The Keycloak team is proud to announce the release of Keycloak 1.1.0.Final. Highlights in this release includes:
* SAML 2.0
* Jetty, Tomcat and Fuse adapters
* HTTP Security Proxy
* Automatic migration of db schema
We’re already started working on features for the next release. Some exiting features coming soon includes:
* Identity brokering
* Custom user profiles
* OpenID Connect interop
I have just downloaded the 1.1.0.Final release and found that every 5
seconds the admin console browser page refreshes. This is, I think,
preventing me from adding my realm.json export file. I am
using keycloak-appliance-dist-all-1.1.0.Final. Please advise.
As a side note, I was trying to see if the 1.1.0.Final release correctly
handled the KEYCLOAK_RESOURCE role added to the Oauth Client for one of my
realms. Since the usage of this client is trusted, so want to not have to
grant access to the resources every time for the client. There is nothing
in the documentation on how to set that up, only in the Login Algorithm
page on the github wiki. Please advise as how to use this feature.
“Problems cannot be solved by the same level of thinking that created them.”
“Learn from yesterday, live for today, hope for tomorrow. The important
thing is not to stop questioning.
Albert Einstein <http://thinkexist.com/quotes/albert_einstein/>
I was thinking of having a few aggregate modules instead of having one
jboss-deployment-structure.xml that includes everything (50+ modules).
keycloak-server - includes base SPIs and keycloak-providers module
keycloak-providers - includes JPA and infinispan providers by default
keycloak-mongo-providers - all stuff that uses mongo
keycloak-jpa-providers - all stuff that uses jpa
keycloak-infinispan-providers - all stuff that uses infinispan
keycloak-social-plugins - all social provider plugins
This way, if dependencies need to be added/removed/modified, you don't
have to edit the WAR.
Sorry I've taken so long... A lot of distractions this week.
JBoss, a division of Red Hat
Travis CI is now running tests automatically when there's a new push or PR to Keycloak. The results can be seen here https://travis-ci.org/keycloak/keycloak, but Travis also adds the status of the tests to each PRs comment section.
This only tests JDK7 and H2 in-mem, so we still need Jenkins for that. I've changed Jenkins to not run any tests on pushes, but instead it runs all tests every 24h.
Am 26. Januar 2015 um 20:49 schrieb Bill Burke <bburke(a)redhat.com>:
> On 1/26/2015 1:31 PM, Michael Gerber wrote:
>>> Am 26.01.2015 um 18:36 schrieb Bill Burke <bburke(a)redhat.com
>>> On 1/26/2015 12:12 PM, Michael Gerber wrote:
>>>>> Am 26.01.2015 um 16:54 schrieb Bill Burke <bburke(a)redhat.com
>>>>>> On 1/26/2015 8:45 AM, Stian Thorgersen wrote:
>>>>>> ----- Original Message -----
>>>>>>> From: "Bill Burke" <bburke(a)redhat.com <mailto:email@example.com>>
>>>>>>> To: keycloak-dev(a)lists.jboss.org <mailto:firstname.lastname@example.org>
>>>>>>> Sent: Monday, January 26, 2015 2:27:30 PM
>>>>>>> Subject: Re: [keycloak-dev] Rest password can cause cookie not found
>>>>>>> Wouldn't this work?
>>>>>>> 1) store "state" of state cookie in user session.
>>>>>>> 2) embed user session and state of state cookie in URL
>>>>>>> Of course this screws up your "shorter URL" crusade.
>>>>>> I'm not following - the problem isn't remembering the state
>>>>>> variable in Keycloak, that's already sorted as we already store all
>>>>>> the query params passed by the client in the client session (state,
>>>>>> redirect_uri, etc). The problem is storing it on the adapter side.
>>>>> I think I get it...
>>>>> 1. Send email
>>>>> 2. Close browser
>>>>> 3. Open browser
>>>>> 4. Click email link
>>>>> 5. Reset password
>>>>> 6. Redirect back to app
>>>>> 7. App barfs because of state cookie
>>>>> Persistent state cookie sounds like cleanest and simplest solution. I
>>>>> just worry we'll introduce different bugs, or if we're opening up some
>>>>> kind of security hole. Maybe I'm just paranoid.
>>>> That doesn't work if the user uses two different browsers. This is
>>>> the case in a lot of companies (at least in Switzerland :)) where the
>>>> users are forced to use ie (default) but rather work with firefox.
>>> Unless we extend the protocol, or don’t redirect from the email, I
>>> don’t see a fix.
>> If the password reset process would redirect without the code and state
>> param, than the adapter would redirect back to the keycloak, and
>> keycloak can authenticate the user with its identity cookie…
>> But I don’t know if that is ok with the protocol.
> So maybe have a session cookie that is set by the auth server. If that
> cookie is set when clicking the email url, redirect with code, if not,
> redirect without it.
That sounds good, what do the other think about this fallback option?
I can update the JIRA issue if anybody is happy with that solution.
> Bill Burke
> JBoss, a division of Red Hat
SyncProvidersTest.testLDAPSync and CookieTokenStoreAdapterTest.testTokenInCookieRefresh are failing for me once in a while. Also fails on Jenkins.
SyncProvidersTest.testLDAPSync:142->assertUserImported:191 expected:<User5FN[Updated]> but was:<User5FN>
Anyone know why these are failing?
Someone reported https://issues.jboss.org/browse/KEYCLOAK-1014. In summary if you click on reset password, close the browser, then click the link in the email to recover password the state cookie won't be set.
Some suggestions on how to solve this:
* Store state variable in non-session cookie (with some sensible expiration 24h?)
* Generate/verify state using HMAC on the server-side instead of using uuid
* Improve error message on client side if state is not correct, basically asking user to re-login - can this be easily implemented in the app itself with the adapter today?
KEYCLOAK-996 is about allowing clients to select an existing identity provider when sending an authentication request to the server. Initially, this is all about passing the IdP id and automatically redirect the user to its login page. Without even show KC's login page.
IMO instead of using an "idp_hint", like proposed in that JIRA, we may start using the "acr_values" parameter as defined by OIDC specs. I think this parameter better fits the purpose and will allow us to support LoAs in the future as well.
The acr value in this case would be something like "idp-X", where X is the id of the identity provider.
What do you think ?