Associate social account with IDM user
by Stian Thorgersen
We need to be able to associate multiple social providers with an IDM user. At the moment this is not based on the username of the account (for example google.23897892sdf). This has two main drawbacks:
* Horrible username
* Can only associate a single social account with an IDM user
What is the best way to store this information? We mainly need to store what social providers a user has linked and the social userid. In the future we may also want to associate access tokens as well. We also need to lookup a user based on the social provider + social userid.
11 years, 5 months
Working on the HTML for the Admin Console
by Gabriel Cardoso
I'm working on the HTML for the Admin console, initially for the Application creation page.
I will structure it using Twitter Bootstrap 3 and create a custom stylesheet above it to provide the Red Hat Look and Feel.
The expected result is something like the image below.
I'll structure the page according to what we discussed on the wireframes.
Gabriel
11 years, 5 months
Keycloak as OAuth 2 compliant authorization server?
by Matt Wringe
Could someone please clarify if one of the goals of keycloak is to provide an OAuth 2.0 compliant authorization server?
I am trying to figure out if I should be filing bugs and submitting patches, or if keycloak is only meant to have an OAuth-like semblance.
Thanks,
Matt Wringe
11 years, 5 months
AFK next few weeks
by Bill Burke
I'll be away from keycloak for the next few weeks. I'm going on vacation Thurs-Monday. Then I need to finish up the Restful Java book revision.
I'll be answering emails when I can.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11 years, 5 months
TOTP setup
by Stian Thorgersen
I've added support for configuring TOTP to the registration process. At the moment the way it works is if the realm has both password and totp as required credentials the user is required to configure totp during the registration. To validate that the user has configured TOTP correctly the user has to provide a valid authentication code in the registration form.
This only covers the use case when TOTP is required by the realm. I think users should be able to enable TOTP even though it's not required by the realm. For example a bank would require TOTP, but a mail provider would let users choose what level of security they want themselves. Users should also be able to manage the TOTP settings for their account. For example to change the TOTP, or to remove (only if not required by realm).
This ties in to having a proper place for users to manage their accounts. See https://github.com/keycloak/keycloak/wiki/User-Account-Management.
To try this out yourself edit "examples/as7-eap-demo/server/src/main/resources/META-INF/testrealm.json" and change:
"requiredCredentials": [ "password" ],
to
"requiredCredentials": [ "password", "totp" ],
This enables totp for the demo realm used by customer-portal and product-portal. To enable it for the SaaS edit org.keycloak.example.demo.DemoApplication#install and add:
defaultRealm.addRequiredCredential(CredentialRepresentation.TOTP);
The approach taken above is just to get something working quickly. I propose that we improve this to work like this:
* When a user first registers there will be a checkbox to enable TOTP if the user wants to - if TOTP is required by the realm this checkbox will always be enabled (and the user won't be able to change it)
* After clicking register the user is forwarded to the configure TOTP page (in user account management)
* If a user doesn't complete the above form, or a user registered prior to totp being set as required for the realm, when a user tries to login the user is forwarded to the configure TOTP page
* The TOTP page should list out the available TOTP providers (ATM only Google authenticator is supported) and show instructions for the user to configure it. A user should be required to enter a valid authenticator code to enable TOTP
Later a user can view the TOTP settings for his account through the user account management. If totp is not required by the realm the user can also remove the totp. A user can always change the totp; again this requires providing a valid authenticator code.
11 years, 5 months
Manage accounts page
by Stian Thorgersen
It would be good to have a manage your account page for Keycloak
Basically it's a place that lets you:
* View and change your user profile
* Change your password
* Manage OTP (enable/disable)
* Manage social accounts (view linked, add/remove)
* View audit history
For social login if "review profile on social registration" is enabled for the realm we can simply forward the user to this page on first login + it's also a nice place to manage linking multiple accounts.
11 years, 5 months
Token not active error
by Stian Thorgersen
Bill,
If I leave customer-portal open for a while I get a "token is not active" error in the server log (see stack trace below). After that the only way I can get things working again is to manually remove the session cookie with JSESSIONID in it.
I've moved the stuff from AbstractLoginService into OAuthUtil which just has a bunch of static methods. This is because I had to change SocialResource as the callback endpoint shouldn't contain the realm (see https://issues.jboss.org/browse/KEYCLOAK-33).
I don't think I've broken it, but I may have :/
------------------
16:46:48,268 ERROR [org.keycloak.adapters.as7.CatalinaBearerTokenAuthenticator] (http-localhost-127.0.0.1-8080-7) Failed to verify token: org.keycloak.VerificationException: Token is not active.
at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:39) [keycloak-core-1.0-alpha-1.jar:]
at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:19) [keycloak-core-1.0-alpha-1.jar:]
at org.keycloak.adapters.as7.CatalinaBearerTokenAuthenticator.login(CatalinaBearerTokenAuthenticator.java:77) [keycloak-as7-adapter-1.0-alpha-1.jar:]
at org.keycloak.adapters.as7.BearerTokenAuthenticatorValve.authenticate(BearerTokenAuthenticatorValve.java:67) [keycloak-as7-adapter-1.0-alpha-1.jar:]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:455) [jbossweb-7.0.13.Final.jar:]
at org.keycloak.adapters.as7.BearerTokenAuthenticatorValve.invoke(BearerTokenAuthenticatorValve.java:57) [keycloak-as7-adapter-1.0-alpha-1.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]
16:46:48,276 WARN [org.apache.http.impl.client.DefaultHttpClient] (http-localhost-127.0.0.1-8080-3) Authentication error: Unable to respond to any of these challenges: {bearer=WWW-Authenticate: Bearer realm="demo", error="invalid_token", error_description="Token is not active."}
16:46:48,278 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/customer-portal].[jsp]] (http-localhost-127.0.0.1-8080-3) Servlet.service() for servlet jsp threw exception: javax.ws.rs.ProcessingException: Unable to find a MessageBodyReader of content-type text/html;charset=utf-8 and type interface java.util.List
at org.jboss.resteasy.core.interception.ClientReaderInterceptorContext.throwReaderNotFound(ClientReaderInterceptorContext.java:39) [resteasy-jaxrs-3.0.2.Final.jar:]
at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.getReader(AbstractReaderInterceptorContext.java:73) [resteasy-jaxrs-3.0.2.Final.jar:]
at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:50) [resteasy-jaxrs-3.0.2.Final.jar:]
at org.jboss.resteasy.plugins.interceptors.encoding.GZIPDecodingInterceptor.aroundReadFrom(GZIPDecodingInterceptor.java:59) [resteasy-jaxrs-3.0.2.Final.jar:]
at org.jboss.resteasy.core.interception.AbstractReaderInterceptorContext.proceed(AbstractReaderInterceptorContext.java:53) [resteasy-jaxrs-3.0.2.Final.jar:]
at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readFrom(ClientResponse.java:244) [resteasy-client-3.0.2.Final.jar:]
at org.jboss.resteasy.client.jaxrs.internal.ClientResponse.readEntity(ClientResponse.java:178) [resteasy-client-3.0.2.Final.jar:]
at org.jboss.resteasy.specimpl.BuiltResponse.readEntity(BuiltResponse.java:223) [resteasy-jaxrs-3.0.2.Final.jar:]
at org.jboss.resteasy.example.oauth.CustomerDatabaseClient.getCustomers(CustomerDatabaseClient.java:29) [classes:]
at org.apache.jsp.customers.view_jsp._jspService(view_jsp.java:74)
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jbossweb-7.0.13.Final.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:369) [jbossweb-7.0.13.Final.jar:]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:326) [jbossweb-7.0.13.Final.jar:]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:253) [jbossweb-7.0.13.Final.jar:]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:329) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:248) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:275) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:161) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:489) [jbossweb-7.0.13.Final.jar:]
at org.keycloak.adapters.as7.OAuthManagedResourceValve.invoke(OAuthManagedResourceValve.java:104) [keycloak-as7-adapter-1.0-alpha-1.jar:]
at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:153) [jboss-as-web-7.1.1.Final.jar:7.1.1.Final]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.13.Final.jar:]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.13.Final.jar:]
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.13.Final.jar:]
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.13.Final.jar:]
at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_21]
11 years, 5 months
Default roles for realms and applications
by Stian Thorgersen
I've added default roles to realms. Basically it's a list of roles that are assigned to users that self-register (either through registration form or social login).
We need the same for applications as well. I assume in this case when a new user is registered we would list all applications for the realm, and add the default roles for the user to each application?
11 years, 5 months
DDoS
by Bill Burke
DDoS, another good reason to use Openshift cartridges rather than a SaaS server.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
11 years, 5 months