Unifying applications and oauth clients
by Stian Thorgersen
I'm starting work on combining applications and oauth clients into a single client type.
For now there will be a single toggle to enable/disable the grant page, but in the future we can consider having finer-grained control of this. For example, an application can get role-a without a consent screen, but a consent screen would be displayed for role-b.
Depending on how long it takes I may add some sort of filtering option on the admin console to make it easier to find a client.
9 years, 9 months
How to handle empty strings returned by Social login providers in user info - KEYCLOAK-1182
by Vlastimil Elias
Hi,
During the latest testing I found a problem with an empty string returned in the email
field from the GitHub social provider, which causes an HTTP 500 error in later
processing (but it seems only under some other circumstances, not in all
cases), see https://issues.jboss.org/browse/KEYCLOAK-1182
When I look into the code used to take user profile information (email,
name, id) from Social provider REST responses, it simply takes what is
returned and does not care too much what is there.
But other Keycloak code (e.g. search user by email etc.) typically only
checks for null values when testing "existence" of information. If a value
is not null then it is taken as an existing one, so empty strings may bring
problems here as they are used as a valid email later.
I believe KC should look at what is returned from Social providers and
convert empty strings to null values.
It is only a small change in one place -
AbstractOAuth2IdentityProvider.getJsonProperty() - which resolves this
problem.
What do you think about this solution?
I have a patch prepared and it works; I can post it as a pull request after
some additional testing.
Vl.
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
9 years, 9 months
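An added illustration of the point in the message above (not code from the post, the patch or Keycloak): a caller that only checks for null treats "" as a real email, so two unrelated accounts collide on the same key, while normalizing where the value is read avoids it. The Map-based profile, the usersByEmail store and all method names are hypothetical, and trimming whitespace goes slightly beyond the empty-string case the post names.

```java
import java.util.HashMap;
import java.util.Map;

public class EmptyClaimNormalization {
    // Hypothetical stand-in for a user store indexed by email.
    static final Map<String, String> usersByEmail = new HashMap<>();

    // Takes whatever the provider returned, as the post describes.
    static String rawProperty(Map<String, Object> profile, String name) {
        Object value = profile.get(name);
        return value == null ? null : value.toString();
    }

    // The proposed behaviour: an empty (or whitespace-only) value becomes null.
    static String normalizedProperty(Map<String, Object> profile, String name) {
        String value = rawProperty(profile, name);
        return (value == null || value.trim().isEmpty()) ? null : value.trim();
    }

    // Caller that, like the code the post describes, only tests for null.
    static String register(String brokerId, String email) {
        if (email != null) {
            String owner = usersByEmail.putIfAbsent(email, brokerId);
            if (owner != null) {
                return brokerId + ": email already belongs to " + owner;
            }
        }
        return brokerId + ": created";
    }

    public static void main(String[] args) {
        // Constructed profiles: two different accounts, both with email "".
        Map<String, Object> first = Map.of("id", "1001", "email", "");
        Map<String, Object> second = Map.of("id", "1002", "email", "");

        // Raw values: the second account collides with the first on key "".
        System.out.println(register("1001", rawProperty(first, "email")));
        System.out.println(register("1002", rawProperty(second, "email")));

        // Normalized values: both are treated as having no email at all.
        usersByEmail.clear();
        System.out.println(register("1001", normalizedProperty(first, "email")));
        System.out.println(register("1002", normalizedProperty(second, "email")));
    }
}
```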
broker mappers
by Bill Burke
I'm working on broker mappers now. IDP chaining isn't very useful, IMO,
if role information can't be imported.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 9 months
initial PL SAML fork
by Bill Burke
I forked picketlink-federation and some of picketlink common into the
keycloak-saml-core project. I did not really refactor anything, but I
did gut tons of stuff, sts, XACML, and all the WS-*/SOAP stuff,
handlers. I tried to keep it solely focused on just a parsing library.
I also renamed, consolidated and moved packages.
It looks like we still have a few dependencies left, but we're getting
closer to Picketlink-less Keycloak.
Bill
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 9 months
Keycloak 1.2.0.Beta1 Released
by Stian Thorgersen
We're proud to announce the release of Keycloak 1.2.0.Beta1. This is a great release, especially if you're after enterprise capabilities.
The major new features in this release include:
* Protocol mapping - With protocol mapping it's easy to define what claims are added to the token an application receives.
* Kerberos - It's now possible to authenticate with a Keycloak realm using Kerberos tickets through SPNEGO.
* Identity Brokering - As well as Kerberos you can also authenticate with Keycloak with an external SAML 2.0 or OpenID Connect Identity Provider.
* OpenID Connect improvements - We've made several improvements to comply with the OpenID Connect specification and we've also introduced new features such as Discovery, Session Management and UserInfo endpoint.
* Internationalization support for login and account management - Thanks to Michael Gerber the login and account management pages now have internationalization support. We have built in support for English, German and Brazilian Portuguese. We've also made it easy to add your own and if you'd like to contribute a translation let us know.
* Deploy providers as modules - It's now possible to deploy custom providers as modules. This gives you full control of the classloader for your provider.
* Deploy themes as modules - We've made it much simpler to package themes and they can also be deployed as a module. This makes it simpler to distribute themes as well as using custom themes in a cluster.
* Login with Stackoverflow and LinkedIn - Thanks to Vlastimil Eliáš we now have built-in support to login with Stackoverflow and LinkedIn.
* SysLog event listener - Thanks to Giriraj Sharma we now have a syslog event listener.
* Version control on cached resources - A common issue in the past was that the admin console didn't work after upgrading Keycloak. This was caused by the browser caching old html and javascript. We've solved this issue by including a version number in the resource urls, so upgrading should be even simpler now!
To get the release go to www.keycloak.org. For the full lists of issues resolved for this release check https://issues.jboss.org/browse/KEYCLOAK.
Remember to read the migration guide before upgrading as it contains vital information about what's changed and how to upgrade.
9 years, 9 months
User data propagation when keycloak deployed in Wildfly cluster
by Nguyen, Dinh
Hi,
Could someone help me with this question?
I have Keycloak deployed in multiple Wildfly instances in a Wildfly cluster of 3 nodes. If I connect to Keycloak in one WF instance and create a user, is the user information automatically propagated to the other Keycloak in the other Wildfly instances? Or do I have to connect to the other Wildfly instance and create the same user?
Thanks.
9 years, 9 months
WildFly 9 adapter support
by Leonardo Loch Zanivan
I'm trying to deploy a Keycloak-secured application in WildFly 9.0.0-Beta2,
but I got an NPE.
It's working fine with WildFly 8.1.0-Final.
17:41:19,764 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-2)
MSC000001: Failed to start service
jboss.deployment.unit."app.war".POST_MODULE:
org.jboss.msc.service.StartException in service
jboss.deployment.unit."app.war".POST_MODULE: WFLYSRV0153: Failed to process
phase POST_MODULE of deployment "app.war"
at
org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:163)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948)
at
org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
*Caused by: java.lang.NullPointerException at
org.keycloak.subsystem.extension.KeycloakAdapterConfigDeploymentProcessor.deploy(KeycloakAdapterConfigDeploymentProcessor.java:73)*
at
org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:156)
... 5 more
17:41:19,770 ERROR [org.jboss.as.controller.management-operation]
(management-handler-thread - 1) WFLYCTL0013: Operation ("deploy") failed -
address: ([("deployment" => "app.war")]) - failure description:
{"WFLYCTL0080: Failed services" =>
{"jboss.deployment.unit.\"app.war\".POST_MODULE" =>
"org.jboss.msc.service.StartException in service
jboss.deployment.unit.\"app.war\".POST_MODULE: WFLYSRV0153: Failed to
process phase POST_MODULE of deployment \"app.war\"
Caused by: java.lang.NullPointerException"}}
17:41:19,771 ERROR [org.jboss.as.server] (management-handler-thread - 1)
WFLYSRV0021: Deploy of deployment "app.war" was rolled back with the
following failure message:
{"WFLYCTL0080: Failed services" =>
{"jboss.deployment.unit.\"app.war\".POST_MODULE" =>
"org.jboss.msc.service.StartException in service
jboss.deployment.unit.\"app.war\".POST_MODULE: WFLYSRV0153: Failed to
process phase POST_MODULE of deployment \"app.war\"
Caused by: java.lang.NullPointerException"}}
9 years, 9 months