January 2015 - keycloak-dev - Jboss List Archives

by Bill Burke

http://intothesymmetry.blogspot.ch/2015/01/top-5-oauth-2-implementation.html I think we're pretty good, the ones I worry about is relative urls in redirect URI checks i.e. "http://cloud.com/provisioned/good-site/../hacker-site" I'll log a bug for this if you agree that relative redirect URLs shouldn't be allowed. (Those containing "." and "..") Another really dangerous thing that we do is have full-scope-allowed set to true by default. If a rogue client gets registered, they pretty much have access to every single application the user can access with all of their privileges. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 11 months

3
7
0 / 0

Why do I have to enter the OTP?

by Bill Burke

Why does a user have to enter in the OTP generated by their mobile device? Wouldn't it be cooler if the steps were: 1. Enter in username password in the browser 2. Browser blocks and wait for... 3. Press a button on your OTP iphone app 4. iphone app sends an HTTP message to Keycloak with username and generated OTP (in background) 5. Keycloak sees if a browser app is waiting for OTP verification, then verifies OTP if so. 6. Browser unblocks and lets user in. Now, the user doesn't ever have to enter the OTP (and mess it up like I do all the time). They just need their mobile device. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 11 months

6
15
0 / 0

logout by redirect

by Bill Burke

* Adding a flag to ClientModel "backchannelLogout" * Adding a method to LoginProtocol "Response redirectLogout(UserSessionModel, ClientSessionModel)" * Adding a flag to ClientSessionModel "loggedOut" ... or ... rename the Action attribute to State and add a "LOGGED_OUT" state. * Adding a redirectLogout REST endpoint for OIDC. * Adding a redirectLogout REST endpoint for adapters. Algorithm will be: 1. do all backchannel logouts 2. Find a logged in client 3. Redirect based on protocol 4. Receive logout success from a redirection, goto 2 -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 11 months

2
1
0 / 0

Device registration and verification

by Pedro Igor Silva

Hi, I was wondering if we can support device registration and verification during login as follows: 1) Users can enable/disable behavior in admin console for a specific realm. 2) After a successful login, KC checks if the user's device is known. For instance, Browser and Operating System. 3) If not recognized, KC shows a page asking user if he wants to enable the device. 4) KC sends an email to user with a code. 5) When trying to login again, user must provide the code to register the new device and get authenticated. 6) For now on, users can authenticate without asking for permission if using the same device. Any thoughts ? Regards. Pedro Igor

10 years, 11 months

5
22
0 / 0

Deploying keycloak in non jboss containers

by coolmind182006 .

I have documented my findings here <https://reachmnadeem.wordpress.com/2015/01/14/deploying-keycloak-in-tomcat/> https://reachmnadeem.wordpress.com/2015/01/14/deploying-keycloak-in-tomcat/ Not sure if it can help the community.

10 years, 11 months

1
0
0 / 0

Keycloak Wildfly adapter question

by Nguyen, Dinh

Hi all, I already have Wildfly 8.1.0.Final installed, and try to install Keycloak war distribtion 1.1.0.Beta2. When deploying the client Keycload Wildfly adapter dist 1.1.0.Beta2 to Wildfly, I notice that the adapter overrides the some Wildfly module file to use different jar file than the one provided by Wildfly. In particular, 1. the file ../modules/system/layers/base/org/jboss/as/cli/main/module.xml is replaced to use wildfly-cli-1.0.0.Alpha12.jar instead of the provided file wildfly-cli-8.1.0.Final.jar. 2. The file ../modules/system/layers/base/org/jboss/aesh/main/module.xml is replaced to use aesh-0.33.12.jar instead of the Wildfly provided file ash-0.33.11.jar My question are: 1. What is the difference of the Wildfly provided jar files and the Keycloak ones? 2. Why Keycloak uses a different files than the one provided by the Wildfly distribution? 3. Is there any impact if I uses the Wildfly provided jar files instead of the Keycloak one? Thanks.

10 years, 11 months

1
0
0 / 0

NPE after migrate to 1.1.0.x series

by Bruno Oliveira

Good morning, after banging my head against the wall I decided to ask for help. We started the tests with Keycloak 1.1.0.Beta1 and Beta2, although after deploying it we get NPE on UPS. What I identified was that after the commit 94de88ef3b305ad971f81d8610e98a5297f97cd0 the DefaultKeycloakSession will raise the NPE at: public <T extends Provider> T getProvider(Class<T> clazz) { Integer hash = clazz.hashCode(); T provider = (T) providers.get(hash); if (provider == null) { ProviderFactory<T> providerFactory = factory.getProviderFactory(clazz); if (providerFactory != null) { provider = providerFactory.create(this); providers.put(hash, provider); } } return provider; //Provider will return null here } Maybe is some misconfiguration at https://github.com/keycloak/keycloak/blob/master/project-integrations/aer..., but after dig into KC sources I couldn't find anything weird. To reproduce the issues with WildFly 8.2.0.final just go to keycloak/project-integrations and run: mvn -Pwildfly clean install wildfly:deploy. Thanks in advance. -- abstractj PGP: 0x84DC9914

10 years, 11 months

2
1
0 / 0

release very soon?

by Bill Burke

Are we gonna release very soon? I'm nervous about conflicting with Pedro's work and want 1.1 released so I can start on new stuff. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 11 months

3
2
0 / 0

keycloak/resteasy problem

by Stan Silvert

I'm trying to call the keycloak rest API using the keycloak admin client. The call works fine from a web app but when I try to do the same thing from the keycloak subsystem I get this: 14:01:51,918 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-15) MSC000001: Failed to start service jboss.deployment.unit."VanillaWAR.war".REGISTER: org.jboss.ms c.service.StartException in service jboss.deployment.unit."VanillaWAR.war".REGISTER: JBAS018733: Failed to process phase REGISTER of deployment "VanillaWAR.war" at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:166) [wildfly-server-8.1.0.Final.jar:8.1.0.Final] at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.2.Final.jar:1.2.2.Final] at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.2.Final.jar:1.2.2.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [rt.jar:1.7.0_51] at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [rt.jar:1.7.0_51] at java.lang.Thread.run(Unknown Source) [rt.jar:1.7.0_51] Caused by: javax.ws.rs.ProcessingException: Unable to invoke request at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:287) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.invoke(ClientInvocation.java:407) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker.invoke(ClientInvoker.java:102) at org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy.invoke(ClientProxy.java:62) at com.sun.proxy.$Proxy20.grantToken(Unknown Source) at org.keycloak.admin.client.token.TokenManager.grantToken(TokenManager.java:56) at org.keycloak.admin.client.token.TokenManager.getAccessToken(TokenManager.java:33) at org.keycloak.admin.client.token.TokenManager.getAccessTokenString(TokenManager.java:28) at org.keycloak.admin.client.Keycloak.<init>(Keycloak.java:28) at org.keycloak.admin.client.Keycloak.getInstance(Keycloak.java:36) at org.keycloak.subsystem.extension.SeamlessSecurityDeploymentProcessor.addDeploymentToAuthServer(SeamlessSecurityDeploymentProcessor.java:117) at org.keycloak.subsystem.extension.SeamlessSecurityDeploymentProcessor.deploy(SeamlessSecurityDeploymentProcessor.java:104) at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:159) [wildfly-server-8.1.0.Final.jar:8.1.0.Final] ... 5 more Caused by: javax.ws.rs.ProcessingException: could not find writer for content-type application/x-www-form-urlencoded type: javax.ws.rs.core.Form$1 at org.jboss.resteasy.core.interception.ClientWriterInterceptorContext.throwWriterNotFoundException(ClientWriterInterceptorContext.java:40) at org.jboss.resteasy.core.interception.AbstractWriterInterceptorContext.getWriter(AbstractWriterInterceptorContext.java:138) at org.jboss.resteasy.core.interception.AbstractWriterInterceptorContext.proceed(AbstractWriterInterceptorContext.java:117) at org.jboss.resteasy.client.jaxrs.internal.ClientInvocation.writeRequestBody(ClientInvocation.java:341) at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.writeRequestBodyToOutputStream(ApacheHttpClient4Engine.java:558) at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.buildEntity(ApacheHttpClient4Engine.java:524) at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.loadHttpMethod(ApacheHttpClient4Engine.java:423) at org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient4Engine.invoke(ApacheHttpClient4Engine.java:281) ... 17 more Any ideas?

10 years, 11 months

1
0
0 / 0

Poll - should we replace the Keycloak logo?

by Stian Thorgersen

If we want to replace the Keycloak logo we can get the jboss.org design team to come up with one for us. This doesn't guarantee that we'll get anything better than we already have, but in that case we'll just stick with what we got. So! Do we want a new one or not? Please vote https://doodle.com/vqqtfi3gvrkmsy48

10 years, 11 months

3
3
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev January 2015