within a Docker container? In-Reply-To: <20190417041053.GB5749@abstractj.org> References: <20190417041053.GB5749@abstractj.org> Message-ID: Thanks Bruno, I was specifically looking for ability to EXPORT a realm on a running docker container. What's on the docker hub page and below is all about importing an existing realm. I did manage to solve this using the following: If you start keycloak with: docker run -d -p 8180:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 -v $(pwd):/tmp --name kc jboss/keycloak:4.7.0.Final You can then get the export from this instance by running: docker exec -it kc keycloak/bin/standalone.sh -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export -Dkeycloak.migration.provider=singleFile -Dkeycloak.migration.realmName=my_realm -Dkeycloak.migration.usersExportStrategy=REALM_FILE -Dkeycloak.migration.file=/tmp/my_realm.json Notice I am needing to go onto a currently running container and then - run the export on a different port - such that there are no port clashes of existing process running on that container already Thanks Melissa On Wed, 17 Apr 2019 at 06:10, Bruno Oliveira wrote: > Hi Melissa, try something like this: > > docker run -d --name keycloak -e KEYCLOAK_USER=admin -e > KEYCLOAK_PASSWORD=admin -p 8080:8080 \ > -v /path/to/yourrealm.json:/somepath/yourrealm.json \ > -it jboss/keycloak:master \ > -Dkeycloak.migration.action=import \ > -Dkeycloak.migration.provider=singleFile \ > -Dkeycloak.migration.file=/somepath/yourrealm.json \ > 
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING > > I took all the information from > https://hub.docker.com/r/jboss/keycloak/. I hope it helps. > > On 2019-04-15, Melissa Palmer wrote: > > Hi > > > > How do you export a REALM from keycloak when running within a Docker > > container? > > > > *If running Keycloak via docker, eg: using * > > docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin > > -e DB_VENDOR=h2 --name kc jboss/keycloak > > > > How can you export a realm that you have added via the UI? > > > > Thanks in Advance > > Melissa > > _______________________________________________ > > keycloak-user mailing list > > keycloak-user at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > > abstractj > From melissa.palmer at gmail.com Wed Apr 17 01:01:04 2019 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Wed, 17 Apr 2019 07:01:04 +0200 Subject: [keycloak-user] How do you export a REALM from keycloak when running within a Docker container? In-Reply-To: References: <20190417041053.GB5749@abstractj.org> Message-ID: I have raised a Jira at: https://issues.jboss.org/browse/KEYCLOAK-10082 On Wed, 17 Apr 2019 at 06:47, Melissa Palmer wrote: > Thanks Bruno, I was specifically looking for ability to EXPORT a realm on > a running docker container. What's on the docker hub page and below is all > about importing an existing realm. 
> > I did manage to solve this using the following: > If you start keycloak with:: > docker run -d -p 8180:8080 -e KEYCLOAK_USER=admin -e > KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 -v $(pwd):/tmp --name kc > jboss/keycloak:4.7.0.Final > > You can then get the export from this instance by running: > docker exec -it kc keycloak/bin/standalone.sh > -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export > -Dkeycloak.migration.provider=singleFile > -Dkeycloak.migration.realmName=my_realm > -Dkeycloak.migration.usersExportStrategy=REALM_FILE > -Dkeycloak.migration.file=/tmp/my_realm.json > > Notice I am needing to go onto a currently running container and then > - run the export on a different port > - such that there are no port clashes of existing process running on that > container already > > Thanks > Melissa > > > On Wed, 17 Apr 2019 at 06:10, Bruno Oliveira wrote: > >> Hi Melissa, try something like this: >> >> docker run -d --name keycloak -e KEYCLOAK_USER=admin -e >> KEYCLOAK_PASSWORD=admin -p 8080:8080 \ >> -v /path/to/yourrealm.json:/somepath/yourrealm.json \ >> -it jboss/keycloak:master \ >> -Dkeycloak.migration.action=import \ >> -Dkeycloak.migration.provider=singleFile \ >> -Dkeycloak.migration.file=/somepath/yourrealm.json \ >> -Dkeycloak.migration.strategy=OVERWRITE_EXISTING >> >> I took all the information from >> https://hub.docker.com/r/jboss/keycloak/. I hope it helps. >> >> On 2019-04-15, Melissa Palmer wrote: >> > Hi >> > >> > How do you export a REALM from keycloak when running within a Docker >> > container? >> > >> > *If running Keycloak via docker, eg: using * >> > docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e >> KEYCLOAK_PASSWORD=admin >> > -e DB_VENDOR=h2 --name kc jboss/keycloak >> > >> > How can you export a realm that you have added via the UI? 
>> > >> > Thanks in Advance >> > Melissa >> > _______________________________________________ >> > keycloak-user mailing list >> > keycloak-user at lists.jboss.org >> > https://lists.jboss.org/mailman/listinfo/keycloak-user >> >> -- >> >> abstractj >> > From melissa.palmer at gmail.com Wed Apr 17 01:28:46 2019 From: melissa.palmer at gmail.com (Melissa Palmer) Date: Wed, 17 Apr 2019 07:28:46 +0200 Subject: [keycloak-user] How do you export a REALM from keycloak when running within a Docker container? In-Reply-To: References: <20190417041053.GB5749@abstractj.org> Message-ID: And a PR at: https://github.com/jboss-dockerfiles/keycloak/pull/189 On Wed, 17 Apr 2019 at 07:01, Melissa Palmer wrote: > I have raised a Jira at: https://issues.jboss.org/browse/KEYCLOAK-10082 > > On Wed, 17 Apr 2019 at 06:47, Melissa Palmer > wrote: > >> Thanks Bruno, I was specifically looking for ability to EXPORT a realm on >> a running docker container. What's on the docker hub page and below is all >> about importing an existing realm. 
>> >> I did manage to solve this using the following: >> If you start keycloak with:: >> docker run -d -p 8180:8080 -e KEYCLOAK_USER=admin -e >> KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 -v $(pwd):/tmp --name kc >> jboss/keycloak:4.7.0.Final >> >> You can then get the export from this instance by running: >> docker exec -it kc keycloak/bin/standalone.sh >> -Djboss.socket.binding.port-offset=100 -Dkeycloak.migration.action=export >> -Dkeycloak.migration.provider=singleFile >> -Dkeycloak.migration.realmName=my_realm >> -Dkeycloak.migration.usersExportStrategy=REALM_FILE >> -Dkeycloak.migration.file=/tmp/my_realm.json >> >> Notice I am needing to go onto a currently running container and then >> - run the export on a different port >> - such that there are no port clashes of existing process running on that >> container already >> >> Thanks >> Melissa >> >> >> On Wed, 17 Apr 2019 at 06:10, Bruno Oliveira wrote: >> >>> Hi Melissa, try something like this: >>> >>> docker run -d --name keycloak -e KEYCLOAK_USER=admin -e >>> KEYCLOAK_PASSWORD=admin -p 8080:8080 \ >>> -v /path/to/yourrealm.json:/somepath/yourrealm.json \ >>> -it jboss/keycloak:master \ >>> -Dkeycloak.migration.action=import \ >>> -Dkeycloak.migration.provider=singleFile \ >>> -Dkeycloak.migration.file=/somepath/yourrealm.json \ >>> -Dkeycloak.migration.strategy=OVERWRITE_EXISTING >>> >>> I took all the information from >>> https://hub.docker.com/r/jboss/keycloak/. I hope it helps. >>> >>> On 2019-04-15, Melissa Palmer wrote: >>> > Hi >>> > >>> > How do you export a REALM from keycloak when running within a Docker >>> > container? >>> > >>> > *If running Keycloak via docker, eg: using * >>> > docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e >>> KEYCLOAK_PASSWORD=admin >>> > -e DB_VENDOR=h2 --name kc jboss/keycloak >>> > >>> > How can you export a realm that you have added via the UI? 
>>> > >>> > Thanks in Advance >>> > Melissa >>> > _______________________________________________ >>> > keycloak-user mailing list >>> > keycloak-user at lists.jboss.org >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user >>> >>> -- >>> >>> abstractj >>> >> From sblanc at redhat.com Wed Apr 17 02:03:42 2019 From: sblanc at redhat.com (Sebastien Blanc) Date: Wed, 17 Apr 2019 08:03:42 +0200 Subject: [keycloak-user] keycloak-quickstarts: docker and/or docker-compose? In-Reply-To: <20190417040109.GA5749@abstractj.org> References: <20190409014647.GA12882@abstractj.org> <29B463CD-2B51-4FEB-AC1D-CBA49D7F1CF1@gmail.com> <20190417040109.GA5749@abstractj.org> Message-ID: Hi Melissa, I think the first approach is the preferred one, this gives more flexibility to the user if he wants to modify/play a bit with the application. Sebi On Wed, Apr 17, 2019 at 6:01 AM Bruno Oliveira wrote: > Sorry for the late response Melissa, I believe Sebastien may have some > input on this. > > On 2019-04-09, Melissa Palmer wrote: > > Thanks Bruno, ok will see what I can do. > > > > A question on this: with regard to the deployment of the APIs or UIs > protected by keycloak (ie: those deployed to the WildFly server). What is > approach you'd be looking for/suggest? > > - ability to deploy the app to WildFly still via maven command > > - or that's built into a custom docker image with the WildFly-adapter > too? > > > > Thanks > > Melissa > > > > > On 09 Apr 2019, at 3:46 AM, Bruno Oliveira > wrote: > > > > > > Hi Melissa, you are correct. Unfortunately we still don't have a Docker > > > image for the quickstarts. > > > > > > We had this Jira https://issues.jboss.org/browse/KEYCLOAK-6307 to > track > > > this. Feel free to reopen if you would like to help on it, we would be > more > > > than happy to review a pull-request. > > > > > >> On 2019-04-08, Melissa Palmer wrote: > > >> Hi Bruno > > >> > > >> Thanks, for that link but its not quite what I am looking for. 
> > >> > > >> I am looking for a Docker way of getting the keycloak quickstarts > running > > >> ie: > > >> https://github.com/keycloak/keycloak-quickstarts/ > > >> > > >> For example to get the > > >> > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz > > >> currently you need to get Keycloak, WildFly running, WildFly needs to > have > > >> the Keycloak Adapter client installed and so on... > > >> > > >> I am looking for a docker image and/or docker-compose file which would > > >> start up all of the above for the > > >> > https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-uma-photoz > > >> quick start. > > >> > > >> I have started to set something up myself, along the lines of > > >> ``` > > >> git clone git at github.com:keycloak/keycloak-quickstarts.git > > >> git checkout tags/4.7.0.Final > > >> > > >> cd keycloak-quickstarts/app-authz-uma-photoz > > >> > > >> docker run -d -p 8080:8080 -e KEYCLOAK_USER=admin -e > > >> KEYCLOAK_PASSWORD=admin -e DB_VENDOR=h2 -e > > >> KEYCLOAK_IMPORT=/tmp/photoz-realm.json -v > > >> photoz-realm.json:/tmp/photoz-realm.json --name kc > > >> jboss/keycloak:4.7.0.Final > > >> > > >> > > >> docker run -d -p 8081:8080 -p 9991:9990 -it --name wildfly > > >> jboss/keycloak-adapter-wildfly:4.7.0.Final > > >> ``` > > >> > > >> But wondering if there is already something for this out there, I > have not > > >> been able to find myself. > > >> > > >> Thanks > > >> Melissa > > >> > > >> > > >>> On Mon, 8 Apr 2019 at 19:53, Bruno Oliveira > wrote: > > >>> > > >>> Hi Melissa, I believe this is what you're looking for > > >>> https://github.com/jboss-dockerfiles/keycloak > > >>> > > >>> I hope it helps. > > >>> > > >>> On Mon, Apr 8, 2019 at 1:51 PM Melissa Palmer < > melissa.palmer at gmail.com> > > >>> wrote: > > >>>> > > >>>> Hi > > >>>> > > >>>> Are there any docker images and or docker-compose files from > Keycloak > > >>>> quickstarts? 
> > >>>> > > >>>> ie: that setup the Keycloak server (with imported Realm), WildFly > server > > >>>> with Keycloak client adapter into it > > >>>> > > >>>> Thanks in Advance > > >>>> Melissa > > >>>> _______________________________________________ > > >>>> keycloak-user mailing list > > >>>> keycloak-user at lists.jboss.org > > >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >>> > > >>> > > >>> > > >>> -- > > >>> - abstractj > > >>> > > > > > > -- > > > > > > abstractj > > -- > > abstractj > From testoauth55 at gmail.com Wed Apr 17 03:45:13 2019 From: testoauth55 at gmail.com (Bruce Wings) Date: Wed, 17 Apr 2019 13:15:13 +0530 Subject: [keycloak-user] converting OIDC token to SAML Message-ID: I have successfully integrated few of my apps with keycloak (with OIDC tokens). However there is a 3rd party app which works on SAML tokens. I am wondering is it possible to use my existing keycloak system to send SAML tokens to this third party app? i.e. I want to use keycloak as IDP and SP and generate SAML tokens and send it to this 3rd party app. Is this scenario even possible? From kapilkumarjoshi001 at gmail.com Wed Apr 17 05:08:35 2019 From: kapilkumarjoshi001 at gmail.com (kapil joshi) Date: Wed, 17 Apr 2019 14:38:35 +0530 Subject: [keycloak-user] Password expiry policy not working for federated user In-Reply-To: References: Message-ID: Hi All, We are using OpenLDAP. I found out that there is ldap mapper precisely user-account-control-mapper, by adding this LDAP password policy will be respected. on doing this we are getting update password UI, on login. But while updating the password we are getting below error: On update the password: On UI: Could not modify attribute for DN [uid=xxxxxxx,dc=tt,dc=zz,dc=br] On ldap.log we can see below error coming up: conn=1159 op=1 do_modify: get_ctrls failed Please suggest us what are we missing or can correct in our configuration. 
Thanks & Regards Kapil On Thu, Apr 11, 2019 at 7:32 PM kapil joshi wrote: > Hi All, > > Password expiry policy not working for federated user. We can see that the > password has expired for LDAP user, which was set to 90 days, but user can > still login to UI via keycloak authentication. > > Kindly point us what are we missing. > > Please note we have enabled the switch to sync password policy with > federated user. > > Thanks & regards > > Kapil > From kapilkumarjoshi001 at gmail.com Wed Apr 17 07:13:30 2019 From: kapilkumarjoshi001 at gmail.com (kapil joshi) Date: Wed, 17 Apr 2019 16:43:30 +0530 Subject: [keycloak-user] Password expiry policy not working for federated user In-Reply-To: References: Message-ID: As i understand, there is no support for OpenLDAP, can we still create custom mappers and map attributes like pwdLastSet to pwdChangedTime such that few password policies like password expiry time works. ? Thanks & Regards Kapil On Wed, Apr 17, 2019 at 2:38 PM kapil joshi wrote: > Hi All, > > We are using OpenLDAP. > > I found out that there is ldap mapper precisely > user-account-control-mapper, by adding this LDAP password policy will be > respected. > on doing this we are getting update password UI, on login. But while > updating the password we are getting below error: > > On update the password: > > On UI: Could not modify attribute for DN [uid=xxxxxxx,dc=tt,dc=zz,dc=br] > > On ldap.log we can see below error coming up: > > conn=1159 op=1 do_modify: get_ctrls failed > > > Please suggest us what are we missing or can correct in our configuration. > > > Thanks & Regards > > Kapil > > > > > On Thu, Apr 11, 2019 at 7:32 PM kapil joshi > wrote: > >> Hi All, >> >> Password expiry policy not working for federated user. We can see that >> the password has expired for LDAP user, which was set to 90 days, but user >> can still login to UI via keycloak authentication. >> >> Kindly point us what are we missing. 
>> >> Please note we have enabled the switch to sync password policy with >> federated user. >> >> Thanks & regards >> >> Kapil >> > From psilva at redhat.com Wed Apr 17 08:00:08 2019 From: psilva at redhat.com (Pedro Igor Silva) Date: Wed, 17 Apr 2019 09:00:08 -0300 Subject: [keycloak-user] converting OIDC token to SAML In-Reply-To: References: Message-ID: If you want to exchange access/id tokens for saml assertions, the token exchange does not support SAML. On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings wrote: > I have successfully integrated few of my apps with keycloak (with OIDC > tokens). However there is a 3rd party app which works on SAML tokens. I am > wondering is it possible to use my existing keycloak system to send SAML > tokens to this third party app? > i.e. I want to use keycloak as IDP and SP and generate SAML tokens and send > it to this 3rd party app. Is this scenario even possible? > _______________________________________________ > keycloak-user mailing list > keycloak-user at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > From mail at hpzach.at Wed Apr 17 08:04:36 2019 From: mail at hpzach.at (Hanspeter Zach) Date: Wed, 17 Apr 2019 14:04:36 +0200 Subject: [keycloak-user] basic questions regarding realm limitations and user provider (sap) Message-ID: We're considering using Keycloak as our IAM and we've now been asked a few basic questions that someone on the list might be able to answer. - Are there any limitations (performance?) on the number of realms that can be created? Does anyone have any experience? - There is a need to have the same user base (AD) across multiple realms. Does the user provider have to be entered for each realm, or can this be done more elegantly with the master realm? - Are there any empirical values regarding the connection of SAP (EWM) as Identity Provider or even as User Provider? Thanks for the information! --- PGP-Key: .: https://keybase.io/hpz/key.asc :. 
mail AT hpzach.at From francesco.longo at linksfoundation.com Wed Apr 17 09:30:39 2019 From: francesco.longo at linksfoundation.com (Francesco Longo) Date: Wed, 17 Apr 2019 13:30:39 +0000 Subject: [keycloak-user] Help setup SSL certificate on keycloak Message-ID: Good morning, I'm Francesco Longo and I'm a researcher at Links Foundation. I'm trying to set up keycloak as authentication and authorization service for a European project and I have some problems setting up an SSL certificate. I find the way to use HTTPS in keycloak using docker (just run the docker image with the 8443 port mapping and it automatically creates a self-signed certificate) but I'd like to put a valid SSL certificate because I get the error "self signed certificate" when I do some request to my keycloak protected server... I found your guide where it is explained how to put a certificate but it is not clear to me where it is necessary to put the keystore file and what file to edit or modify in order to have HTTPS. I'll be very grateful if some of you could help me to solve my doubts. Thank you very much for your availability. Best regards, [LINKS Foundation] Facebook | Twitter | LinkedIn Francesco Longo Researcher | Linksfoundation.com T. +39 0112276440 francesco.longo at linksfoundation.com Personal account: LinkedIn | Skype ________________________________ [Please consider the environment] Please consider the environment before printing this email ________________________________ 
Confidentiality Notice - This e-mail message including any attachments is for the sole use of the intended recipient and may contain confidential and privileged information pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 -GDPR-. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. From leon.kuper at gmail.com Wed Apr 17 09:45:26 2019 From: leon.kuper at gmail.com (Leon K) Date: Wed, 17 Apr 2019 09:45:26 -0400 Subject: [keycloak-user] Keycloak behind reverse proxy Master realm access restrictions Message-ID: Hello, Ubuntu 18.04 Keycloak 5.0 Nginx 1.15.8 I have set up Nginx reverse proxy to proxy_pass to Keycloak server. This post http://lists.jboss.org/pipermail/keycloak-user/2015-September/003012.html doesn't help me to protect access from the Internet to the Master realm (it does, but with some caveats). If I am using: /auth/realms/{realm}/ /auth/realms/master /auth/realms /auth/admin/ it can restrict access to the Master realm but the login screen is different (see attached). Can you help me with this issue? If it is not possible, I will stick probably to that ugly login screen rather than expose the Master realm to the Internet hostility. Thank you. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: Keycloak-Nginx-Login-Screen.jpg Type: image/jpeg Size: 18043 bytes Desc: not available Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190417/0f57eb47/attachment-0001.jpg From sylvain.malnuit at lyra-network.com Wed Apr 17 10:05:44 2019 From: sylvain.malnuit at lyra-network.com (Sylvain Malnuit) Date: Wed, 17 Apr 2019 16:05:44 +0200 (CEST) Subject: [keycloak-user] Help setup SSL certificate on keycloak In-Reply-To: References: Message-ID: <004401d4f526$a653f730$f2fbe590$@lyra-network.com> Hi, It's an internal mechanism of Wildlfy (see http://www.mastertheboss.com/jboss-server/jboss-security/complete-tutorial -for-configuring-ssl-https-on-wildfly) You create a keystore (jks) in a expected folder (or override the path with a parameter) and declare realm in wildlfy. It's not very difficult. Follow the tutorial and it's workfine. Depending the version of keycloak (associated Wildlfy version - Elytron or not), cli command scan be different. Good luck -----Message d'origine----- De?: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] De la part de Francesco Longo Envoy??: mercredi 17 avril 2019 15:31 ??: keycloak-user at lists.jboss.org Objet?: [keycloak-user] Help setup SSL certificate on keycloak Goodmorning, I'm Francesco Longo and I'm a researcher at Links Foundation. I'trying to setup keycloak as authentication and authorization service for a European project and I have some problem setting up an SSL certificate. I find the way to use HTTPS in keycloak using docker (just run the docker image with the 8443 port mapping and it automatically create a self-signed certificate) but I'd like to put a valid SSL certificate because I get the error "self signed certificate" when I do some request to my keycloak protected server... 
I found your guide where it is explained how to put a certificate but it is not clear to me where it is necessary to put the keystore file and what file to edit or modify in order to have HTTPS.

I'll be very grateful if some of you could help me to solve my doubts.

Thank you very much for your availability.

Best regards,

Francesco Longo
Researcher | Linksfoundation.com
T. +39 0112276440
francesco.longo at linksfoundation.com
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From jdennis at redhat.com Wed Apr 17 10:36:51 2019
From: jdennis at redhat.com (John Dennis)
Date: Wed, 17 Apr 2019 10:36:51 -0400
Subject: [keycloak-user] Help setup SSL certificate on keycloak
In-Reply-To:
References:
Message-ID: <6c3b719c-d8f4-d8f7-0661-f6dd52532ef3@redhat.com>

On 4/17/19 9:30 AM, Francesco Longo wrote:
> Good morning, I'm Francesco Longo and I'm a researcher at Links Foundation. I'm trying to set up keycloak as authentication and authorization service for a European project and I have some problems setting up an SSL certificate.
>
> I found the way to use HTTPS in keycloak using docker (just run the docker image with the 8443 port mapping and it automatically creates a self-signed certificate) but I'd like to put a valid SSL certificate because I get the error "self signed certificate" when I do some request to my keycloak protected server...
>
> I found your guide where it is explained how to put a certificate but it is not clear to me where it is necessary to put the keystore file and what file to edit or modify in order to have HTTPS.
>
> I'll be very grateful if some of you could help me to solve my doubts.

The container doc explains it: https://hub.docker.com/r/jboss/keycloak/

Setting up TLS(SSL)

Keycloak image allows you to specify both a private key and a certificate for serving HTTPS. In that case you need to provide two files:

tls.crt - a certificate
tls.key - a private key

Those files need to be mounted in /etc/x509/https directory. The image will automatically convert them into a Java keystore and reconfigure Wildfly to use it.
--
John Dennis

From ssancheti at mail.com Wed Apr 17 10:50:53 2019
From: ssancheti at mail.com (Sandeep Sancheti)
Date: Wed, 17 Apr 2019 16:50:53 +0200
Subject: [keycloak-user] Keycloak -2FA Token Reset
Message-ID:

Hi,

I'm helping my organisation to build a portal framework and one of the modules is user login, where Keycloak is being used as IDAM. One of the features which we have enabled is 2 factor authentication and I've a requirement to allow users to reset their 2FA token, but my understanding from reading a few blogs is that it is only possible via the forgotten password flow. Is my understanding correct or am I missing something? Could you please advise.

One of the other teams is using WSO2 as API manager and there's an option where, if a user needs to reset the token, the admin can delete the secret key from the user's profile, which will then prompt the user to rescan a new code on attempt to login. If Keycloak doesn't have an out of the box feature, can similar steps be done in Keycloak to reset the token?

Regards
Sandeep

From jdennis at redhat.com Wed Apr 17 11:49:55 2019
From: jdennis at redhat.com (John Dennis)
Date: Wed, 17 Apr 2019 11:49:55 -0400
Subject: [keycloak-user] Help setup SSL certificate on keycloak
In-Reply-To: <004401d4f526$a653f730$f2fbe590$@lyra-network.com>
References: <004401d4f526$a653f730$f2fbe590$@lyra-network.com>
Message-ID: <397235c9-ae53-e8b8-9993-70851dc80cc1@redhat.com>

On 4/17/19 10:05 AM, Sylvain Malnuit wrote:
> Hi,
> It's an internal mechanism of Wildfly (see
> http://www.mastertheboss.com/jboss-server/jboss-security/complete-tutorial-for-configuring-ssl-https-on-wildfly)
> You create a keystore (jks) in an expected folder (or override the path
> with a parameter) and declare the realm in Wildfly.
>
> It's not very difficult. Follow the tutorial and it works fine.
> Depending on the version of keycloak (associated Wildfly version - Elytron
> or not), cli commands can be different.

I think you missed the OP's statement he was using Keycloak in a container.
--
John Dennis

From mhuin at redhat.com Wed Apr 17 12:22:38 2019
From: mhuin at redhat.com (Matthieu Huin)
Date: Wed, 17 Apr 2019 18:22:38 +0200
Subject: [keycloak-user] Is it possible to extend the default max size of user attributes?
Message-ID:

Hello,

I would like to store a user's public SSH keys as a custom attribute in Keycloak 5.0. Unfortunately it seems that the default max size of attributes is 255 characters. Is it possible to configure this to an arbitrarily higher value?

Thanks,

MHU

From mhuin at redhat.com Wed Apr 17 12:39:12 2019
From: mhuin at redhat.com (Matthieu Huin)
Date: Wed, 17 Apr 2019 18:39:12 +0200
Subject: [keycloak-user] Publish login events to a MQTT broker
Message-ID:

Hello,

I've been trying to follow [1] in order to have Keycloak 5.0 publish login events to a MQTT Broker, but I don't see any messages being sent to the broker when logging in to any realm. I've attached my standalone.xml config file after running the cli script. Is there anything I am missing? Is there a better way to achieve this?

Thanks,

MHU

[1] https://issues.jboss.org/browse/KEYCLOAK-2302?focusedCommentId=13191048&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13191048

-------------- next part --------------
A non-text attachment was scrubbed...
Name: standalone.xml
Type: text/xml
Size: 33446 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190417/056c9dd9/attachment-0001.xml

From akhilputhiry at gmail.com Wed Apr 17 12:41:51 2019
From: akhilputhiry at gmail.com (Akhil Lawrence)
Date: Wed, 17 Apr 2019 22:11:51 +0530
Subject: [keycloak-user] Python client / adapter for keycloak
Message-ID:

Hi Keycloak users,

I wanted to use keycloak in my python apps. I could not find a proper client/adapter for keycloak. So I decided to write one client for keycloak in Python. The beta version is ready https://github.com/puthiry-lab/keycloak-client

Please do check this out and let me know the feedback.
I would like to work further on it and would love to make it part of the official keycloak repo

Thanks,
Akhil Lawrence
www.akhilputhiry.in

From alfonso at alfonsoalba.com Wed Apr 17 12:45:05 2019
From: alfonso at alfonsoalba.com (Alfonso Alba García)
Date: Wed, 17 Apr 2019 18:45:05 +0200
Subject: [keycloak-user] How to implement access to resources based on resource roles
Message-ID: <5CB75811.9030909@alfonsoalba.com>

Hi guys,

We have a rails app with a very simple Role-Based access control model. The thing is that this very simple model needs to become something much more fine grained and I think that keycloak is the right tool for that. We need a permission system to do the following:

* "Organisations" have users with different roles: Owner, Admins, Collaborators and Members. These roles are what we call "Resource Roles"
* "Organisations" have modules or packages (for example "Events package" or "Email package") that the owner can buy. Only the users with resource role "Owner" can buy these items
* Owners and Admins of an organisation can edit the organization profile or any resource of the organization (Event, Meeting, Contact, etc)
* Owners and Admins of an organisation can add users to packages. For example, user XXXX will have permission to edit, create, destroy and view any resource created in module YYYY in organisation ZZZZ.
* Owners and Admins can add Collaborators: a collaborator will have permission to access certain organisation resources, for example, collaborator XXX will have permission to edit Event YYYYY
* Owners and Admins can add Members: a member will have permission to see all the resources from all the active packages that are marked as "visible by members only"
* Members can edit the organization resources they create inside the packages they have access to
* Packages have limits: if the organisation is free, you can only create 2 events for example.
* etc, etc, etc...

These are just a few of the permissions we need.
At the moment, the product owner is changing the roles and permissions regularly trying to find the best way to monetise and test the business model. We need a way to deploy those changes as soon as possible and I think keycloak can help us with this task!

I've done some research about this use case and I found these two threads [1], [2] in which a similar (simplified) model is discussed.

I've installed keycloak locally and now I'm trying to implement these requirements. I've started with the ones I think are the easiest: the organisation Owner and Administrator. Following what's suggested in the threads mentioned above, I implemented these resource roles as follows:

* Create three scopes: organisation:edit, organisation:view, organisation:billing
* Create a resource "Organisation 1" with scopes organisation:edit, organisation:view and organisation:billing
* Create two client roles "Organisation 1 Owner" and "Organisation 1 Administrator"
* Create two policies: "Organisation 1 Owner Policy" and "Organisation 1 Administrator Policy"
* Create one scope-permission "Organisation 1 Managers Permissions" that allows users with roles "Organisation 1 Owner" or "Organisation 1 Administrator" to get permission for the scopes organisation:edit and organisation:view
* Create one scope-permission "Organisation 1 Owners Permissions" that allows users with role "Organisation 1 Owner" to access the scope organisation:billing

I created these for three organisations as well as several users. I've been playing around with them using the Evaluate functionality of the keycloak client and apparently everything is working fine. Now I'm thinking about how I could implement the access to the packages I mentioned above, the members, etc, but before I continue I have several questions:

* Since users can have different roles in different organisations, I'm creating only one realm. I guess that's ok since different realms do not share users.
* For every organisation that we create in our application we will need to create all the policies, roles and permissions described above. Is this supposed to be like that or am I missing something?
* If this is the way to do it, I was wondering if it's a good idea to create a Resource Server (i.e. a new client inside the realm) for each organisation. This way I can create a client organisation-1-client with all the resources, policies and permissions for "Organisation 1". I think that this will make deleting an organisation quite easy: after the user deletes the organisation, I just need to delete the client organisation-1-client. I don't know if this is a good idea or not; does it have any negative impact on performance? Will this make the application code more difficult? Or maybe this is not a good practice for any reason?

Thanks for your time. Regards,

Alfonso

-------
[1] http://lists.jboss.org/pipermail/keycloak-user/2016-August/007309.html
[2] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014347.html

From akhilputhiry at gmail.com Wed Apr 17 13:00:34 2019
From: akhilputhiry at gmail.com (Akhil Lawrence)
Date: Wed, 17 Apr 2019 22:30:34 +0530
Subject: [keycloak-user] Fwd: Python client / adapter for keycloak
In-Reply-To:
References:
Message-ID:

Hi Keycloak users,

I wanted to use keycloak in my python apps. I could not find a proper client/adapter for keycloak. So I decided to write one client for keycloak in Python. The beta version is ready https://github.com/puthiry-lab/keycloak-client

Please do check this out and let me know the feedback.
I would like to work further on it and would love to make it part of the official keycloak repo

Thanks,
Akhil Lawrence
www.akhilputhiry.in

From psilva at redhat.com Wed Apr 17 14:26:49 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 17 Apr 2019 15:26:49 -0300
Subject: [keycloak-user] How to implement access to resources based on resource roles
In-Reply-To: <5CB75811.9030909@alfonsoalba.com>
References: <5CB75811.9030909@alfonsoalba.com>
Message-ID:

Hi,

Some comments inline ...

On Wed, Apr 17, 2019 at 2:16 PM Alfonso Alba García wrote:

> I've installed keycloak locally and now I'm trying to implement these
> requirements. I've started with the ones I think are the easiest: the
> organisation Owner and Administrator. Following what's suggested in the
> threads mentioned above, I implemented these resource roles as follows:
>
> * Create three scopes: organisation:edit, organisation:view,
> organisation:billing
>
> * Create a resource "Organisation 1" with scopes organisation:edit,
> organisation:view and organisation:billing
>
> * Create two client roles "Organisation 1 Owner" and "Organisation 1
> Administrator"
>
> * Create two policies: "Organisation 1 Owner Policy" and "Organisation 1
> Administrator Policy"
>
> * Create one scope-permission "Organisation 1 Managers Permissions" that
> allows users with roles "Organisation 1 Owner" or "Organisation 1
> Administrator" to get permission for the scopes organisation:edit and
> organisation:view
>
> * Create one scope-permission "Organisation 1 Owners Permissions" that
> allows users with role "Organisation 1 Owner" to access the scope
> organisation:billing
>

Your policy model is fine but I think you can make it simpler if you just use groups to represent organization membership. By using groups, you can have a single "Organization Resource", "Organization Managers Permissions" and "Organization Owner Permission".
Your policies could benefit from claims pushed by your application [1] in order to make decisions based on whether or not the user is a member of an organization plus the RBAC. For instance, if you have in Keycloak a group "organization-foo" and your application provides a REST endpoint like "/api/organizations/foo", you could send the request URI to your policies, extract the "foo" part of it and check if the user is a member of organization-foo. I think the same logic could be applied to other resource types. You could check this example [2].

[1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
[2] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee

> I created these for three organisations as well as several users.
> I've been playing around with them using the Evaluate functionality of
> the keycloak client and apparently everything is working fine. Now I'm
> thinking about how I could implement the access to the packages I
> mentioned above, the members, etc, but before I continue I have several
> questions:
>
> * Since users can have different roles in different organisations, I'm
> creating only one realm. I guess that's ok since different realms do not
> share users.
>
> * For every organisation that we create in our application we will need
> to create all the policies, roles and permissions described above. Is
> this supposed to be like that or am I missing something?
>
> * If this is the way to do it, I was wondering if it's a good idea to
> create a Resource Server (i.e. a new client inside the realm) for each
> organisation. This way I can create a client organisation-1-client with
> all the resources, policies and permissions for "Organisation 1". I
> think that this will make deleting an organisation quite easy: after the
> user deletes the organisation, I just need to delete the client
> organisation-1-client.
> I don't know if this is a good idea or not; does it have
> any negative impact on performance? Will this make the application code
> more difficult? Or maybe this is not a good practice for any reason?
>

I would recommend you to try other approaches like the one I suggested. I can think about another one using resource types.

Considering your current design, I think the addition of a new organization is pretty much related to a provisioning logic backed by our REST APIs, so you can automate this process. But I hope you can find an alternative ...

>
> Thanks for your time. Regards,
>
> Alfonso
>
>
> -------
> [1] http://lists.jboss.org/pipermail/keycloak-user/2016-August/007309.html
> [2] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014347.html
>

From aechols at bfcsaz.com Wed Apr 17 14:49:26 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Wed, 17 Apr 2019 11:49:26 -0700
Subject: [keycloak-user] Azure AD - ImmutableID
Message-ID:

Hello All,

I've been working on getting SAML2 working with Azure AD Education. I've gotten it working using the article listed below, with the exception of the ImmutableID (when you attempt to login to Azure AD, Keycloak generates a random GUID for each user who attempts to login). I can convert get their ImmutableID and the users can login successfully:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp#set-up-a-trust-between-your-saml-identity-provider-and-azure-ad

So to set the tone here, I'm federating all my accounts from Server 2016 AD with 2016 forest level.
I'm trying to figure out how to get each user's ImmutableID by converting the objectGUID to the ImmutableID and add the following attribute to every user, populated with the ImmutableID:

saml.persistent.name.id.for.urn:federation:MicrosoftOnline

Azure AD's ImmutableID is based off of the objectGUID in the on-prem AD and not stored in the local AD from what I can tell. I have to use the Get-MsolUser PoSH commandlet to get their ImmutableID.

How do I convert the objectGUID by importing it into Keycloak, then converting it to the ImmutableID in Keycloak for all users? It sure would stink adding it by hand to every user...

I'm able to convert the objectGUID locally using something like the following, but it is useless in Keycloak:

$userUPN = "user@domain.com"
$guid = [guid]((Get-ADUser -LdapFilter "(userPrincipalName=$userUPN)").objectGuid)
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())

Thanks in advance for any assistance :)
--
Aaron Echols

From jblashka at redhat.com Wed Apr 17 16:00:48 2019
From: jblashka at redhat.com (Jared Blashka)
Date: Wed, 17 Apr 2019 16:00:48 -0400
Subject: [keycloak-user] Configure authorization to only allow subset of user management actions?
Message-ID:

I've got a client application that wants to be able to remotely trigger the password reset flow for some users. I see the execute-actions-email endpoint on the user resource but it looks like the only permission check present looks to see if that client has full management access for that user or not. I don't want to allow the possibility of the client managing other aspects of the user. Is there any way I can restrict this client to only trigger the update password action or would I be better off adding my own RealmResourceProvider for this?
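The objectGUID to ImmutableID conversion Aaron Echols asks about in his Azure AD message above, as an added example that is not part of the thread: it reproduces the PowerShell path ([guid] then ToByteArray() then ToBase64String()) in Python, shows that base64-encoding the raw 16 objectGUID bytes as returned over LDAP (the value an LDAP attribute mapper reads) yields the same string, and reverses the mapping so an ImmutableID reported by Get-MsolUser can be checked against an on-prem objectGUID. The sample GUID and all function names are constructed for this example.

```python
"""Added example (not from the thread): Active Directory objectGUID <-> Azure AD ImmutableID.

Azure AD's ImmutableID for a federated user is the base64 encoding of the 16 raw
bytes of the on-prem objectGUID. The PowerShell in the thread does
[guid]$x -> ToByteArray() -> ToBase64String(); an LDAP client (such as an LDAP
attribute mapper) sees those same 16 bytes as the raw objectGUID value. The
functions below reproduce both paths and the pitfall of converting the textual
GUID with the wrong byte order. Function names and the sample GUID are constructed.
"""
import base64
import uuid

# Constructed sample GUID (not a real directory object).
SAMPLE_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"


def ldap_object_guid_bytes(guid_text: str) -> bytes:
    """Simulate what AD returns over LDAP for objectGUID.

    AD stores and returns the GUID struct as 16 bytes with the first three
    fields little-endian; Python's uuid.UUID.bytes_le is that exact layout,
    and it is also what .NET's Guid.ToByteArray() produces.
    """
    return uuid.UUID(guid_text).bytes_le


def immutable_id_from_guid_string(guid_text: str) -> str:
    """Mirror the PowerShell path: [guid]"..." then ToByteArray(), then base64."""
    return base64.b64encode(uuid.UUID(guid_text).bytes_le).decode("ascii")


def immutable_id_from_ldap_bytes(object_guid_raw: bytes) -> str:
    """Mirror the LDAP-mapper path: base64 of the raw objectGUID attribute value."""
    if len(object_guid_raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes")
    return base64.b64encode(object_guid_raw).decode("ascii")


def naive_immutable_id(guid_text: str) -> str:
    """The tempting but wrong conversion: base64 of the RFC 4122 big-endian
    bytes of the textual GUID. It differs from the real ImmutableID because
    the first three GUID fields are byte-swapped relative to the AD layout."""
    return base64.b64encode(uuid.UUID(guid_text).bytes).decode("ascii")


def guid_string_from_immutable_id(immutable_id: str) -> str:
    """Reverse the mapping so an ImmutableID seen in Azure AD (for example from
    Get-MsolUser) can be matched back to the on-prem objectGUID text form."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableID does not decode to a 16-byte GUID")
    return str(uuid.UUID(bytes_le=raw))


def check_directory_consistency(guid_text: str, azure_immutable_id: str) -> bool:
    """Return True if the ImmutableID Azure AD reports for a user is the one the
    on-prem objectGUID yields, i.e. the federated identities will line up."""
    return immutable_id_from_guid_string(guid_text) == azure_immutable_id


if __name__ == "__main__":
    ps_value = immutable_id_from_guid_string(SAMPLE_GUID)
    ldap_value = immutable_id_from_ldap_bytes(ldap_object_guid_bytes(SAMPLE_GUID))
    print("PowerShell-style ImmutableID :", ps_value)
    print("LDAP-mapper-style ImmutableID:", ldap_value)
    print("naive (wrong byte order)     :", naive_immutable_id(SAMPLE_GUID))
    print("round trip                   :", guid_string_from_immutable_id(ps_value))
```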
From lilian.benoit at lbenoit.fr Wed Apr 17 17:58:34 2019
From: lilian.benoit at lbenoit.fr (Lilian BENOIT)
Date: Wed, 17 Apr 2019 23:58:34 +0200
Subject: [keycloak-user] Publish login events to a MQTT broker
In-Reply-To:
References:
Message-ID:

Hi,

The issue mentioned seems outdated. You should use the Event Listener SPI.

Link to doc: https://www.keycloak.org/docs/5.0/server_development/index.html#_events
Link to quickstart: https://github.com/keycloak/keycloak-quickstarts/tree/5.0.0/event-listener-sysout

---
Regards,
Lilian

On 17/04/2019 18:39, Matthieu Huin wrote:
> Hello,
>
> I've been trying to follow [1] in order to have Keycloak 5.0 publish
> login events to a MQTT Broker, but I don't see any messages being sent to the
> broker when logging in to any realm. I've attached my standalone.xml
> config file after running the cli script. Is there anything I am missing? Is
> there a better way to achieve this?
>
> Thanks,
>
> MHU
>
> [1]
> https://issues.jboss.org/browse/KEYCLOAK-2302?focusedCommentId=13191048&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-13191048

From aechols at bfcsaz.com Wed Apr 17 18:34:19 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Wed, 17 Apr 2019 15:34:19 -0700
Subject: [keycloak-user] Azure AD - ImmutableID
In-Reply-To:
References:
Message-ID:

Ok, so I figured it out. Just wanted to leave the solution here in case anyone else needs it. Looking through the source, I found that Keycloak will convert objectGUID to base64 automatically on import from LDAP.
I created a new mapper in my User Federated LDAP with the following settings:

Name: saml.persistent.name.id.for.urn:federation:MicrosoftOnline
Mapper Type: user-attribute-ldap-mapper
User Model Attribute: saml.persistent.name.id.for.urn:federation:MicrosoftOnline
LDAP Attribute: objectGUID
Read Only: ON
Always Read Value from LDAP: ON
Is Mandatory in LDAP: OFF
Is Binary Attribute: OFF

All users now have the saml.persistent.name.id.for.urn:federation:MicrosoftOnline attribute added to every account in Keycloak and users can login as expected.
--
Aaron Echols

On Wed, Apr 17, 2019 at 11:49 AM Aaron Echols wrote:
> Hello All,
>
> I've been working on getting SAML2 working with Azure AD Education. I've
> gotten it working using the article listed below, with the exception of the
> ImmutableID (when you attempt to login to Azure AD, Keycloak generates a
> random GUID for each user who attempts to login). I can convert get their
> ImmutableID and the users can login successfully:
>
> https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-fed-saml-idp#set-up-a-trust-between-your-saml-identity-provider-and-azure-ad
>
> So to set the tone here, I'm federating all my accounts from Server 2016
> AD with 2016 forest level. I'm trying to figure out how to get each
> user's ImmutableID by converting the objectGUID to the ImmutableID and add
> the following attribute to every user, populated with the
> ImmutableID:
>
> saml.persistent.name.id.for.urn:federation:MicrosoftOnline
>
> Azure AD's ImmutableID is based off of the objectGUID in the on-prem AD
> and not stored in the local AD from what I can tell. I have to use the
> Get-MsolUser PoSH commandlet to get their ImmutableID.
>
> How do I convert the objectGUID by importing it into Keycloak, then
> converting it to the ImmutableID in Keycloak for all users? It sure would
> stink adding it by hand to every user...
>
> I'm able to convert the objectGUID locally using something like the following, but it is
> useless in Keycloak:
>
> $userUPN = "user@domain.com"
> $guid = [guid]((Get-ADUser -LdapFilter "(userPrincipalName=$userUPN)").objectGuid)
> $immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())
>
> Thanks in advance for any assistance :)
> --
> Aaron Echols
>

From keycloak-user at bulk.harnly.net Wed Apr 17 22:49:47 2019
From: keycloak-user at bulk.harnly.net (Aaron Harnly)
Date: Thu, 18 Apr 2019 02:49:47 +0000
Subject: [keycloak-user] Keycloak behind reverse proxy Master realm access restrictions
In-Reply-To:
References:
Message-ID:

Hi Leon, can you share the nginx config you are using?

On Wed, Apr 17, 2019 at 1:45 PM Leon K wrote:
>
> Hello,
>
> Ubuntu 18.04
> Keycloak 5.0
> Nginx 1.15.8
>
> I have set up Nginx reverse proxy to proxy_pass to Keycloak server.
> This post
> http://lists.jboss.org/pipermail/keycloak-user/2015-September/003012.html
> doesn't help me to protect access from the Internet to the Master realm (it
> does, but with some caveats)
> If I am using:
> /auth/realms/{realm}/
> /auth/realms/master
> /auth/realms
> /auth/admin/
>
> it can restrict access to the Master realm but the login screen is
> different (see attached).
> Can you help me with this issue?
>
> If it is not possible, I will probably stick to that ugly login screen
> rather than expose the Master realm to the Internet hostility.
>
> Thank you.
From testoauth55 at gmail.com Thu Apr 18 00:18:57 2019
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 18 Apr 2019 09:48:57 +0530
Subject: [keycloak-user] converting OIDC token to SAML
In-Reply-To:
References:
Message-ID:

Thanks Pedro,

I guess, then, an alternative and a very good solution that keycloak provides is to integrate the same SAML provider (which is being used by the 3rd party app) with Keycloak, extract the SAML token from it and pass on this token to the 3rd party app.

I followed the official doc: https://www.keycloak.org/docs/4.5/server_admin/index.html#retrieving-external-idp-tokens

After configuring the SAML provider, I turned on the Stored Tokens Readable and Stored Tokens switches, however I am still receiving *"errorMessage": "Client [myApp] not authorized to retrieve tokens from identity provider [saml1]."*

In the doc there is 1 more configuration - "This access token will need to have the broker client-level role read-token set" but I do not know where to set this particular option. Any idea?

On Wed, Apr 17, 2019 at 5:30 PM Pedro Igor Silva wrote:

> If you want to exchange access/id tokens for saml assertions, the token
> exchange does not support SAML.
>
> On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings wrote:
>
>> I have successfully integrated a few of my apps with keycloak (with OIDC
>> tokens). However there is a 3rd party app which works on SAML tokens. I am
>> wondering is it possible to use my existing keycloak system to send SAML
>> tokens to this third party app?
>> i.e. I want to use keycloak as IDP and SP and generate SAML tokens and
>> send it to this 3rd party app. Is this scenario even possible?
>>
>

From testoauth55 at gmail.com Thu Apr 18 00:31:39 2019
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 18 Apr 2019 10:01:39 +0530
Subject: [keycloak-user] converting OIDC token to SAML
In-Reply-To:
References:
Message-ID:

Answer to my previous question:

The only step needed after adding the SAML provider is to turn on the Stored Tokens Readable and Stored Tokens switches. The reason I was getting the above error was that for an already imported user, this role will not get set. Only for newly imported users (users imported after turning on the switches) will it get set.

But this is a very handy solution from keycloak to extract SAML tokens.

On Thu, Apr 18, 2019 at 9:48 AM Bruce Wings wrote:

> Thanks Pedro,
>
> I guess, then, an alternative and a very good solution that keycloak
> provides is to integrate the same SAML provider (which is being used by the 3rd
> party app) with Keycloak, extract the SAML token from it and pass on
> this token to the 3rd party app.
>
> I followed the official doc:
> https://www.keycloak.org/docs/4.5/server_admin/index.html#retrieving-external-idp-tokens
>
> After configuring the SAML provider, I turned on the Stored Tokens
> Readable and Stored Tokens switches, however I am still receiving
>
> *"errorMessage": "Client [myApp] not authorized to retrieve tokens from
> identity provider [saml1]."*
>
> In the doc there is 1 more configuration - "This access token will need
> to have the broker client-level role read-token set" but I do not know
> where to set this particular option. Any idea?
>
>
> On Wed, Apr 17, 2019 at 5:30 PM Pedro Igor Silva
> wrote:
>
>> If you want to exchange access/id tokens for saml assertions, the token
>> exchange does not support SAML.
>>
>> On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings
>> wrote:
>>
>>> I have successfully integrated a few of my apps with keycloak (with OIDC
>>> tokens). However there is a 3rd party app which works on SAML tokens. I
>>> am wondering is it possible to use my existing keycloak system to send SAML
>>> tokens to this third party app?
>>> i.e. I want to use keycloak as IDP and SP and generate SAML tokens and
>>> send it to this 3rd party app. Is this scenario even possible?
>>>
>>

From sylvain.malnuit at lyra-network.com Thu Apr 18 03:15:12 2019
From: sylvain.malnuit at lyra-network.com (Sylvain Malnuit)
Date: Thu, 18 Apr 2019 09:15:12 +0200 (CEST)
Subject: [keycloak-user] Help setup SSL certificate on keycloak
In-Reply-To:
References: , <004401d4f526$a653f730$f2fbe590$@lyra-network.com>
Message-ID: <003301d4f5b6$763b2e70$62b18b50$@lyra-network.com>

Francesco,

If you use the official Keycloak image, they introduce a cer file conversion mechanism (see previous answer) and https://github.com/jboss-dockerfiles/keycloak/blob/master/server/tools/x509.sh and readme https://github.com/jboss-dockerfiles/keycloak/tree/master/server (find TLS)

Otherwise (custom docker image), you must use the Wildfly mechanism and implement the same mechanism to import your certificate. If Keycloak (Wildfly) doesn't detect a jks, it will generate a jks with an auto-signed certificate (see warning in logs).

In a Docker environment, you can mount (secrets) your certificates and convert them to jks (see KEYSTORES_STORAGE in the x509.sh script for example)

bye

From: Francesco Longo [mailto:francesco.longo at linksfoundation.com]
Sent: Wednesday, 17 April 2019 17:53
To: Sylvain Malnuit
Subject: Re: [keycloak-user] Help setup SSL certificate on keycloak

Hi!

Thank you for your answer, but I can't understand.
I have a valid certificate (.cer file) and I don't understand how to import it on keycloak..

The problem is that I use keycloak in a docker container on a portainer configuration. I provide HTTPS with a self-signed certificate running the docker container and keycloak with a mapped port like 8443. Now I cannot understand how to set up this certificate on keycloak and the guide/tutorial is not so clear because I don't understand where to put the .cer file and what file to edit... I have to create a keystore from the .cer file?

Could you provide me a better understanding procedure?

Thank you very much!

Francesco Longo
Researcher | Linksfoundation.com
T. +39 0112276440
francesco.longo at linksfoundation.com
From: Sylvain Malnuit
Sent: Wednesday, April 17, 2019 16:05
To: Francesco Longo; keycloak-user at lists.jboss.org
Subject: RE: [keycloak-user] Help setup SSL certificate on keycloak

Hi,

It's an internal mechanism of Wildfly (see http://www.mastertheboss.com/jboss-server/jboss-security/complete-tutorial-for-configuring-ssl-https-on-wildfly).
You create a keystore (jks) in the expected folder (or override the path with a parameter) and declare a realm in Wildfly. It's not very difficult. Follow the tutorial and it works fine.
Depending on the version of keycloak (associated Wildfly version - Elytron or not), cli commands can be different.

Good luck

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Francesco Longo
Sent: Wednesday, 17 April 2019 15:31
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Help setup SSL certificate on keycloak

Good morning,

I'm Francesco Longo and I'm a researcher at Links Foundation. I'm trying to setup keycloak as authentication and authorization service for a European project and I have some problems setting up an SSL certificate.
I found the way to use HTTPS in keycloak using docker (just run the docker image with the 8443 port mapping and it automatically creates a self-signed certificate) but I'd like to put a valid SSL certificate because I get the error "self signed certificate" when I do some request to my keycloak protected server...
I found your guide where it is explained how to put a certificate but it is not clear to me where it is necessary to put the keystore file and what file to edit or modify in order to have HTTPS.
I'll be very grateful if some of you could help me to solve my doubts.

Thank you very much for your availability.
Best regards,

[LINKS Foundation]
Francesco Longo
Researcher | Linksfoundation.com
T. +39 0112276440
francesco.longo at linksfoundation.com

_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From sylvain.malnuit at lyra-network.com Thu Apr 18 03:29:16 2019
From: sylvain.malnuit at lyra-network.com (Sylvain Malnuit)
Date: Thu, 18 Apr 2019 09:29:16 +0200 (CEST)
Subject: [keycloak-user] Keycloak -2FA Token Reset
In-Reply-To:
References:
Message-ID: <003f01d4f5b8$6d523a40$47f6aec0$@lyra-network.com>

Hi Sandeep,

Last year, I had the same question. It's possible to reset OTP in the user profile (Authenticator/Trash). I didn't find an API to do a reset remotely and integrate the QR code in our front office.
Have you found any information in the last official API documentation (Keycloak 5.0)?

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org [mailto:keycloak-user-bounces at lists.jboss.org] On behalf of Sandeep Sancheti
Sent: Wednesday, 17 April 2019 16:51
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Keycloak -2FA Token Reset

Hi,

I'm helping my organisation to build a portal framework and one of the modules is user login where Keycloak is being used as IDAM. One of the features which we have enabled is 2 factor authentication and I've a requirement to allow users to reset their 2FA token but my understanding from reading a few blogs is that it is only possible via the forgotten password flow. Is my understanding correct or am I missing something? Could you please advise.

One of the other teams is using WSO2 as API manager and there's an option where if a user needs to reset the token then the admin can delete the secret key from the user's profile which will then prompt the user to rescan a new code on attempt to login. If Keycloak doesn't have an out of the box feature, can similar steps be done in Keycloak to reset the token?

Regards
Sandeep
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From Sebastian.Schuster at bosch-si.com Thu Apr 18 03:55:23 2019
From: Sebastian.Schuster at bosch-si.com (Schuster Sebastian (INST-CSS/BSV-OS2))
Date: Thu, 18 Apr 2019 07:55:23 +0000
Subject: [keycloak-user] Is it possible to extend the default max size of user attributes?
In-Reply-To:
References:
Message-ID: <9aa67418fe47451199ffde0827cee74f@bosch-si.com>

Hi Matthieu,

The way we did this was to add a custom migration to our docker image like that:
We added a file jpa-changelog-4.3.0-attributes.xml with the following content:

And run the following script when creating our image:

    #!/bin/bash

    KEYCLOAK_VERSION=$1

    model_jpa="keycloak-model-jpa-${KEYCLOAK_VERSION}.jar"
    match=' '
    insert=' '
    file="META-INF/jpa-changelog-master.xml"

    # extract the master changelog from the model jar
    jar -xf $model_jpa $file

    # add the include for the custom changelog right after the matched line
    sed -i "s/$match/$match\n$insert/" $file

    mv jpa-changelog-4.3.0-attributes.xml ./META-INF/

    # write the modified changelog and the new file back into the jar
    jar -uf $model_jpa ./META-INF/

I admit it is pretty hacky but it does its job and did not cause any problems so far.

Best regards,
Sebastian

Best regards

Dr.-Ing. Sebastian Schuster

Open Source Services (INST-CSS/BSV-OS2)
Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY | www.bosch-si.com
Tel. +49 30 726112-485 | Mobile +49 152 02177668 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com

Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On behalf of Matthieu Huin
Sent: Wednesday, 17 April 2019 18:23
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Is it possible to extend the default max size of user attributes?

Hello,

I would like to store a user's public SSH keys as a custom attribute in Keycloak 5.0. Unfortunately it seems that the default max size of attributes is 255 characters. Is it possible to configure this to an arbitrarily higher value?
Thanks,

MHU
_______________________________________________
keycloak-user mailing list
keycloak-user at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user

From admadm at virgilio.it Thu Apr 18 04:33:51 2019
From: admadm at virgilio.it (admadm at virgilio.it)
Date: Thu, 18 Apr 2019 11:33:51 +0300
Subject: [keycloak-user] Issue with logout
Message-ID: <1555576431.523486929@f4.my.com>

Hello,

we installed KC 5.0.0 and started developing a java api, now we've encountered a problem with logout. When we try to logout a user via java, auth with a valid token (clientid + secret), we get an http failure with 400 response: invalid_client_credentials.
Now we've debugged the code and discovered that the ClientIdAndSecretCredentialsProvider class has a null clientsecret, how is that possible? How could we fix this?

From mhuin at redhat.com Thu Apr 18 04:47:12 2019
From: mhuin at redhat.com (Matthieu Huin)
Date: Thu, 18 Apr 2019 10:47:12 +0200
Subject: [keycloak-user] Is it possible to extend the default max size of user attributes?
In-Reply-To: <9aa67418fe47451199ffde0827cee74f@bosch-si.com>
References: <9aa67418fe47451199ffde0827cee74f@bosch-si.com>
Message-ID:

Thanks, I will try this out!

On a side note, do I need to enter values concatenated with '##' in order to store multiple values in a custom attribute?
On Thu, Apr 18, 2019 at 9:55 AM Schuster Sebastian (INST-CSS/BSV-OS2) <Sebastian.Schuster at bosch-si.com> wrote:

> Hi Matthieu,
>
> The way we did this was to add a custom migration to our docker image like
> that:
> We added a file jpa-changelog-4.3.0-attributes.xml with the following
> content:
>
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="
> http://www.liquibase.org/xml/ns/dbchangelog
> http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-3.1.xsd">
>
> newDataType="NVARCHAR(MAX)"/>
>
> And run the following script when creating our image:
> #!/bin/bash
>
> KEYCLOAK_VERSION=$1
>
> model_jpa="keycloak-model-jpa-${KEYCLOAK_VERSION}.jar"
> match=' '
> insert=' file=\"META-INF\/jpa-changelog-4.3.0-attributes.xml\"\/>'
> file="META-INF/jpa-changelog-master.xml"
>
> jar -xf $model_jpa $file
>
> sed -i "s/$match/$match\n$insert/" $file
>
> mv jpa-changelog-4.3.0-attributes.xml ./META-INF/
>
> jar -uf $model_jpa ./META-INF/
>
> I admit it is pretty hacky but it does its job and did not cause any
> problems so far.
>
> Best regards,
> Sebastian
>
> Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Open Source Services (INST-CSS/BSV-OS2)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin |
> GERMANY | www.bosch-si.com
> Tel. +49 30 726112-485 | Mobile +49 152 02177668 | Fax +49 30 726112-100 |
> Sebastian.Schuster at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Managing Directors: Dr.
> Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic
>
> -----Original Message-----
> From: keycloak-user-bounces at lists.jboss.org <
> keycloak-user-bounces at lists.jboss.org> On behalf of Matthieu Huin
> Sent: Wednesday, 17 April 2019 18:23
> To: keycloak-user at lists.jboss.org
> Subject: [keycloak-user] Is it possible to extend the default max size of
> user attributes?
>
> Hello,
>
> I would like to store a user's public SSH keys as a custom attribute in
> Keycloak 5.0. Unfortunately it seems that the default max size of
> attributes is 255 characters. Is it possible to configure this to an
> arbitrarily higher value?
>
> Thanks,
>
> MHU
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From kapilkumarjoshi001 at gmail.com Thu Apr 18 05:15:30 2019
From: kapilkumarjoshi001 at gmail.com (kapil joshi)
Date: Thu, 18 Apr 2019 14:45:30 +0530
Subject: [keycloak-user] Password expiry policy not working for federated user
In-Reply-To:
References:
Message-ID:

Hi All,

Gentle reminder, on the last few questions asked, can someone from the keycloak team answer or guide us with a few hints, so that we can proceed, we are kind of blocked.

Also, can someone point me to the table where I can find the last password change time in keycloak. We have integrated keycloak with postgres.

Thanks & regards
Kapil

On Wed, Apr 17, 2019 at 4:43 PM kapil joshi wrote:

> As I understand, there is no support for OpenLDAP, can we still create
> custom mappers and map attributes like pwdLastSet to pwdChangedTime
>
> such that a few password policies like password expiry time work?
>
> Thanks & Regards
> Kapil
>
> On Wed, Apr 17, 2019 at 2:38 PM kapil joshi
> wrote:
>
>> Hi All,
>>
>> We are using OpenLDAP.
>>
>> I found out that there is an ldap mapper, precisely
>> user-account-control-mapper, by adding this the LDAP password policy will be
>> respected.
>> on doing this we are getting the update password UI, on login.
>> But while
>> updating the password we are getting the below error:
>>
>> On update of the password:
>>
>> On UI: Could not modify attribute for DN [uid=xxxxxxx,dc=tt,dc=zz,dc=br]
>>
>> On ldap.log we can see the below error coming up:
>>
>> conn=1159 op=1 do_modify: get_ctrls failed
>>
>> Please suggest what we are missing or can correct in our configuration.
>>
>> Thanks & Regards
>>
>> Kapil
>>
>> On Thu, Apr 11, 2019 at 7:32 PM kapil joshi
>> wrote:
>>
>>> Hi All,
>>>
>>> Password expiry policy not working for federated user. We can see that
>>> the password has expired for the LDAP user, which was set to 90 days, but the user
>>> can still login to the UI via keycloak authentication.
>>>
>>> Kindly point us to what we are missing.
>>>
>>> Please note we have enabled the switch to sync password policy with
>>> federated user.
>>>
>>> Thanks & regards
>>>
>>> Kapil
>>>
>>

From leon.kuper at gmail.com Thu Apr 18 06:36:13 2019
From: leon.kuper at gmail.com (Leon K)
Date: Thu, 18 Apr 2019 06:36:13 -0400
Subject: [keycloak-user] Keycloak behind reverse proxy Master realm access restrictions
In-Reply-To:
References:
Message-ID:

Hi Aaron,

I am not sure if it is OK to use a cross-reference between forums. But this is my post on Stack Overflow:
https://stackoverflow.com/questions/55578690/keycloak-with-wildfly-application-behind-a-nginx-reverse-proxy

Thanks.

On Wed, Apr 17, 2019, 10:49 PM Aaron Harnly wrote:

> Hi Leon, can you share the nginx config you are using?
>
> On Wed, Apr 17, 2019 at 1:45 PM Leon K wrote:
> >
> > Hello,
> >
> > Ubuntu 18.04
> > Keycloak 5.0
> > Nginx 1.15.8
> >
> > I have set up Nginx reverse proxy to proxy_pass to Keycloak server.
> > This post
> > http://lists.jboss.org/pipermail/keycloak-user/2015-September/003012.html
> > doesn't help me to protect access from the Internet to the Master realm (it
> > does but with some caveats)
> > If I am using:
> > /auth/realms/{realm}/
> > /auth/realms/master
> > /auth/realms
> > /auth/admin/
> >
> > it can restrict access to the Master realm but the login screen is
> > different (see attached).
> > Can you help me with this issue?
> >
> > If it is not possible, I will probably stick to that ugly login screen
> > rather than expose the Master realm to the Internet hostility.
> >
> > Thank you.
> >
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From alfonso at alfonsoalba.com Thu Apr 18 07:09:53 2019
From: alfonso at alfonsoalba.com (Alfonso Alba García)
Date: Thu, 18 Apr 2019 13:09:53 +0200
Subject: [keycloak-user] How to implement access to resources based on resource roles
In-Reply-To: <5CB75811.9030909@alfonsoalba.com>
References: <5CB75811.9030909@alfonsoalba.com>
Message-ID: <5CB85B01.5030107@alfonsoalba.com>

Hi Pedro,

Thanks a lot for your answer. I will have a look at the three things you are suggesting: groups, resource types and pushing claims.

At the moment I'm having a deeper look at the Policy Enforcer documentation. I consider that I read that part of the documentation and did not get it right. As you suggest, pushing claims can simplify my policies. I had a look at the app-authz-rest-employee[1] and app-authz-rest-springboot[2] examples.
I already have some ideas about it after going through them. I will post an update after trying a little more.

Just one last question: in the first post I asked if using one client per organisation would be a good idea or not. Has anybody some advice about this? I don't know if I'm using the client to do something it's not supposed to do.

Thanks again,

Alfonso

--------
[1] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee
[2] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-springboot

From psilva at redhat.com Thu Apr 18 08:18:04 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Thu, 18 Apr 2019 09:18:04 -0300
Subject: [keycloak-user] converting OIDC token to SAML
In-Reply-To:
References:
Message-ID:

Out of curiosity, so the 3rd party is already using Keycloak as SAML IdP?
On Thu, Apr 18, 2019 at 1:32 AM Bruce Wings wrote:

> Answer to my previous question:
>
> The only step needed after adding the SAML provider is to turn on the Stored Tokens
> Readable and Stored Tokens switches. The reason I was getting the above error
> was because for an already imported user, this role will not get set. Only for
> newly imported users (users imported after turning on the switches) will it get
> set.
>
> But this is a very handy solution from keycloak to extract SAML tokens.
>
> On Thu, Apr 18, 2019 at 9:48 AM Bruce Wings wrote:
>
>> Thanks Pedro,
>>
>> I guess, then an alternative and a very good solution that keycloak
>> provides is to integrate the same SAML provider (which is being used by the 3rd
>> party app) with Keycloak and extract the SAML token from it and pass on
>> this token to the 3rd party app.
>>
>> I followed the official doc:
>> https://www.keycloak.org/docs/4.5/server_admin/index.html#retrieving-external-idp-tokens
>>
>> After configuring the SAML provider, I turned on the Stored Tokens
>> Readable and Stored Tokens switches, however I am still receiving
>>
>> *"errorMessage": "Client [myApp] not authorized to retrieve tokens from
>> identity provider [saml1]."*
>>
>> In the doc there is 1 more configuration - "This access token will need
>> to have the broker client-level role read-token set" but I do not know
>> where to set this particular option. Any idea?
>>
>> On Wed, Apr 17, 2019 at 5:30 PM Pedro Igor Silva wrote:
>>
>>> If you want to exchange access/id tokens for saml assertions, the token
>>> exchange does not support SAML.
>>>
>>> On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings wrote:
>>>
>>>> I have successfully integrated few of my apps with keycloak (with OIDC
>>>> tokens). However there is a 3rd party app which works on SAML tokens. I
>>>> am wondering is it possible to use my existing keycloak system to send SAML
>>>> tokens to this third party app?
>>>> i.e.
>>>> I want to use keycloak as IDP and SP and generate SAML tokens and
>>>> send it to this 3rd party app. Is this scenario even possible?
>>>> _______________________________________________
>>>> keycloak-user mailing list
>>>> keycloak-user at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>>
>>>

From alfonso at alfonsoalba.com Thu Apr 18 08:36:52 2019
From: alfonso at alfonsoalba.com (Alfonso Alba García)
Date: Thu, 18 Apr 2019 14:36:52 +0200
Subject: [keycloak-user] How to implement access to resources based on resource roles
In-Reply-To:
References: <5CB75811.9030909@alfonsoalba.com> <5CB85AD0.5030607@alfonsoalba.com>
Message-ID: <5CB86F64.8020807@alfonsoalba.com>

As you mentioned, at the moment our "organisations" are more similar to groups than to real organisational units. We have one realm that holds all our users and a simple client to login users and implement the authorisation. However, you made an important remark about SaaS and realms... I have to think again about your "random thought". I knew about user federation but I was not aware that I can delegate authentication to other realms. I guess it's similar to when you activate "login with facebook", right? But instead of that I will have a "login with Eden". I have to dig deeper into Identity Brokering and user federation.

Thanks again, you have been super-helpful!! :-)

Pedro Igor Silva wrote:
> It really depends on how different the organization settings are.
>
> Without knowing your use case in detail, I assume that an organization
> may have different client applications. A SaaS solution would have
> organizations mapping to realms and not clients. In this case, each
> organization has its own user database and security settings.
>
> It seems that your use case is more likely related with groups as
> organizations given that you have a shared user database.
>
> FYI, the identity broker feature set in Keycloak can help to solve the
> "shared user database" across realms problem if you want to keep a
> single realm as the main repository of users and still have these
> users "federated" to other dependent realms. Suppose you have an "Eden"
> realm where you manage all your users. Then you have "Organization Foo"
> realm and "Organization Bar" realm. Each of these realms would be
> configured to delegate authentication to "Eden" realm and thus have
> users federated across all of them. Just a random thought :)
>
> On Thu, Apr 18, 2019 at 8:09 AM Alfonso Alba García wrote:
>
> Hi Pedro,
>
> Thanks a lot for your answer. I will have a look at the three things
> you are suggesting: groups, resource types and pushing claims.
>
> At the moment I'm having a deeper look at the Policy Enforcer
> documentation. I consider that I read that part of the documentation
> and did not get it right. As you suggest, pushing claims can simplify my
> policies. I had a look at the app-authz-rest-employee[1] and
> app-authz-rest-springboot[2] examples. I already have some ideas about
> it after going through them. I will post an update after trying a
> little more.
>
> Just one last question: in the first post I asked if using one client
> per organisation would be a good idea or not. Has anybody some advice
> about this? I don't know if I'm using the client to do something it's
> not supposed to do.
>
> Thanks again,
>
> Alfonso
>
> --------
> [1] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee
> [2] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-springboot
>
> Pedro Igor Silva wrote:
> > Hi,
> >
> > Some comments inline ...
> >
> > On Wed, Apr 17, 2019 at 2:16 PM Alfonso Alba García wrote:
> >
> > > I've installed keycloak locally and now I'm trying to
> > > implement these requirements.
> > > I've started with the ones I think are the
> > > easiest: The organisation Owner and Administrator. Following what's
> > > suggested in the threads mentioned above, I implemented these resource roles
> > > as follows:
> > >
> > > * Create three scopes: organisation:edit, organisation:view,
> > >   organisation:billing
> > >
> > > * Create a resource "Organisation 1" with scopes organisation:edit,
> > >   organisation:view and organisation:billing
> > >
> > > * Create two client roles "Organisation 1 Owner" and "Organisation 1
> > >   Administrator"
> > >
> > > * Create two policies: "Organisation 1 Owner Policy" and
> > >   "Organisation 1 Administrator Policy"
> > >
> > > * Create one scope-permission "Organisation 1 Managers Permissions"
> > >   that allows users with roles "Organisation 1 Owner" or "Organisation 1
> > >   Administrator" to get permission for the scopes organisation:edit and
> > >   organisation:view
> > >
> > > * Create one scope-permission "Organisation 1 Owners Permissions" that
> > >   allows users with role "Organisation 1 Owner" to access the scope
> > >   organisation:billing
> >
> > Your policy model is fine but I think you can make it simpler if you
> > just use groups to represent organization membership.
> >
> > By using groups, you can have a single "Organization Resource",
> > "Organization Managers Permissions" and "Organization Owner Permission".
> > Your policies could benefit from claims pushed by your application [1]
> > in order to make decisions based on whether or not the user is a member
> > of an organization plus the RBAC.
> >
> > For instance, if you have in Keycloak a group "organization-foo" and
> > your application provides a REST endpoint like "/api/organizations/foo",
> > you could send the request URI to your policies, extract the "foo" part
> > of it and check if the user is a member of organization-foo. I think the
> > same logic could be applied to other resource types.
> >
> > You could check this example [2].
> >
> > [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
> > [2] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee
> >
> > > I created these for three organisations as well as several users.
> > > I've been playing around with them using the Evaluate functionality of
> > > the keycloak client and apparently everything is working fine. Now I'm
> > > thinking about how I could implement the access to the packages I
> > > mentioned above, the members, etc, but before I continue I have several
> > > questions:
> > >
> > > * Since users can have different roles in different organisations, I'm
> > >   creating only one realm. I guess that's ok since different realms do
> > >   not share users.
> > >
> > > * For every organisation that we create in our application we will need
> > >   to create all the policies, roles and permissions described above. Is
> > >   this supposed to be like that or am I missing something?
> > >
> > > * If this is the way to do it, I was wondering if it's a good idea to
> > >   create a Resource Server (i.e. a new client inside the realm) for each
> > >   organisation. This way I can create a client organisation-1-client with
> > >   all the resources, policies and permissions for "Organisation 1". I
> > >   think that this will make deleting an organisation quite easy: after the
> > >   user deletes the organisation, I just need to delete the client
> > >   organisation-1-client. I don't know if this is a good idea or not, has it
> > >   any negative impact on performance? Will this make the application code
> > >   more difficult? Or maybe this is not a good practice for any reason?
> >
> > I would recommend you to try other approaches like the one I suggested.
> > I can think about another one using resource types.
> >
> > Considering your current design, I think the addition of a new
> > organization is pretty much related to a provisioning logic backed by
> > our REST APIs, so you can automate this process. But I hope you can
> > find an alternative ...
> >
> > > Thanks for your time. Regards,
> > >
> > > Alfonso
> > >
> > > -------
> > > [1] http://lists.jboss.org/pipermail/keycloak-user/2016-August/007309.html
> > > [2] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014347.html
> > > _______________________________________________
> > > keycloak-user mailing list
> > > keycloak-user at lists.jboss.org
> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From kiran.kumar2 at hotmail.co.uk Thu Apr 18 09:34:39 2019
From: kiran.kumar2 at hotmail.co.uk (Kiran Kumar Gubbi Veerajinendra)
Date: Thu, 18 Apr 2019 13:34:39 +0000
Subject: [keycloak-user] Regarding Keycloak custom 'UserNamePasswordFormFactory'
Message-ID:

Hi,

We have a requirement where the Browser Keycloak user login authentication will be performed by an external rest api in the backend. Please suggest how I achieve this.

Kind Regards,
Kiran

From valsarajpv at gmail.com Thu Apr 18 10:52:13 2019
From: valsarajpv at gmail.com (valsaraj pv)
Date: Thu, 18 Apr 2019 20:22:13 +0530
Subject: [keycloak-user] Duplicate email not supported
Message-ID:

Hi,

I have checked in the latest KC version & still there is an issue with importing users with duplicate email from LDAP using KC user federation. Is there any option to disable the duplicate email check/constraint?

Thanks,
Valsaraj Viswanathan

From bruno at abstractj.org Thu Apr 18 11:22:41 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 18 Apr 2019 12:22:41 -0300
Subject: [keycloak-user] Fwd: Python client / adapter for keycloak
In-Reply-To:
References:
Message-ID: <20190418152241.GB13252@abstractj.org>

Hi Akhil, thanks for sharing. For protecting apps not covered by the Java Adapter or Node.js adapter our standard recommendation is Gatekeeper.
At the moment we don't have enough bandwidth to maintain another adapter. But I believe you can submit[1] your project to the extensions page https://www.keycloak.org/extensions.html, so other community members can benefit from it.

[1] - https://github.com/keycloak/keycloak.github.io/blob/master/extensions.html

On 2019-04-17, Akhil Lawrence wrote:
> Hi Keycloak users,
>
> I wanted to use keycloak in my python apps.
> I could not find a proper client/adapter for keycloak.
> So I decided to write one client for keycloak in Python.
> The beta version is ready https://github.com/puthiry-lab/keycloak-client
> Please do check this out and let me know the feedback.
> I would like to work further on it and would love to make it part of the
> official keycloak repo
>
> Thanks,
> Akhil Lawrence
> www.akhilputhiry.in
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
abstractj

From testoauth55 at gmail.com Thu Apr 18 12:01:13 2019
From: testoauth55 at gmail.com (Bruce Wings)
Date: Thu, 18 Apr 2019 21:31:13 +0530
Subject: [keycloak-user] converting OIDC token to SAML
In-Reply-To:
References:
Message-ID:

No. Actually the 3rd party app is using Okta as SAML IDP. So I added another app in okta for my keycloak server. Now when a user logs into keycloak using this okta integration, I received a keycloak access token embedded with the okta SAML token.

On Thursday, April 18, 2019, Pedro Igor Silva wrote:

> Out of curiosity, so the 3rd party is already using Keycloak as SAML IdP?
>
> On Thu, Apr 18, 2019 at 1:32 AM Bruce Wings wrote:
>
>> Answer to my previous question:
>>
>> The only step needed after adding the SAML provider is to turn on the Stored Tokens
>> Readable and Stored Tokens switches. The reason I was getting the above
>> error was because for an already imported user, this role will not get set.
>> Only for newly imported users (users imported after turning on the switches) will it
>> get set.
>>
>> But this is a very handy solution from keycloak to extract SAML tokens.
>>
>> On Thu, Apr 18, 2019 at 9:48 AM Bruce Wings wrote:
>>
>>> Thanks Pedro,
>>>
>>> I guess, then an alternative and a very good solution that keycloak
>>> provides is to integrate the same SAML provider (which is being used by the 3rd
>>> party app) with Keycloak and extract the SAML token from it and pass on
>>> this token to the 3rd party app.
>>>
>>> I followed the official doc:
>>> https://www.keycloak.org/docs/4.5/server_admin/index.html#retrieving-external-idp-tokens
>>>
>>> After configuring the SAML provider, I turned on the Stored Tokens
>>> Readable and Stored Tokens switches, however I am still receiving
>>>
>>> *"errorMessage": "Client [myApp] not authorized to retrieve tokens from
>>> identity provider [saml1]."*
>>>
>>> In the doc there is 1 more configuration - "This access token will need
>>> to have the broker client-level role read-token set" but I do not know
>>> where to set this particular option. Any idea?
>>>
>>> On Wed, Apr 17, 2019 at 5:30 PM Pedro Igor Silva wrote:
>>>
>>>> If you want to exchange access/id tokens for saml assertions, the token
>>>> exchange does not support SAML.
>>>>
>>>> On Wed, Apr 17, 2019 at 4:48 AM Bruce Wings wrote:
>>>>
>>>>> I have successfully integrated few of my apps with keycloak (with OIDC
>>>>> tokens). However there is a 3rd party app which works on SAML tokens.
>>>>> I am wondering is it possible to use my existing keycloak system to send
>>>>> SAML tokens to this third party app?
>>>>> i.e. I want to use keycloak as IDP and SP and generate SAML tokens and
>>>>> send it to this 3rd party app. Is this scenario even possible?
From alfonso at alfonsoalba.com Sat Apr 20 04:27:03 2019
From: alfonso at alfonsoalba.com (Alfonso Alba García)
Date: Sat, 20 Apr 2019 10:27:03 +0200
Subject: [keycloak-user] Cannot update the user realmRoles using the Admin API
Message-ID: <5CBAD7D7.9060609@alfonsoalba.com>

Hi,

I'm using the keycloak Admin API to create a new user with the "subscriptor" role from my application.

I've found issue KEYCLOAK-6080 [1] in Jira which says that you first have to create the user and then set the roles. That's what I'm trying to do.

1- First, get a token for the Admin API using the admin user from the master realm:

curl -d "client_id=admin-cli" \
  -d "username=MYUSERNAME" \
  -d "password=MYPASSWORD" \
  -d "grant_type=password" \
  "https://mykeycloakserver/auth/realms/master/protocol/openid-connect/token"

2- Set the shell variable "access_token" with the provided access_token

3- Change the user firstName and realmRoles of the "demo-rails-app" realm:

curl -X PUT \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${access_token}" \
  -d '{"realmRoles":["subscriptor"], "firstName":"NEW FIRST NAME"}' \
  https://mykeycloakserver/auth/admin/realms/demo-rails-app/users/80ef4038-...

The firstName field of the user is properly updated, however the user realm roles are not modified. Am I doing something wrong? I've tried to pass a string instead of an array or use the role ID instead of the role name but neither of them worked.

Regards,

Alfonso

------
1 - https://issues.jboss.org/browse/KEYCLOAK-6080

From aechols at bfcsaz.com Sun Apr 21 23:26:26 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Sun, 21 Apr 2019 20:26:26 -0700
Subject: [keycloak-user] Meraki SP

Hello All,

I'm working on adding Meraki as an SP to Keycloak 5.0.0.
It requires that Keycloak be set up for IdP-initiated SSO, which I've configured. I have everything working great, but I'm running into an issue where Keycloak will not pass through a SAML attribute using mappers.

Per the docs here: https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard

I need to pass a role attribute through that matches what I've set up as the SAML Administrator Roles in Meraki. I've done that and have roles set up as IT, Management, etc. In Active Directory the 'department' attribute is set to the role that is needed. I've created the federated mapper 'dept' that is mapped to 'department' in AD. Users in Keycloak have that attribute populated successfully with the correct data.

In the client for Meraki, I've created a mapper named 'https://dashboard.meraki.com/saml/attributes/role' and set it as a 'user property' with a property of 'dept' and a general friendly name, and then set the 'SAML Attribute Name' to role. Looking at the SAML login, this is never passed through at all.

The only way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded Attribute' with an 'Attribute Value' of 'IT' and a mapper name of 'https://dashboard.meraki.com/saml/attributes/role'; it will then log in successfully to Meraki. There are other groups that will be logging into Meraki, otherwise I'd just leave it hardcoded.

I get the below in the SAML transaction when hardcoding the attribute:

IT

I've never had this issue of passing other attributes through before. Can anyone let me know if I'm going about this wrong and if so, what am I missing?
Thanks :)

--
Aaron Echols

From alfonso at alfonsoalba.com Mon Apr 22 11:20:27 2019
From: alfonso at alfonsoalba.com (Alfonso Alba García)
Date: Mon, 22 Apr 2019 17:20:27 +0200
Subject: [keycloak-user] Cannot update the user realmRoles using the Admin API
In-Reply-To: <5CBAD7D7.9060609@alfonsoalba.com>
References: <5CBAD7D7.9060609@alfonsoalba.com>
Message-ID: <5CBDDBBB.5010508@alfonsoalba.com>

Hi again!

I answer my own question here just in case somebody else runs into the same issue. I managed to add the "subscriptor" role using one of the RoleMappings endpoints [1] of the Admin API instead of the users endpoint:

curl -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer ${access_token}" \
  -d '[{"id":"62cd0bf0-63f5-4b03-8c24-84e19dccef3b","name":"user"}]' \
  https://mykeycloakserver/auth/admin/realms/demo-rails-app/users/80XXXX/role-mappings/realm

Regards,

Alfonso

----
[1] https://www.keycloak.org/docs-api/6.0/rest-api/#_addrealmrolemappings

Alfonso Alba García wrote:
> Hi,
>
> I'm using the keycloak Admin API to create a new user with the
> "subscriptor" role from my application.
>
> I've found issue KEYCLOAK-6080 [1] in Jira which says that you first
> have to create the user and then set the roles. That's what I'm trying
> to do.
>
> 1- First, get a token for the Admin API using the admin user from the
> master realm:
>
> curl -d "client_id=admin-cli" \
>   -d "username=MYUSERNAME" \
>   -d "password=MYPASSWORD" \
>   -d "grant_type=password" \
>   "https://mykeycloakserver/auth/realms/master/protocol/openid-connect/token"
>
> 2- Set the shell variable "access_token" with the provided access_token
>
> 3- Change the user firstName and realmRoles of the "demo-rails-app" realm:
>
> curl -X PUT \
>   -H "Content-Type: application/json" \
>   -H "Authorization: Bearer ${access_token}" \
>   -d '{"realmRoles":["subscriptor"], "firstName":"NEW FIRST NAME"}' \
>   https://mykeycloakserver/auth/admin/realms/demo-rails-app/users/80ef4038-...
>
> The firstName field of the user is properly updated, however the user
> realm roles are not modified. Am I doing something wrong? I've tried to
> pass a string instead of an array or use the role ID instead of the role
> name but neither of them worked.
>
> Regards,
>
> Alfonso
>
> ------
> 1 - https://issues.jboss.org/browse/KEYCLOAK-6080

From alfonso at alfonsoalba.com Mon Apr 22 12:06:39 2019
From: alfonso at alfonsoalba.com (Alfonso Alba García)
Date: Mon, 22 Apr 2019 18:06:39 +0200
Subject: [keycloak-user] How to implement access to resources based on resource roles
References: <5CB75811.9030909@alfonsoalba.com>
Message-ID: <5CBDE68F.1080302@alfonsoalba.com>

Hi,

I've been able to simplify the policy model a lot by posting claims to the resource server. Since I'm using rails and there is no adapter and no policy enforcer implementation, I'm just making calls to the REST API and sending the claims with the context that I need.

Instead of creating a resource for each new entity that the user creates, in our resource server we create just one resource for each resource type, for example:

{
  "name": "Event Resource",
  "type": "Event",
  "ownerManagedAccess": false,
  "displayName": "Event Resource",
  "attributes": {},
  "_id": "XXXXXXX",
  "uris": [
    "http://localhost:3000/events/*"
  ],
  "scopes": [
    { "name": "event:create" },
    { "name": "event:edit" },
    { "name": "event:show" },
    { "name": "event:destroy" }
  ]
}

{
  "name": "Meeting Resource",
  "type": "Meeting",
  "ownerManagedAccess": false,
  "displayName": "Meeting Resource",
  "attributes": {},
  "_id": "XXXXXXX",
  "uris": [
    "http://localhost:3000/meetings/*"
  ],
  "scopes": [
    { "name": "meeting:create" },
    { "name": "meeting:edit" },
    { "name": "meeting:show" },
    { "name": "meeting:destroy" }
  ]
}

I created one Rule-based policy in javascript that reads all the claims passed by our app in the API call and then decides if the user has access to a particular instance of the resource.
Doing this I managed to simplify the policy model substantially. On the other hand, we have to pass to the resource server all the context (around 15 claims) needed by the policy to know if the user can access a resource. I'm wondering if this is OK or I'm putting too much logic on the application side that should be in keycloak.

Furthermore, with this policy model, when I get the entitlements for a user, the token that we get does not contain a list of resources to which the user has access. This means we would need to query the resource server individually for any resource the user wants to access.

I'm quite new to keycloak and UMA. Before, all this logic was implemented in our application and I'm trying to figure out who should do what. Since we have a lot of rules, I have the feeling that the application should provide the context (claims) and keycloak should implement the rules to grant access to the resources based on that context. Am I seeing this right?

Thanks again for your help.

Alfonso.

Pedro Igor Silva wrote:
> Hi,
>
> Some comments inline ...
>
> On Wed, Apr 17, 2019 at 2:16 PM Alfonso Alba García wrote:
>
>> I've installed keycloak locally and now I'm trying to implement these
>> requirements. I've started with the ones I think are the easiest: The
>> organisation Owner and Administrator.
>> Following what's suggested in the
>> threads mentioned above, I implemented these resource roles as follows:
>>
>> * Create three scopes: organisation:edit, organisation:view,
>>   organisation:billing
>>
>> * Create a resource "Organisation 1" with scopes organisation:edit,
>>   organisation:view and organisation:billing
>>
>> * Create two client roles "Organisation 1 Owner" and "Organisation 1
>>   Administrator"
>>
>> * Create two policies: "Organisation 1 Owner Policy" and "Organisation 1
>>   Administrator Policy"
>>
>> * Create one scope-permission "Organisation 1 Managers Permissions" that
>>   allows users with roles "Organisation 1 Owner" or "Organisation 1
>>   Administrator" to get permission for the scopes organisation:edit and
>>   organisation:view
>>
>> * Create one scope-permission "Organisation 1 Owners Permissions" that
>>   allows users with roles "Organisation 1 Owner" to access the scope
>>   organisation:billing
>
> Your policy model is fine but I think you can make it simpler if you
> just use groups to represent organization membership.
>
> By using groups, you can have a single "Organization Resource",
> "Organization Managers Permissions" and "Organization Owner Permission".
> Your policies could benefit from claims pushed by your application [1]
> in order to make decisions based on whether or not the user is a member
> of an organization plus the RBAC.
>
> For instance, if you have in Keycloak a group "organization-foo" and
> your application provides a REST endpoint like "/api/organizations/foo",
> you could send the request URI to your policies, extract the "foo" part
> of it and check if the user is a member of organization-foo. I think the
> same logic could be applied to other resource types.
>
> You could check this example [2].
>
> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
> [2] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee
>
>> I created these for three organisations as well as several users.
>> I've been playing around with them using the Evaluate functionality of
>> the keycloak client and apparently everything is working fine. Now I'm
>> thinking about how I could implement the access to the packages I
>> mentioned above, the members, etc, but before I continue I have several
>> questions:
>>
>> * Since users can have different roles in different organisations, I'm
>>   creating only one realm. I guess that's ok since different realms do not
>>   share users.
>>
>> * For every organisation that we create in our application we will need
>>   to create all the policies, roles and permissions described above. Is
>>   this supposed to be like that or am I missing something?
>>
>> * If this is the way to do it, I was wondering if it's a good idea to
>>   create a Resource Server (i.e. a new client inside the realm) for each
>>   organisation. This way I can create a client organisation-1-client with
>>   all the resources, policies and permissions for "Organisation 1". I
>>   think that this will make deleting an organisation quite easy: after the
>>   user deletes the organisation, I just need to delete the client
>>   organisation-1-client. I don't know if this is a good idea or not; does it
>>   have any negative impact on performance? Will this make the application code
>>   more difficult? Or maybe this is not a good practice for some reason?
>
> I would recommend you to try other approaches like the one I suggested.
> I can think about another one using resource types.
>
> Considering your current design, I think the addition of a new
> organization is pretty much related to a provisioning logic backed by
> our REST APIs, so you can automatize this process. But I hope you can
> find an alternative ...
>
>> Thanks for your time. Regards,
>>
>> Alfonso
>>
>> -------
>> [1] http://lists.jboss.org/pipermail/keycloak-user/2016-August/007309.html
>> [2] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014347.html

From ghuey at southalabama.edu Mon Apr 22 17:14:00 2019
From: ghuey at southalabama.edu (ghuey at southalabama.edu)
Date: Mon, 22 Apr 2019 16:14:00 -0500
Subject: [keycloak-user] Tie admin console login to external LDAP user store
Message-ID: <014801d4f950$4e958a30$ebc09e90$@southalabama.edu>

I can't seem to find this information explicitly documented, although it seems there is a test case on GitHub, but I am not having any luck with it. I have successfully created a connection to our LDAP server under User Federation, but I am not clear on where you tell Keycloak that the admin console should authenticate against that defined LDAP instead of the internal user store it uses by default. It may not be that simple.

Again, I want to be clear, this is simply leveraging my LDAP to actually log into the Admin console of Keycloak, NOT using LDAP credentials for an IDP for SSO, which I will be working on eventually.

Thank you for everyone's time.

From sg at salih.xyz Tue Apr 23 05:31:09 2019
From: sg at salih.xyz (Salih Gedik)
Date: Tue, 23 Apr 2019 12:31:09 +0300
Subject: [keycloak-user] Non SSL backend servers through SSL loadbalancer
Message-ID: <47735991556011869@iva4-ba508a90b0c0.qloud-c.yandex.net>

Hello community,

We are running a Spring Boot app and the app itself is not running HTTPS; however our load balancers, where the requests are made, are SSL and pass the traffic insecurely to the backend. However, in this scenario I am unable to get the token verified after successful login. In the log I see that it says: Adapter requires SSL.
Request http://keycloakserver

The Keycloak server is supposed to be on an https URL, however it requests http as the app itself is http. How would you set up such a configuration? What am I missing?

Thank you
Salih

From draganj at gmail.com Tue Apr 23 07:46:47 2019
From: draganj at gmail.com (Dragan Jotanovic)
Date: Tue, 23 Apr 2019 12:46:47 +0100
Subject: [keycloak-user] Triggering reset password mail sending programmatically

Does anyone have an example of how to trigger reset password email sending programmatically? I'm trying to send the reset credentials mail from my custom user storage provider, initially when I import a user from the external database. I tried searching through documentation and examples but couldn't find anything.

Thanks,
Dragan

From psilva at redhat.com Tue Apr 23 15:03:26 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Tue, 23 Apr 2019 16:03:26 -0300
Subject: [keycloak-user] How to implement access to resources based on resource roles
In-Reply-To: <5CBDE68F.1080302@alfonsoalba.com>
References: <5CB75811.9030909@alfonsoalba.com> <5CBDE68F.1080302@alfonsoalba.com>

When doing context-based authorization you need to provide all the information you need in order to make the correct decisions. I would not say you are bringing logic to your app but the opposite, where you are just passing the facts that you need to be processed by your rules/policies. IMO, what you are doing is fine. Just keep in mind that you might eventually have some information/claim within the token already.

Regarding the entitlement request, I think you are not getting the permissions because now your policies are based on certain claims?

On Mon, Apr 22, 2019 at 1:06 PM Alfonso Alba García wrote:
> Hi,
>
> I've been able to simplify the policy model a lot by posting claims to
> the resource server.
> Since I'm using rails and there is no adapter and
> no policy enforcer implementation, I'm just making calls to the REST API
> and sending the claims with the context that I need.
>
> Instead of creating a resource for each new entity that the user creates,
> in our resource server we create just one resource for each resource
> type, for example:
>
> {
>   "name": "Event Resource",
>   "type": "Event",
>   "ownerManagedAccess": false,
>   "displayName": "Event Resource",
>   "attributes": {},
>   "_id": "XXXXXXX",
>   "uris": [
>     "http://localhost:3000/events/*"
>   ],
>   "scopes": [
>     { "name": "event:create" },
>     { "name": "event:edit" },
>     { "name": "event:show" },
>     { "name": "event:destroy" }
>   ]
> }
>
> {
>   "name": "Meeting Resource",
>   "type": "Meeting",
>   "ownerManagedAccess": false,
>   "displayName": "Meeting Resource",
>   "attributes": {},
>   "_id": "XXXXXXX",
>   "uris": [
>     "http://localhost:3000/meetings/*"
>   ],
>   "scopes": [
>     { "name": "meeting:create" },
>     { "name": "meeting:edit" },
>     { "name": "meeting:show" },
>     { "name": "meeting:destroy" }
>   ]
> }
>
> I created one Rule-based policy in javascript that reads all the claims
> passed by our app in the API call and then decides if the user has
> access to a particular instance of the resource.
>
> Doing this I managed to simplify the policy model substantially. On the
> other hand, we have to pass to the resource server all the context
> (around 15 claims) needed by the policy to know if the user can access a
> resource. I'm wondering if this is OK or I'm putting too much logic on the
> application side that should be in keycloak.
>
> Furthermore, with this policy model, when I get the entitlements for a
> user, the token that we get does not contain a list of resources to
> which the user has access. This means we would need to query the
> resource server individually for any resource the user wants to access.
>
> I'm quite new to keycloak and UMA.
> Before, all this logic was
> implemented in our application and I'm trying to figure out who should
> do what. Since we have a lot of rules, I have the feeling that the
> application should provide the context (claims) and keycloak should
> implement the rules to grant access to the resources based on that
> context. Am I seeing this right?
>
> Thanks again for your help.
>
> Alfonso.
>
> Pedro Igor Silva wrote:
>> Hi,
>>
>> Some comments inline ...
>>
>> On Wed, Apr 17, 2019 at 2:16 PM Alfonso Alba García wrote:
>>
>>> I've installed keycloak locally and now I'm trying to implement these
>>> requirements. I've started with the ones I think are the easiest: The
>>> organisation Owner and Administrator. Following what's suggested in the
>>> threads mentioned above, I implemented these resource roles as follows:
>>>
>>> * Create three scopes: organisation:edit, organisation:view,
>>>   organisation:billing
>>>
>>> * Create a resource "Organisation 1" with scopes organisation:edit,
>>>   organisation:view and organisation:billing
>>>
>>> * Create two client roles "Organisation 1 Owner" and "Organisation 1
>>>   Administrator"
>>>
>>> * Create two policies: "Organisation 1 Owner Policy" and "Organisation 1
>>>   Administrator Policy"
>>>
>>> * Create one scope-permission "Organisation 1 Managers Permissions" that
>>>   allows users with roles "Organisation 1 Owner" or "Organisation 1
>>>   Administrator" to get permission for the scopes organisation:edit and
>>>   organisation:view
>>>
>>> * Create one scope-permission "Organisation 1 Owners Permissions" that
>>>   allows users with roles "Organisation 1 Owner" to access the scope
>>>   organisation:billing
>>
>> Your policy model is fine but I think you can make it simpler if you
>> just use groups to represent organization membership.
>>
>> By using groups, you can have a single "Organization Resource",
>> "Organization Managers Permissions" and "Organization Owner Permission".
>> Your policies could benefit from claims pushed by your application [1]
>> in order to make decisions based on whether or not the user is a member
>> of an organization plus the RBAC.
>>
>> For instance, if you have in Keycloak a group "organization-foo" and
>> your application provides a REST endpoint like "/api/organizations/foo",
>> you could send the request URI to your policies, extract the "foo" part
>> of it and check if the user is a member of organization-foo. I think the
>> same logic could be applied to other resource types.
>>
>> You could check this example [2].
>>
>> [1] https://www.keycloak.org/docs/latest/authorization_services/index.html#_enforcer_claim_information_point
>> [2] https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-rest-employee
>>
>>> I created these for three organisations as well as several users.
>>> I've been playing around with them using the Evaluate functionality of
>>> the keycloak client and apparently everything is working fine. Now I'm
>>> thinking about how I could implement the access to the packages I
>>> mentioned above, the members, etc, but before I continue I have several
>>> questions:
>>>
>>> * Since users can have different roles in different organisations, I'm
>>>   creating only one realm. I guess that's ok since different realms do not
>>>   share users.
>>>
>>> * For every organisation that we create in our application we will need
>>>   to create all the policies, roles and permissions described above. Is
>>>   this supposed to be like that or am I missing something?
>>>
>>> * If this is the way to do it, I was wondering if it's a good idea to
>>>   create a Resource Server (i.e. a new client inside the realm) for each
>>>   organisation. This way I can create a client organisation-1-client with
>>>   all the resources, policies and permissions for "Organisation 1".
>>>   I
>>>   think that this will make deleting an organisation quite easy: after the
>>>   user deletes the organisation, I just need to delete the client
>>>   organisation-1-client. I don't know if this is a good idea or not; does it
>>>   have any negative impact on performance? Will this make the application code
>>>   more difficult? Or maybe this is not a good practice for some reason?
>>
>> I would recommend you to try other approaches like the one I suggested.
>> I can think about another one using resource types.
>>
>> Considering your current design, I think the addition of a new
>> organization is pretty much related to a provisioning logic backed by
>> our REST APIs, so you can automatize this process. But I hope you can
>> find an alternative ...
>>
>>> Thanks for your time. Regards,
>>>
>>> Alfonso
>>>
>>> -------
>>> [1] http://lists.jboss.org/pipermail/keycloak-user/2016-August/007309.html
>>> [2] http://lists.jboss.org/pipermail/keycloak-user/2018-June/014347.html

From valsarajpv at gmail.com Wed Apr 24 02:15:15 2019
From: valsarajpv at gmail.com (valsaraj pv)
Date: Wed, 24 Apr 2019 11:45:15 +0530
Subject: [keycloak-user] Secure logins from different devices

Hi,

We need to determine "typical" usage for a user and then flag sign-ins from lesser known locations. Is there any feature option in Keycloak, or can we expect one in future versions?

Also, is it possible to set a custom browser workflow for a client in KC? We are using version 3.4.

Thanks!
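The claim-driven policy discussed in the "How to implement access to resources based on resource roles" thread above (Alfonso's rule-based JavaScript policy, with Pedro's suggestion to push the request URI and check group membership), as an added example that is not code from the thread or from Keycloak. It assumes a pushed claim named request.uri, groups laid out as /organization-<slug>/owners and /organization-<slug>/managers, and that pushed claims are readable through $evaluation.getContext().getAttributes(); makeEvaluation is a constructed stand-in for Keycloak's evaluation runtime so the policy can be exercised offline.

```javascript
// Added example: a Keycloak JavaScript policy written in ES5 so it runs on the
// server's script engine as well as under Node. Inside Keycloak the script body
// would simply call decide($evaluation). Claim name and group layout are assumptions.

// Convert a Java Collection (Nashorn/GraalJS) or a plain JS array into a JS array.
function toArray(collection) {
  return (typeof Java !== 'undefined') ? Java.from(collection) : collection;
}

// Extract the organisation slug from a path such as /api/organizations/foo/events/1.
// Only a strict slug alphabet is accepted, so a crafted path cannot name a different group.
function orgFromUri(uri) {
  var m = /^\/api\/organizations\/([a-z0-9-]+)(?:\/|$)/.exec(uri || '');
  return m ? m[1] : null;
}

// The decision: membership of the organisation named in the pushed URI claim,
// plus scope-level RBAC (billing is reserved for owners). Returns true on grant.
function decide(evaluation) {
  var context = evaluation.getContext();
  var identity = context.getIdentity();
  var realm = evaluation.getRealm();

  // Pushed claims arrive as context attributes; a missing claim is a deny, not an error.
  var uriClaim = context.getAttributes().getValue('request.uri');
  if (uriClaim === null || uriClaim === undefined) { evaluation.deny(); return false; }

  var org = orgFromUri(uriClaim.asString(0));
  if (org === null) { evaluation.deny(); return false; }

  var base = '/organization-' + org;
  var isOwner = realm.isUserInGroup(identity.getId(), base + '/owners');
  var isManager = realm.isUserInGroup(identity.getId(), base + '/managers');
  if (!isOwner && !isManager) { evaluation.deny(); return false; }

  // Every requested scope must be allowed for this kind of member.
  var scopes = toArray(evaluation.getPermission().getScopes());
  for (var i = 0; i < scopes.length; i++) {
    if (scopes[i].getName() === 'organisation:billing' && !isOwner) {
      evaluation.deny();
      return false;
    }
  }
  evaluation.grant();
  return true;
}

// Constructed stand-in for the Keycloak evaluation runtime (not the real API object).
// opts: { uri, userId, groups: [group paths], scopes: [scope names] }
function makeEvaluation(opts) {
  var ev = { result: null };
  ev.getContext = function () {
    return {
      getIdentity: function () {
        return { getId: function () { return opts.userId; } };
      },
      getAttributes: function () {
        return {
          getValue: function (name) {
            if (name !== 'request.uri' || opts.uri === undefined) { return null; }
            return { asString: function () { return opts.uri; } };
          }
        };
      }
    };
  };
  ev.getRealm = function () {
    return {
      isUserInGroup: function (id, path) {
        return id === opts.userId && opts.groups.indexOf(path) !== -1;
      }
    };
  };
  ev.getPermission = function () {
    return {
      getScopes: function () {
        return opts.scopes.map(function (s) { return { getName: function () { return s; } }; });
      }
    };
  };
  ev.grant = function () { ev.result = 'grant'; };
  ev.deny = function () { ev.result = 'deny'; };
  return ev;
}
```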
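The role assignment Alfonso ends up with in the "Cannot update the user realmRoles using the Admin API" thread earlier on this page, as an added Node 18+ example that is not code from the thread or from Keycloak: password grant with admin-cli, role lookup by name, then a POST to the role-mappings/realm endpoint. Base URL, realm, user id and role name are placeholders, and the request builders are kept separate from the network calls so the request shapes can be checked offline.

```javascript
// Added example (not from the thread or from Keycloak): realm-role assignment
// through the Admin REST API. Placeholders: baseUrl such as
// 'https://mykeycloakserver/auth', realm, userId, roleName. Needs Node 18+ for fetch().

// Step 1: password grant on the master realm with the public admin-cli client,
// as in the thread's first curl call.
function tokenRequest(baseUrl, username, password) {
  var form = new URLSearchParams({
    client_id: 'admin-cli',
    grant_type: 'password',
    username: username,
    password: password
  });
  return {
    url: baseUrl + '/realms/master/protocol/openid-connect/token',
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: form.toString()
    }
  };
}

// Step 2: resolve the role by name. The mapping endpoint needs the role's id AND name,
// so the id does not have to be copied by hand into the request.
function roleLookupRequest(baseUrl, realm, roleName, accessToken) {
  return {
    url: baseUrl + '/admin/realms/' + encodeURIComponent(realm) +
         '/roles/' + encodeURIComponent(roleName),
    init: { method: 'GET', headers: { Authorization: 'Bearer ' + accessToken } }
  };
}

// Step 3: POST the mapping to .../users/{id}/role-mappings/realm. A PUT of
// "realmRoles" on the user representation is not applied, as the thread found.
function addRealmRoleRequest(baseUrl, realm, userId, role, accessToken) {
  return {
    url: baseUrl + '/admin/realms/' + encodeURIComponent(realm) +
         '/users/' + encodeURIComponent(userId) + '/role-mappings/realm',
    init: {
      method: 'POST',
      headers: {
        Authorization: 'Bearer ' + accessToken,
        'Content-Type': 'application/json'
      },
      // Only id and name are sent; other RoleRepresentation fields are not needed.
      body: JSON.stringify([{ id: role.id, name: role.name }])
    }
  };
}

// Send one request. The mapping call answers 204 with no body; the others return JSON.
async function send(req) {
  var res = await fetch(req.url, req.init);
  if (!res.ok) {
    throw new Error(req.init.method + ' ' + req.url + ' failed with HTTP ' + res.status);
  }
  return res.status === 204 ? null : res.json();
}

// Run the three steps; resolves to the id of the role that was mapped.
async function assignRealmRole(baseUrl, realm, userId, roleName, adminUser, adminPassword) {
  var token = (await send(tokenRequest(baseUrl, adminUser, adminPassword))).access_token;
  var role = await send(roleLookupRequest(baseUrl, realm, roleName, token));
  await send(addRealmRoleRequest(baseUrl, realm, userId, role, token));
  return role.id;
}

// Stand-alone use against a server, driven by environment variables so no
// credentials sit in the script: KC_BASE_URL, KC_REALM, KC_USER_ID, KC_ROLE,
// KC_ADMIN_USER, KC_ADMIN_PASSWORD. Without KC_BASE_URL nothing is sent.
if (typeof require !== 'undefined' && require.main === module && process.env.KC_BASE_URL) {
  var env = process.env;
  assignRealmRole(env.KC_BASE_URL, env.KC_REALM, env.KC_USER_ID, env.KC_ROLE,
                  env.KC_ADMIN_USER, env.KC_ADMIN_PASSWORD)
    .then(function (id) { console.log('mapped role ' + id); })
    .catch(function (err) { console.error(err.message); process.exit(1); });
}
```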
From uo67113 at gmail.com Wed Apr 24 03:11:48 2019
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 24 Apr 2019 09:11:48 +0200
Subject: [keycloak-user] Non SSL backend servers through SSL loadbalancer
In-Reply-To: <47735991556011869@iva4-ba508a90b0c0.qloud-c.yandex.net>
References: <47735991556011869@iva4-ba508a90b0c0.qloud-c.yandex.net>

Hello Salih,

I was suffering a similar issue using the saml2 java adapter in tomcat [1].

org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse
Request URI 'http://my.domain/ui/saml' does not match SAML request destination 'https://my.domain/ui/saml'

The back-end connector has no SSL/TLS configured, however I am "cheating" through the scheme [2] attribute of the connector:

If you are using the embedded tomcat in spring boot I guess that you can configure it [3]. Or perhaps it would be faster and simpler for a quick test just deploying the war in an apache tomcat and setting scheme="https".

Hope it helps,

Luis

[1] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-adapters-2
[2] https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
[3] https://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-web-servers.html

On Tue, 23 Apr 2019 at 11:39, Salih Gedik () wrote:
> Hello community,
>
> We are running a Spring Boot app and the app itself is not running HTTPS;
> however our load balancers, where the requests are made, are SSL and pass the traffic
> insecurely to the backend. However, in this scenario I am unable to get the token
> verified after successful login. In the log
> I see that it says: Adapter requires SSL. Request http://keycloakserver
>
> The Keycloak server is supposed to be on an https URL, however it requests http as
> the app itself is http. How would you set up such a configuration? What am I
> missing?
>
> Thank you
> Salih

--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett

From Lars.Wilhelmsen at thales.no Wed Apr 24 05:05:52 2019
From: Lars.Wilhelmsen at thales.no (Lars Wilhelmsen)
Date: Wed, 24 Apr 2019 09:05:52 +0000
Subject: [keycloak-user] Admin REST API: Create new User Federation Provider?

Hi,

Re. https://www.keycloak.org/docs-api/5.0/rest-api/index.html , I can't find a way to wire up a new User Federation Provider (LDAP/AD). Is it not supported, is it not documented, or have I just misread the documentation?

Regards,
Lars Wilhelmsen

From Lars.Wilhelmsen at thales.no Wed Apr 24 05:25:42 2019
From: Lars.Wilhelmsen at thales.no (Lars Wilhelmsen)
Date: Wed, 24 Apr 2019 09:25:42 +0000
Subject: [keycloak-user] Python client / adapter for keycloak
Message-ID: <3fa1876a6e994542b37664fe7033c969@Thales.no>

Hi,

Thanks for sharing, I will definitely check it out!

Regards,
Lars Wilhelmsen

-----Original Message-----
From: keycloak-user-bounces at lists.jboss.org On Behalf Of Akhil Lawrence
Sent: Wednesday 17 April 2019 18:42
To: keycloak-user at lists.jboss.org
Subject: [keycloak-user] Python client / adapter for keycloak

Hi Keycloak users,

I wanted to use keycloak in my python apps. I could not find a proper client/adapter for keycloak. So I decided to write one client for keycloak in Python. The beta version is ready https://github.com/puthiry-lab/keycloak-client Please do check this out and let me know the feedback.
I would like to work further on it and would love to make it part of the official keycloak repo

Thanks,
Akhil Lawrence
www.akhilputhiry.in

From liqiang at fit2cloud.com Wed Apr 24 05:40:22 2019
From: liqiang at fit2cloud.com (张立强)
Date: Wed, 24 Apr 2019 17:40:22 +0800
Subject: [keycloak-user] Keycloak Cluster Setup And Configuration

Hi there,

Due to the mail size and attachment limits, I post the details to a github repo.
https://github.com/zhangliqiang/keycloak-cluster-setup-and-configuration

FYI.

张立强
FIT2CLOUD

From sg at salih.xyz Wed Apr 24 06:38:38 2019
From: sg at salih.xyz (Salih Gedik)
Date: Wed, 24 Apr 2019 13:38:38 +0300
Subject: [keycloak-user] Non SSL backend servers through SSL loadbalancer
References: <47735991556011869@iva4-ba508a90b0c0.qloud-c.yandex.net>
Message-ID: <33795661556102318@iva8-582db1f60497.qloud-c.yandex.net>

Hello Luis,

Thank you for sharing your solution. I will try to apply this and see what happens!

Salih

--
24.04.2019, 10:15, "Luis Rodríguez Fernández":
> Hello Salih,
>
> I was suffering a similar issue using the saml2 java adapter in tomcat
> [1].
>
> org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.handleSamlResponse
> Request URI 'http://my.domain/ui/saml' does not match SAML request
> destination 'https://my.domain/ui/saml'
>
> The back-end connector has no SSL/TLS configured, however I am "cheating"
> through the scheme [2] attribute of the connector:
>
>                connectionTimeout="20000"
>                redirectPort="8402" />
>
> If you are using the embedded tomcat in spring boot I guess that you can
> configure it [3]. Or perhaps it would be faster and simpler for a quick
> test just deploying the war in an apache tomcat and setting scheme="https".
>
> Hope it helps,
>
> Luis
>
> [1] https://www.keycloak.org/docs/latest/securing_apps/index.html#java-adapters-2
> [2] https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
> [3] https://docs.spring.io/spring-boot/docs/current/reference/html/howto-embedded-web-servers.html
>
> On Tue, 23 Apr 2019 at 11:39, Salih Gedik () wrote:
>
>> Hello community,
>>
>> We are running a Spring Boot app and the app itself is not running HTTPS;
>> however our load balancers, where the requests are made, are SSL and pass the traffic
>> insecurely to the backend. However, in this scenario I am unable to get the token
>> verified after successful login. In the log
>> I see that it says: Adapter requires SSL. Request http://keycloakserver
>>
>> The Keycloak server is supposed to be on an https URL, however it requests http as
>> the app itself is http. How would you set up such a configuration? What am I
>> missing?
>>
>> Thank you
>> Salih
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett

From psilva at redhat.com Wed Apr 24 09:03:48 2019
From: psilva at redhat.com (Pedro Igor Silva)
Date: Wed, 24 Apr 2019 10:03:48 -0300
Subject: [keycloak-user] Keycloak Cluster Setup And Configuration

Hi,

I think this is a great writeup and you could probably send a PR with a blog to the website?

Regards.
Pedro Igor

On Wed, Apr 24, 2019 at 6:42 AM 张立强 wrote:
> Hi there,
>
> Due to the mail size and attachment limits, I post the details to a github
> repo.
> https://github.com/zhangliqiang/keycloak-cluster-setup-and-configuration
>
> FYI.
>
> 张立强
>
> FIT2CLOUD

From sblanc at redhat.com Wed Apr 24 09:14:14 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Wed, 24 Apr 2019 15:14:14 +0200
Subject: [keycloak-user] Keycloak Cluster Setup And Configuration

+1, that's funny, I was writing more or less the same answer as you when I saw your answer appearing ;)

A blog post is a good start, and we are still figuring out how we could regroup all this knowledge in an easily searchable way.

Thanks 张立强 for sharing this.

On Wed, Apr 24, 2019 at 3:05 PM Pedro Igor Silva wrote:
> Hi,
>
> I think this is a great writeup and you could probably send a PR with a
> blog to the website?
>
> Regards.
> Pedro Igor
>
> On Wed, Apr 24, 2019 at 6:42 AM 张立强 wrote:
>
>> Hi there,
>>
>> Due to the mail size and attachment limits, I post the details to a
>> github repo.
>> https://github.com/zhangliqiang/keycloak-cluster-setup-and-configuration
>>
>> FYI.
>>
>> 张立强
>>
>> FIT2CLOUD

From justinwilliams42 at gmail.com Wed Apr 24 11:43:59 2019
From: justinwilliams42 at gmail.com (Justin Williams)
Date: Wed, 24 Apr 2019 08:43:59 -0700
Subject: [keycloak-user] X509 Registration Flow

Hello,

I currently have Keycloak (5.0.0) configured to use X.509 client certificate authentication. However I have not been able to figure out a good way to handle the registration flow.
What I would like to happen is to have the `username` field on the registration form automatically populated with the certificate CN. Is there a way to handle this out of the box, or do I need to write a custom authentication SPI?

Thanks,
Justin W.

From j9dy1g at gmail.com Wed Apr 24 12:22:01 2019
From: j9dy1g at gmail.com (Jody H)
Date: Wed, 24 Apr 2019 18:22:01 +0200
Subject: [keycloak-user] Keycloak in HA mode on Kubernetes fails with "invalid_code" when requesting tokens
Message-ID:

Hi,

we have some trouble generating tokens with the authentication code flow in our Keycloak 5.0.0 cluster.

Some information about the cluster:
1) We have a cluster with 3 instances in Kubernetes, deployed by the Keycloak Helm Chart (https://github.com/helm/charts/tree/master/stable/keycloak)
2) I can see that some Infinispan stuff is going on in the logs when the cluster is starting up. I have checked that the shell script that is executed on startup contains the " -c standalone-ha.xml" switch. I can not find any mention of the string "standalone-ha.xml" in the log output though.
3) Our cluster is load-balanced with an HAProxy
4) The webservice we want to access is secured by Keycloak Gatekeeper (https://github.com/keycloak/keycloak-gatekeeper)

When using a browser to log in to keycloak-secured websites (i.e. websites that use the keycloak cluster to perform the OIDC authentication code flow and authenticate our users), we did not see problems so far. The keycloak gatekeeper "proxy" is redirecting to keycloak when no cookie is present for login, trading in the code for id, access and refresh tokens and passing the access_token to the reverse-proxied website after successful login.

To test our APIs we would like to use Postman.
However, when using Postman with its built-in OAuth 2.0 authentication, we see a problem that is reproducible on 4 laptops which are in the same LAN as the keycloak cluster. Postman can request access tokens by using the authentication code flow in its GUI.
In Postman's "Get New Access Token" window, we use these settings:
1. callback url: the same redirect_uri that is pointing to the Keycloak gatekeeper callback endpoint (/oauth/callback endpoint)
2. auth url: https://keycloak.domain/auth/realms/our-realm/protocol/openid-connect/auth
3. access token url: https://keycloak.domain/auth/realms/our-realm/protocol/openid-connect/token
4. client-id: client-id from Keycloak
5. client-secret: client-secret from Keycloak
6. scope: openid
7. Client Authentication: "Send as Basic Auth header"

When clicking the "Request Token" button in Postman, we receive the error "invalid_code" in roughly 9 out of 10 tries. Basically, if we spam the button, sometimes it works but most of the time it does not. For another laptop which is connected via VPN and thus has a higher latency, the requests work just fine.

I am thinking about the following:
Is it possible that the initial request is sent to keycloak-0, then returned to the client (postman) and then immediately sent back to the loadbalancer-url to trade in the code for tokens... and then hits another instance due to loadbalancing, for example keycloak-1, which has no information about the authentication process that was initiated on keycloak-0? The invalid_code error is returned after just 4 milliseconds, which is rather fast. Maybe the cluster is not properly synchronizing in time? Any idea on how to fix this?

Thanks
Jody

From liqiang at fit2cloud.com Wed Apr 24 12:35:21 2019
From: liqiang at fit2cloud.com (=?UTF-8?B?5byg56uL5by6?=)
Date: Thu, 25 Apr 2019 00:35:21 +0800
Subject: [keycloak-user] Keycloak Cluster Setup And Configuration
In-Reply-To:
References:
Message-ID:

Hi,

Good to know it's useful :)
I will send a PR to the blog.

On Wed, 24 Apr 2019 at 9:14, Sebastien Blanc wrote:
--
张立强
FIT2CLOUD
http://fit2cloud.com | Mobile +86-18701062478

From liqiang at fit2cloud.com Wed Apr 24 13:44:44 2019
From: liqiang at fit2cloud.com (=?UTF-8?B?5byg56uL5by6?=)
Date: Thu, 25 Apr 2019 01:44:44 +0800
Subject: [keycloak-user] Keycloak in HA mode on Kubernetes fails with "invalid_code" when requesting tokens
In-Reply-To:
References:
Message-ID:

Hi,

I met exactly the same issue before, but I didn't use kube_ping.
I suppose your pods aren't clustered well; to verify this you can check the logs, which will show you all the members in the cluster.

BTW this repo might give you some clue.
https://github.com/zhangliqiang/keycloak-cluster-setup-and-configuration

On Thu, 25 Apr 2019 at 1:07, Jody H wrote:
From liqiang at fit2cloud.com Thu Apr 25 00:52:56 2019
From: liqiang at fit2cloud.com (=?UTF-8?B?5byg56uL5by6?=)
Date: Thu, 25 Apr 2019 12:52:56 +0800
Subject: [keycloak-user] Keycloak Cluster Setup And Configuration
In-Reply-To:
References:
Message-ID:

Hi,

The PR has been sent, please review and approve if it's ok.
https://github.com/keycloak/keycloak-web/pull/58

张立强
FIT2CLOUD

On Thu, 25 Apr 2019 at 12:35, 张立强 wrote:

From sthorger at redhat.com Thu Apr 25 03:27:03 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 25 Apr 2019 09:27:03 +0200
Subject: [keycloak-user] Keycloak 6.0.1 released
Message-ID:

https://www.keycloak.org/2019/04/keycloak-601-released.html

From j9dy1g at gmail.com Thu Apr 25 05:58:15 2019
From: j9dy1g at gmail.com (Jody H)
Date: Thu, 25 Apr 2019 11:58:15 +0200
Subject: [keycloak-user] Keycloak in HA mode on Kubernetes fails with "invalid_code" when requesting tokens
In-Reply-To:
References:
Message-ID:

Hi,

the Helm chart has not yet switched to KUBE_PING, it is using DNS_PING with a headless service in Kubernetes.
A snippet from the statefulset.yaml:

  - name: JGROUPS_DISCOVERY_PROTOCOL
    value: "dns.DNS_PING"
  - name: JGROUPS_DISCOVERY_PROPERTIES
    value: "dns_query={{ template "keycloak.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"

In the logs, here of node keycloak-0, it looks like the nodes join the cluster successfully?

15:23:52,017 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
15:23:52,017 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
15:23:52,020 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
15:23:52,020 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
15:23:52,028 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
15:23:52,028 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
15:23:52,084 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
15:23:52,084 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
15:23:52,085 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
15:23:52,090 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000078: Starting JGroups channel ejb
15:23:52,091 INFO [org.infinispan.CLUSTER] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
15:23:52,092 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
15:23:52,118 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000078: Starting JGroups channel ejb
15:23:52,118 INFO [org.infinispan.CLUSTER] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel ejb: [iam-keycloak-2|8] (3) [iam-keycloak-2, iam-keycloak-1, iam-keycloak-0]
15:23:52,119 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel ejb local address is iam-keycloak-0, physical addresses are [10.xxx.x.149:7600]
15:23:52,277 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 57) WFLYCLINF0002: Started authorization cache from keycloak container
15:23:52,277 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 56) WFLYCLINF0002: Started realms cache from keycloak container
15:23:52,277 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 61) WFLYCLINF0002: Started users cache from keycloak container
15:23:52,277 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0002: Started keys cache from keycloak container
15:23:52,587 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0002: Started clientSessions cache from keycloak container
15:23:52,588 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 53) WFLYCLINF0002: Started offlineSessions cache from keycloak container
15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 52) WFLYCLINF0002: Started work cache from keycloak container
15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 58) WFLYCLINF0002: Started sessions cache from keycloak container
15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0002: Started authenticationSessions cache from keycloak container
15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 55) WFLYCLINF0002: Started actionTokens cache from keycloak container
15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0002: Started offlineClientSessions cache from keycloak container
15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 54) WFLYCLINF0002: Started loginFailures cache from keycloak container
15:23:52,593 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started client-mappings cache from ejb container
15:23:53,596 INFO [org.keycloak.services] (ServerService Thread Pool -- 64) KC-SERVICES0001: Loading config from standalone.xml or domain.xml
15:23:53,926 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started realmRevisions cache from keycloak container
15:23:53,930 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started userRevisions cache from keycloak container
15:23:53,934 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0002: Started authorizationRevisions cache from keycloak container

I can see that the Helm chart also sets these clustering values when in HA mode (https://github.com/helm/charts/blob/master/stable/keycloak/values.yaml#L148-L149 --> https://github.com/helm/charts/blob/master/stable/keycloak/scripts/ha.cli):
/subsystem=infinispan/cache-container=keycloak/distributed-cache=sessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=authenticationSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=clientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=offlineClientSessions:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
/subsystem=infinispan/cache-container=keycloak/distributed-cache=loginFailures:write-attribute(name=owners, value=${env.CACHE_OWNERS:2})
/subsystem=jgroups/channel=ee:write-attribute(name=stack, value=tcp)

Not sure about the default value of "2" for the CACHE_OWNERS part. The ENV variable CACHE_OWNERS is not set in the default values.yaml, so the value I'm currently using is 2 as well. Because I have a 3-instance cluster, wouldn't I be better off with a value of "3" in all of those configurations?

Any further ideas? How did you fix the issue in your configuration?

Thanks

On Wed, 24 Apr 2019 at 19:44, 张立强 wrote:

From ah.ping.luk at gmail.com Thu Apr 25 07:17:15 2019
From: ah.ping.luk at gmail.com (Paul Luk)
Date: Thu, 25 Apr 2019 19:17:15 +0800
Subject: [keycloak-user] Seek for information on Keycloak adoption
Message-ID:

Hi all,

I am doing research on the adoption of Keycloak.

Background - my company is a healthcare company (managing many hospitals and offering a 24x7x365 business) that runs hundreds of in-house developed systems, as well as acquiring some 3rd party products. Currently, for the in-house developed systems, they have their own authentication/authorization mechanism, mostly:
1. user credentials & attributes stored in DB
2.
   active directory for authentication and DB for user attributes

There is dedicated support for the maintenance and support of each system and, when downtime is required, support will liaise with users to arrange for downtime. There won't be a period in which all systems can be down for maintenance.

To reduce the repeated effort spent on authentication and authorization for each system, I am checking whether we can adopt Keycloak to help, especially on:
1. OpenID Connect 1.0 + JWT (to achieve single sign-on in the future)
2. OAuth 2.0 (password grant) + JWT (seems to be a good path for legacy app migration)
3. SAML2/Kerberos [mainly for backward compatibility / integration with other parties]

My concerns on Keycloak adoption are:
1. Is Keycloak flexible enough to extend to cater for different authentication requirements? We will definitely be requested to support custom or standard authentication (e.g. specialized login form, FIDO2, RSA hardware token, trusted device check...etc). Though there is a developer guide, I found there is not much information about:
   1. Keycloak internal architecture or login/system flow, which is useful for a developer to know more about how to extend Keycloak
   2. how to create a custom login form (the keycloak theme is not suitable for internal use, I want to write my own login form)
2. For high availability, in my company, the Keycloak service needs to be deployed to at least 2 or more datacenters; can you share your experience of Keycloak high availability (in terms of maintenance and setup, stability, performance...)?
3. After adoption of Keycloak, all systems will make use of it/depend on it. I am worried about the system update/patching, as we cannot have a period to shut down all Keycloak instances for upgrade/patching (which will impact ALL systems... vs currently, individual systems down for maintenance will have a smaller impact on hospital operations). Can you share your experience of system upgrade/patching? Do you have experience updating Keycloak without downtime?
4.
   For version upgrade consideration, where can I find the known security issues/vulnerabilities of each Keycloak version?
5. In keycloak, what is the recommended way to restrict who (users from active directory) can log in to which application? Use a separate realm for each application?

Thank you.

From gonzalofj at gmail.com Thu Apr 25 07:27:00 2019
From: gonzalofj at gmail.com (=?UTF-8?Q?Gonzalo_Ferreyra_Jofr=C3=A9?=)
Date: Thu, 25 Apr 2019 13:27:00 +0200
Subject: [keycloak-user] Docker compose change port
Message-ID:

Hi guys,

I've been using keycloak for a while now, but lately I've been trying to change the HTTP PORT to XXXX through my docker-compose without success. The server is always started on port 8080.
My docker-compose file looks something like this. Am I doing something wrong?

version: '3'
services:
  keycloak:
    image: jboss/keycloak:6.0.1
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      KEYCLOAK_HTTP_PORT: 8888
      KEYCLOAK_LOGLEVEL: DEBUG
    ports:
      - "8777:8888"

Thank you,
Gonzalo

From craig at baseventure.com Thu Apr 25 08:02:02 2019
From: craig at baseventure.com (Craig Setera)
Date: Thu, 25 Apr 2019 07:02:02 -0500
Subject: [keycloak-user] Any schema updates from 5.0.0 -> 6.0.1?
Message-ID:

Given the discussion of the CVE that was fixed in 6.0.1, I'm thinking we should probably jump to 6.0.1 from our current 5.0.0. Can anyone tell me if there were database-related changes between those releases? From a more general viewpoint, where are those types of migrations documented? (I checked the server install and server admin guides, but didn't see anything)

Thanks,
Craig

=================================
Craig Setera
Chief Technology Officer

From sblanc at redhat.com Thu Apr 25 08:11:41 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Thu, 25 Apr 2019 14:11:41 +0200
Subject: [keycloak-user] Any schema updates from 5.0.0 -> 6.0.1?
In-Reply-To:
References:
Message-ID:

Have you seen the migration documentation https://www.keycloak.org/docs/latest/upgrading/index.html ?
On Thu, Apr 25, 2019 at 2:06 PM Craig Setera wrote:

From craig at baseventure.com Thu Apr 25 08:13:29 2019
From: craig at baseventure.com (Craig Setera)
Date: Thu, 25 Apr 2019 07:13:29 -0500
Subject: [keycloak-user] Any schema updates from 5.0.0 -> 6.0.1?
In-Reply-To:
References:
Message-ID:

I completely missed that one. Thanks so much for the pointer.

On Thu, Apr 25, 2019 at 7:11 AM Sebastien Blanc wrote:

From craig at baseventure.com Thu Apr 25 09:00:12 2019
From: craig at baseventure.com (Craig Setera)
Date: Thu, 25 Apr 2019 08:00:12 -0500
Subject: [keycloak-user] Any schema updates from 5.0.0 -> 6.0.1?
In-Reply-To:
References:
Message-ID:

Looking at the code directly, it appears that the last Liquibase update was for 4.8.0, if I'm reading things correctly? If so, it would seem that, at least from the perspective of 5.0.0 -> 6.0.1, there should be no schema upgrades to be concerned about?

On Thu, Apr 25, 2019 at 7:13 AM Craig Setera wrote:

From ssancheti at mail.com Thu Apr 25 09:19:27 2019
From: ssancheti at mail.com (Sandeep Sancheti)
Date: Thu, 25 Apr 2019 15:19:27 +0200
Subject: [keycloak-user] OIDC to SAML Exchange
Message-ID:

From zingl.manfred at gmail.com Thu Apr 25 10:18:53 2019
From: zingl.manfred at gmail.com (Manfred Zingl)
Date: Thu, 25 Apr 2019 16:18:53 +0200
Subject: [keycloak-user] Keycloak generic authorization with patterns as role name
Message-ID:

Hi.

I'm right now playing around with keycloak in order to evaluate if it is suitable as an IAM and SSO solution at our company.

I learned that there are two main approaches to do authorization: programmatic vs externalized authorization
http://lists.jboss.org/pipermail/keycloak-user/2018-October/015996.html

Externalized authorization is not possible in our case because our API is not designed so fine-grained that we could grant/restrict access on resource level. Even if we change the API, the result for a GET request should be filtered by the roles defined in the access token transferred with the request. So I think we have to follow the programmatic approach.

Also, our application and its resources are very generic, so I'm searching for a solution where I can define permissions/roles very generically, like by a pattern, for example:

"fixProductGroup:*::edit" or "fixProductGroup:/1|2|3/::view" or even concatenated conditions "fixProductGroup:/5|8|13/::pricingColumn::edit"

This is not very beautiful; maybe it would be better to define such roles as JSON, in order to make parsing and checking on the resource server side easier.
Json content is currently (Keycloak 5.0.0) not possible as role names (internal server error) and I'm not sure if this is a very good idea at all. What do you think? Am I totally wrong here and in which direction should I investigate. Thank you very much, Mane From orivat at janua.fr Thu Apr 25 12:15:51 2019 From: orivat at janua.fr (Olivier Rivat) Date: Thu, 25 Apr 2019 18:15:51 +0200 Subject: [keycloak-user] docker quickstart example compilation is failing (keycloak 6.0.1) in photoz example Message-ID: <73797a4a-fe75-49dc-77b9-9fca300ed143@janua.fr> Hi, Keyclaok 6.01 docker quickstart compilation is failing with error java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration The instructions are taken from https://hub.docker.com/r/abstractj/keycloak-quickstarts?ref=login The endpoint http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration deos not exist. The (real) endpoint is http://localhost:8180/auth/realms/photoz/.well-known/uma2-configuration This has to be fixed in the docker? 
quickstart example Regards, Olivier Rivat -------------------------------------------------------------------------------------------------------------------- DEBUG] No element was found in the POM - Getting credentials from CLI entry [DEBUG] No element was found in the POM - Getting credentials from CLI entry [DEBUG] Executing deployment [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ [INFO] Total time: 3.474 s [INFO] Finished at: 2019-04-25T15:49:30+00:00 [INFO] Final Memory: 30M/366M [INFO] ------------------------------------------------------------------------ [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.2.0.Final:deploy (default-cli) on project photoz-uma-restful-api: Failed to execute goal deploy: {"WFLYCTL0062: Composite operatio n failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"photoz-uma-restful-api.war\".undertow-deployment" => "java.lang.Run timeException: Could not obtain configuration from server [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration]. [ERROR] Caused by: java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration]. [ERROR] Caused by: java.lang.RuntimeException: Error executing http method [org.apache.http.client.methods.RequestBuilder at 2c0b0edc]. Response : null [ERROR] Caused by: java.net.ConnectException: Connection refused (Connection refused)"}}}} [ERROR] -> [Help 1] org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.2.0.Final:deploy (default-cli) on project photoz-uma-restful-api: Failed to execut e goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. 
Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"photoz-uma-restful- api.war\".undertow-deployment" => "java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration]. ??? Caused by: java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration]. ??? Caused by: java.lang.RuntimeException: Error executing http method [org.apache.http.client.methods.RequestBuilder at 2c0b0edc]. Response : null ??? Caused by: java.net.ConnectException: Connection refused (Connection refused)"}}}} ??? at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212) ??? at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153) ??? at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145) ??? at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116) ??? at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80) ??? at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51) ------------------------------------------------------------------------------------------------------------------ From abhi.raghav007 at gmail.com Thu Apr 25 12:23:55 2019 From: abhi.raghav007 at gmail.com (abhishek raghav) Date: Thu, 25 Apr 2019 21:53:55 +0530 Subject: [keycloak-user] HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3 Message-ID: Hi After the migration of keycloak HA configurations from 3.4.3.Final to 4.8.3.Final, I am seeing some WARNINGS on one of the nodes of keycloak immediately after the keycloak is started with 2 nodes. 
This occurs every time the cluster is scaled up or whenever infinispan is trying to update the cluster member list. I am using JDBC_PING to achieve clustering in keycloak. Below is the stacktrace -

2019-04-24 12:20:43,687 WARN  [org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 1 from dcidqdcosagent02
    at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
    Suppressed: org.infinispan.util.logging.TraceException
        at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
        at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
        at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)

Now after I searched, I really did not see anyone report such an error on keycloak, but there is a similar bug reported in WildFly 14 and it is categorized as a blocker in WildFly 14. This bug is already fixed in WildFly 15.
https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list

Now since keycloak 4.8 is also based on WildFly 14, these WARNINGS could be because of this blocker in WildFly 14.

What should I do to get rid of this error? Is this really a problem in keycloak 4.8.3.Final? Did anyone notice any such issue while running keycloak 4.8.3 in HA mode? Is there a workaround to fix this?

One more thing we noticed is regarding a property in the JDBC_PING protocol we are using in our 3.4.3 setup, i.e. "clear_table_on_view_change", but it is no longer supported in the 4.8 version, and thus the JGROUPSPING table is filled up with a lot of stale entries. Is there a workaround to clear the table after a view change in 4.8 also?

Thanks
Abhishek

From kmizuki88 at yahoo.com Thu Apr 25 14:32:12 2019
From: kmizuki88 at yahoo.com (Mizuki Karasawa)
Date: Thu, 25 Apr 2019 18:32:12 +0000 (UTC)
Subject: [keycloak-user] trouble importing user from ldap when using broker feature
References: <1386883559.488283.1556217132698.ref@mail.yahoo.com>
Message-ID: <1386883559.488283.1556217132698@mail.yahoo.com>

Hi,

I configured LDAP for user federation with Kerberos integrated, then I added external identity providers via the broker feature. If a user was previously imported to the local Keycloak db, the account linking process will work successfully while users login via external providers. However, if the user was not imported to the local keycloak db yet, following the 'First Broker Login' auth flow, once users logged in via the external provider and updated their profile, during the 'Create User if Unique' stage (importing users), if the email address of the user is associated with multiple accounts in LDAP, the importing will fail. As the symptom, the browser throws the error 'We're sorry... Unexpected error when handling authentication request to identity provider.'
I'm attaching the debugging log as a reference at the bottom of this email as well. But in reality it's pretty common to have multiple accounts associated with the same email address (at least in our case); for example, some accounts there are for running programs/services but associated with a particular person's email for convenience. I wonder if there is a work-around or some way to configure and avoid this issue. Does someone have the same experience and have advice on that?

Ex. debugging log is attached (with the error portion highlighted)

2019-04-24 15:45:04,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
2019-04-24 15:45:04,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
2019-04-24 15:45:04,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
2019-04-24 15:45:04,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
2019-04-24 15:45:04,220 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$776/1511347521
2019-04-24 15:45:09,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
2019-04-24 15:45:09,221 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
2019-04-24 15:45:09,221 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper commit
2019-04-24 15:45:09,221 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
2019-04-24 15:45:09,221 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$776/1511347521
2019-04-24 15:45:12,488 DEBUG [io.undertow.request] (default I/O-7) Matched prefix path /auth for path /auth/realms/SDCC2/login-actions/first-broker-login
2019-04-24 15:45:12,488 DEBUG [io.undertow.request.security] (default task-260) Attempting to authenticate /auth/realms/SDCC2/login-actions/first-broker-login, authentication required: false
2019-04-24 15:45:12,488 DEBUG [io.undertow.request.security] (default task-260) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@6854b209 for /auth/realms/SDCC2/login-actions/first-broker-login
2019-04-24 15:45:12,488 DEBUG [io.undertow.request.security] (default task-260) Authentication result was ATTEMPTED for /auth/realms/SDCC2/login-actions/first-broker-login
2019-04-24 15:45:12,488 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-260) new JtaTransactionWrapper
2019-04-24 15:45:12,488 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-260) was existing? false
2019-04-24 15:45:12,489 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-260) RESTEASY002315: PathInfo: /realms/SDCC2/login-actions/first-broker-login
2019-04-24 15:45:12,489 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-260) Will use client 'test2-oidc' in back-to-application link
2019-04-24 15:45:12,489 DEBUG [org.keycloak.services.util.CookieHelper] (default task-260) {1} cookie found in the requests header
2019-04-24 15:45:12,489 DEBUG [org.keycloak.services.util.CookieHelper] (default task-260) {1} cookie found in the cookies field
2019-04-24 15:45:12,489 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-260) Found AUTH_SESSION_ID cookie with value a1069878-5c31-41d6-9d29-9cfa61e6b806.mktst1
2019-04-24 15:45:12,490 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-260) authenticationAction
2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) processAction: e3d20da0-9a2a-49ba-aeaf-c7503a648d67
2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) check: idp-review-profile requirement: REQUIRED
2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) action: idp-review-profile
2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.authenticators.broker.IdpReviewProfileAuthenticator] (default task-260) Profile updated successfully after first authentication with identity provider 'CILogon' for broker user 'http://cilogon.org/serverA/users/2706181'.
2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) authenticator SUCCESS: idp-review-profile
2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) processFlow
2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) check execution: idp-create-user-if-unique requirement: ALTERNATIVE
2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) authenticator: idp-create-user-if-unique
2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) invoke authenticator.authenticate: idp-create-user-if-unique
2019-04-24 15:45:12,492 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-260) Hibernate RegisteredSynchronization successfully registered with JTA platform
2019-04-24 15:45:12,492 DEBUG [org.hibernate.SQL] (default task-260)
    select
        userentity0_.ID as ID1_75_,
        userentity0_.CREATED_TIMESTAMP as CREATED_2_75_,
        userentity0_.EMAIL as EMAIL3_75_,
        userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_75_,
        userentity0_.EMAIL_VERIFIED as EMAIL_VE5_75_,
        userentity0_.ENABLED as ENABLED6_75_,
        userentity0_.FEDERATION_LINK as FEDERATI7_75_,
        userentity0_.FIRST_NAME as FIRST_NA8_75_,
        userentity0_.LAST_NAME as LAST_NAM9_75_,
        userentity0_.NOT_BEFORE as NOT_BEF10_75_,
        userentity0_.REALM_ID as REALM_I11_75_,
        userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_75_,
        userentity0_.USERNAME as USERNAM13_75_
    from
        USER_ENTITY userentity0_
    where
        userentity0_.EMAIL=?
        and userentity0_.REALM_ID=?
2019-04-24 15:45:12,492 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-260) KeycloakDS: getConnection(null, WrappedConnectionRequestInfo@1f75e0ca[userName=sa]) [0/20]
2019-04-24 15:45:12,492 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-260) Initiating JDBC connection release from afterStatement
2019-04-24 15:45:12,503 WARN  [org.keycloak.services] (default task-260) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelDuplicateException: Error - multiple LDAP objects found but expected just one
    at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:189)
    at org.keycloak.storage.ldap.LDAPStorageProvider.queryByEmail(LDAPStorageProvider.java:540)
    at org.keycloak.storage.ldap.LDAPStorageProvider.getUserByEmail(LDAPStorageProvider.java:546)
    at org.keycloak.storage.UserStorageManager.getUserByEmail(UserStorageManager.java:408)
    at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByEmail(UserCacheSession.java:380)
    at org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator.checkExistingUser(IdpCreateUserIfUniqueAuthenticator.java:123)
    at org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator.authenticateImpl(IdpCreateUserIfUniqueAuthenticator.java:69)
    at org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:74)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221)
    at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:117)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
    at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
    at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:779)
    at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginPost(LoginActionsService.java:702)
    at sun.reflect.GeneratedMethodAccessor1032.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
2019-04-24 15:45:12,504 WARN  [org.keycloak.events] (default task-260) type=UPDATE_PROFILE_ERROR, realmId=SDCC2, clientId=test2-oidc, userId=null, ipAddress=443, error=invalid_user_credentials, identity_provider=CILogon, auth_method=openid-connect, updated_email=mizuki at yahoo.com, redirect_uri=https://test2.racf.bnl.gov/*, identity_provider_identity=http://cilogon.org/serverA/users/2706181, code_id=be-xYIYKAlCQjhk3D28GVOorE8krIRO-XhMM79zYQOI
2019-04-24 15:45:12,505 DEBUG [freemarker.cache] (default task-260) Couldn't find template in cache for "error.ftl"("en_US", UTF-8, parsed); will try to load it.

Thanks!
Mizuki Karasawa

From bruno at abstractj.org Thu Apr 25 15:32:52 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Thu, 25 Apr 2019 16:32:52 -0300
Subject: [keycloak-user] [keycloak-dev] docker quickstart example compilation is failing (keycloak 6.0.1) in photoz example
In-Reply-To: <73797a4a-fe75-49dc-77b9-9fca300ed143@janua.fr>
References: <73797a4a-fe75-49dc-77b9-9fca300ed143@janua.fr>
Message-ID: <20190425193252.GB753@abstractj.org>

Hi Olivier, as far as I can tell, at the moment there's no official Keycloak Docker quickstart example. The link you provided came from my repository and honestly, that's very dated, from 6 months ago.

If you're looking for the most recent version of the quickstarts, please take a look here https://github.com/keycloak/keycloak-quickstarts.

On 2019-04-25, Olivier Rivat wrote:
> Hi,
>
> Keycloak 6.0.1 docker quickstart compilation is failing with error
> java.lang.RuntimeException: Could not obtain configuration from server
> [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration
>
> The instructions are taken from
> https://hub.docker.com/r/abstractj/keycloak-quickstarts?ref=login
>
> The endpoint
> http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration
> does not exist.
> The (real) endpoint is
> http://localhost:8180/auth/realms/photoz/.well-known/uma2-configuration
>
> This has to be fixed in the docker quickstart example.
>
> Regards,
>
> Olivier Rivat
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

--
abstractj

From Kevin.Fox at pnnl.gov Thu Apr 25 20:29:17 2019
From: Kevin.Fox at pnnl.gov (Fox, Kevin M)
Date: Fri, 26 Apr 2019 00:29:17 +0000
Subject: [keycloak-user] keycloak-client-controller (k8s integration)
Message-ID: <1A3C52DFCD06494D8528644858247BF01C30CBBF@EX10MBOX03.pnnl.gov>

I just bumped into this project:
https://github.com/kiwigrid/keycloak-client-controller

As Kubernetes and Keycloak are being used more frequently together, I thought it might be good to bring it to your attention if you hadn't already seen it. It looks like it could be quite useful for automating some deployments.

Thanks,
Kevin

From aechols at bfcsaz.com Thu Apr 25 20:45:12 2019
From: aechols at bfcsaz.com (Aaron Echols)
Date: Thu, 25 Apr 2019 17:45:12 -0700
Subject: [keycloak-user] Meraki SP
In-Reply-To:
References:
Message-ID:

Hi,

I just wanted to see if anyone had any other ideas about this. Thanks! :)
--
Aaron Echols

On Sun, Apr 21, 2019 at 8:26 PM Aaron Echols wrote:

> Hello All,
>
> I'm working on adding Meraki as an SP to Keycloak 5.0.0. It requires that
> Keycloak be setup for idP initiated SSO, which I've configured. I have
> everything working great, but I'm running into an issue where Keycloak will
> not passthrough a SAML attribute using mappers.
>
> Per the docs here:
> https://documentation.meraki.com/zGeneral_Administration/Managing_Dashboard_Access/Configuring_SAML_Single_Sign-on_for_Dashboard
>
> I need to pass a role attribute through that matches what I've setup as
> the SAML Administrator Roles in Meraki.
I've done that and have a role > setup as IT, Management, etc. > > In Active Directory the 'department' attribute is set to the role that is > needed. I've created the federated mapper 'dept' that is mapped to > 'department' in AD. Users in Keycloak have that attribute populated > successfully with the correct data. > > In the client for Meraki, I've created a mapper name ' > https://dashboard.meraki.com/saml/attributes/role' and set the it as a > 'user property' with a property of 'dept' and a general friendly name and > then set the 'SAML Attribute Name' to role. > > Looking at the SAML login, this never is passed through at all. The only > way I can get it to pass a role value of 'IT' is by creating a 'Hardcoded > Attribute' with a 'Attribute Value' of 'IT' with a mapper name of ' > https://dashboard.meraki.com/saml/attributes/role', it will then login > successfully to Meraki. There are other groups that will be logging into > Meraki, otherwise I'd just leave it hardcoded. I get below in the SAML > transaction when hardcoding the attribute: > > FriendlyName="Department" > Name="role" > > NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> > xmlns:xs="http://www.w3.org/2001/XMLSchema" > xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" > xsi:type="xs:string">IT > > > I've never had this issue of passing other attributes through before, can > anyone let me know if I'm going about this wrong and if so, what am I > missing? Thanks :) > -- > Aaron Echols > From mposolda at redhat.com Fri Apr 26 03:58:19 2019 From: mposolda at redhat.com (Marek Posolda) Date: Fri, 26 Apr 2019 09:58:19 +0200 Subject: [keycloak-user] X509 Registration Flow In-Reply-To: References: Message-ID: <62f0dedf-125c-03c0-ee45-8ae9b9bcae49@redhat.com> On 24/04/2019 17:43, Justin Williams wrote: > Hello, > > I currently have Keycloak (5.0.0) configured to use X.509 client > certificate authentication. 
> However I have not been able to figure out a
> good way to handle the registration flow. What I would like to happen is
> have the `username` field on the registration form automatically populated
> with the certificate CN. Is there a way to handle this out of the box, or
> do I need to write a custom authentication SPI?

I think you need to write a custom Authentication SPI. See the documentation for the Registration SPI - maybe we have some examples or quickstarts for this, but not 100% sure.

Marek

>
> Thanks,
> Justin W.
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

From mposolda at redhat.com Fri Apr 26 04:08:54 2019
From: mposolda at redhat.com (Marek Posolda)
Date: Fri, 26 Apr 2019 10:08:54 +0200
Subject: [keycloak-user] trouble importing user from ldap when using broker feature
In-Reply-To: <1386883559.488283.1556217132698@mail.yahoo.com>
References: <1386883559.488283.1556217132698.ref@mail.yahoo.com> <1386883559.488283.1556217132698@mail.yahoo.com>
Message-ID: <5f6f8ffe-0c2f-3b74-20c7-ac10c1135ec9@redhat.com>

In that case, I think you may need to switch the realm option "Duplicate emails allowed", which is disabled by default. In that case, duplicate emails are not checked and it is also not possible to log in with email (as KC won't know which user it should use in case there are multiple users with the same email).
Marek

On 25/04/2019 20:32, Mizuki Karasawa wrote:
> Hi,
> I configured LDAP for user federation with Kerberos integrated, then I added external identity Providers via the broker feature. If a user was previously imported to the local Keycloak db, the account linking process will work successfully while users log in via external providers. However, if the user was not imported to the local Keycloak db yet, following the 'First Broker Login' auth flow, once users logged in via an external provider and updated their profile, during the 'Create User if Unique' stage (importing users), if the email address of the user is associated with multiple accounts in LDAP, the importing will fail.
> As the symptom, the browser throws the error 'We're sorry... Unexpected error when handling authentication request to identity provider.'
> I'm attaching the debugging log as a reference at the bottom of this email as well. But in reality it's pretty common to have multiple accounts associated with the same email address (at least in our case); for example, some accounts there are for running programs/services but associated with a particular person's email for convenience. I wonder if there is a work-around or some way to configure and avoid this issue. Does someone have the same experience and have advice on that?
>
> Ex, debugging log is attached (with the error portion highlighted)
>
> 2019-04-24 15:45:04,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
> 2019-04-24 15:45:04,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
> 2019-04-24 15:45:04,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
> 2019-04-24 15:45:04,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
> 2019-04-24 15:45:04,220 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$776/1511347521
> 2019-04-24 15:45:09,220 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) new JtaTransactionWrapper
> 2019-04-24 15:45:09,221 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) was existing? false
> 2019-04-24 15:45:09,221 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper  commit
> 2019-04-24 15:45:09,221 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (Timer-2) JtaTransactionWrapper end
> 2019-04-24 15:45:09,221 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$776/1511347521
> 2019-04-24 15:45:12,488 DEBUG [io.undertow.request] (default I/O-7) Matched prefix path /auth for path /auth/realms/SDCC2/login-actions/first-broker-login
> 2019-04-24 15:45:12,488 DEBUG [io.undertow.request.security] (default task-260) Attempting to authenticate /auth/realms/SDCC2/login-actions/first-broker-login, authentication required: false
> 2019-04-24 15:45:12,488 DEBUG [io.undertow.request.security] (default task-260) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@6854b209 for /auth/realms/SDCC2/login-actions/first-broker-login
> 2019-04-24 15:45:12,488 DEBUG [io.undertow.request.security] (default task-260) Authentication result was ATTEMPTED for /auth/realms/SDCC2/login-actions/first-broker-login
> 2019-04-24 15:45:12,488 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-260) new JtaTransactionWrapper
> 2019-04-24 15:45:12,488 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-260) was existing? false
> 2019-04-24 15:45:12,489 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-260) RESTEASY002315: PathInfo: /realms/SDCC2/login-actions/first-broker-login
> 2019-04-24 15:45:12,489 DEBUG [org.keycloak.services.resources.SessionCodeChecks] (default task-260) Will use client 'test2-oidc' in back-to-application link
> 2019-04-24 15:45:12,489 DEBUG [org.keycloak.services.util.CookieHelper] (default task-260) {1} cookie found in the requests header
> 2019-04-24 15:45:12,489 DEBUG [org.keycloak.services.util.CookieHelper] (default task-260) {1} cookie found in the cookies field
> 2019-04-24 15:45:12,489 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-260) Found AUTH_SESSION_ID cookie with value a1069878-5c31-41d6-9d29-9cfa61e6b806.mktst1
> 2019-04-24 15:45:12,490 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-260) authenticationAction
> 2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) processAction: e3d20da0-9a2a-49ba-aeaf-c7503a648d67
> 2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) check: idp-review-profile requirement: REQUIRED
> 2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) action: idp-review-profile
> 2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.authenticators.broker.IdpReviewProfileAuthenticator] (default task-260) Profile updated successfully after first authentication with identity provider 'CILogon' for broker user 'http://cilogon.org/serverA/users/2706181'.
> 2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) authenticator SUCCESS: idp-review-profile
> 2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) processFlow
> 2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) check execution: idp-create-user-if-unique requirement: ALTERNATIVE
> 2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) authenticator: idp-create-user-if-unique
> 2019-04-24 15:45:12,491 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-260) invoke authenticator.authenticate: idp-create-user-if-unique
> 2019-04-24 15:45:12,492 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-260) Hibernate RegisteredSynchronization successfully registered with JTA platform
> 2019-04-24 15:45:12,492 DEBUG [org.hibernate.SQL] (default task-260)
>     select
>         userentity0_.ID as ID1_75_,
>         userentity0_.CREATED_TIMESTAMP as CREATED_2_75_,
>         userentity0_.EMAIL as EMAIL3_75_,
>         userentity0_.EMAIL_CONSTRAINT as EMAIL_CO4_75_,
>         userentity0_.EMAIL_VERIFIED as EMAIL_VE5_75_,
>         userentity0_.ENABLED as ENABLED6_75_,
>         userentity0_.FEDERATION_LINK as FEDERATI7_75_,
>         userentity0_.FIRST_NAME as FIRST_NA8_75_,
>         userentity0_.LAST_NAME as LAST_NAM9_75_,
>         userentity0_.NOT_BEFORE as NOT_BEF10_75_,
>         userentity0_.REALM_ID as REALM_I11_75_,
>         userentity0_.SERVICE_ACCOUNT_CLIENT_LINK as SERVICE12_75_,
>         userentity0_.USERNAME as USERNAM13_75_
>     from
>         USER_ENTITY userentity0_
>     where
>         userentity0_.EMAIL=?
>         and userentity0_.REALM_ID=?
> 2019-04-24 15:45:12,492 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-260) KeycloakDS: getConnection(null, WrappedConnectionRequestInfo@1f75e0ca[userName=sa]) [0/20]
> 2019-04-24 15:45:12,492 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-260) Initiating JDBC connection release from afterStatement
> 2019-04-24 15:45:12,503 WARN  [org.keycloak.services] (default task-260) KC-SERVICES0013: Failed authentication: org.keycloak.models.ModelDuplicateException: Error - multiple LDAP objects found but expected just one
>     at org.keycloak.storage.ldap.idm.query.internal.LDAPQuery.getFirstResult(LDAPQuery.java:189)
>     at org.keycloak.storage.ldap.LDAPStorageProvider.queryByEmail(LDAPStorageProvider.java:540)
>     at org.keycloak.storage.ldap.LDAPStorageProvider.getUserByEmail(LDAPStorageProvider.java:546)
>     at org.keycloak.storage.UserStorageManager.getUserByEmail(UserStorageManager.java:408)
>     at org.keycloak.models.cache.infinispan.UserCacheSession.getUserByEmail(UserCacheSession.java:380)
>     at org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator.checkExistingUser(IdpCreateUserIfUniqueAuthenticator.java:123)
>     at org.keycloak.authentication.authenticators.broker.IdpCreateUserIfUniqueAuthenticator.authenticateImpl(IdpCreateUserIfUniqueAuthenticator.java:69)
>     at org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:74)
>     at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:221)
>     at org.keycloak.authentication.DefaultAuthenticationFlow.processAction(DefaultAuthenticationFlow.java:117)
>     at org.keycloak.authentication.AuthenticationProcessor.authenticationAction(AuthenticationProcessor.java:873)
>     at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:292)
>     at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:779)
>     at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginPost(LoginActionsService.java:702)
>     at sun.reflect.GeneratedMethodAccessor1032.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:509)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:399)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:363)
>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:365)
>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:337)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
>     at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
>     at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
>     at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
>     at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
>     at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
>     at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
>     at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
>     at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
>     at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
>     at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>     at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360)
>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
>     at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
>     at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
>     at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
>     at java.lang.Thread.run(Thread.java:748)
>
> 2019-04-24 15:45:12,504 WARN  [org.keycloak.events] (default task-260) type=UPDATE_PROFILE_ERROR, realmId=SDCC2, clientId=test2-oidc, userId=null, ipAddress=443, error=invalid_user_credentials, identity_provider=CILogon, auth_method=openid-connect, updated_email=mizuki at yahoo.com, redirect_uri=https://test2.racf.bnl.gov/*, identity_provider_identity=http://cilogon.org/serverA/users/2706181, code_id=be-xYIYKAlCQjhk3D28GVOorE8krIRO-XhMM79zYQOI
> 2019-04-24 15:45:12,505 DEBUG [freemarker.cache] (default task-260) Couldn't find template in cache for "error.ftl"("en_US", UTF-8, parsed); will try to load it.
>
> Thanks!
> Mizuki Karasawa

From Matthias.RIEDL at frequentis.com Fri Apr 26 04:36:31 2019
From: Matthias.RIEDL at frequentis.com (RIEDL Matthias)
Date: Fri, 26 Apr 2019 08:36:31 +0000
Subject: [keycloak-user] Keycloak for RH-SSO 7.4
Message-ID: <5997413f519b498bb2b42f54fac63b7b@frequentis.com>

Given the information about RH-SSO versions and their Keycloak derivations at https://www.keycloak.org/support.html, I would like to know if there's an indication on what version RH-SSO 7.4.0.GA is (most probably) going to be based on?

Thanks,
Matthias Riedl

From slaskawi at redhat.com Fri Apr 26 05:21:07 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Fri, 26 Apr 2019 11:21:07 +0200
Subject: [keycloak-user] X509 Registration Flow
In-Reply-To: <62f0dedf-125c-03c0-ee45-8ae9b9bcae49@redhat.com>
References: <62f0dedf-125c-03c0-ee45-8ae9b9bcae49@redhat.com>
Message-ID:

As far as I remember the X509 registration flow is not implemented. You may search the mailing list for my previous responses on similar topics. I believe someone from the community volunteered to contribute it (but I might be wrong here).

On Fri, Apr 26, 2019 at 10:00 AM Marek Posolda wrote:
> On 24/04/2019 17:43, Justin Williams wrote:
> > Hello,
> >
> > I currently have Keycloak (5.0.0) configured to use X.509 client
> > certificate authentication. However I have not been able to figure out a
> > good way to handle the registration flow. What I would like to happen is
> > have the `username` field on the registration form automatically populated
> > with the certificate CN.
> > Is there a way to handle this out of the box, or
> > do I need to write a custom authentication SPI?
>
> I think you need to write a custom Authentication SPI. See the documentation
> for the Registration SPI - maybe we have some examples or quickstarts
> for this, but not 100% sure.
>
> Marek
>
> >
> > Thanks,
> > Justin W.
>

From eduard.matuszak at worldline.com Fri Apr 26 05:34:03 2019
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Fri, 26 Apr 2019 09:34:03 +0000
Subject: [keycloak-user] Brokering-sample with google-authentication does not work with Keycloak6/Wildfly16
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D73DD268BC@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Hello

I tried to check the keycloak/examples/broker/google-authentication-sample with Keycloak 6.0.0 and Wildfly 16.0.0. Unfortunately org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider is not able to connect to all Google endpoints and fails with a timeout. With my "old" system (Keycloak 2.5.5 and Wildfly 10.0.1) on the same machine the corresponding example succeeded. Proxy settings via -DhttpProxy Java runtime parameters had been done, so this may not be the problem.

Interesting(?): I observed that the connection to https://accounts.google.com/o/oauth2/v2/auth done in the same(!) class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider just before, in the performLogin method, in contrast did(!) succeed (Google complains when pushing the "g" login button when the required redirect setting is not done).

Do you have any idea or fix to overcome this error?
Best regards, Eduard Matuszak PS: This is the stack-trace of the timeout-exception when AbstractOAuth2IdentityProvider tried to connect to oauth2.googleapis.com: 10:35:49,298 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-53) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to oauth2.googleapis.com:443 [oauth2.googleapis.com/172.217.16.138, oauth2.googleapis.com/172.217.18.106, oauth2.googleapis.com/172.217.22.74, oauth2.googleapis.com/172.217.22.10, oauth2.googleapis.com/216.58.205.234, oauth2.googleapis.com/172.217.21.202, oauth2.googleapis.com/216.58.208.42, oauth2.googleapis.com/172.217.16.170, oauth2.googleapis.com/216.58.206.10, oauth2.googleapis.com/172.217.23.170, oauth2.googleapis.com/172.217.16.202, oauth2.googleapis.com/172.217.18.170, oauth2.googleapis.com/172.217.18.10, oauth2.googleapis.com/172.217.22.106, oauth2.googleapis.com/216.58.210.10] failed: Connection timed out: connect at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:159) at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56) at 
org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:199) at org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:163) at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:155) at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:418) at sun.reflect.GeneratedMethodAccessor715.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:497) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400) at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364) at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229) at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135) at 
org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355) at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:791) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68) at org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103) at org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161) at org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73) at 
org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at 
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.lang.Thread.run(Thread.java:745) Caused by: java.net.ConnectException: Connection timed out: connect at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method) at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) at 
java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
	at java.net.Socket.connect(Socket.java:589)
	at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:339)
	at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
	... 84 more

From sblanc at redhat.com Fri Apr 26 05:39:29 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Fri, 26 Apr 2019 11:39:29 +0200
Subject: [keycloak-user] Triggering reset password mail sending programmatically
In-Reply-To: 
References: 
Message-ID: 

Have you looked at the REST docs: https://www.keycloak.org/docs-api/6.0/rest-api/index.html#_users_resource

Isn't "Send a update account email to the user An email contains a link the user can click to perform a set of required actions." what you are looking for?

On Tue, Apr 23, 2019 at 2:08 PM Dragan Jotanovic wrote:
> Does anyone have an example for how to trigger reset password email sending
> programmatically?
> I'm trying to send the reset credentials mail from my custom user storage
> provider, initially when I import user from external database.
> I tried searching through documentation and examples but couldn't find
> anything.
>
> Thanks,
> Dragan
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sthorger at redhat.com Fri Apr 26 07:27:38 2019
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 26 Apr 2019 13:27:38 +0200
Subject: [keycloak-user] Keycloak for RH-SSO 7.4
In-Reply-To: <5997413f519b498bb2b42f54fac63b7b@frequentis.com>
References: <5997413f519b498bb2b42f54fac63b7b@frequentis.com>
Message-ID: 

https://issues.jboss.org/projects/KEYCLOAK?selectedItem=com.atlassian.jira.jira-projects-plugin%3Arelease-page&status=no-filter

Subject to change obviously ;)

On Fri, 26 Apr 2019 at 10:45, RIEDL Matthias wrote:
> Given the information about RH-SSO versions and their Keycloak derivations
> at https://www.keycloak.org/support.html, I would like to know if there's
> an indication on what version RH-SSO 7.4.0.GA is (most probably) going to
> be based on?
>
> Thanks,
> Matthias Riedl
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From slaskawi at redhat.com Fri Apr 26 08:41:11 2019
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Fri, 26 Apr 2019 14:41:11 +0200
Subject: [keycloak-user] [keycloak-dev] HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
In-Reply-To: 
References: 
Message-ID: 

There was a bunch of fixes to JGroups a while ago, including changes in JDBC_PING.

Could you please rerun your setup with Keycloak >= 5.0.0? I believe some of the issues (or maybe even all of them) should be fixed.

On Thu, Apr 25, 2019 at 7:19 PM abhishek raghav wrote:
> Hi
>
> After the migration of keycloak HA configurations from 3.4.3.Final to
> 4.8.3.Final, I am seeing some WARNINGS on one of the nodes of keycloak
> immediately after the keycloak is started with 2 nodes.
> This occurs after every time when the cluster is scaled up or whenever
> infinispan is trying to update the cluster member list.
> I am using JDBC_PING to achieve clustering in keycloak.
>
> Below is the stacktrace -
>
>> 2019-04-24 12:20:43,687 WARN [org.infinispan.topology.ClusterTopologyManagerImpl]
>> (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC
>> ISPN000197: Error updating cluster member list:
>> org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out
>> waiting for responses for request 1 from dcidqdcosagent02
>>     at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>     at java.lang.Thread.run(Thread.java:748)
>>     Suppressed: org.infinispan.util.logging.TraceException
>>     at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
>>     at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
>>     at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
>
> Now after I searched, I really did not see anyone reported such error on
> keycloak but there is similar
> bug reported in WILDFLY 14 and is categorized
> as a blocker in WILDFLY 14. This bug is already fixed in WILDFLY 15.
> https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list
>
> Now since keycloak 4.8 is also based on WILDFLY 14, these WARNINGS could be
> because of this blocker in WILDFLY 14.
>
> What should I do to get rid of this error. Is this really a problem in
> keycloak 4.8.3.Final. Did anyone notice any such issue while running
> keycloak 4.8.3 in HA mode.
> Is there a workaround to fix this.
>
>
> One more thing we noticed is - It is regarding a property in JDBC_PING
> protocol we are using in our 3.4.3 setup i.e. "clear_table_on_view_change"
> but it is no more supported in 4.8 version, and thus the JGROUPSPING table
> is filled up with lots of stale entries. Is there a workaround to clear the
> table after view change in 4.8 also.
>
> Thanks
> Abhishek
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

From ccouzens at gmail.com Sat Apr 27 08:26:47 2019
From: ccouzens at gmail.com (Chris Couzens)
Date: Sat, 27 Apr 2019 13:26:47 +0100
Subject: [keycloak-user] License of Admin Rest API documentation
Message-ID: 

Hi,

I'm interested in writing a little tool to translate the HTML from the Admin Rest API documentation (https://www.keycloak.org/docs-api/5.0/rest-api/index.html) into an OpenAPI specification. When I'm done, I'd like to publish the resulting OpenAPI specification.

Is the online documentation subject to the Keycloak project's copyright? And would the resulting OpenAPI specification also be subject to Keycloak's copyright? Can you advise me on what steps, if any, I should take to avoid infringing licenses?

Ideally I'd like to publish my tool on GitHub using the MIT license. And I'd like to embed the original HTML into my project (for test cases and as an insurance against the online version changing dramatically).
Kind regards,
Chris

From lists at merit.unu.edu Sat Apr 27 12:46:44 2019
From: lists at merit.unu.edu (mj)
Date: Sat, 27 Apr 2019 18:46:44 +0200
Subject: [keycloak-user] upgrade keycloak, elytron issue
Message-ID: <456a4c19-c5da-a99d-1181-31d8322c501d@merit.unu.edu>

Hi,

We're running keycloak 4.0.0, and were trying to upgrade straight to latest, but it failed. Then we tried upgrading to latest release 4.8.3 first, but it gave the same error, namely:

> root at kc:/opt/keycloak-4.8.3.Final# bin/jboss-cli.sh --file=bin/migrate-standalone.cli
> *** Begin Migration ***
>
> Adding eviction strategy to keycloak users cache container...
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Updating authorization cache container..
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Adding spi=userFederatedStorage...
> {"outcome" => "success"}
>
> Updating eviction and expiration in local-cache=keys...
> {"outcome" => "success"}
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Adding eviction strategy to keycloak realms cache...
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Removing declaration for userFederatedStorage SPI
> {"outcome" => "success"}
>
> Updating eviction in local-cache=authorization...
> {"outcome" => "success"}
>
> Adding spi=hostname...
> {"outcome" => "success"}
> {"outcome" => "success"}
>
> Adding permission-set=login-permission to elytron
> {"outcome" => "success"}
> {"outcome" => "success"}
> {
>     "outcome" => "failed",
>     "failure-description" => "WFLYCTL0216: Management resource '[
>     (\"subsystem\" => \"elytron\"),
>     (\"simple-permission-mapper\" => \"default-permission-mapper\")
> ]' not found",
>     "rolled-back" => true
> }

We did some google, but found no clear answer. Can anyone tell us why the command fails, with the above error?

Thanks!
MJ

From thomas.isaksen at toyota.no Sun Apr 28 04:33:55 2019
From: thomas.isaksen at toyota.no (Konsulent Thomas Isaksen (TNO))
Date: Sun, 28 Apr 2019 08:33:55 +0000
Subject: [keycloak-user] Mapping Claims from Identity providers
Message-ID: 

I have configured Azure as my identity provider and I am assigning roles to my users in Keycloak based on claims I get from Azure. Once I have defined one or more Role Mappers and sign in with my Keycloak user for the first time the mapping is done and working as expected; however, once I create additional mappings the roles of the user are no longer updated. The only way to get an updated mapping is to delete my Keycloak user and sign in again.

I tried to look it up in the documentation:

Mapping Claims and Assertions
https://www.keycloak.org/docs/3.2/server_admin/topics/identity-broker/mappers.html

.. "Each new user that logs into your realm via an external identity provider will have an entry for it created in the local Keycloak database. The act of importing metadata from the SAML or OIDC assertions and claims will create this data with the local realm database." ...

Does this mean that I cannot expect new claim mappings to apply to existing users? Is there any way to do this?

--
Thomas Isaksen

From chasecurry at gmail.com Sun Apr 28 10:31:24 2019
From: chasecurry at gmail.com (Nick Curry)
Date: Sun, 28 Apr 2019 09:31:24 -0500
Subject: [keycloak-user] Grant a Keycloak client service account fine-grained permissions on /auth/admin/realms/{realm}/users.
Message-ID: 

I would like to grant only the following Keycloak admin permission to the service account associated with a particular realm client:

- POST /auth/admin/realms/{realm}/users

Is there a way to do this without assigning the entire realm-management manage-users role's set of admin permissions to the client service account? I want to give the client the ability to create users, but not any of the other API endpoints' permissions.
Thanks,

From abhi.raghav007 at gmail.com Mon Apr 29 03:43:49 2019
From: abhi.raghav007 at gmail.com (abhishek raghav)
Date: Mon, 29 Apr 2019 13:13:49 +0530
Subject: [keycloak-user] [keycloak-dev] HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
In-Reply-To: 
References: 
Message-ID: 

Thanks Sebastian.

I tried running the same setup with 5.0.0 of keycloak, I did not see any such errors which I reported in my first email. This was definitely a Wildfly issue and not keycloak.

Regarding my 2nd question - i.e. support of the "clear_table_on_view_change" property. I see that jgroups has removed support of this property. So let's say the JGROUPSPING table has lots of stale entries; while keycloak starts booting up, each keycloak node will try to JOIN with all the entries already present in the JGROUPSPING table and thus the time taken for the service to start will be more. If that timeline is more than 300s, keycloak does not start and reports a timeout error. This scenario is highly possible in cloud scenarios, since there the keycloak nodes can start on any available host/IP since the number of nodes is not fixed.

Can you suggest any workaround to fix this.

*- Best Regards*
Abhishek Raghav

On Fri, Apr 26, 2019 at 6:11 PM Sebastian Laskawiec wrote:
> There was a bunch of fixes to JGroups a while ago, including changes in
> JDBC_PING.
>
> Could you please rerun your setup with Keycloak >= 5.0.0? I believe some
> of the issues (or maybe even all of them) should be fixed.
>
> On Thu, Apr 25, 2019 at 7:19 PM abhishek raghav
> wrote:
>
>> Hi
>>
>> After the migration of keycloak HA configurations from 3.4.3.Final to
>> 4.8.3.Final, I am seeing some WARNINGS on one of the nodes of keycloak
>> immediately after the keycloak is started with 2 nodes. This occurs after
>> every time when the cluster is scaled up or whenever infinispan is trying
>> to update the cluster member list.
>> I am using JDBC_PING to achieve clustering in keycloak.
>>
>> Below is the stacktrace -
>>
>>> 2019-04-24 12:20:43,687 WARN [org.infinispan.topology.ClusterTopologyManagerImpl]
>>> (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC
>>> ISPN000197: Error updating cluster member list:
>>> org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out
>>> waiting for responses for request 1 from dcidqdcosagent02
>>>     at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>>>     at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>>>     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>>>     at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>>>     at java.lang.Thread.run(Thread.java:748)
>>>     Suppressed: org.infinispan.util.logging.TraceException
>>>     at org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
>>>     at org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
>>>     at org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
>>
>> Now after I searched, I really did not see anyone reported such error on
>> keycloak but there is similar bug reported in WILDFLY 14 and is
>> categorized
>> as a blocker in WILDFLY 14. This bug is already fixed in WILDFLY 15.
>> https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list
>>
>> Now since keycloak 4.8 is also based on WILDFLY 14, these WARNINGS could
>> be
>> because of this blocker in WILDFLY 14.
>>
>> What should I do to get rid of this error. Is this really a problem in
>> keycloak 4.8.3.Final. Did anyone notice any such issue while running
>> keycloak 4.8.3 in HA mode.
>> Is there a workaround to fix this.
>>
>>
>> One more thing we noticed is - It is regarding a property in JDBC_PING
>> protocol we are using in our 3.4.3 setup i.e. "clear_table_on_view_change"
>> but it is no more supported in 4.8 version, and thus the JGROUPSPING table
>> is filled up with lots of stale entries. Is there a workaround to clear the
>> table after view change in 4.8 also.
>>
>> Thanks
>> Abhishek
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>

From francesco.longo at linksfoundation.com Mon Apr 29 04:15:56 2019
From: francesco.longo at linksfoundation.com (Francesco Longo)
Date: Mon, 29 Apr 2019 08:15:56 +0000
Subject: [keycloak-user] Setting up SSL certificate on keycloak container
Message-ID: 

Good morning!

I have a problem setting up keycloak on a docker container, using portainer, installing the SSL certificate.

* I installed from portainer the official jboss keycloak image (5.0.0) setting up the internal 8443 port (in this case it recognizes to use HTTPS).
* I have my 2 files (.csr and .key certificates) placed on the /etc/x509/https folder of the docker container.

I have some errors:

* Connecting to the keycloak:port/auth I get the error: "Error code: SSL_ERROR_NO_CYPHER_OVERLAP" and I cannot connect to that page...
* Performing a request to my application that is protected by keycloak I get a response error: "Error: write EPROTO 140495380186944:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:../deps/openssl/openssl/ssl/s23_clnt.c:802:"...

Can somebody help me? What's wrong with the SSL configuration on the keycloak side?

[LINKS Foundation]
Francesco Longo
Researcher | Linksfoundation.com
T. +39 0112276440
francesco.longo at linksfoundation.com

Please consider the environment before printing this email.

Confidentiality Notice - This e-mail message including any attachments is for the sole use of the intended recipient and may contain confidential and privileged information pursuant to Legislative Decree 196/2003 and the European General Data Protection Regulation 679/2016 -GDPR-. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
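Both symptoms above (the browser's SSL_ERROR_NO_CYPHER_OVERLAP and the client's "sslv3 alert handshake failure") are the usual signature of a TLS listener that aborts the handshake with a handshake_failure alert because it has no usable certificate/key pair to present. The jboss/keycloak image's documented TLS setup reads a certificate from /etc/x509/https/tls.crt and an unencrypted private key from /etc/x509/https/tls.key; a .csr file is a certificate signing request, not a certificate, so a CSR plus a key is not something the server can serve. The POSIX shell script below is an added pre-flight check written for this page, not code from the thread or from the Keycloak project: it classifies the PEM files in the volume directory by their headers and, when openssl is installed, confirms that the key belongs to the certificate and probes the listener the way a browser would. The directory path, host name and port it takes are assumptions, as are the constructed sample files used to exercise it.

```shell
#!/bin/sh
# Added pre-flight check for the jboss/keycloak TLS volume (not from the thread).
# Assumes the image's documented layout: <dir>/tls.crt and <dir>/tls.key,
# mounted at /etc/x509/https inside the container.

# Classify a PEM file by its first "-----BEGIN ...-----" header.
# Prints one of: certificate | csr | key | encrypted-key | unknown | missing
pem_kind() {
  f=$1
  [ -f "$f" ] || { echo missing; return 0; }
  hdr=$(grep -- '-----BEGIN' "$f" | head -n 1)
  case "$hdr" in
    *"CERTIFICATE REQUEST"*)   echo csr ;;            # must be tested before the next pattern
    *"BEGIN CERTIFICATE"*)     echo certificate ;;
    *"ENCRYPTED PRIVATE KEY"*) echo encrypted-key ;;  # PKCS#8 with a passphrase
    *"PRIVATE KEY"*)
      # Legacy "traditional" OpenSSL keys mark encryption with a Proc-Type header instead.
      if grep -q 'Proc-Type: 4,ENCRYPTED' "$f"; then echo encrypted-key; else echo key; fi ;;
    *)                         echo unknown ;;
  esac
}

# Check a directory laid out the way the image wants it.
# Returns 0 when tls.crt is a certificate and tls.key is an unencrypted private
# key; otherwise prints what is wrong and returns 1.
check_x509_dir() {
  dir=$1
  rc=0
  crt_kind=$(pem_kind "$dir/tls.crt")
  key_kind=$(pem_kind "$dir/tls.key")
  case "$crt_kind" in
    certificate) ;;
    csr) echo "tls.crt is a signing request (CSR), not a certificate; have it signed (or self-sign it) and mount the resulting certificate"; rc=1 ;;
    *)   echo "tls.crt: $crt_kind"; rc=1 ;;
  esac
  case "$key_kind" in
    key) ;;
    encrypted-key) echo "tls.key is passphrase-protected; the container cannot prompt for it, remove the passphrase first"; rc=1 ;;
    *)   echo "tls.key: $key_kind"; rc=1 ;;
  esac
  # A .csr dropped next to the key (as in the original post) is a common slip.
  for f in "$dir"/*.csr; do
    [ -e "$f" ] && echo "note: $f is a CSR and is ignored by the image"
  done
  return $rc
}

# When openssl is available, also confirm that key and certificate carry the same
# public key, then probe the listener and show what it negotiated (or which alert
# it sent).
verify_with_openssl() {
  dir=$1; host=${2:-localhost}; port=${3:-8443}
  command -v openssl >/dev/null 2>&1 || { echo "openssl not installed, skipping"; return 0; }
  crt_pub=$(openssl x509 -noout -pubkey -in "$dir/tls.crt" | openssl sha256)
  key_pub=$(openssl pkey -pubout -in "$dir/tls.key" | openssl sha256)
  [ "$crt_pub" = "$key_pub" ] || { echo "tls.crt and tls.key do not match"; return 1; }
  echo "key matches certificate; probing https://$host:$port"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>&1 \
    | grep -E 'Protocol|Cipher|Verify return code|alert'
}

# Usage: sh check-x509.sh /path/to/x509/https [host] [port]
# then:  docker run -v /path/to/x509/https:/etc/x509/https -p 8443:8443 jboss/keycloak:5.0.0
if [ $# -gt 0 ]; then
  check_x509_dir "$1" && verify_with_openssl "$@"
fi
```

Run it against the host directory before starting the container; if it reports a CSR, the missing step is getting that request signed (or self-signing with `openssl req -x509`) and saving the result as tls.crt. Once the handshake completes, the `Verify return code` line from s_client is the next thing to look at: a self-signed certificate will be accepted by the listener but still rejected by browsers and Node clients that verify the chain.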
From fabrice.geslin-prestataire at laposte.fr Mon Apr 29 06:10:18 2019
From: fabrice.geslin-prestataire at laposte.fr (GESLIN Fabrice)
Date: Mon, 29 Apr 2019 10:10:18 +0000
Subject: [keycloak-user] How to dynamically trigger a custom required action in a flow ?
Message-ID: 

Hi,

We're trying to trigger a custom required action as part of the reset credential.

For this we plan to mimic the implementation of the authenticate method of the org.keycloak.authentication.authenticators.resetcred.ResetPassword.java :

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        if (context.getExecution().isRequired() ||
                (context.getExecution().isOptional() && configuredFor(context))) {
            context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
        }
        context.success();
    }

But the question is what value should we pass to the addRequiredAction() ?

This method seems to only accept the predefined required actions mapped to the values from the UserModel.RequiredAction enum.

Any help is welcome.

Fabrice Geslin
Groupe La Poste

Post-scriptum La Poste
This message is confidential. Subject to any written agreement between you and La Poste, its content in no way represents a commitment on the part of La Poste. Any publication, use or distribution, even partial, must be authorised in advance. If you are not the intended recipient of this message, please notify the sender immediately.

From craig at baseventure.com Mon Apr 29 08:21:08 2019
From: craig at baseventure.com (Craig Setera)
Date: Mon, 29 Apr 2019 07:21:08 -0500
Subject: [keycloak-user] Authenticator Examples?
Message-ID: 

I'm back to trying to get my "user invitation" functionality working correctly again. As part of that, I'm digging into the documentation around authenticators, required actions, etc yet again. I'm seeing the references to the examples, however it seems like those examples are now gone from the master branch?
Where were the examples moved to? Is there a reason they were moved out of the primary repo? At the moment, it seems like the server developer guide is out of sync with the actual code.

Thanks,
Craig

=================================
*Craig Setera*

*Chief Technology Officer*

From sblanc at redhat.com Mon Apr 29 08:31:44 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 29 Apr 2019 14:31:44 +0200
Subject: [keycloak-user] Authenticator Examples?
In-Reply-To: 
References: 
Message-ID: 

Hi,

Examples can be found in the quickstarts repo: https://github.com/keycloak/keycloak-quickstarts
I think this one should help you: https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator

And thanks for pointing out the outdated references in the doc, we will fix that.

Seb

On Mon, Apr 29, 2019 at 2:28 PM Craig Setera wrote:
> I'm back to trying to get my "user invitation" functionality working
> correctly again. As part of that, I'm digging into the documentation
> around authenticators, required actions, etc yet again. I'm seeing the
> references to the examples, however it seems like those examples are now
> gone from the master branch? Where were the examples moved to? Is there a
> reason they were moved out of the primary repo? At the moment, it seems
> like the server developer guide is out of sync with the actual code.
>
> Thanks,
> Craig
>
> =================================
> *Craig Setera*
>
> *Chief Technology Officer*
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From sblanc at redhat.com Mon Apr 29 08:35:25 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Mon, 29 Apr 2019 14:35:25 +0200
Subject: [keycloak-user] How to dynamically trigger a custom required action in a flow ?
In-Reply-To: 
References: 
Message-ID: 

Hi,

When you say it does not accept it, do you have an exception at runtime?
Because you have addRequiredAction(String string)

On Mon, Apr 29, 2019 at 12:13 PM GESLIN Fabrice <fabrice.geslin-prestataire at laposte.fr> wrote:
> Hi,
>
> We're trying to trigger a custom required action as part of the reset
> credential.
>
> For this we plan to mimic the implementation of the authenticate method of
> the org.keycloak.authentication.authenticators.resetcred.ResetPassword.java
> :
>
>     @Override
>     public void authenticate(AuthenticationFlowContext context) {
>         if (context.getExecution().isRequired() ||
>                 (context.getExecution().isOptional() && configuredFor(context))) {
>             context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
>         }
>         context.success();
>     }
>
> But the question is what value should we pass to the addRequiredAction() ?
>
> This method seems to only accept the predefined required actions mapped to
> the values from the UserModel.RequiredAction enum.
>
> Any help is welcome.
>
> Fabrice Geslin
>
> Groupe La Poste
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>

From bruno at abstractj.org Mon Apr 29 09:58:12 2019
From: bruno at abstractj.org (Bruno Oliveira)
Date: Mon, 29 Apr 2019 10:58:12 -0300
Subject: [keycloak-user] Authenticator Examples?
In-Reply-To: 
References: 
Message-ID: 

The authenticator example was removed by mistake. We're going to recover and put it back.
On Mon, Apr 29, 2019 at 9:31 AM Sebastien Blanc wrote:
>
> Hi,
>
> Examples can be found in the quickstarts repo :
> https://github.com/keycloak/keycloak-quickstarts
> I think this one should help you :
> https://github.com/keycloak/keycloak-quickstarts/tree/latest/action-token-authenticator
>
> And thanks for pointing out the outdated references in the doc we will fix
> that.
>
> Seb
>
> On Mon, Apr 29, 2019 at 2:28 PM Craig Setera wrote:
>
> > I'm back to trying to get my "user invitation" functionality working
> > correctly again. As part of that, I'm digging into the documentation
> > around authenticators, required actions, etc yet again. I'm seeing the
> > references to the examples, however it seems like those examples are now
> > gone from the master branch? Where were the examples moved to? Is there a
> > reason they were moved out of the primary repo? At the moment, it seems
> > like the server developer guide is out of sync with the actual code.
> >
> > Thanks,
> > Craig
> >
> > =================================
> > *Craig Setera*
> >
> > *Chief Technology Officer*
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

--
- abstractj

From ntle at castortech.com Mon Apr 29 11:41:29 2019
From: ntle at castortech.com (Nhut Thai Le)
Date: Mon, 29 Apr 2019 11:41:29 -0400
Subject: [keycloak-user] how to generate password for user using realm password policy
Message-ID: 

Hello,

I'm using admin broker to manage users and I need to generate a password for a user using the existing password policies of the realm. Which class should I use? An example is much appreciated.
Thai Le

From craig at baseventure.com Mon Apr 29 11:48:06 2019
From: craig at baseventure.com (Craig Setera)
Date: Mon, 29 Apr 2019 10:48:06 -0500
Subject: [keycloak-user] Implementing "user invitation" functionality in Keycloak
Message-ID: 

I'm continuing to attempt to get my "user invitation" functionality working again. While I'm 99% certain it worked at some point in the past, I can't for the life of me get it going again now. I have not found a working combination of action tokens, required actions and authenticators to make this work.

From the feature perspective, the goal is a user-facing flow similar to the following:

- Within our application, a properly authorized user adds a new user to our system (using their email address)
- The addition of that user triggers an email to that user with a (action token) link they can click on
- The link takes them into Keycloak where they can set their "initial" password via a form
- Once that is completed, they are transitioned to the login page

In my case, I have the initial action token email working (via a REST resource provider). Within that action token handler, I'm trying to find a combination of authenticators and/or required actions to pull together the necessary "challenge" and processing of that challenge. However, I can't seem to find a combination that Keycloak is happy with and does what I need it to do. When looking at similar combinations of required actions and authenticators, like those found in the quickstarts, it seems like they work in reverse of this. The authenticator initiates the action token and not the other way around. Am I misunderstanding what I can/should do here?

Can anyone offer any suggestions or pointers on how to properly handle that part of the user facing behavior? This is similar in functionality to reset credentials, but at the same time it is not the same and our product folks don't want to see "reset" when the user has not yet set credentials.
Thanks,
Craig

=================================
*Craig Setera*

*Chief Technology Officer*

From fabrice.geslin-prestataire at laposte.fr Tue Apr 30 03:43:29 2019
From: fabrice.geslin-prestataire at laposte.fr (GESLIN Fabrice)
Date: Tue, 30 Apr 2019 07:43:29 +0000
Subject: [keycloak-user] How to dynamically trigger a custom required action in a flow ?
In-Reply-To: 
References: 
Message-ID: 

Hi Sébastien,

We've finally found the addRequiredAction() function with the String parameter and it works.

But we fell into a new issue due to the fact that the required actions are sometimes handled sorted and sometimes not sorted.

For instance, at the end of the authentication flow processing, when the required actions are processed, they are treated in an arbitrary order that doesn't even correspond to the order in which they were added. In Keycloak release 4.8.3.FINAL, the call stack leads to line 893 of org.keycloak.services.managers.AuthenticationManager that is:

    public static String nextRequiredAction(final KeycloakSession session, final AuthenticationSessionModel authSession,
                                            final ClientConnection clientConnection,
                                            final HttpRequest request, final UriInfo uriInfo, final EventBuilder event) {
        final RealmModel realm = authSession.getRealm();
        final UserModel user = authSession.getAuthenticatedUser();
        final ClientModel client = authSession.getClient();

        evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user);

        if (!user.getRequiredActions().isEmpty()) {
            return user.getRequiredActions().iterator().next();
        }
        if (!authSession.getRequiredActions().isEmpty()) {
            return authSession.getRequiredActions().iterator().next();
        }

This causes the user to be redirected to the URI of the required action that has been arbitrarily selected.

But when the browser GETs the corresponding URI, the call stack reaches line 1045 of org.keycloak.services.managers.AuthenticationManager where the required actions are sorted according to their priorities or their names (?!?):

    protected static Response executionActions(KeycloakSession session, AuthenticationSessionModel authSession,
                                               HttpRequest request, EventBuilder event, RealmModel realm, UserModel user,
                                               Set<String> requiredActions) {
        List<RequiredActionProviderModel> sortedRequiredActions = sortRequiredActionsByPriority(realm, requiredActions);

        for (RequiredActionProviderModel model : sortedRequiredActions) {
            RequiredActionFactory factory = (RequiredActionFactory) session.getKeycloakSessionFactory()
                    .getProviderFactory(RequiredActionProvider.class, model.getProviderId());
            if (factory == null) {
                throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId()
                        + " did you forget to declare it in a META-INF/services file?");
            }
            RequiredActionContextResult context = new RequiredActionContextResult(authSession, realm, event, session, request, user, factory);
            RequiredActionProvider actionProvider = null;
            try {
                actionProvider = createRequiredAction(context);
            } catch (AuthenticationFlowException e) {
                if (e.getResponse() != null) {
                    return e.getResponse();
                }
                throw e;
            }
            actionProvider.requiredActionChallenge(context);

The side effect of this inconsistency is that in our case, where we've added a custom required action after the UPDATE_PASSWORD required action to the reset credential flow, the user is first redirected to the URI of our custom action (which is not what we expected) AND the form that is challenged to the user once redirected is the one from the UPDATE_PASSWORD action!

The question is how can we have the required actions that are added to a flow be processed according to the order in which they are added?

Regards,

Fabrice Geslin
Groupe La Poste

From: Sebastien Blanc [mailto:sblanc at redhat.com]
Sent: Monday 29 April 2019 14:35
To: GESLIN Fabrice
Cc: keycloak-user at lists.jboss.org
Subject: Re: [keycloak-user] How to dynamically trigger a custom required action in a flow ?

Hi,

When you say it does not accept it, do you have an exception at runtime?

Because you have addRequiredAction(String string)

On Mon, Apr 29, 2019 at 12:13 PM GESLIN Fabrice wrote:

    Hi,

    We're trying to trigger a custom required action as part of the reset credential.

    For this we plan to mimic the implementation of the authenticate method of the org.keycloak.authentication.authenticators.resetcred.ResetPassword.java :

        @Override
        public void authenticate(AuthenticationFlowContext context) {
            if (context.getExecution().isRequired() ||
                    (context.getExecution().isOptional() && configuredFor(context))) {
                context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
            }
            context.success();
        }

    But the question is what value should we pass to the addRequiredAction() ?

    This method seems to only accept the predefined required actions mapped to the values from the UserModel.RequiredAction enum.

    Any help is welcome.

    Fabrice Geslin
    Groupe La Poste

    _______________________________________________
    keycloak-user mailing list
    keycloak-user at lists.jboss.org
    https://lists.jboss.org/mailman/listinfo/keycloak-user

From sblanc at redhat.com Tue Apr 30 04:19:09 2019
From: sblanc at redhat.com (Sebastien Blanc)
Date: Tue, 30 Apr 2019 10:19:09 +0200
Subject: [keycloak-user] How to dynamically trigger a custom required action in a flow ?
In-Reply-To: 
References: 
Message-ID: 

If you believe there is an inconsistency please open a JIRA, tbh I don't know that much about the implementation details of this part.

You probably have but worth asking: have you set the priority of your custom required action? I can see that "Update password" has prio 30, so your custom action should be >30 (0 is the highest priority) if you want it to be run after.

And regarding sort by names and priority, if I look at the implementation of the comparator it looks like it first sorts by prio and after that by name (if they have the same prio).

On Tue, Apr 30, 2019 at 9:43 AM GESLIN Fabrice <fabrice.geslin-prestataire at laposte.fr> wrote:
> Hi Sébastien,
>
> We've finally found the addRequiredAction() function with the String
> parameter and it works.
>
> But we fell into a new issue due to the fact that the required actions are
> sometimes handled sorted and sometimes not sorted.
>
> For instance, at the end of the authentication flow processing, when the
> required actions are processed, they are treated in an arbitrary order that
> doesn't even correspond to the order in which they were added.
> In Keycloak release 4.8.3.FINAL, the call stack leads to line 893 of org.keycloak.services.managers.AuthenticationManager, that is:
>
>     public static String nextRequiredAction(final KeycloakSession session, final AuthenticationSessionModel authSession,
>                                             final ClientConnection clientConnection,
>                                             final HttpRequest request, final UriInfo uriInfo, final EventBuilder event) {
>         final RealmModel realm = authSession.getRealm();
>         final UserModel user = authSession.getAuthenticatedUser();
>         final ClientModel client = authSession.getClient();
>
>         evaluateRequiredActionTriggers(session, authSession, clientConnection, request, uriInfo, event, realm, user);
>
>         if (!user.getRequiredActions().isEmpty()) {
>             return user.getRequiredActions().iterator().next();
>         }
>         if (!authSession.getRequiredActions().isEmpty()) {
>             return authSession.getRequiredActions().iterator().next();
>         }
>
> This causes the user to be redirected to the URI of the required action that has been arbitrarily selected.
>
> *But* when the browser GETs the corresponding URI, the call stack reaches line 1045 of org.keycloak.services.managers.AuthenticationManager, where the required actions are sorted according to their priorities or their names (?!?):
>
>     protected static Response executionActions(KeycloakSession session, AuthenticationSessionModel authSession,
>                                                HttpRequest request, EventBuilder event, RealmModel realm, UserModel user,
>                                                Set<String> requiredActions) {
>
>         List<RequiredActionProviderModel> sortedRequiredActions = sortRequiredActionsByPriority(realm, requiredActions);
>
>         for (RequiredActionProviderModel model : sortedRequiredActions) {
>             RequiredActionFactory factory = (RequiredActionFactory) session.getKeycloakSessionFactory()
>                     .getProviderFactory(RequiredActionProvider.class, model.getProviderId());
>             if (factory == null) {
>                 throw new RuntimeException("Unable to find factory for Required Action: " + model.getProviderId()
>                         + " did you forget to declare it in a META-INF/services file?");
>             }
>             RequiredActionContextResult context = new RequiredActionContextResult(authSession, realm, event, session, request, user, factory);
>             RequiredActionProvider actionProvider = null;
>             try {
>                 actionProvider = createRequiredAction(context);
>             } catch (AuthenticationFlowException e) {
>                 if (e.getResponse() != null) {
>                     return e.getResponse();
>                 }
>                 throw e;
>             }
>             actionProvider.requiredActionChallenge(context);
>
> The side effect of this inconsistency is that in our case, where we've added a custom required action after the UPDATE_PASSWORD required action to the reset credential flow, the user is first redirected to the URI of our custom action (which is not what we expected) AND the form that is challenged to the user once redirected is the one from the UPDATE_PASSWORD action!
>
> The question is how can we have the required actions that are added to a flow be processed according to the order in which they are added?
>
> Regards,
>
> Fabrice Geslin
> Groupe La Poste
>
> *From:* Sebastien Blanc [mailto:sblanc at redhat.com]
> *Sent:* Monday, 29 April 2019 14:35
> *To:* GESLIN Fabrice
> *Cc:* keycloak-user at lists.jboss.org
> *Subject:* Re: [keycloak-user] How to dynamically trigger a custom required action in a flow ?
>
> Hi,
>
> When you say it does not accept it, you have an exception at runtime? Because you have addRequiredAction(String string)
>
> On Mon, Apr 29, 2019 at 12:13 PM GESLIN Fabrice <fabrice.geslin-prestataire at laposte.fr> wrote:
>
> Hi,
>
> We're trying to trigger a custom required action as part of the reset credential flow.
>
> For this we plan to mimic the implementation of the authenticate method of org.keycloak.authentication.authenticators.resetcred.ResetPassword.java:
>
>     @Override
>     public void authenticate(AuthenticationFlowContext context) {
>         if (context.getExecution().isRequired() ||
>             (context.getExecution().isOptional() && configuredFor(context))) {
>             context.getAuthenticationSession().addRequiredAction(UserModel.RequiredAction.UPDATE_PASSWORD);
>         }
>         context.success();
>     }
>
> But the question is what value should we pass to addRequiredAction()?
>
> This method seems to only accept the predefined required actions mapped to the values from the UserModel.RequiredAction enum.
>
> Any help is welcome.
>
> Fabrice Geslin
> Groupe La Poste

From chttl582 at gmail.com Tue Apr 30 06:09:49 2019
From: chttl582 at gmail.com (Jon Huang)
Date: Tue, 30 Apr 2019 18:09:49 +0800
Subject: [keycloak-user] Keycloak cluster setup on Openshift

Dear Keycloakers

On my local environment, I set up a Keycloak cluster with multicast and it's OK. However, there are some issues which might be related to Infinispan when I migrate to Openshift with KUBE_PING. (btw, I tested with Keycloak version 4.8.1, docker version)

I put the detailed log in the attachment and hope it helps. (The log below is an abridged version.) It seems that Infinispan times out and is not working correctly (which works in my local environment though). Does anyone have the same experience on Openshift?

Thanks

*Firstly, node 1 detected node2*

[org.infinispan.CLUSTER] (thread-15,ejb,kc-22-qzws9) ISPN000094: Received new cluster view for channel ejb: [kc-22-qzws9|5] (2) [kc-22-qzws9, kc-22-wf2pf]
[org.infinispan.CLUSTER] (thread-15,ejb,kc-22-qzws9) ISPN100000: Node kc-22-wf2pf joined the cluster
[org.infinispan.CLUSTER] (remote-thread--p13-t6) [Context=loginFailures] ISPN100002: Starting rebalance with members [kc-22-qzws9, kc-22-wf2pf], phase READ_OLD_WRITE_ALL, topology id 2
...
*Then some error happened*

*[log from node1:]*

[org.infinispan.topology.ClusterTopologyManagerImpl] (transport-thread--p24-t3) ISPN000197: Error updating cluster member list: org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out waiting for responses for request 2 from kc-22-wf2pf
    at org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
    at org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    ... 1 more
[org.infinispan.statetransfer.StateConsumerImpl] (transport-thread--p16-t9) ISPN000208: No live owners found for segments {0-255} of cache clientSessions. Excluded owners: []

*[log from node2:]*

[org.jboss.msc.service.fail] (ServerService Thread Pool -- 58) MSC000001: Failed to start service org.wildfly.clustering.infinispan.cache.keycloak.offlineClientSessions: org.jboss.msc.service.StartException in service org.wildfly.clustering.infinispan.cache.keycloak.offlineClientSessions: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    at org.wildfly.clustering.service.FunctionalService.start(FunctionalService.java:70)
    at org.wildfly.clustering.service.AsyncServiceConfigurator$AsyncService.lambda$start$0(AsyncServiceConfigurator.java:117)
    ...
Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    at org.infinispan.commons.util.SecurityActions.lambda$invokeAccessibly$0(SecurityActions.java:83)
    at org.infinispan.commons.util.SecurityActions.doPrivileged(SecurityActions.java:71)
    at org.infinispan.commons.util.SecurityActions.invokeAccessibly(SecurityActions.java:76)
    at org.infinispan.commons.util.ReflectionUtil.invokeAccessibly(ReflectionUtil.java:185)
    ... 7 more
Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache offlineClientSessions on kc-22-wf2pf
    at org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete(StateTransferManagerImpl.java:233)
    ... 30 more

[org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
    ("subsystem" => "infinispan"),
    ("cache-container" => "keycloak"),
    ("replicated-cache" => "work")
]) - failure description: {"WFLYCTL0080: Failed services" => {"org.wildfly.clustering.infinispan.cache.keycloak.work" => "org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Unable to invoke method public void org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete() throws java.lang.Exception on object of type StateTransferManagerImpl
    Caused by: org.infinispan.commons.CacheException: Initial state transfer timed out for cache work on kc-22-wf2pf"}}

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keycloakError.log
Type: application/octet-stream
Size: 10950 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-user/attachments/20190430/fb6f2daa/attachment-0001.obj

From lists at merit.unu.edu Tue Apr 30 06:23:08 2019
From: lists at merit.unu.edu (lists)
Date: Tue, 30 Apr 2019 12:23:08 +0200
Subject: [keycloak-user] upgrade keycloak, elytron issue
In-Reply-To: <456a4c19-c5da-a99d-1181-31d8322c501d@merit.unu.edu>
References: <456a4c19-c5da-a99d-1181-31d8322c501d@merit.unu.edu>

Hi,

So we tried upgrading one release at a time. We noticed that the elytron error occurred at the migrate-standalone.cli step from 4.3 -> 4.4. We decided to simply ignore the error, and launch 4.4 anyway, which worked fine. :-) So it was probably just a warning, safe to ignore hopefully..

Continued upgrading, no problems until 4.6, which suddenly refuses to load the mysql connector, using the *exact* same config (copied) from all previous versions.

Error upon keycloak launch:

> 11:53:44,860 ERROR [org.jboss.as.controller.management-operation] (ServerService Thread Pool -- 28) WFLYCTL0013: Operation ("add") failed - address: ([
>     ("subsystem" => "datasources"),
>     ("jdbc-driver" => "mysql")
> ]) - failure description: "WFLYJCA0114: Failed to load datasource class: org.mysql.Driver"

Our module.xml and the mysql-connector-java-5.1.40-bin.jar worked on all previous versions... We used the same standalone.xml etc. as before. (In fact, we copied the complete configuration dir, as stated in the upgrade docs.)

Any ideas what's up with keycloak 4.6 (and up) and the mysql connector? (We are running debian 9 with mariadb btw, but this connector/config has always worked for keycloak.)

Tips?
MJ

From lists at merit.unu.edu Tue Apr 30 06:56:10 2019
From: lists at merit.unu.edu (lists)
Date: Tue, 30 Apr 2019 12:56:10 +0200
Subject: [keycloak-user] upgrade keycloak, elytron issue
References: <456a4c19-c5da-a99d-1181-31d8322c501d@merit.unu.edu>
Message-ID: <070df7d0-1f5c-7c64-ed82-b3daa91e58d7@merit.unu.edu>

On 30-4-2019 12:23, lists wrote:
>

We also tried mysql-connector-java-5.1.47-bin.jar (latest 5.1) and also mariadb-java-client-2.4.1.jar and mysql-connector-java-8.0.16.jar (both without the suffix -bin) but same result.

From mrestelli at cuebiq.com Tue Apr 30 07:06:01 2019
From: mrestelli at cuebiq.com (Matteo Restelli)
Date: Tue, 30 Apr 2019 13:06:01 +0200
Subject: [keycloak-user] Understanding access token storage

Hi all,

As far as I know, the best practice for a Single Page Application is to have the access token stored inside an HttpOnly cookie. This means that the token endpoint must return tokens in a cookie provided with the response. Am I right? If yes, how can I achieve this behaviour?

Thank you very much,
Matteo

--
This email is reserved exclusively for sending and receiving messages inherent to working activities, and is not intended nor authorized for personal use. Therefore, any outgoing messages or incoming response messages will be treated as company messages and will be subject to the corporate IT policy and may possibly be read by persons other than the subscriber of the box. Confidential information may be contained in this message. If you are not the addressee indicated in this message, please do not copy or deliver this message to anyone. In such case, you should notify the sender immediately and delete the original message.
From eduard.matuszak at worldline.com Tue Apr 30 08:31:01 2019
From: eduard.matuszak at worldline.com (Matuszak, Eduard)
Date: Tue, 30 Apr 2019 12:31:01 +0000
Subject: [keycloak-user] FW: Brokering-sample with google-authentication does not work with Keycloak6/Wildfly16
Message-ID: <61D077C6283D454FAFD06F6AC4AB74D73DD29CFC@DEFTHW99EZ1MSX.ww931.my-it-solutions.net>

Answer: According to the documentation at https://www.keycloak.org/docs/latest/server_installation/index.html#outgoing-http-requests we now have to configure the proxy settings in standalone<>.xml. Proxy settings done via the httpProxy Java runtime parameters no longer have any effect on the HTTP client Keycloak is using.

_____________________________________________
From: Matuszak, Eduard
Sent: Friday, April 26, 2019 11:34 AM
To: 'keycloak-user at lists.jboss.org'
Subject: Brokering-sample with google-authentication does not work with Keycloak6/Wildfly16

Hello

I tried to check the keycloak/examples/broker/google-authentication-sample with Keycloak 6.0.0 and Wildfly 16.0.0. Unfortunately org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider is not able to connect to all google endpoints and fails with a timeout. With my "old" system (Keycloak 2.5.5 and Wildfly 10.0.1) on the same machine the corresponding example succeeded. Proxy settings via the -DhttpProxy Java runtime parameters had been done, so this may not be the problem.

Interesting(?): I observed that the connection to https://accounts.google.com/o/oauth2/v2/auth done in the same(!) class org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider just before, in the performLogin method, in contrast did(!) succeed (google complains when pushing the "g" login button when the required redirect setting is not done).

Do you have any idea or fix to overcome this error?
Best regards,
Eduard Matuszak

PS: This is the stack trace of the timeout exception when AbstractOAuth2IdentityProvider tried to connect to oauth2.googleapis.com:

10:35:49,298 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-53) Failed to make identity provider oauth callback: org.apache.http.conn.HttpHostConnectException: Connect to oauth2.googleapis.com:443 [oauth2.googleapis.com/172.217.16.138, oauth2.googleapis.com/172.217.18.106, oauth2.googleapis.com/172.217.22.74, oauth2.googleapis.com/172.217.22.10, oauth2.googleapis.com/216.58.205.234, oauth2.googleapis.com/172.217.21.202, oauth2.googleapis.com/216.58.208.42, oauth2.googleapis.com/172.217.16.170, oauth2.googleapis.com/216.58.206.10, oauth2.googleapis.com/172.217.23.170, oauth2.googleapis.com/172.217.16.202, oauth2.googleapis.com/172.217.18.170, oauth2.googleapis.com/172.217.18.10, oauth2.googleapis.com/172.217.22.106, oauth2.googleapis.com/216.58.210.10] failed: Connection timed out: connect
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:159)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:199)
    at org.keycloak.broker.provider.util.SimpleHttp.asResponse(SimpleHttp.java:163)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:155)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:418)
    at sun.reflect.GeneratedMethodAccessor715.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:400)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:364)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:366)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:338)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:439)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:229)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:135)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:355)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:138)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:215)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:791)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68)
    at org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103)
    at org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161)
    at org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73)
    at org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1502)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:364)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.net.ConnectException: Connection timed out: connect
    at java.net.TwoStacksPlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:172)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:339)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    ... 84 more

From lists at merit.unu.edu Tue Apr 30 09:12:10 2019
From: lists at merit.unu.edu (lists)
Date: Tue, 30 Apr 2019 15:12:10 +0200
Subject: [keycloak-user] upgrade keycloak, elytron issue
In-Reply-To: <070df7d0-1f5c-7c64-ed82-b3daa91e58d7@merit.unu.edu>
References: <456a4c19-c5da-a99d-1181-31d8322c501d@merit.unu.edu> <070df7d0-1f5c-7c64-ed82-b3daa91e58d7@merit.unu.edu>

OK, I have now changed everything from org.mysql to com.mysql and that helped. Strange.

On 30-4-2019 12:56, lists wrote:
> On 30-4-2019 12:23, lists wrote:
>
> We also tried mysql-connector-java-5.1.47-bin.jar (latest 5.1) and also mariadb-java-client-2.4.1.jar and mysql-connector-java-8.0.16.jar (both without the suffix -bin) but same result.

From mechanix at live.de Tue Apr 30 18:08:23 2019
From: mechanix at live.de (The Mechanix)
Date: Tue, 30 Apr 2019 22:08:23 +0000
Subject: [keycloak-user] Keycloak, Openresty and fine grain authorization not working

Hi,

I'm relatively new to KC but I've read a lot of documentation in the past few days and I managed to get an (almost) working POC..
An overview can be found here [1].

The setup is fairly easy, we just want to authenticate some web services (HTML). The components used are all docker containers:

- OpenResty Cluster 1.13.6.2-1 (Keepalived + GlusterFS) with lua-resty-openidc
- Keycloak Cluster 6.0.1
- PostgreSQL Cluster 9.6.12
- Nginx for the web services

In KC, I created a client "metropolis" [2] and a user "ckent". Whenever I call the protected URL I get redirected to KC, can authenticate and I'm landing on the web service page. So far so good.

Now, I just wanted to see what happens if I negate the default policy:

    // by default, grants any permission associated with this policy
    $evaluation.grant();

A quick evaluation shows the following:

    Default Resource
    Result: DENY
    Scopes: No scopes available.
    Policies:
      - Default Permission decision was DENY by UNANIMOUS decision.
      - Default Policy voted to DENY.

According to the results, I should not be able to access the resource anymore, right? But this doesn't happen, I'm still able to login (after killing the session in KC).

What am I missing? Here [3] is the openresty config.

Any hints are much appreciated.

Thanks

[1] https://i.imgur.com/z3E6Fn2.jpg
[2] https://i.imgur.com/J15kXFG.png
[3] https://pastebin.com/7zfHePYK

From testoauth55 at gmail.com Tue Apr 30 23:35:33 2019
From: testoauth55 at gmail.com (Bruce Wings)
Date: Wed, 1 May 2019 09:05:33 +0530
Subject: [keycloak-user] Unable to integrate SAML 2 provider - Pingfederate

I have successfully integrated OKTA as a SAML 2 provider. Now I am trying to integrate Pingfederate as a SAML 2 provider. Pingfederate successfully redirects back to keycloak: ( /auth/realms//broker/pingfed/endpoint )

But keycloak gives the following error trace:

2019-04-30 13:27:23,196 ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-3) Uncaught server error: org.keycloak.broker.provider.IdentityBrokerException: Could not process response from SAML identity provider.
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleLoginResponse(SAMLEndpoint.java:450)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:485)
    at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:243)
    at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:510)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:401)
    at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$0(ResourceMethodInvoker.java:365)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:367)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:339)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:137)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:106)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:132)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:441)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:231)
    at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:137)
    at org.jboss.resteasy.core.interception.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:361)
    at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:140)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:217)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:227)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1514) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:360) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830) at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487) at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.NullPointerException