Stateless session management pushed
by Marek Posolda
Some summary of my changes:
- Added new parameter "http_session_id" to code-to-token request. It's
not mandatory and used just for AS7/Wildfly adapters. In Keycloak, it's
saved as note in ClientSessionModel.
- ResourceAdminManager refactored to use the IDs of httpSession, which
are retrieved from ClientSessions. Removed username and
keycloakSessionId from LogoutAction
- Adapter statistics removed and everything related to them.
- UndertowUserSessionManagement and CatalinaUserManagement are now fully
stateless.
- Added new config option to adapters 'always-refresh-token' as we
discussed. If it's true, then adapter will always send request to
refresh accessToken during authentication (doesn't apply for bearer
authentication, just for cookie). In the end I've used this approach
instead of validating accessToken. It seems to be safer (no window) and
you are always fine with 1 additional request. This option is useful in
a cluster in case you have non-distributable sessions. With
non-distributable it could happen that your user logged on node1, but
logout request from KC is handled on node2 where httpSession doesn't
exist. This is no issue with "distributable" sessions as those are
replicated and hence logout can happen on any node.
- https://issues.jboss.org/browse/KEYCLOAK-741 -- If refreshing token
fails from adapters, then httpSession is invalidated immediately.
So clustering on the adapter side works well now for both Wildfly & EAP 6.3.
Questions & remaining work:
- I am not so happy with logout for apps with non-distributable HTTP
sessions. It can be handled with 'always-refresh-token' but it's
a performance penalty to always refresh the token. The alternative might be to
also send the hostname in the code-to-token request. This would help as
ResourceAdminManager will be able to detect to which node to send the request
to invalidate the http session. Is it worth adding?
- Is it ok to have a parameter like "http_session_id" or should it
instead be something more generic like "adapter_session_id"? I am not sure
whether 'Http Session' is a JEE-specific term. I looked at OpenID Connect
and nothing like this is mentioned there (in fact OpenID Connect
doesn't handle single sign-out).
- Should we add https://issues.jboss.org/browse/KEYCLOAK-702 (Support
for storing token in cookie instead of HttpSession) or is it ok to leave
it for later? Note that for logout it will require
'always-refresh-token' or "hostname" stuff I mentioned above.
thoughts?
Marek
10 years, 2 months
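The trade-off Marek describes between validating the access token locally and always refreshing it can be made concrete. The following is an added example, not Keycloak adapter code: a constructed model in which an SSO logout is processed on a node that has no httpSession for the user, and a later cookie-authenticated request is checked either offline (signature and expiry only) or by a refresh round trip. The class names, the 5-minute TOKEN_LIFETIME_MS and the token shapes are illustrative assumptions.

```javascript
// Added example, not Keycloak adapter code: a constructed model of the two ways a
// cookie-authenticated adapter can decide whether a user is still logged in after
// a single-sign-out that was processed on another node. Class names, the
// TOKEN_LIFETIME_MS value and the token shapes are illustrative assumptions.

const TOKEN_LIFETIME_MS = 5 * 60 * 1000; // 5-minute access token, an assumed value

// Stand-in for the Keycloak server: it tracks user sessions and refuses to
// refresh a token once the session has been logged out.
class AuthServer {
  constructor() {
    this.sessions = new Map(); // sessionId -> { refreshToken, loggedOut }
    this.counter = 0;
  }

  login(now) {
    const sessionId = 'session-' + (++this.counter);
    const refreshToken = 'refresh-' + (++this.counter);
    this.sessions.set(sessionId, { refreshToken, loggedOut: false });
    // The access token is self-contained (signed), so an adapter can check its
    // expiry offline without contacting the server.
    return { sessionId, refreshToken, accessToken: { sessionId, exp: now + TOKEN_LIFETIME_MS } };
  }

  // Single-sign-out for the whole user session. In the scenario from the post
  // the logout request reaches an adapter node that has no httpSession for this
  // user, so only the server-side state changes.
  logout(sessionId) {
    const s = this.sessions.get(sessionId);
    if (s) s.loggedOut = true;
  }

  refresh(refreshToken, now) {
    for (const [sessionId, s] of this.sessions) {
      if (s.refreshToken === refreshToken) {
        return s.loggedOut ? null : { sessionId, exp: now + TOKEN_LIFETIME_MS };
      }
    }
    return null;
  }
}

// Offline check: only signature and expiry can be verified locally (the signature
// is assumed valid here). It cannot see a logout that happened after issuance.
function accessTokenStillValid(accessToken, now) {
  return accessToken.exp > now;
}

// Stand-in for the adapter's cookie authentication path. Returns whether the
// request is authenticated and how many round trips to the server were needed.
function authenticateFromCookie(server, cookie, now, alwaysRefreshToken) {
  if (!alwaysRefreshToken && accessTokenStillValid(cookie.accessToken, now)) {
    return { authenticated: true, requests: 0 }; // fast path: trust the local check
  }
  // Either 'always-refresh-token' is on or the token has expired: ask the server.
  const fresh = server.refresh(cookie.refreshToken, now);
  if (fresh === null) {
    // Refresh failed: the post says the httpSession is invalidated immediately.
    cookie.accessToken = null;
    return { authenticated: false, requests: 1 };
  }
  cookie.accessToken = fresh;
  return { authenticated: true, requests: 1 };
}

// Scenario: login at t=0, optional SSO logout right after, then a request at `now`.
function simulateRequest(alwaysRefreshToken, loggedOut, now) {
  const server = new AuthServer();
  const login = server.login(0);
  const cookie = { accessToken: login.accessToken, refreshToken: login.refreshToken };
  if (loggedOut) server.logout(login.sessionId);
  return authenticateFromCookie(server, cookie, now, alwaysRefreshToken);
}
```

With local validation, a request one minute after logout is still accepted because the token has four minutes left; with `always-refresh-token` the same request is rejected at the cost of one extra round trip, which is the "no window" property claimed in the post.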
Creating Users with no Email Address
by Ken Finnigan
Hi,
It used to be possible to create multiple users with no email address.
With 1.0.1.Final, and maybe earlier versions, it's no longer possible. As
soon as a user is created with no email address set, any other user created
cannot also be left without an email address.
The Keycloak Admin console doesn't specify email address as a required
field, so I was wondering whether this is a bug, and whether it's a bug in
the UI or the model?
No problem creating a JIRA; I just wanted to verify I wasn't mistaken about
what's happening.
Thanks
Ken Finnigan
10 years, 2 months
important changes/additions
by Bill Burke
Some recent changes in my last commit.
* Just changed the admin console to use ids instead of names for
applications in URLs because of the Angular encoding bug. I will do
this for oauth clients tomorrow.
* Admin REST API is backwards compatible, but I added an additional
parallel path where appropriate so that REST queries can use app ids
instead of names. I will be doing the same for oauth clients too.
* I added attributes to ClientModel as well as a new protocol property.
There's some extra metadata that SAML needs to store. Flags and
client keypairs.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 2 months
admin console will use IDs for urls
by Bill Burke
Using URLs for application and oauth client names will be the norm for
SAML and probably also very common for openid-connect too, since a lot of
spec examples use URLs IIRC.
Angular JS does not like URLs, specifically encoded slashes. I've tried
a bunch of things, but can't really get everything to work completely
and properly. We should just switch back to IDs for referencing
applications and oauth clients. To facilitate that I'm going to keep
the old REST api, but add
realms/{realm-name}/applications-by-id/{id}
realms/{realm-name}/oauth-clients-by-id/{id}
Very minimal changes on the server side, but the admin console is going
to require a lot of work :(
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 2 months
need angular js help!
by Bill Burke
I can't figure out how to encode a link in an HTML page for Angular JS:
<td><a href="#/realms/{{realm.realm}}/applications/{{app.name | encodeUri}}">{{app.name}}</a></td>
I wrote a filter to do this "encodeUri" that is getting invoked, but the
link still is not encoded when displayed. ARG!!!!
module.filter('encodeUri', function($window) {
    // Encode a single path segment so that '/' and ':' in app names become %2F and %3A.
    return function(str) {
        return encodeURIComponent(str);
    };
});
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 2 months
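The two posts above ("admin console will use IDs for urls" and "need angular js help!") describe the same problem: a segment-based hash router decodes the path and splits it on '/', so an application name that is itself a URL breaks the match even when the link was built with `encodeURIComponent`. The following is an added example, not code from the Keycloak admin console or from Angular. The route patterns and the `applications-by-id` path come from the posts; the matcher is a simplified stand-in for ngRoute written here to show the failure and why opaque ids avoid it, and the decode-then-split behaviour it models is an assumption stated in the code.

```javascript
// Added example, not code from the Keycloak admin console or from Angular.
// It models the behaviour the two posts run into: a segment-based hash router
// percent-decodes the path once and then splits it on '/', so a route parameter
// whose value is itself a URL breaks the match even when the link was encoded.
// The matcher is a simplified stand-in for ngRoute, not its real implementation.

// The corrected filter body from the "need angular js help!" post.
function encodeUri(str) {
  return encodeURIComponent(str);
}

function buildAppLinkByName(realm, appName) {
  return '#/realms/' + encodeUri(realm) + '/applications/' + encodeUri(appName);
}

function buildAppLinkById(realm, appId) {
  return '#/realms/' + encodeUri(realm) + '/applications-by-id/' + encodeUri(appId);
}

// Minimal ':param' route matcher. Returns the bound parameters or null.
function matchRoute(pattern, hashLink) {
  const patternParts = pattern.split('/');
  // Assumption modelled here: the router decodes the whole path before
  // splitting, which is why an encoded '%2F' reappears as a segment separator.
  const pathParts = decodeURIComponent(hashLink.replace(/^#/, '')).split('/');
  if (patternParts.length !== pathParts.length) return null;
  const params = {};
  for (let i = 0; i < patternParts.length; i++) {
    if (patternParts[i].startsWith(':')) {
      params[patternParts[i].slice(1)] = pathParts[i];
    } else if (patternParts[i] !== pathParts[i]) {
      return null;
    }
  }
  return params;
}

// Route patterns from the posts: the old name-based one and the new id-based one.
const NAME_ROUTE = '/realms/:realm/applications/:name';
const ID_ROUTE = '/realms/:realm/applications-by-id/:id';

// Opaque ids must never contain a separator. Reject anything else before it is
// used to build a link, so a URL-shaped name cannot sneak back into the path.
function isOpaqueId(value) {
  return /^[A-Za-z0-9_-]+$/.test(value);
}
```

A plain name still matches the name-based route, a URL-valued name does not (the decoded path has eight segments instead of five), and the id-based route matches as long as the id passes `isOpaqueId`.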
Data migration strategy
by Stian Thorgersen
As mentioned before, to allow users to keep their existing database when upgrading to a new version we'll need a migration strategy.
There are 3 separate things to deal with: the JPA database, the Mongo database and finally the JSON representation (exports). For 1.1.0.Beta1, as the JPA and Mongo schemas have changed, we'll need to sort this out for this release. JSON representations have not changed (afaik) so we can leave this for later when it's needed.
For relational databases I propose (and I have a working prototype for this) we use Liquibase. Liquibase makes it possible to create a generic "change-set" that transforms a database from one version to the next. As it supports creating these change-sets from a running database, it's fairly trivial to generate them automatically and only requires a short review. If data in any columns needs updating or adding, that still needs to be done manually. The change-sets are also database-agnostic and Liquibase converts these into SQL specific to the current database. I've made a JPAUpdaterSpi, with Liquibase being an optional provider. This means there's no hard dependency on Liquibase. However, if it's not included it won't be possible to upgrade the database automatically. In that case the user could use the Liquibase command line tool to update the database manually.
For Mongo databases I propose something similar to Liquibase, but we'll have to write it ourselves. We'll create an interface that has one method transform(DB db), and for each release where data has changed we'll have to provide an implementation of this that can rewrite the data. We'll maintain a list of these transformations, and store which has been applied in a collection.
For representations (again we don't need this now) we'll do something similar to Mongo, a chain of transforms that can convert the JSON representations from one version to the next.
With regards to Liquibase, there was recently a thread on tag that suggests we discuss inclusion of 3rd party components in projects. AeroGear also has similar needs and they want to use Liquibase as well. Just to make sure there are no issues with using Liquibase I'll write a mail to tag. Although, other similar projects are far from as nice as Liquibase (don't have database-agnostic scripts, don't have automatic generation of changesets, etc.). If we had to do it manually we'd have to replicate what Liquibase does with regards to recording applied changes in a table, then we'd also have to write SQL scripts for each release for each database we support.
First, before I write a mail to tag: any objections to using Liquibase here? Or proposals for another solution?
10 years, 2 months
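The Mongo and JSON-representation parts of the proposal above share one design: an ordered list of versioned transforms, each rewriting the data in place, with the ids of applied transforms recorded so that an upgrade can be re-run safely (the same bookkeeping Liquibase does in its changelog table). The following is an added example, not Keycloak's migration code: a constructed in-memory model of that chain. The transform ids, the field changes (a `protocol` property and an `attributes` map on clients, loosely following the ClientModel additions mentioned elsewhere on this page) and the sample data are illustrative assumptions.

```javascript
// Added example, not Keycloak's migration code: a constructed model of the
// Mongo/JSON "chain of transforms" approach. The transform ids, the field
// changes and the sample data are illustrative assumptions.

// Each step rewrites the database in place and is identified by a stable id.
// Array order is upgrade order; later steps may rely on earlier ones.
const TRANSFORMS = [
  {
    id: '1.0.x-to-1.1.0.Beta1-client-protocol',
    transform(db) {
      // Hypothetical change: every client gains a protocol and an attributes map.
      for (const client of db.collections.clients) {
        if (client.protocol === undefined) client.protocol = 'openid-connect';
        if (client.attributes === undefined) client.attributes = {};
      }
    },
  },
  {
    id: '1.1.0.Beta1-saml-flags',
    transform(db) {
      // Depends on the previous step: SAML clients store extra flags in attributes.
      for (const client of db.collections.clients) {
        if (client.protocol === 'saml' && client.attributes.signAssertions === undefined) {
          client.attributes.signAssertions = 'true';
        }
      }
    },
  },
];

// Applies every transform that has not been recorded yet and records it.
// Returns the ids that ran this time (empty when the database is current).
function upgrade(db, transforms = TRANSFORMS) {
  const applied = db.collections.appliedTransforms; // role of Liquibase's changelog table
  const known = new Set(transforms.map((t) => t.id));
  for (const record of applied) {
    // A recorded id this code does not know means the data was written by a
    // newer version; refuse rather than silently run an older chain over it.
    if (!known.has(record.id)) {
      throw new Error('database has unknown transform applied: ' + record.id);
    }
  }
  const done = new Set(applied.map((r) => r.id));
  const ran = [];
  for (const t of transforms) {
    if (done.has(t.id)) continue;
    t.transform(db);
    applied.push({ id: t.id, order: applied.length + 1 });
    ran.push(t.id);
  }
  return ran;
}

// Constructed sample "database" in the pre-1.1.0.Beta1 shape.
function makeSampleDb() {
  return {
    collections: {
      clients: [
        { name: 'customer-portal' },
        { name: 'saml-app', protocol: 'saml' },
      ],
      appliedTransforms: [],
    },
  };
}
```

Running `upgrade` twice applies each transform once; a database that already records an id unknown to the running code is rejected instead of being partially rewritten.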
node.js support
by Lucas Holmquist
So I know node.js support is on the roadmap; I was wondering if you guys have any thoughts on what that will look like at this point?
I’m playing around with the idea of creating an “adapter” for passport.js, http://passportjs.org/, that would hook into KC.
-Luke
10 years, 2 months
What causes this?
by Stan Silvert
I've screwed something up. I've seen this before, but I can't for the
life of me remember what causes it. Look familiar to any of you guys?
09:00:40,332 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-8) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./customer-portal: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./customer-portal: Failed to start service
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1904) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.7.0_51]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.7.0_51]
    at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_51]
Caused by: java.lang.RuntimeException: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:219)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:87)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.start(UndertowDeploymentService.java:72)
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    ... 3 more
Caused by: java.lang.RuntimeException: UT010039: Unknown authentication mechanism KEYCLOAK
    at io.undertow.servlet.core.DeploymentManagerImpl.setupSecurityHandlers(DeploymentManagerImpl.java:320)
    at io.undertow.servlet.core.DeploymentManagerImpl.deploy(DeploymentManagerImpl.java:195)
    ... 7 more
10 years, 2 months