Why do I have to enter the OTP?
by Bill Burke
Why does a user have to enter the OTP generated by their mobile
device? Wouldn't it be cooler if the steps were:
1. Enter username and password in the browser
2. Browser blocks and waits for...
3. Press a button on your OTP iPhone app
4. iPhone app sends an HTTP message to Keycloak with username and
generated OTP (in background)
5. Keycloak sees if a browser app is waiting for OTP verification, then
verifies OTP if so.
6. Browser unblocks and lets user in.
Now, the user doesn't ever have to enter the OTP (and mess it up like I
do all the time). They just need their mobile device.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years
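The six steps above as a runnable model, added here as an illustration; this is not Keycloak code and the class, method names and in-memory tables are assumptions for the example. The server parks a browser login after the password check, the phone app posts the TOTP in the background, and the browser polls until it is released. Two details a practitioner would want that the sketch leaves implicit are included: an OTP is only honoured when a login is actually waiting for that user, and each TOTP time step is accepted once, so an intercepted code cannot be replayed to complete a later login.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


class OtpPushServer:
    """Constructed stand-in for the server side of the proposed flow (not Keycloak code)."""

    def __init__(self, users, step=30, window=1):
        self.users = users          # username -> (password, otp_secret); plaintext only for brevity
        self.step = step
        self.window = window        # accept +/- this many steps of clock skew
        self.pending = {}           # username -> login_id whose browser is blocked waiting
        self.status = {}            # login_id -> "WAITING" | "AUTHENTICATED"
        self.last_counter = {}      # username -> highest TOTP counter already accepted

    def browser_login(self, username, password):
        """Steps 1-2: check the password, then park the browser on a login id."""
        pw, _ = self.users.get(username, (None, None))
        if pw is None or not hmac.compare_digest(pw.encode(), password.encode()):
            return None
        login_id = secrets.token_urlsafe(16)
        self.pending[username] = login_id
        self.status[login_id] = "WAITING"
        return login_id

    def device_submit(self, username, otp, now=None):
        """Steps 3-5: the phone app posts username + OTP in the background.

        The OTP only completes a login that is actually waiting, each TOTP counter
        is accepted once (no replay), and the comparison is constant-time.
        """
        now = int(time.time()) if now is None else now
        login_id = self.pending.get(username)
        if login_id is None:
            return False            # nothing is waiting for this user: drop the unsolicited OTP
        _, secret = self.users[username]
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter.get(username, -1):
                continue            # this time step was already used to log in
            if hmac.compare_digest(hotp(secret, c), otp):
                self.last_counter[username] = c
                self.status[login_id] = "AUTHENTICATED"
                del self.pending[username]
                return True
        return False

    def browser_poll(self, login_id):
        """Step 6: the blocked browser asks whether it may proceed."""
        return self.status.get(login_id, "UNKNOWN")
```

The secret used in the test is the RFC 4226/6238 reference secret, so the expected code at T=59 can be checked against the RFC's own vectors.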
logout by redirect
by Bill Burke
* Adding a flag to ClientModel "backchannelLogout"
* Adding a method to LoginProtocol "Response
redirectLogout(UserSessionModel, ClientSessionModel)"
* Adding a flag to ClientSessionModel "loggedOut" ... or ... rename the
Action attribute to State and add a "LOGGED_OUT" state.
* Adding a redirectLogout REST endpoint for OIDC.
* Adding a redirectLogout REST endpoint for adapters.
Algorithm will be:
1. do all backchannel logouts
2. Find a logged in client
3. Redirect based on protocol
4. Receive logout success from a redirection, goto 2
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years
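The four-step algorithm above, modelled as an added example (not Keycloak code): backchannel logouts are done first, then the coordinator walks the remaining logged-in client sessions one redirect at a time, advancing only when the client's redirect comes back. The dataclasses, the `LOGGING_OUT` and `LOGOUT_FAILED` states and the URL shapes are assumptions made for the example; the proposal only names a `LOGGED_OUT` state. The check in `redirect_callback` is the one worth keeping: a callback is accepted only for the client that was just redirected to, so a forged "logout success" cannot mark a session as done that was never told to log out.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Client:
    client_id: str
    protocol: str              # "openid-connect" or "saml"
    backchannel_logout: bool   # the proposed ClientModel flag
    logout_url: str


@dataclass
class ClientSession:
    client: Client
    state: str = "LOGGED_IN"   # proposed State attribute; LOGGING_OUT/LOGOUT_FAILED are assumed here


@dataclass
class UserSession:
    id: str
    client_sessions: List[ClientSession]


@dataclass
class Redirect:
    client_id: str
    protocol: str
    url: str


class LogoutCoordinator:
    def __init__(self, backchannel_send: Callable[[Client, str], bool]):
        self.backchannel_send = backchannel_send   # server-to-adapter call; True on success

    def start(self, us: UserSession) -> Optional[Redirect]:
        """Step 1: every backchannel-capable client is logged out server-to-server first."""
        for cs in us.client_sessions:
            if cs.state == "LOGGED_IN" and cs.client.backchannel_logout:
                ok = self.backchannel_send(cs.client, us.id)
                cs.state = "LOGGED_OUT" if ok else "LOGOUT_FAILED"
        return self._advance(us)

    def redirect_callback(self, us: UserSession, client_id: str) -> Optional[Redirect]:
        """Step 4: a client bounced the browser back. Accept it only for the client we
        just redirected to, so a forged callback cannot mark another session as done."""
        cs = next((c for c in us.client_sessions if c.client.client_id == client_id), None)
        if cs is None or cs.state != "LOGGING_OUT":
            raise ValueError(f"unexpected logout callback for {client_id}")
        cs.state = "LOGGED_OUT"
        return self._advance(us)

    def _advance(self, us: UserSession) -> Optional[Redirect]:
        """Steps 2-3: pick the next logged-in client and build its protocol-specific redirect."""
        cs = next((c for c in us.client_sessions if c.state == "LOGGED_IN"), None)
        if cs is None:
            return None                         # nothing left: the user session can be removed
        cs.state = "LOGGING_OUT"
        if cs.client.protocol == "openid-connect":
            url = f"{cs.client.logout_url}?session_state={us.id}"
        else:
            url = f"{cs.client.logout_url}?RelayState={us.id}"
        return Redirect(cs.client.client_id, cs.client.protocol, url)


def run_logout(coord: LogoutCoordinator, us: UserSession) -> List[str]:
    """Drive the loop the way a browser would; returns the order of front-channel redirects."""
    order = []
    r = coord.start(us)
    while r is not None:
        order.append(r.client_id)
        r = coord.redirect_callback(us, r.client_id)
    return order
```

A client whose backchannel call fails is left in `LOGOUT_FAILED` rather than `LOGGED_IN`, so the redirect loop in `_advance` terminates instead of retrying it forever.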
Device registration and verification
by Pedro Igor Silva
Hi,
I was wondering if we can support device registration and verification during login as follows:
1) Users can enable/disable this behavior in the admin console for a specific realm.
2) After a successful login, KC checks if the user's device is known. For instance, browser and operating system.
3) If not recognized, KC shows a page asking the user if he wants to enable the device.
4) KC sends an email to the user with a code.
5) When trying to login again, the user must provide the code to register the new device and get authenticated.
6) From now on, users can authenticate without being asked for permission if using the same device.
Any thoughts ?
Regards.
Pedro Igor
10 years
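The six steps above as a runnable model, added here as an illustration and not code from Keycloak or from the proposal's author; the marker tables, class and method names and the in-memory stores are assumptions for the example. The device is recognised by browser and OS family taken from the User-Agent, as step 2 suggests, which is a convenience label rather than proof of anything (the header is freely forgeable), so the real control is the e-mailed code: it is bound to the device that asked for it, single use, short-lived, and limited to a handful of attempts.

```python
import hmac
import secrets

# Ordered so that more specific markers win: Android UAs also contain "Linux",
# iPhone UAs also contain "Mac OS X", Chrome UAs also contain "Safari".
OS_MARKERS = [("Windows", "windows"), ("Android", "android"), ("iPhone", "ios"),
              ("Mac OS X", "macos"), ("Linux", "linux")]
BROWSER_MARKERS = [("Edg/", "edge"), ("Firefox/", "firefox"), ("Chrome/", "chrome"),
                   ("Safari/", "safari")]


def device_fingerprint(user_agent: str) -> str:
    """Browser + OS family from the User-Agent (step 2). A label, not proof: anyone
    can send the same header, so it must never replace the e-mailed code."""
    os_family = next((n for m, n in OS_MARKERS if m in user_agent), "unknown-os")
    browser = next((n for m, n in BROWSER_MARKERS if m in user_agent), "unknown-browser")
    return f"{browser}/{os_family}"


class DeviceRegistration:
    def __init__(self, enabled=True, code_ttl=600, max_attempts=5):
        self.enabled = enabled          # step 1: realm-level switch
        self.code_ttl = code_ttl        # seconds the e-mailed code stays valid
        self.max_attempts = max_attempts
        self.known = {}                 # username -> set of registered fingerprints
        self.pending = {}               # (username, fingerprint) -> {code, expires, attempts}
        self.outbox = []                # (username, code): stand-in for the e-mail in step 4

    def after_login(self, username: str, user_agent: str, now: int) -> str:
        """Steps 2-4: after a successful password login, decide whether this device is known."""
        fp = device_fingerprint(user_agent)
        if not self.enabled or fp in self.known.get(username, set()):
            return "AUTHENTICATED"      # step 6: known device, no further prompt
        code = secrets.token_hex(4)     # 32 bits of entropy; single use and short-lived
        self.pending[(username, fp)] = {"code": code, "expires": now + self.code_ttl, "attempts": 0}
        self.outbox.append((username, code))
        return "DEVICE_VERIFICATION_REQUIRED"

    def confirm(self, username: str, user_agent: str, code: str, now: int) -> bool:
        """Step 5: the code from the e-mail registers the requesting device for this user."""
        key = (username, device_fingerprint(user_agent))
        entry = self.pending.get(key)
        if entry is None:
            return False                # no code was issued for this user/device pair
        if now > entry["expires"] or entry["attempts"] >= self.max_attempts:
            del self.pending[key]       # expired or being guessed: the user must start over
            return False
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["code"], code):
            return False
        del self.pending[key]           # single use
        self.known.setdefault(username, set()).add(key[1])
        return True
```

The User-Agent strings in the test are constructed samples, not captured traffic.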
Keycloak Wildfly adapter question
by Nguyen, Dinh
Hi all,
I already have Wildfly 8.1.0.Final installed, and am trying to install the Keycloak war distribution 1.1.0.Beta2. When deploying the client Keycloak Wildfly adapter dist 1.1.0.Beta2 to Wildfly, I notice that the adapter overrides some Wildfly module files to use different jar files than the ones provided by Wildfly. In particular,
1. the file ../modules/system/layers/base/org/jboss/as/cli/main/module.xml is replaced to use wildfly-cli-1.0.0.Alpha12.jar instead of the provided file wildfly-cli-8.1.0.Final.jar.
2. The file ../modules/system/layers/base/org/jboss/aesh/main/module.xml is replaced to use aesh-0.33.12.jar instead of the Wildfly provided file aesh-0.33.11.jar
My questions are:
1. What is the difference between the Wildfly provided jar files and the Keycloak ones?
2. Why does Keycloak use different files than the ones provided by the Wildfly distribution?
3. Is there any impact if I use the Wildfly provided jar files instead of the Keycloak ones?
Thanks.
10 years
NPE after migrate to 1.1.0.x series
by Bruno Oliveira
Good morning, after banging my head against the wall I decided to ask for help. We started the
tests with Keycloak 1.1.0.Beta1 and Beta2, but after deploying it we get an NPE on UPS.
What I identified was that after the commit 94de88ef3b305ad971f81d8610e98a5297f97cd0 the DefaultKeycloakSession
will raise the NPE at:
    public <T extends Provider> T getProvider(Class<T> clazz) {
        Integer hash = clazz.hashCode();
        T provider = (T) providers.get(hash);
        if (provider == null) {
            ProviderFactory<T> providerFactory = factory.getProviderFactory(clazz);
            if (providerFactory != null) {
                provider = providerFactory.create(this);
                providers.put(hash, provider);
            }
        }
        return provider; // Provider will return null here
    }
Maybe it is some misconfiguration at https://github.com/keycloak/keycloak/blob/master/project-integrations/aer..., but after digging into the KC sources I couldn't find anything weird.
To reproduce the issue with WildFly 8.2.0.final just go to keycloak/project-integrations and run: mvn -Pwildfly clean install wildfly:deploy.
Thanks in advance.
--
abstractj
PGP: 0x84DC9914
10 years
release very soon?
by Bill Burke
Are we gonna release very soon? I'm nervous about conflicting with
Pedro's work and want 1.1 released so I can start on new stuff.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years
keycloak/resteasy problem
by Stan Silvert
I'm trying to call the keycloak rest API using the keycloak admin
client. The call works fine from a web app but when I try to do the
same thing from the keycloak subsystem I get this:
14:01:51,918 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-15) MSC000001: Failed to start service jboss.deployment.unit."VanillaWAR.war".REGISTER: org.jboss.msc.service.StartException in service jboss.deployment.unit."VanillaWAR.war".REGISTER: JBAS018733: Failed to process phase REGISTER of deployment "VanillaWAR.war"
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:166) [wildfly-server-8.1.0.Final.jar:8.1.0.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.7.0_51]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.7.0_51]
    at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_51]
Caused by: javax.ws.rs.ProcessingException: Unable to invoke request
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102)
    at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62)
    at com.sun.proxy.$Proxy20.grantToken(Unknown Source)
    at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:56)
    at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:33)
    at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:28)
    at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:28)
    at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:36)
    at org.keycloak.subsystem.extension.SeamlessSecurityDeploymentProcessor.addDeploymentToAuthServer(SeamlessSecurityDeploymentProcessor.java:117)
    at org.keycloak.subsystem.extension.SeamlessSecurityDeploymentProcessor.deploy(SeamlessSecurityDeploymentProcessor.java:104)
    at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:159) [wildfly-server-8.1.0.Final.jar:8.1.0.Final]
    ... 5 more
Caused by: javax.ws.rs.ProcessingException: could not find writer for content-type application/x-www-form-urlencoded type: javax.ws.rs.core.Form$1
    at org.jboss.resteasy.core.interception.ClientWriterInterceptorContext.throwWriterNotFoundException(ClientWriterInterceptorContext.java:40)
    at org.jboss.resteasy.core.interception.AbstractWriterInterceptorContext.getWriter(AbstractWriterInterceptorContext.java:138)
    at org.jboss.resteasy.core.interception.AbstractWriterInterceptorContext.proceed(AbstractWriterInterceptorContext.java:117)
    at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.writeRequestBody(ClientInvocation.java:341)
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.writeRequestBodyToOutputStream(ApacheHttpClient4Engine.java:558)
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.buildEntity(ApacheHttpClient4Engine.java:524)
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.loadHttpMethod(ApacheHttpClient4Engine.java:423)
    at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:281)
    ... 17 more
Any ideas?
10 years