Am I doing this right?
by Stan Silvert
Temporary home for Keycloak/Elytron integration is here:
https://github.com/ssilvert/keycloak-elytron-temp
In looking back over it, I realize I need to ask some general questions.
The way the initial realm implementation works is that I implement the
Elytron realm interface. Whenever Elytron asks for a user
authentication, it calls out to a Keycloak server to validate credentials.
The way I'm doing that right now is to use a Direct Access Grant. I
adapted some of Bill's code for this purpose:
https://github.com/ssilvert/keycloak-elytron-temp/blob/master/realm-impl/...
On the Keycloak side, this requires allowing direct access grants on the
realm and defining a direct access client. Is there any reason why
someone would not want to do this? If so, should I provide some
alternate means of authentication?
Stan
5 years, 9 months
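As an added example (not code from the keycloak-elytron-temp repository or from Keycloak itself, and written in Python rather than Java so it runs stand-alone), here is the realm-side call the post describes: a Direct Access Grant is the OAuth2 Resource Owner Password Credentials request (grant_type=password) sent to the realm's token endpoint by a confidential client, and the realm should treat only a 200 reply carrying an access_token as a successful login. The base URL, realm name, client id and secret, the injectable transport, the fake server and its error bodies are all assumptions made for the example; the token endpoint path is the OpenID Connect one Keycloak publishes per realm.

```python
"""Validate a username/password against Keycloak with a Direct Access Grant.

Added example, not code from keycloak-elytron-temp or Keycloak. A Direct
Access Grant is the OAuth2 Resource Owner Password Credentials grant
(grant_type=password) sent to the realm's token endpoint by a confidential
client that the realm allows to use it.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/auth/realms/{realm}/protocol/openid-connect/token"


def build_direct_grant_request(base_url, realm, client_id, client_secret,
                               username, password):
    """Return (url, headers, body) for the token request."""
    url = base_url.rstrip("/") + TOKEN_PATH.format(
        realm=urllib.parse.quote(realm, safe=""))
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,   # confidential client, never a public one
        "username": username,
        "password": password,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode(form).encode("utf-8")


def evaluate_token_response(status, body):
    """Map (status, body) to (authenticated, reason).

    Only HTTP 200 with a non-empty access_token counts as success. Every
    rejection collapses to one failure so the realm does not pass on whether
    the user exists or only the password was wrong."""
    try:
        doc = json.loads(body.decode("utf-8")) if body else {}
    except ValueError:
        return False, "malformed token response"
    if not isinstance(doc, dict):
        return False, "malformed token response"
    token = doc.get("access_token")
    if status == 200 and isinstance(token, str) and token:
        return True, "ok"
    if status in (400, 401) and isinstance(doc.get("error"), str):
        return False, "grant rejected: %s" % doc["error"]
    return False, "unexpected response (HTTP %d)" % status


def urllib_transport(url, headers, body):
    """Real transport. 4xx replies are returned, not raised, so the error
    JSON reaches evaluate_token_response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def verify_password(transport, base_url, realm, client_id, client_secret,
                    username, password):
    """What an Elytron-style realm would call once per login attempt."""
    url, headers, body = build_direct_grant_request(
        base_url, realm, client_id, client_secret, username, password)
    status, raw = transport(url, headers, body)
    return evaluate_token_response(status, raw)


# Constructed stand-in for a Keycloak server so the example runs offline.
# Realm "demo", the direct-grant client and the user are all made up.
FAKE_CLIENT = ("elytron-realm", "s3cr3t")
FAKE_USERS = {"alice": "correct horse battery staple"}


def fake_keycloak(url, headers, body):
    form = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode("utf-8")).items()}
    if not url.endswith(TOKEN_PATH.format(realm="demo")):
        return 404, b""
    if (form.get("client_id"), form.get("client_secret")) != FAKE_CLIENT:
        return 401, json.dumps({"error": "unauthorized_client"}).encode()
    if form.get("grant_type") != "password":
        return 400, json.dumps({"error": "unsupported_grant_type"}).encode()
    user = form.get("username")
    if user not in FAKE_USERS or FAKE_USERS[user] != form.get("password"):
        return 401, json.dumps({"error": "invalid_grant"}).encode()
    return 200, json.dumps({"access_token": "constructed.token.value",
                            "token_type": "bearer"}).encode()


if __name__ == "__main__":
    print(verify_password(fake_keycloak, "http://localhost:8080", "demo",
                          "elytron-realm", "s3cr3t",
                          "alice", "correct horse battery staple"))
```

Against a real server, pass `urllib_transport` instead of `fake_keycloak`; the realm only needs the boolean, so the returned access token is discarded rather than stored, and the password never leaves the form body, which is also why the reason strings never echo it.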
New Keycloak repo in GitHub
by Stan Silvert
Can someone please create a new "elytron" repo under keycloak and give
me full rights?
This project will contain the new Keycloak/Elytron subsystem, along with
Keycloak implementations of Elytron API's, and associated feature packs.
Thanks,
Stan
5 years, 9 months
Update admin rest api to always use ids in paths
by Stian Thorgersen
Currently we use a mix between name and ids in paths for admin rest api. For consistency we should always use ids in paths.
This is required by admin events (otherwise we require a lot of work-around to set the resource path).
5 years, 9 months
Do we really want to keep support for Wildfly 8.2.0.Final
by Marko Strukelj
In recent weeks I upgraded the Wildfly version we use for the server distro to 9.0.0.CR1 in order to be up to date with the latest subsystem APIs. That was accompanied by the server / adapter subsystem split, and code cleanup that fixed deprecated uses of Wildfly subsystem APIs. It also resulted in dropped support for EAP6 within keycloak-wildfly-adapter-subsystem.
I've been working on putting EAP6 support into keycloak-as7-subsystem, and that seems to work fine.
We thus have adapter support for WF9 and EAP7 via wildfly-adapter-subsystem, and adapter support for AS7 and EAP6 via as7-subsystem.
That leaves out WF8. Since it uses Undertow, it makes no sense to try to put it into as7-subsystem, and since it uses APIs deprecated in WF9 it makes no sense to put it into wildfly-adapter-subsystem, as that would require messing up the just-cleaned-up subsystem code again.
There's another issue that's specific to WF8 - org.apache.httpcomponents slot=4.3. That complicates the modules build, and the examples build. Manually testing AS7, EAP6, WF9 using unconfigured-demo I was constantly bumping into mismatches between jboss-deployment-structure.xml in demos and the modules in the server.
It makes no sense to bundle org.apache.httpcomponents slot=4.3 with WF9, but we have to bundle them with WF8. The current build does not solve this issue yet. I have a solution in the works, but maybe we want to decide not to support WF 8 at all. For all practical purposes WF 9.0.0.CR1 is equivalent to and better than 8.2.0.Final, so I see no reason why people couldn't upgrade other than maybe emotional attachment to .Final in the version.
What do the rest of you think? Am I missing something?
5 years, 9 months
Re: [keycloak-dev] [keycloak-user] Keycloak documentation
by Marek Posolda
Hi,
Keycloak implements OpenID Connect and SAML specifications from both
client and server perspective. You can find some diagrams related to
those specs on the web.
Client (adapter) code is inside the "integration" module and its
submodules. The "core" module holds some shared code for both adapters
and the server. The rest of the code is mainly server parts. For the
server, you can start by looking at the KeycloakApplication class, which
is the entry point where REST resources are registered, and at
KeycloakSessionFactory, which registers SPIs. That's for the start. For
the rest, I would suggest digging into the code, debugging and seeing how it works :-)
Ah, and some startup docs for developers are also in the readme files under
the "misc" directory (take a look at least at HackingOnKeycloak.md
and Testsuite.md). Good luck :-)
Marek
On 15.5.2015 06:41, Carlos Feria wrote:
>
> Hello. I'm using keycloak in my projects, it is a great solution.
>
> I would like to find some documentation of the structure or
> architecture of keycloak, something like UML diagrams or any
> documentation for developers, not only for users...
>
> I'm trying to review the code to learn how keycloak works internally.
> Please, could anybody tell me if anything like this exists?
>
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
5 years, 9 months
Import Realm when running Keycloak server from Maven
by Scott Rossillo
Hi,
We’re trying to run Keycloak from Maven using:
mvn -f testsuite/integration/pom.xml exec:java -Pkeycloak-server -Dkeycloak.port=8080
For development purposes. We saw in the code that you can specify a realm to import. It seems either:
mvn -f testsuite/integration/pom.xml exec:java -Pkeycloak-server -Dkeycloak.port=8080 -Dimport=/path/to/realm.json
should work. However, we get an exception:
21:58:22,028 DEBUG [org.keycloak.models.utils.RepresentationToModel] Create client: {0}security-admin-console
[WARNING]
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.codehaus.mojo.exec.ExecJavaMojo$1.run(ExecJavaMojo.java:293)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.keycloak.models.ModelDuplicateException: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_B71CJLBENV945RB6GCON438AT_INDEX_4 ON PUBLIC.CLIENT(REALM_ID, CLIENT_ID)"; SQL statement:
insert into CLIENT (BASE_URL, BEARER_ONLY, CLIENT_ID, CONSENT_REQUIRED, DIRECT_GRANTS_ONLY, ENABLED, FRONTCHANNEL_LOGOUT, FULL_SCOPE_ALLOWED, MANAGEMENT_URL, NAME, NODE_REREG_TIMEOUT, NOT_BEFORE, PROTOCOL, PUBLIC_CLIENT, REALM_ID, SECRET, SURROGATE_AUTH_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-168]
at org.keycloak.connections.jpa.PersistenceExceptionConverter.convert(PersistenceExceptionConverter.java:40)
at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:34)
at com.sun.proxy.$Proxy61.flush(Unknown Source)
at org.keycloak.models.jpa.RealmAdapter.addClient(RealmAdapter.java:643)
at org.keycloak.models.utils.RepresentationToModel.createClient(RepresentationToModel.java:525)
at org.keycloak.models.utils.RepresentationToModel.createClients(RepresentationToModel.java:509)
at org.keycloak.models.utils.RepresentationToModel.importRealm(RepresentationToModel.java:136)
at org.keycloak.services.managers.RealmManager.importRealm(RealmManager.java:252)
at org.keycloak.testsuite.KeycloakServer.importRealm(KeycloakServer.java:250)
at org.keycloak.testsuite.KeycloakServer.importRealm(KeycloakServer.java:230)
at org.keycloak.testsuite.KeycloakServer.bootstrapKeycloakServer(KeycloakServer.java:189)
at org.keycloak.testsuite.KeycloakServer.main(KeycloakServer.java:108)
... 6 more
Caused by: javax.persistence.PersistenceException: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_B71CJLBENV945RB6GCON438AT_INDEX_4 ON PUBLIC.CLIENT(REALM_ID, CLIENT_ID)"; SQL statement:
insert into CLIENT (BASE_URL, BEARER_ONLY, CLIENT_ID, CONSENT_REQUIRED, DIRECT_GRANTS_ONLY, ENABLED, FRONTCHANNEL_LOGOUT, FULL_SCOPE_ALLOWED, MANAGEMENT_URL, NAME, NODE_REREG_TIMEOUT, NOT_BEFORE, PROTOCOL, PUBLIC_CLIENT, REALM_ID, SECRET, SURROGATE_AUTH_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-168]
at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1361)
at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1289)
at org.hibernate.ejb.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1295)
at org.hibernate.ejb.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:976)
at sun.reflect.GeneratedMethodAccessor273.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.keycloak.connections.jpa.PersistenceExceptionConverter.invoke(PersistenceExceptionConverter.java:32)
... 16 more
Caused by: org.hibernate.exception.ConstraintViolationException: Unique index or primary key violation: "UK_B71CJLBENV945RB6GCON438AT_INDEX_4 ON PUBLIC.CLIENT(REALM_ID, CLIENT_ID)"; SQL statement:
insert into CLIENT (BASE_URL, BEARER_ONLY, CLIENT_ID, CONSENT_REQUIRED, DIRECT_GRANTS_ONLY, ENABLED, FRONTCHANNEL_LOGOUT, FULL_SCOPE_ALLOWED, MANAGEMENT_URL, NAME, NODE_REREG_TIMEOUT, NOT_BEFORE, PROTOCOL, PUBLIC_CLIENT, REALM_ID, SECRET, SURROGATE_AUTH_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-168]
at org.hibernate.exception.internal.SQLStateConversionDelegate.convert(SQLStateConversionDelegate.java:128)
at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:125)
at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:110)
at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:129)
at org.hibernate.engine.jdbc.internal.proxy.AbstractProxyHandler.invoke(AbstractProxyHandler.java:81)
at com.sun.proxy.$Proxy63.executeUpdate(Unknown Source)
at org.hibernate.engine.jdbc.batch.internal.NonBatchingBatch.addToBatch(NonBatchingBatch.java:56)
at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:2849)
at org.hibernate.persister.entity.AbstractEntityPersister.insert(AbstractEntityPersister.java:3290)
at org.hibernate.action.internal.EntityInsertAction.execute(EntityInsertAction.java:80)
at org.hibernate.engine.spi.ActionQueue.execute(ActionQueue.java:272)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:264)
at org.hibernate.engine.spi.ActionQueue.executeActions(ActionQueue.java:186)
at org.hibernate.event.internal.AbstractFlushingEventListener.performExecutions(AbstractFlushingEventListener.java:326)
at org.hibernate.event.internal.DefaultFlushEventListener.onFlush(DefaultFlushEventListener.java:52)
at org.hibernate.internal.SessionImpl.flush(SessionImpl.java:1081)
at org.hibernate.ejb.AbstractEntityManagerImpl.flush(AbstractEntityManagerImpl.java:973)
... 20 more
Caused by: org.h2.jdbc.JdbcSQLException: Unique index or primary key violation: "UK_B71CJLBENV945RB6GCON438AT_INDEX_4 ON PUBLIC.CLIENT(REALM_ID, CLIENT_ID)"; SQL statement:
insert into CLIENT (BASE_URL, BEARER_ONLY, CLIENT_ID, CONSENT_REQUIRED, DIRECT_GRANTS_ONLY, ENABLED, FRONTCHANNEL_LOGOUT, FULL_SCOPE_ALLOWED, MANAGEMENT_URL, NAME, NODE_REREG_TIMEOUT, NOT_BEFORE, PROTOCOL, PUBLIC_CLIENT, REALM_ID, SECRET, SURROGATE_AUTH_REQUIRED, ID) values (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) [23505-168]
at org.h2.message.DbException.getJdbcSQLException(DbException.java:329)
at org.h2.message.DbException.get(DbException.java:169)
at org.h2.message.DbException.get(DbException.java:146)
at org.h2.index.BaseIndex.getDuplicateKeyException(BaseIndex.java:81)
at org.h2.index.TreeIndex.add(TreeIndex.java:62)
at org.h2.table.RegularTable.addRow(RegularTable.java:121)
at org.h2.command.dml.Insert.insertRows(Insert.java:124)
at org.h2.command.dml.Insert.update(Insert.java:84)
at org.h2.command.CommandContainer.update(CommandContainer.java:75)
at org.h2.command.Command.executeUpdate(Command.java:230)
at org.h2.jdbc.JdbcPreparedStatement.executeUpdateInternal(JdbcPreparedStatement.java:156)
at org.h2.jdbc.JdbcPreparedStatement.executeUpdate(JdbcPreparedStatement.java:142)
at sun.reflect.GeneratedMethodAccessor271.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.hibernate.engine.jdbc.internal.proxy.AbstractStatementProxyHandler.continueInvocation(AbstractStatementProxyHandler.java:122)
... 33 more
5 years, 9 months
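An added pre-flight check for the realm JSON, not Keycloak code and not part of the thread: the failure above is a unique-index violation on CLIENT(REALM_ID, CLIENT_ID) logged right after "Create client: security-admin-console", i.e. the import tried to insert a clientId the realm already had. The function below reports clientIds listed more than once in the file and clientIds that collide with clients the server is assumed to create on its own; that set, the sample realm and the field names are assumptions (only security-admin-console is evidenced by the log), and the JSON keys are the ones a realm export uses.

```python
"""Pre-flight check for a realm JSON used with -Dimport=/path/to/realm.json.

Added example, not Keycloak code. The import above died on the unique index
over CLIENT(REALM_ID, CLIENT_ID) right after "Create client:
security-admin-console", i.e. it tried to insert a clientId the realm already
had. Before importing, report clientIds that are listed twice in the file and
clientIds that collide with clients the server is assumed to create itself.
"""
import json

# Assumption: clients the server creates when it bootstraps a realm. Only
# security-admin-console is evidenced by the log above; extend as needed.
SERVER_CREATED_CLIENTS = frozenset({"security-admin-console"})


def check_realm_import(realm_json, server_created=SERVER_CREATED_CLIENTS):
    """Return a list of problems; an empty list means the file looks importable."""
    try:
        realm = json.loads(realm_json)
    except ValueError as err:
        return ["not valid JSON: %s" % err]
    problems = []
    if not isinstance(realm, dict):
        return ["top level is not a JSON object"]
    if not isinstance(realm.get("realm"), str) or not realm["realm"]:
        problems.append("missing realm name")
    seen = set()
    for index, client in enumerate(realm.get("clients", [])):
        client_id = client.get("clientId") if isinstance(client, dict) else None
        if not client_id:
            problems.append("clients[%d] has no clientId" % index)
            continue
        if client_id in seen:
            problems.append("clientId %r appears more than once" % client_id)
        seen.add(client_id)
        if client_id in server_created:
            problems.append("clientId %r collides with a server-created client; "
                            "remove it from the file" % client_id)
    return problems


# Constructed sample: a realm export that still carries the admin console
# client and lists one application twice.
SAMPLE_REALM = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "customer-portal", "publicClient": False},
        {"clientId": "security-admin-console", "publicClient": True},
        {"clientId": "customer-portal"},
    ],
})

if __name__ == "__main__":
    for problem in check_realm_import(SAMPLE_REALM):
        print(problem)
```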
Private/public SPIs
by Stian Thorgersen
To make it easy to identify which SPIs are public I've added isPrivate method to SPI.
The list below is all the SPIs we currently have, any objections to which are marked as private?
SPI Private
-------------------------------------
account true
client-import true
connectionsFile true
connectionsHttpClient true
connectionsInfinispan true
connectionsJpa true
connectionsJpaUpdater true
connectionsMongo true
connectionsMongoUpdater true
email true
eventsListener false
eventsStore true
export true
identity-provider-mapper false
identity_provider false
import true
login true
login-protocol true
migration true
protocol-mapper false
realm true
realmCache true
social false
theme true
timer true
user true
userCache true
userFederation false
userSessions true
well-known true
5 years, 9 months
auth spi design requirements and initial steps
by Bill Burke
Some generic requirements that will affect the design.
1. Authenticator should be able to be optional per user. i.e. OTP can be
optionally set up by the user
2. Multiple authenticators should be resolvable per form. i.e. password,
terms and conditions, captcha, and otp could be entered in on one page.
3. Non form based authenticators should be able to bypass any screens if
they are the only authenticators. i.e. CLIENT_CERT and KERBEROS.
4. Authenticators need to be able to send challenges after initial
request, i.e. Kerberos
5. Clients should be able to specify which Authenticators they require
6. You should be able to attach policies to an Authenticator which
allows you to do things like, don't do OTP if you are coming from IP
address where you last logged in.
7. Authenticators should be able to plugin in a JAX-RS service that can
handle requests for them.
8. Authenticators should be able to specify their display/input page
9. Authenticators can have a "user setup" pages. One for
login/registration, one for account service, and one for admin console.
Yuck!
Design implications:
* I think we need to have a AuthenticatorForm as well as an
Authenticator interface.
* Authenticators would be associated with a AuthenticatorForm. This
allows support for multiple Authenticators for one form post.
* AuthenticatorForms would have an action URL that accepts form input.
This form input URL would be referenced by the form name
/auth/realms/{realm}/authenticate/forms/{form-name}
* AuthenticatorForms would have a name and input/display page. The
display page URI can be a relative uri pointing to a theme template, a
relative uri that points to an Authenticators JAX-RS service, or an
external URI.
* A User, per authenticator can be in a SETUP_REQUIRED state. This
allows the user to bypass the authenticator and go straight to
authenticator setup.
* CredentialModel will need generic attributes.
Steps?
I'm gonna get some abstraction working first with Kerberos, OTP, and
Password.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
5 years, 9 months
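A toy model of the design sketched above, added here as an example; it is not Keycloak code and not the design as it was later built, and every class, name and rule in it is hypothetical. It exists to show how the listed requirements interact in one flow: several authenticators behind one form (2), a non-form authenticator that first sends a challenge (4) and on success bypasses the forms (3), an authenticator that is optional per user (1), a policy that skips it from the last-login IP (6), a client that can insist on an authenticator (5), and the per-user SETUP_REQUIRED state from the design implications. The OTP check is a stand-in derived from the secret, not TOTP.

```python
"""Toy model of the authenticator design sketched above (added example,
not Keycloak code; every class, name and rule is hypothetical). It shows
the listed requirements in one flow: several authenticators behind one
form, a non-form authenticator that first sends a challenge and on success
bypasses the forms, an authenticator that is optional per user, a policy
that skips it, a client that can insist on one, and SETUP_REQUIRED."""
import hashlib
import hmac

SUCCESS, FAILED, CHALLENGE, SETUP_REQUIRED = "SUCCESS", "FAILED", "CHALLENGE", "SETUP_REQUIRED"


class User:
    def __init__(self, name, password, otp_secret=None, last_ip=None, setup_required=()):
        self.name, self.password = name, password
        self.otp_secret = otp_secret                # None: user never set up OTP (req. 1)
        self.last_ip = last_ip
        self.setup_required = set(setup_required)   # per-authenticator SETUP_REQUIRED state


class PasswordAuthenticator:
    name, form = "password", "login"

    def applies(self, user, ctx):
        return True

    def authenticate(self, user, inputs, ctx):
        ok = hmac.compare_digest(inputs.get("password", ""), user.password)
        return SUCCESS if ok else FAILED


class OtpAuthenticator:
    name, form = "otp", "login"                     # same form as password (req. 2)

    def applies(self, user, ctx):
        if user.otp_secret is None:                 # optional per user (req. 1)
            return False
        return ctx.get("ip") != user.last_ip        # policy (req. 6): skip from last-login IP

    def authenticate(self, user, inputs, ctx):
        # Stand-in for a TOTP check: a fixed code derived from the secret.
        expected = hashlib.sha256(user.otp_secret.encode()).hexdigest()[:6]
        return SUCCESS if hmac.compare_digest(inputs.get("otp", ""), expected) else FAILED


class KerberosAuthenticator:
    name, form = "kerberos", None                   # non-form authenticator (req. 3)

    def applies(self, user, ctx):
        return True

    def authenticate(self, user, inputs, ctx):
        if "authorization" not in ctx:              # first request: challenge (req. 4)
            return CHALLENGE
        token = ctx["authorization"]                # None means the browser declined
        return SUCCESS if token == "Negotiate %s@EXAMPLE" % user.name else FAILED


def run_flow(authenticators, client_required, user, inputs, ctx):
    """Return (outcome, detail). client_required: names the client insists on
    (req. 5); inputs maps form name -> posted fields; ctx carries IP/headers."""
    active = [a for a in authenticators if a.applies(user, ctx)
              or a.name in client_required or a.name in user.setup_required]
    for auth in (a for a in active if a.form is None):
        result = auth.authenticate(user, inputs, ctx)
        if result in (CHALLENGE, SUCCESS):          # success bypasses every screen
            return result, auth.name
        if auth.name in client_required:            # client insisted, so a miss is fatal
            return FAILED, auth.name
    forms = {}
    for auth in (a for a in active if a.form is not None):
        forms.setdefault(auth.form, []).append(auth)   # one POST, several authenticators
    if not forms:
        return FAILED, "no applicable authenticator"
    pending_setup = []
    for form_name, auths in forms.items():
        for auth in auths:
            if auth.name in user.setup_required:    # bypass, send to setup afterwards
                pending_setup.append(auth.name)
                continue
            if auth.authenticate(user, inputs.get(form_name, {}), ctx) != SUCCESS:
                return FAILED, "%s/%s" % (form_name, auth.name)
    if pending_setup:
        return SETUP_REQUIRED, ",".join(pending_setup)
    return SUCCESS, "forms:" + ",".join(forms)


# Constructed sample data, not from any real deployment.
AUTHENTICATORS = [KerberosAuthenticator(), PasswordAuthenticator(), OtpAuthenticator()]
ALICE = User("alice", "pw-alice")
BOB = User("bob", "pw-bob", otp_secret="abc", last_ip="10.0.0.1")
CAROL = User("carol", "pw-carol", setup_required={"otp"})
BOB_OTP = hashlib.sha256(b"abc").hexdigest()[:6]

if __name__ == "__main__":
    print(run_flow(AUTHENTICATORS, set(), BOB, {"login": {"password": "pw-bob"}},
                   {"ip": "10.0.0.2", "authorization": None}))
```

Two things the model makes visible that the list of requirements does not: a policy that skips an authenticator (6) must lose to a client that requires it (5), which is why `active` is the union of the two, and a SETUP_REQUIRED bypass is only reported after the remaining authenticators on the same form have passed, so a user cannot reach OTP setup with a wrong password.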
Node Registration
by Scott Rossillo
org.keycloak.adapters.NodesRegistrationManagement doesn’t send a port when it registers a node. Additionally, the KC server assumes the cluster node is using port 8080. So even if you manually register a node, as say localhost:9092, when you press “Test Cluster Availability” the KC server appends port 8080 to the request:
http://localhost:9092:8080/customer-portal/
I think there are two bugs, I can open JIRAs if you like:
1. org.keycloak.adapters.NodesRegistrationManagement should send the port the server is on
2. KC server should not assume port 8080
Best,
Scott
5 years, 9 months
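An added example of the two fixes the report asks for, not Keycloak code and written in Python rather than the adapter's Java: the faulty concatenation that produces http://localhost:9092:8080/... sits next to a server-side builder that adds the default port only when the registered host carries none (and rejects a host that already has two), plus an adapter-side helper that always registers host and port together. Function names, the IPv6 handling and the sample hosts are assumptions for the example; the 8080 default and the customer-portal path come from the report.

```python
"""Build a cluster node's URL without assuming port 8080.

Added example, not Keycloak code. The report above shows a node registered
as "localhost:9092" being turned into http://localhost:9092:8080/...; below,
the faulty concatenation sits next to a version that adds the default port
only when the registered host carries none, and an adapter-side helper that
always registers host and port together (hypothetical names throughout).
"""
from urllib.parse import urlsplit

DEFAULT_PORT = 8080


def node_url_buggy(host, path):
    """The behaviour reported: the port is appended unconditionally."""
    return "http://%s:%d%s" % (host, DEFAULT_PORT, path)


def node_url(host, path, default_port=DEFAULT_PORT, scheme="http"):
    """host is 'name', 'name:port', '[v6-literal]' or '[v6-literal]:port'.

    Raises ValueError for anything that is not a single host with at most one
    port, so 'localhost:9092:8080' is refused instead of being requested."""
    parts = urlsplit("%s://%s" % (scheme, host))
    if not parts.hostname or parts.path or parts.query or parts.fragment:
        raise ValueError("invalid node host %r" % host)
    port = parts.port if parts.port is not None else default_port   # .port raises on 'a:1:2'
    hostpart = "[%s]" % parts.hostname if ":" in parts.hostname else parts.hostname
    if not path.startswith("/"):
        path = "/" + path
    return "%s://%s:%d%s" % (scheme, hostpart, port, path)


def is_valid_node_host(host):
    """True if node_url would accept the registered host string."""
    try:
        node_url(host, "/")
        return True
    except ValueError:
        return False


def registration_host(hostname, port):
    """Adapter side: what NodesRegistrationManagement should send, host and
    port together, so the server never has to guess the port."""
    if not 0 < port < 65536:
        raise ValueError("bad port %r" % port)
    return "%s:%d" % ("[%s]" % hostname if ":" in hostname else hostname, port)


if __name__ == "__main__":
    print(node_url_buggy("localhost:9092", "/customer-portal/"))
    print(node_url(registration_host("localhost", 9092), "/customer-portal/"))
```

The validation in `node_url` matters beyond the port bug: the server dereferences whatever host string was registered, so a value carrying a path, query or second port should be rejected at registration time rather than turned into a request.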