Remaining work for beta-4
by Stian Thorgersen
Outstanding work for beta-4:
* User federation - what's the status?
* Require SSL by default - see previous email, I think we should add this for beta-4
* Access token validation endpoint (KEYCLOAK-585)
* Rename AuditListener/Provider to EventListener/Provider (KEYCLOAK-586, KEYCLOAK-587) - should we do this?
* Support HttpServletRequest.authenticate() (KEYCLOAK-575) - should be simple enough?
* Turn off cookie cache for all http clients (KEYCLOAK-537) - not sure I understand this issue? isn't sticky sessions something that's configured by the load balancer?
* RealmModel should have a link to realm admin app (KEYCLOAK-486) - I don't think the admin console should refer to the app by name, instead it should either have a link or at least the id of the app associated with the realm
* Issue with deploying on AS7 (KEYCLOAK-572) - should be fixed with new PL release, but do we really care about supporting AS7?
Issues I propose we push to beta-5:
* LDAP sync - should this go into beta-5? or even wait until after final?
* Stress tests (KEYCLOAK-514) - we still haven't tested with a large amount of users
* DB optimizations (KEYCLOAK-515) - maybe push this to after final?
* "Transaction not active" while performing a shutdown (KEYCLOAK-470) - I can't replicate this, do we close or just set to no fix version?
* Login with totp includes password in clear text (KEYCLOAK-576) - afaik it's not good to include the password in plain-text in the html set to the client, which we do atm
Anything else?
As a reminder, I'm on PTO next week and Marek is on PTO tomorrow.
10 years, 4 months
Enable SSL by default
by Stian Thorgersen
To make sure no-one goes off and uses Keycloak in production without HTTPS we should require SSL by default. To still allow developers to play with Keycloak without having to configure HTTPS first we should allow non-HTTPS if accessed via localhost only.
10 years, 4 months
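The "require SSL unless the request comes from localhost" policy above, written out as a single decision function. This is an added example, not Keycloak code; the `SslRequired` values, the class name and the method names are assumptions made for the illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;

// Added example (not Keycloak code): the "require SSL except from localhost"
// policy from the mail, as one pure decision function.
public final class SslRequirementCheck {

    // Hypothetical policy values; the mail proposes EXCEPT_LOCALHOST as the default.
    public enum SslRequired { ALL, EXCEPT_LOCALHOST, NONE }

    private SslRequirementCheck() {}

    /**
     * @param mode       policy in effect
     * @param secure     whether the connection itself used TLS, as reported by the
     *                   container (e.g. ServletRequest.isSecure()), never taken
     *                   from a client-controlled header
     * @param remoteAddr peer address of the TCP connection, not an X-Forwarded-For value
     */
    public static boolean isAllowed(SslRequired mode, boolean secure, String remoteAddr) {
        if (secure) {
            return true;
        }
        switch (mode) {
            case NONE:
                return true;
            case ALL:
                return false;
            case EXCEPT_LOCALHOST:
                return isLoopbackLiteral(remoteAddr);
            default:
                throw new IllegalArgumentException("unknown mode " + mode);
        }
    }

    /** True only for an IP literal that is a loopback address (127.0.0.0/8 or ::1). */
    static boolean isLoopbackLiteral(String remoteAddr) {
        if (remoteAddr == null || remoteAddr.isEmpty()) {
            return false;
        }
        // Accept only IP literals. A hostname here would make getByName() do a DNS
        // lookup, and a name that happens to resolve to 127.0.0.1 must not pass.
        boolean ipv4 = remoteAddr.matches("\\d{1,3}(\\.\\d{1,3}){3}");
        boolean ipv6 = remoteAddr.indexOf(':') >= 0 && remoteAddr.matches("[0-9a-fA-F:.]+");
        if (!ipv4 && !ipv6) {
            return false;
        }
        try {
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // malformed literal such as 300.1.1.1
        }
    }

    public static void main(String[] args) {
        SslRequired mode = SslRequired.EXCEPT_LOCALHOST;
        System.out.println(isAllowed(mode, true, "203.0.113.7"));  // true: TLS connection
        System.out.println(isAllowed(mode, false, "127.0.0.1"));   // true: loopback literal
        System.out.println(isAllowed(mode, false, "::1"));         // true: IPv6 loopback
        System.out.println(isAllowed(mode, false, "203.0.113.7")); // false: plain HTTP from the network
        System.out.println(isAllowed(mode, false, "localhost"));   // false: hostname, not a literal
        System.out.println(isAllowed(SslRequired.ALL, false, "127.0.0.1")); // false: ALL has no exception
    }
}
```

The two inputs matter more than the switch: `secure` has to come from the container's view of the connection and `remoteAddr` from the socket peer. Behind a reverse proxy that terminates TLS the container sees plain HTTP from the proxy's address, so the proxy's forwarding has to be configured and trusted explicitly rather than honouring whatever `X-Forwarded-*` header a client sends.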
Sync + federation
by Marek Posolda
Hi,
at this moment I have Sync with LDAP working (one way sync for importing
LDAP users into Keycloak). I tested with ActiveDirectory and OpenDS. On
both I have paginated and also full/partial periodic sync working. Also
UserFederationProvider seems to be working with Active Directory now!
Pedro mentioned that he will do a timestamped picketlink release once we
need it. So far all the LDAP related issues should be fixed, so I've
asked him to do one. Let me know if you are aware of more issues.
The question is how to properly incorporate sync with the current federation
stuff? It looks like both should work together (for example if a customer
is going to write his FederationProvider to retrieve data from his DB,
he will also likely want to sync users from the same DB). Also the sync process
would likely need access to the federation configuration in
UserFederationProviderModel, but some configuration of Sync will be
common for all FederationProviders (For example pagination, periodic for
full/partial sync etc). So I wonder if we can add properties like this
directly into UserFederationProviderModel:
boolean enablePagination;
int pageSize;
long fullSyncPeriod;    // -1 if periodic fullSync should be disabled
long partialSyncPeriod; // -1 if periodic partialSync should be disabled
And for the Admin console UI, we can have some common template, which can be
added into the page of a particular Federation Provider. For example on
federated-ldap.html or federated-generic.html there can be a checkbox at
the bottom of the page like "enable synchronization of users" and when
people check it, it will display other settings (pagination, period for
full/partial sync, a button to trigger sync directly from the admin console etc).
Also not sure how to properly incorporate it into UserFederationProvider
API... Actually UserFederationProvider is supposed to be per-session
component whenever Sync process may actually use more
session/transaction lifecycles. So adding methods for sync directly into
UserFederationProvider may not work though... I wonder if we can have
method on UserFederationProviderFactory:
UserSyncProvider getInstance(KeycloakSessionFactory sessionFactory,
UserFederationProviderModel model);
And UserSyncProvider being something like this:
public interface UserSyncProvider {
    void syncAllUsers(KeycloakSessionFactory sessionFactory,
                      UserFederationProviderFactory fedFactory, String realmId,
                      UserFederationProviderModel fedModel);
    void syncChangedUsers(KeycloakSessionFactory sessionFactory,
                          UserFederationProviderFactory fedFactory, String realmId,
                          UserFederationProviderModel fedModel, Date lastSync);
}
UserFederationProviderFactory may not be needed though as it can be
retrieved from KeycloakSessionFactory+UserFederationProviderModel, just
a convenience as UserSyncProvider will likely almost always need it. wdyt?
Note that I already have sync working with LDAP, so once we decide on
API+configuration and once we have picketlink release, I can easily
incorporate it.
Marek
10 years, 4 months
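A timer-driven scheduler built on the `UserSyncProvider` interface and the four configuration fields proposed in the mail, showing how the `-1` convention, the first run and the `lastSync` watermark fit together. This is an added example, not Keycloak or Marek's code: the Keycloak types are empty stand-ins, periods are taken to be milliseconds, and `SyncScheduler`, `Action`, `tick` and `dueAction` are names invented here.

```java
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

// Added example (not Keycloak code). Stand-ins for the Keycloak types named in the mail.
class KeycloakSessionFactory {}
class UserFederationProviderFactory {}

// The sync settings proposed for UserFederationProviderModel (field names from the mail).
class UserFederationProviderModel {
    boolean enablePagination;     // consumed by the provider, not by the scheduler
    int pageSize;
    long fullSyncPeriod = -1;     // millis; -1 disables periodic full sync
    long partialSyncPeriod = -1;  // millis; -1 disables periodic partial sync
}

interface UserSyncProvider {
    void syncAllUsers(KeycloakSessionFactory sessionFactory,
                      UserFederationProviderFactory fedFactory, String realmId,
                      UserFederationProviderModel fedModel);
    void syncChangedUsers(KeycloakSessionFactory sessionFactory,
                          UserFederationProviderFactory fedFactory, String realmId,
                          UserFederationProviderModel fedModel, Date lastSync);
}

class SyncScheduler {
    enum Action { NONE, FULL, PARTIAL }

    private final KeycloakSessionFactory sessionFactory;
    private final UserFederationProviderFactory fedFactory;
    private final String realmId;
    private final UserFederationProviderModel model;
    private final UserSyncProvider provider;
    private Date lastFullSync;  // null until the first successful full sync
    private Date lastAnySync;   // watermark handed to syncChangedUsers

    SyncScheduler(KeycloakSessionFactory sessionFactory, UserFederationProviderFactory fedFactory,
                  String realmId, UserFederationProviderModel model, UserSyncProvider provider) {
        this.sessionFactory = sessionFactory;
        this.fedFactory = fedFactory;
        this.realmId = realmId;
        this.model = model;
        this.provider = provider;
    }

    /** Called from a periodic timer; runs at most one sync per tick. */
    Action tick(Date now) {
        Action action = dueAction(now);
        if (action == Action.NONE) {
            return action;
        }
        // The watermark is the time the sync STARTED, so changes made while it runs
        // fall into the next partial window instead of being skipped.
        Date started = now;
        if (action == Action.FULL) {
            provider.syncAllUsers(sessionFactory, fedFactory, realmId, model);
            lastFullSync = started;
        } else {
            provider.syncChangedUsers(sessionFactory, fedFactory, realmId, model, lastAnySync);
        }
        lastAnySync = started;  // advanced only after the provider returned without throwing
        return action;
    }

    Action dueAction(Date now) {
        if (isDue(model.fullSyncPeriod, lastFullSync, now)) {
            return Action.FULL;
        }
        if (isDue(model.partialSyncPeriod, lastAnySync, now)) {
            // No watermark yet means nothing to diff against: import everything once.
            return lastAnySync == null ? Action.FULL : Action.PARTIAL;
        }
        return Action.NONE;
    }

    static boolean isDue(long periodMillis, Date last, Date now) {
        if (periodMillis < 0) return false;  // disabled, per the proposed -1 convention
        if (last == null) return true;       // never run yet
        return now.getTime() - last.getTime() >= periodMillis;
    }

    public static void main(String[] args) {
        final List<String> log = new ArrayList<>();
        UserSyncProvider recording = new UserSyncProvider() {  // records calls instead of touching LDAP
            public void syncAllUsers(KeycloakSessionFactory sf, UserFederationProviderFactory ff,
                                     String realm, UserFederationProviderModel m) { log.add("full"); }
            public void syncChangedUsers(KeycloakSessionFactory sf, UserFederationProviderFactory ff,
                                         String realm, UserFederationProviderModel m, Date lastSync) {
                log.add("partial since " + lastSync.getTime());
            }
        };
        UserFederationProviderModel model = new UserFederationProviderModel();
        model.fullSyncPeriod = 24L * 3600 * 1000;  // daily full sync
        model.partialSyncPeriod = 3600 * 1000L;    // hourly partial sync
        SyncScheduler scheduler = new SyncScheduler(new KeycloakSessionFactory(),
                new UserFederationProviderFactory(), "demo-realm", model, recording);
        long t0 = 0L;  // constructed epoch millis
        for (long offset : new long[] {0, 30 * 60 * 1000L, 3600 * 1000L, 24L * 3600 * 1000}) {
            System.out.println(offset + " ms -> " + scheduler.tick(new Date(t0 + offset)));
        }
        System.out.println(log);  // [full, partial since 0, full]
    }
}
```

The four ticks print FULL, NONE, PARTIAL and FULL: the first partial window is only opened by a completed full sync, and the daily full sync also resets the partial watermark, which is what the mail's "full/partial periodic sync" implies.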
release timelines
by Bill Burke
I set up the release timelines. IMO, the dates are set with no moving
of them unless there is a blocker bug.
Beta-4: August 6th. This can't be delayed. Whatever is not done by
EOD Monday is deferred.
1.0-RC-1: August 21st.
1.0.0.Final: September 9th.
We have 34 outstanding issues.
There should only be bug fixes, example/docs, and minor look and feel
changes after RC1. The week before the final release, I'll be updating
all the screencasts so there should be no visual changes please!
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 4 months
almost done with my UserFederation work
by Bill Burke
General changes:
* method signatures have changed a little on UserFederationProvider
* UserFederationProviderModel exposes priority and display name.
Display name is what will be shown in the federation provider list in
the admin console. It defaults to the id of the provider.
* UserFederationProviderFactory now has a getOptions() method. This
lists attributes available for configuration on generic html page.
(Same as auth provider did).
LDAP changes:
* LDAPFederationProvider has new config option called EditMode
- READ_ONLY mode. Exception will be thrown if UserModel.setFirst,
Last, Email, or Username is called. Also, if update of password is
performed
- WRITEABLE mode. Calls LDAP server to update those 4 attributes and
password
- UNSYNCED mode. Doesn't callback to LDAP server to update. Password
can be overridden locally.
* LDAPFederationProvider has new config option syncRegistrations
true/false. If set to true, if the provider has priority, any addUser()
call will add the user to LDAP too.
UI work:
* There is an LDAP specific screen
* There is a generic user federation provider configuration screen
* Searches now query user providers and should show up on user list page.
* View user page will show a link back to the User Federation Provider
if the user has been loaded via federation.
Left to be done:
* Behavior on when a provider is deleted.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 4 months
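The three `EditMode` values described above, enforced in one wrapper around a federated user. This is an added example, not the LDAPFederationProvider code: `LdapWriter`, `LocalUser` and `LdapBackedUser` are stand-ins invented here, the LDAP attribute names assume an inetOrgPerson schema (Active Directory uses different names, e.g. `sAMAccountName`), and the hash function is a placeholder.

```java
import java.util.HashMap;
import java.util.Map;

// Added example (not Keycloak code): one place that decides what each
// EditMode permits for the four attributes and the password named in the mail.
enum EditMode { READ_ONLY, WRITEABLE, UNSYNCED }

// Stand-in for the directory client.
interface LdapWriter {
    void updateAttribute(String dn, String attribute, String value);
    void updatePassword(String dn, String newPassword);
}

// Stand-in for the locally stored copy of the user.
class LocalUser {
    final Map<String, String> attrs = new HashMap<>();
    String passwordHash;  // null while the password lives only in LDAP
}

class LdapBackedUser {
    private final EditMode mode;
    private final String dn;
    private final LocalUser local;
    private final LdapWriter ldap;

    LdapBackedUser(EditMode mode, String dn, LocalUser local, LdapWriter ldap) {
        this.mode = mode;
        this.dn = dn;
        this.local = local;
        this.ldap = ldap;
    }

    // The four setters the mail lists; attribute names assume inetOrgPerson.
    void setFirstName(String v) { write("givenName", "firstName", v); }
    void setLastName(String v)  { write("sn", "lastName", v); }
    void setEmail(String v)     { write("mail", "email", v); }
    void setUsername(String v)  { write("uid", "username", v); }

    private void write(String ldapAttr, String localAttr, String value) {
        switch (mode) {
            case READ_ONLY:
                throw new IllegalStateException(localAttr + " is read-only for LDAP users");
            case WRITEABLE:
                ldap.updateAttribute(dn, ldapAttr, value);  // the directory stays authoritative
                local.attrs.put(localAttr, value);          // keep the local copy consistent
                break;
            case UNSYNCED:
                local.attrs.put(localAttr, value);          // local copy diverges by design
                break;
        }
    }

    void updatePassword(String newPassword) {
        switch (mode) {
            case READ_ONLY:
                throw new IllegalStateException("password is managed in LDAP");
            case WRITEABLE:
                ldap.updatePassword(dn, newPassword);
                local.passwordHash = null;  // no local copy; LDAP verifies the password
                break;
            case UNSYNCED:
                local.passwordHash = hash(newPassword);  // local override, LDAP untouched
                break;
        }
    }

    // Placeholder only; a real implementation uses a slow password hash (PBKDF2, bcrypt).
    private static String hash(String s) { return "placeholder-hash:" + Integer.toHexString(s.hashCode()); }

    public static void main(String[] args) {
        LdapWriter recording = new LdapWriter() {  // prints instead of contacting a directory
            public void updateAttribute(String dn, String a, String v) { System.out.println("LDAP " + dn + " " + a + "=" + v); }
            public void updatePassword(String dn, String p) { System.out.println("LDAP " + dn + " password changed"); }
        };
        String dn = "uid=alice,ou=people,dc=example,dc=com";  // constructed
        for (EditMode mode : EditMode.values()) {
            LocalUser local = new LocalUser();
            LdapBackedUser user = new LdapBackedUser(mode, dn, local, recording);
            try {
                user.setEmail("alice@example.com");
                user.updatePassword("new-secret");
                System.out.println(mode + ": local=" + local.attrs + " hash=" + local.passwordHash);
            } catch (IllegalStateException e) {
                System.out.println(mode + ": rejected: " + e.getMessage());
            }
        }
    }
}
```

Run it and READ_ONLY rejects the first write, WRITEABLE prints two LDAP calls and keeps no local password, and UNSYNCED touches only the local copy. Keeping the decision in one `switch` per operation is what makes it easy to confirm that no path stores a password locally in WRITEABLE mode or writes to the directory in UNSYNCED mode.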
Need advice on bootstrapping Keycloak
by Stan Silvert
Hi guys,
My overall goal is to unite JBoss user-facing products via Keycloak
SSO. The first major task is make it as easy as possible to use
Keycloak with the WildFly web console. I have this working, but it
takes quite a bit of setup.
Ideally, there should be a simple switch in WildFly that says, "Use
Keycloak for web console", and it all just works.
So I'm looking for ideas on how to automate these setup tasks:
* Deploy Keycloak auth server and keycloak-ds.xml
* Seed the database with an initial realm, user, roles, and two applications
* Create keycloak.json files or populate keycloak subsystem for the two
apps.
Thanks in advance,
Stan
10 years, 4 months
need feedback on pluggable fed console UI
by Bill Burke
I'm kind of at a block with providing an SPI to plugin federation
provider console UIs.
I would need to:
1. Provide a way to dynamically load the javascript of the plug
- index.html could be processed with Freemarker or some other brute
force means to add the appropriate <script> elements
- Could add <script> tags within javascript (not sure about this, see
$routeProvider)
2. $routeProvider can only be set up once it seems? Function pointers
need to already be established for controllers.
3. We have to worry about name clashes with other admin console angular
components?
I'm just not sure I want to create a full-fledged "portlet" spi at this
late juncture. My thinking is to hard code LDAP and any other provider
has to be configured through keycloak_server.json or via a generic
properties page.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years, 4 months