identity broker changes
by Bill Burke
SPI has changed to support logout and multiple callback endpoints (i.e.
keycloak oidc chaining will require a logout callback). This SPI is
quite complex, so I don't think we want to expose this to users. I'm
not very happy with it, but I'm not sure how to improve it yet.
What works now:
* If logged in via a SAML broker, a keycloak initiated browser logout
will log out of the SAML broker too.
What do I still need to do:
* Make "Update profile" false by default.
* Improve saml admin console page.
* Implement OIDC broker keycloak initiated browser logout.
* Implement OIDC logout endpoint so that I can test OIDC brokering with
Keycloak as a parent.
* Implement SAML backchannel logout where the parent IDP sends a
backchannel logout request.
* Create a new "Keycloak OIDC" provider which extends OIDC and adds
keycloak extensions like logout.
* Review to make sure error handling is correct.
So, still a lot to do, but I'm at a milestone.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years
Authentication and Required Actions SPI
by Stian Thorgersen
I'd like to start on an Authentication SPI soon. At the same time I want to add a Required Actions SPI as it should be very related and work in a similar way.
10 years
Java 8?
by Stan Silvert
Java 7 is end of life next month. Elytron requires Java 8.
Any opinion on when we should start using it? If I keep Elytron tests
in the testsuite then the testsuite would need to run with Java 8.
Stan
10 years
Invalid value for iss
by Stian Thorgersen
According to the spec 'iss' should be:
REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components
However, we only use realm name. As that's invalid according to the spec (and also the same iss used for multiple KC servers) I propose we change it to:
<AUTH URL>/realms/<REALM-NAME>
For example:
http://localhost:8080/realms/master
10 years
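As an added example that is not part of the thread or of Keycloak's own code: a small Python checker for the spec rule quoted above and for the proposed issuer format. A bare realm name fails because it has no scheme or host; the `http://localhost:8080` example from the post fails too unless the http scheme is explicitly allowed for local development, which is a caveat worth keeping in mind before copying that example into a production client. The claims dict and hostnames below are constructed for illustration.

```python
from urllib.parse import urlsplit


def is_valid_issuer(iss: str, allow_http: bool = False) -> bool:
    """Check `iss` against the OIDC Core issuer rule quoted in the post:
    a case-sensitive https URL with scheme, host, optional port and path,
    and no query or fragment components.

    allow_http relaxes the scheme check for local development only; the
    http://localhost:8080 example in the post is rejected otherwise.
    """
    parts = urlsplit(iss)
    if parts.scheme != "https" and not (allow_http and parts.scheme == "http"):
        return False
    if not parts.hostname:            # a bare realm name such as "master" has no host
        return False
    if parts.query or parts.fragment:  # "?x=1" or "#top" are not permitted
        return False
    return True


def realm_issuer(auth_url: str, realm: str) -> str:
    """Build the proposed issuer <AUTH URL>/realms/<REALM-NAME>."""
    return f"{auth_url.rstrip('/')}/realms/{realm}"


def check_token_issuer(claims: dict, expected_iss: str, allow_http: bool = False) -> bool:
    """Verify the iss claim of an ID token whose signature has already been checked.

    The comparison is an exact, case-sensitive string match, so tokens from
    two Keycloak servers that both have a realm called "master" no longer
    look alike once the server URL is part of the issuer.
    """
    iss = claims.get("iss")
    return (
        isinstance(iss, str)
        and is_valid_issuer(iss, allow_http)
        and iss == expected_iss
    )


if __name__ == "__main__":
    # Constructed claims, not copied from a real token.
    expected = realm_issuer("https://sso.example.com/auth", "master")
    good = {"iss": expected, "sub": "e8620950-494a-422a-9430-bf8a001b64b6"}
    legacy = {"iss": "master", "sub": "e8620950-494a-422a-9430-bf8a001b64b6"}
    print("new format accepted:", check_token_issuer(good, expected))
    print("realm-name-only iss accepted:", check_token_issuer(legacy, expected))
```

A relying party that validates `iss` this way will reject tokens from a server still emitting the realm name, so the change is a wire-format break for existing clients and should be rolled out together with updated adapters.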
usersession-based UserModels
by Bill Burke
I'm thinking more and more we need UserSession based UserModels. This
would be the case where nothing is imported for a user with either
brokering or federation, but rather stored in memory for the duration of
the UserSession.
If user metadata (role mappings, etc.) is all obtained from external
sources, there really is no need to import the data and import is just a
huge performance hit.
I ran into this with "transient" nameid format and SAML brokering. In
this scenario the parent IDP generates a new userid each and every
login. This is to define an anonymous user. So, every time a user logs
in, a brand new user would be created in the keycloak database.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
10 years
Restrict admins to only allow granting roles they are privileged to
by Stian Thorgersen
I propose we add a check when an admin wants to grant a role. For an admin to be allowed to grant a role the admin either has to have the admin/realm-admin role or have the role itself. This prevents admins from adding more privileges to themselves than they already have and would also be a way to allow admins that can only manage roles for specific applications.
This should be a simple fix. In the future I think we may need to re-design how we map permissions for Keycloak. I'm really not that happy with the realm apps and such, it's messy and not flexible enough.
10 years
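The rule proposed above, written out as an added Python example (not Keycloak's code): a granting admin may assign a role only if they hold a realm admin role or already hold the exact role being assigned. Roles are modelled as a name plus an optional owning client so the example also covers the "admins that only manage roles for specific applications" case from the post. The role names `admin` and `realm-admin`, the client names and the user data are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Assumption: these are the realm-level roles the post refers to as admin/realm-admin.
REALM_ADMIN_ROLES = frozenset({"admin", "realm-admin"})


@dataclass(frozen=True)
class Role:
    name: str
    client: Optional[str] = None  # None = realm role; otherwise the application that owns it


def can_grant(granter_roles: Set[Role], target: Role) -> bool:
    """The granting admin must hold a realm admin role or the exact target role.

    Only a *realm* role named admin/realm-admin counts; a client role that
    happens to be called "admin" does not unlock realm-wide grants.
    """
    if any(r.client is None and r.name in REALM_ADMIN_ROLES for r in granter_roles):
        return True
    return target in granter_roles


def grant_role(granter_roles: Set[Role], user_roles: Set[Role], target: Role) -> Set[Role]:
    """Apply the check before the mapping is written; returns the updated set."""
    if not can_grant(granter_roles, target):
        raise PermissionError(f"not allowed to grant {target!r}")
    user_roles.add(target)
    return user_roles


if __name__ == "__main__":
    realm_admin = {Role("realm-admin")}
    app_admin = {Role("manager", client="app1")}   # may only hand out app1's "manager"
    user: Set[Role] = set()

    grant_role(app_admin, user, Role("manager", client="app1"))      # allowed: holds the role
    try:
        grant_role(app_admin, user, Role("realm-admin"))             # blocked: self-escalation
    except PermissionError as e:
        print("blocked:", e)
    grant_role(realm_admin, user, Role("manager", client="app2"))    # realm admins may grant anything
    print(sorted((r.client or "", r.name) for r in user))
```

The check has to run on the server side of the admin REST call, not only in the console; otherwise an admin can still escalate by calling the API directly.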
Cannot login to fresh KC + Postgres setup
by Libor Krzyžanek
Hi,
I have the latest 1.2.0-Beta1 installation and I cannot login via admin/admin to master realm after fresh installation.
I see tables in postgres but cannot login.
Deployment is EAP 6.3 with proper modules + Postgres 9.2.8 (everything on Openshift, in keycloak-server.json I use Openshift’s Postgres datasource defined in standalone.xml)
I’m checking tables and I see
keycloak=# select * from USER_ENTITY;
id | email | email_constraint | email_verified | enabled | federation_link | first_name | last_name | realm_id | totp | username
--------------------------------------+-------+--------------------------------------+----------------+---------+-----------------+------------+-----------+----------+------+----------
e8620950-494a-422a-9430-bf8a001b64b6 | | 05634ab8-5856-4587-a42b-9dadb1eef591 | f | t | | | | master | f | admin
(1 row)
keycloak=# select * from credential where user_id='e8620950-494a-422a-9430-bf8a001b64b6';
id | device | hash_iterations | salt | type | value | user_id
--------------------------------------+--------+-----------------+------------------------------------+----------+------------------------------------------------------------------------------------------+--------------------------------------
675d7483-746e-4195-a544-327027890492 | | 1 | \xa1a0aa3ca2e4ef65e26794805ed1248c | password | b8Ue+oLgrvdUWp4bzKAXoFfSli90ENUSPp439uIqks8iOMcMypjetKYbwZI8Qu1sTwXVZwdEJ6hVf/9hGa66FQ== | e8620950-494a-422a-9430-bf8a001b64b6
(1 row)
However USERNAME_LOGIN_FAILURE is empty.
rhdssodev2=# select * from USERNAME_LOGIN_FAILURE;
realm_id | username | failed_login_not_before | last_failure | last_ip_failure | num_failures
----------+----------+-------------------------+--------------+-----------------+--------------
(0 rows)
Is it a known issue?
Here is snippet from log:
2015/03/25 06:02:34,378 WARN [org.jboss.resteasy.core.ResourceLocator] (http-/127.5.255.129:8080-3) Field uriInfo of subresource org.keycloak.services.resources.LoginActionsService will not be injected according to spec
2015/03/25 06:02:34,378 WARN [org.jboss.resteasy.core.ResourceLocator] (http-/127.5.255.129:8080-3) Field clientConnection of subresource org.keycloak.services.resources.LoginActionsService will not be injected according to spec
2015/03/25 06:02:34,378 WARN [org.jboss.resteasy.core.ResourceLocator] (http-/127.5.255.129:8080-3) Field providers of subresource org.keycloak.services.resources.LoginActionsService will not be injected according to spec
2015/03/25 06:02:34,378 WARN [org.jboss.resteasy.core.ResourceLocator] (http-/127.5.255.129:8080-3) Field session of subresource org.keycloak.services.resources.LoginActionsService will not be injected according to spec
2015/03/25 06:02:34,423 DEBUG [org.keycloak.services.managers.AuthenticationManager] (http-/127.5.255.129:8080-3) validating password for user: admin
2015/03/25 06:02:34,424 DEBUG [org.keycloak.services.managers.AuthenticationManager] (http-/127.5.255.129:8080-3) Expiring remember me cookie
2015/03/25 06:02:34,425 DEBUG [org.keycloak.services.managers.AuthenticationManager] (http-/127.5.255.129:8080-3) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/master
2015/03/25 06:02:34,431 DEBUG [freemarker.cache] (http-/127.5.255.129:8080-3) "template.ftl"["en_US",UTF-8,parsed] using cached since vfs:/content/ROOT.war/WEB-INF/lib/keycloak-forms-common-themes-1.2.0.Beta1-SNAPSHOT.jar/theme/base/login/template.ftl didn't change.
Thanks,
Libor Krzyžanek
jboss.org Development Team
10 years
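One check a practitioner can run on a row like the one posted above, as an added Python example that is not from the thread or from Keycloak: recompute the stored password hash offline to tell a credential problem apart from a login-flow problem. It assumes the Keycloak 1.x credential layout, namely PBKDF2 with HMAC-SHA1, a 512-bit derived key, a random salt stored as bytea (psql prints it in `\x...` form) and the derived key base64-encoded in `value`; the posted row, with a 16-byte salt and an 88-character base64 value (64 bytes), is consistent with that layout, but the algorithm choice is an assumption of this example, and the `encode_credential` rows it builds are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumption: Keycloak 1.x password credentials = PBKDF2-HMAC-SHA1, 512-bit key.
DERIVED_KEY_LEN = 64


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, DERIVED_KEY_LEN)


def encode_credential(password: str, iterations: int = 1) -> dict:
    """Produce a constructed row shaped like the CREDENTIAL table output above."""
    salt = os.urandom(16)
    return {
        "type": "password",
        "hash_iterations": iterations,
        "salt": "\\x" + salt.hex(),  # psql renders bytea columns in this hex form
        "value": base64.b64encode(derive(password, salt, iterations)).decode("ascii"),
    }


def verify_credential(password: str, row: dict) -> bool:
    """Recompute the hash from a CREDENTIAL row and compare in constant time."""
    if row.get("type") != "password":
        return False
    salt_hex = row["salt"]
    if salt_hex.startswith("\\x"):   # strip the psql bytea prefix if present
        salt_hex = salt_hex[2:]
    salt = bytes.fromhex(salt_hex)
    stored = base64.b64decode(row["value"])
    if len(stored) != DERIVED_KEY_LEN:
        return False  # not the layout this checker understands
    return hmac.compare_digest(derive(password, salt, int(row["hash_iterations"])), stored)


# The admin row from the post, copied verbatim so the check can be rerun against it.
POSTED_ROW = {
    "type": "password",
    "hash_iterations": 1,
    "salt": "\\xa1a0aa3ca2e4ef65e26794805ed1248c",
    "value": "b8Ue+oLgrvdUWp4bzKAXoFfSli90ENUSPp439uIqks8iOMcMypjetKYbwZI8Qu1sTwXVZwdEJ6hVf/9hGa66FQ==",
}

if __name__ == "__main__":
    print("posted admin row matches 'admin':", verify_credential("admin", POSTED_ROW))
```

If the recomputed hash matches, the stored credential is fine and the problem lies elsewhere in the login flow (the log above does reach "validating password for user: admin"); if it does not, the row was written with a different password or a different hashing scheme than the one assumed here. Note also that `hash_iterations` is 1 in the posted row, which is the server default of that era and far too few for a production deployment.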