October 2014 - keycloak-dev - Jboss List Archives

by Stian Thorgersen

We want adapters, PicketLink already has quite a few, can we utilise that? Can we provide a single Keycloak PicketLink adapter for everything Java, and then get the correct level of integration and features for: * Fuse * BRMS * WildFly/EAP (Elytron) * JavaEE (WildFly/EAP, Tomcat, Jetty) * Spring * Anything else? Obviously the main benefit is that we don't have to write our own, but would potentially also allow users to switch to another IdP without recoding.

10 years, 2 months

1
0
0 / 0

Is it ok to support multiple managementUrls per application?

by Marek Posolda

The problem I am looking at is sending "Push NotBefore" from keycloak to adapters in cluster. Basically the info about push notBefore should be propagated to all cluster nodes where application is deployed. ATM I am seeing 2 possibilities: a) More managementUrls per ApplicationModel. People would need to configure all nodes where adapter is deployed . Then Keycloak ( ResourceAdminManager ) will be able to send "global" events like pushNotBefore or "logoutAll" to all those nodes. "Normal" logouts will be sent just to single node like now . b) Ensure that notBefore can be replicated on adapters side. I don't like this tbh. It requires adapters to be in replicated cluster, which may not be an option for many deployments, who want to rely just on sticky session. Any of those is not super-ideal, but I don't have better idea to ensure cluster-safe propagation of NotBefore and global logout to all cluster nodes. Better ideas? I have (b) already prototyped and working, but wanted to have ack from you before go further, cleanup, start changing admin console etc. Marek

10 years, 2 months

2
6
0 / 0

Refresh token expires too

by Corinne Krych

Hello Keycloak Today I run into an issue [1] related to the fact that in Keycloak server, refresh tokens are: - renewed after each refresh token request. as described in second paragraph here http://tools.ietf.org/html/rfc6749#section-10.4, - expirable, which is more a surprise to me. (nothing like that in oauth2 spec) So for iOS sdk we’ll need to adjust our logic in here [2] and cater to the fact that if refresh token is expired we’ll need to go through grant ptopup again. To get refresh token expriation date one way is ask to renew refresh and hit a 400, "Refresh token expired” or decode refresh token as done in key cloak.js [3]. Thanks @mposolda for the links. @summers @passos: I guess it’s something you’ll need to consider too for Android sdk. ++ Corinne —————— AeroGear iOS tech lead [1] https://issues.jboss.org/browse/AGIOS-294 [2] https://github.com/aerogear/aerogear-ios-oauth2/blob/master/AeroGearOAuth... [3] https://github.com/keycloak/keycloak/blob/master/integration/js/src/main/..., https://github.com/keycloak/keycloak/blob/master/integration/js/src/main/...

10 years, 2 months

2
4
0 / 0

Is cluster secured?

by Bill Burke

I can't seem to find any configuration file for infinispan caches. Are they set up to be secured? -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 2 months

2
1
0 / 0

Does Keycloak support HA?

by Bappaditya Gorai (bgorai)

Hi Keycloak Dev Team, We are planning to install multiple Keycloak instance behind Load Balancer ,therefore wanted to check whether Keycloak supports HA. If yes, then please let us know since which version HA support is available. We are currently using 1.0-beta-3 with some customization. Thanks Bappaditya

10 years, 2 months

2
1
0 / 0

Automatic sign out from admin console

by Marek Posolda

Sorry to restore the discussion about admin console timeouts, but the situation is still not ideal though... Consider scenario: - I have ssoSessionIdleTimeout 5 minutes - Now I login to admin console and I want to create new federation provider - I am disturbed for 5 minutes - Now I want to go back to admin console and finish creating my federation provider. After filling all the values, I click "Add" button. But session is idle, so I am signed-out and all values I filled in admin console are lost. I wonder if we can still improve things a bit to avoid this? Maybe restore idleTimeout plugin, but instead of having hardcoded timeout value, it will periodically ask Keycloak (say in 1 minutes intervals) for send the remaining timeout value? Also it would need to display the topbar warning with "you will be logged out in N seconds" in case that there are 2 minutes remaining, so it's visible in KC admin console for at least 1 minute. It's still not super-ideal and won't handle all scenarios though (for example if user is going out of browser for these 5 minutes and he comes back, he will be just signed-out). So I am not sure if it worth an effort to add that? Note that this may not be an issue just for KC admin console, but for other JS apps secured by keycloak too (See liveoak admin console https://issues.jboss.org/browse/LIVEOAK-475 ) Marek

10 years, 2 months

1
0
0 / 0

liquibase problems breaking my build

by Bill Burke

Can you explain this liquipoop stuff and how it effects things? I am unable to build locally. I've added a column to RealmEntity and now I'm getting a column not found exception on startup in the testsuite. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 2 months

2
2
0 / 0

Database migration support added

by Stian Thorgersen

I've added database migration support. In summary: * JPA migration is done with Liquibase * Mongo migration is done in a similar way, but no 3rd party lib (Mongo is easier as it's schema-less and single vendor) * connectionsJpa and connectionsMongo will automatically update the database (if databaseSchema = update) For more details look at https://github.com/keycloak/keycloak/blob/master/misc/UpdatingDatabaseSch... If there's any issues let me know!

10 years, 2 months

1
0
0 / 0

Authentication SPI

by Stian Thorgersen

We should consider adding an Authentication SPI. This would be something similar to what we used to have, but should be more flexible (for example allow redirect to other IdPs). This could be used for: * Kerberos bridge * Authenticate with external IdP (SAML or OpenID Connect) * Add custom authentication providers * Additional authentication mechanisms (fingerprint, hardware keys, etc.) Same SPI could also be used for custom multi-factor authenticators. As well as for authenticating non-human users (cert, jwt, etc.). A realm should be able to have more than one authentication mechanism. For example by default users authenticate with username/password (through the user store), but all users with a specific email domain authenticate with an external IdP. At the same time a user could have one or more main authenticators (password, hardware devices, etc.) and one or more secondary authenticators (totp, hardware token, etc.). Certainly needs a lot more thinking/design, but if it's something we're interested in I'd like to look at it.

10 years, 2 months

2
4
0 / 0

Revert changing from Google Authenticator to FreeOTP

by Stian Thorgersen

I'm not a big fan of the recent change from Google Authenticator to FreeOTP. * Google Authenticator is far more widely used than FreeOTP * We have existing users that use Google Authenticator (we know it works for both, but they and their users don't) To support FreeOTP we need to add support for multiple OTP providers so developers/users themselves can choose between the providers, not us.

10 years, 2 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev October 2014