Evaluation of i18n/i10n tools
by Stan Silvert
I've been evaluating tools to help us localize Keycloak. The tools I
looked at were angular-translate, angular-localization, and
angular-gettext. All use the MIT license.
I took a static version of our login page and localized with
angular-translate. Then I did the same thing using
angular-localization. Both worked well and it was pretty cool to see
the language change between English and French with the click of a
button. Both use ordinary JSON files for the translations.
In doing this, I was able to explore the features, strengths, and
weaknesses of each library. Of the two, I prefer angular-translate.
The reason mostly has to do with a greater feature set, maturity, and a
larger community. I can go into much greater detail if anyone is
interested.
For angular-gettext, it seems to be somewhat popular, but it takes a
very different approach. I'm rejecting it based on the fact that it
relies a great deal on tools and automation. I don't think that
translators and developers want to learn new tools and a new file format
for the translations (.po files vs. JSON). Plus, angular-gettext
automatically uses the English version of the word or phrase to generate
keys in the .po files. The whole process looks error-prone.
If you have any experience using these or other packages please let me
know. In researching this topic, I've found that some people even roll
their own angular translation tools. So let me know if you have
experience with that as well.
Stan
8 years, 8 months
Keep client private keys in Keycloak DB?
by Marek Posolda
For the client authentication with signed JWT, I am wondering if we
should keep client private key in Keycloak DB?
TBH I am more keen to not keep the copies, but just the certificate with
public key, so the private key is owned exclusively by client and saved
just on client side. Looks better to me from security perspective and
that's how Google is doing it -
https://developers.google.com/identity/protocols/OAuth2ServiceAccount .
But now I notice that for the SAML clients, we keep the private keys in
Keycloak DB (the private key for signing SAML requests or the private key,
which the client needs to verify SAML assertions encrypted by its public
key). Is it ok from the security perspective?
Marek
8 years, 8 months
Fwd: Concept structure in the VCS?
by Lennart Jörelid
Ah - by mistake, I replied only to Bill. Cross-posting to the list as well.
Sorry for the spam.
======
Hello there,
First - I found the current screencasts massively helpful in getting
started, to be honest. They are something I really have not seen in most
projects, and they contributed a lot to me making sense of the Keycloak
codebase and usage scenarios. Kudos.
Second - I think it would be quite helpful to add additional modularization
and also harmonize some configuration to make it more evident in how it is
interpreted. Let me clarify the last bit here (I'll take themes as an
example, but I believe that the same conclusion stands for other parts of
the Keycloak codebase):
# Import and extend definitions
parent=base
import=common/keycloak
styles=lib/patternfly/css/patternfly.css lib/zocial/zocial.css
stylesheets/login.css stylesheets/yourOwn.css
1. The documentation and examples provides something roughly similar to
the above.
2. Turning the attention to the "import" parameter, one could jump to
the conclusion that there would be directory called "common/keycloak" and
that this directory should contain a lib directory containing the styles
css documents from the "styles" configuration.
3. Reading the codebase, it seems that the semantics of the "import"
property is something completely different. From
ExtendingThemeManager::loadTheme, I can see that the '/' is instead used as
a list separator implying that we should attempt loading resources from
several sources. (Snippet pasted below).
if (theme.getImportName() != null) {
String[] s = theme.getImportName().split("/");
themes.add(findTheme(s[1], Theme.Type.valueOf(s[0].toUpperCase())));
}
So ... I would believe that the configuration in this case would be clearer
on a Java Object, JSON or XML form, where one can provide somewhat better
semantics than what is possible in a properties file (one could use a List
of theme names instead of a single string value to be parsed and
interpreted, for example).
Mind if I take a stab at implementing a suggestion here?
2015-08-09 17:25 GMT+02:00 Bill Burke <bburke(a)redhat.com>:
> Only plans right now are to separate our public SPIs and APIs from our
> private ones. This is a requirement by Red hat before we go into product.
>
> Also, a massive backlog of requirements and feature requests has made us
> rush documentation. The screencast videos haven't been updated since
> January. It is what it is. Over the next 3-6 months we will catch up
> on this stuff because we are required to before we go into Product.
>
> FYI, we already autogenerate REST docs.
>
> On 8/9/2015 7:38 AM, Lennart Jörelid wrote:
> > Hello all,
> >
> > A month or so ago, I got curious about Keycloak. Downloaded, set up in a
> > dev environment, created some custom themes and took a look at the
> > codebase. I have a few questions, likely because I have missed some
> > developer documentation:
> >
> > * *Codebase concepts*: I frequently try to structure codebases to
> > highlight its big concepts. For example, if we consider 'themes' to
> > be such a concept in KeyCloak we might create a folder called
> > 'themes', with some project within it: (themes-model, themes-spi,
> > themes-impl-jpa, themes-impl-freemarker, ....). Is there a
> > description of the codebase structure or concepts currently?
> > ("mini-SAD")
> > * *Codebase javadoc:* Do we have a policy for JavaDoc'ing the
> > Model/API/SPI but perhaps not the implementation classes, other than
> > with implementation details?
> > * *Configuration:* Some of the descriptions in the docbook are really
> > good, and some are more shallow. If we create a standard way of
> > configuring the parts of keycloak, we could likely generate standard
> > setup/configuration documentation (somewhat similar to maven plugins
> > where certain parts of a site documentation is generated from
> > annotations or JavaDocs). Are there such plans?
> >
> >
> > --
> >
> > --
> > +==============================+
> > | Bästa hälsningar,
> > | [sw. "Best regards"]
> > |
> > | Lennart Jörelid
> > | EAI Architect & Integrator
> > |
> > | jGuru Europe AB
> > | Mölnlycke - Kista
> > |
> > | Email: lj@jguru.se
> > | URL: www.jguru.se
> > | Phone
> > | (skype): jgurueurope
> > | (intl): +46 708 507 603
> > | (domestic): 0708 - 507 603
> > +==============================+
> >
> >
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
8 years, 8 months
Concept structure in the VCS?
by Lennart Jörelid
Hello all,
A month or so ago, I got curious about Keycloak. Downloaded, set up in a
dev environment, created some custom themes and took a look at the
codebase. I have a few questions, likely because I have missed some
developer documentation:
- *Codebase concepts*: I frequently try to structure codebases to
highlight its big concepts. For example, if we consider 'themes' to be such
a concept in KeyCloak we might create a folder called 'themes', with some
project within it: (themes-model, themes-spi, themes-impl-jpa,
themes-impl-freemarker, ....). Is there a description of the codebase
structure or concepts currently? ("mini-SAD")
- *Codebase javadoc:* Do we have a policy for JavaDoc'ing the
Model/API/SPI but perhaps not the implementation classes, other than with
implementation details?
- *Configuration:* Some of the descriptions in the docbook are really
good, and some are more shallow. If we create a standard way of configuring
the parts of keycloak, we could likely generate standard
setup/configuration documentation (somewhat similar to maven plugins where
certain parts of a site documentation is generated from annotations or
JavaDocs). Are there such plans?
8 years, 8 months
Blocker bug in KC 1.4 -> next release plans?
by Vlastimil Elias
Hi KC team,
we started work to update Red Hat Developers KC instance from 1.2 to
1.4, but I found one regression blocker (at least for us)
https://issues.jboss.org/browse/KEYCLOAK-1739 unfortunately.
There are also a few smaller bugs like
https://issues.jboss.org/browse/KEYCLOAK-1741 and
https://issues.jboss.org/browse/KEYCLOAK-1731 but they are not blocking.
Any chance this should be patched in some 1.4.1 minor bugfix release or
should we wait for 1.5? What is expected/raw release date for 1.5? We
would like to upgrade ASAP as 1.3 and 1.4 brought a bunch of features we
are waiting for and we do not want to stay too far behind the latest release.
I can try to help and prepare a PR for KEYCLOAK-1739 and others, but need
to know what to use as a base (master or 1.4.x branch).
Thanks in advance
Vlastimil
--
Vlastimil Elias
Principal Software Engineer
jboss.org Development Team
8 years, 8 months
Queries on Custom Authorization
by Satyajit Das
Hi Team,
Kindly explain the below query:
I want to have custom authorization, i.e. a user can view certain pages but
not some other pages. Certain components on a screen should be invisible and
navigation to certain screens should be restricted.
Does Keycloak provide any such custom authorization API? I went through the
documentation but could not find any explanation on this topic.
Any help will be highly appreciated.
Regards,
Satya.
8 years, 8 months
Queries on Keycloak
by Satyajit Das
Hi Team,
Kindly respond to the below queries.
1) What is the limit to the number of realms, roles per realm, and users per
realm or users per role in Keycloak?
2) What is the expiry time of a token ID generated in Keycloak
(session.getTokenString())?
3) Is there any authentication done after successful login if I visit
subsequent pages?
Regards,
Satya.
8 years, 8 months
groups vs. organizations
by Bill Burke
Scott,
I'm trying to wrap my head around how your concept of an organization is
different from a group. Wouldn't an organization just be a stricter
form of a group? A group could have any arbitrary roles and
attributes associated with it. An organization could too.
Is the difference that the organization has a specific common set of
attributes? i.e. what's in SAML organization descriptors.
My thinking is that we'd have both organizations and groups. They would
work the same exact way except organization would have some pre-defined
attribute types.
8 years, 8 months
Would like to deprecate/remove JPA/Mongo UserSessions
by Bill Burke
Hi all,
The Keycloak team would like to deprecate and remove the JPA and Mongo
stores for UserSessions and just provide an Infinispan one. It is a
pain to maintain these, and in our opinion, users really shouldn't be
using JPA or Mongo to store User Sessions. Infinispan has a wide
variety of configuration options for internal, external, and cloud networks.
8 years, 8 months
Re: [keycloak-dev] Kerberos with IE does not work
by Michael Gerber
Hi Marek,
Your proposed patch works perfectly fine.
IE only overwrites the header for the keycloak REST services, the other REST services work fine.
Thank you for your help.
Michael
On 03 August 2015 at 13:36, Marek Posolda <mposolda(a)redhat.com> wrote:
On 29.7.2015 16:37, Michael Gerber wrote:
The ClearAuthenticationCache command deletes the following data:
- Session cookies
- sessionStorage
- HTTP Authentication (e.g. Digest or Basic HTTP credentials)
- HTTPS Client Certificates (e.g. sites that use certificates or SmartCards)
But keycloak needs the session cookie, otherwise the user has to relogin after each page reload.
Isn't the clientSecret public anyway if it is sent in the Authorization header?
Yes, it is for JS clients. That's why it's better to not use clientSecret with javascript based clients, but instead mark those clients as "public" in keycloak admin console. In this case keycloak.js will use client_id parameter instead of Authorization header. Can this work for you?
Thing is, that currently AuthorizeClientUtil will likely automatically send 401 if it found "Authorization: Negotiate ..." header even if you have public client and you want to use client_id (I did not test it, but guessing from looking at the code). So I've created the simple patch to avoid it: https://github.com/mposolda/keycloak/commit/858882a306cfc66567dedfcb40454...
So if you do the steps like:
1) make your client as public
2) Apply my patch
will it help?
I am still seeing potential issues if your javascript client needs to send REST requests authorized by "Authorization: Bearer" header with accessToken. Not sure if IE doesn't again overwrite the header with "Authorization: Negotiate". In this case REST request would fail. But hopefully not... If you have opportunity to try it, it will be cool.
Thanks,
Marek
On 29 July 2015 at 14:27, Bill Burke <bburke(a)redhat.com> wrote:
The trick you found earlier doesn't work?
http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces...
Also, what if in keycloak.js if kc.clientSecret is null? Just remove
the client secret IMO. You shouldn't be exposing the client secret as
it is now public to everybody in the world....
On 7/29/2015 8:05 AM, Michael Gerber wrote:
I could find a solution for my IE problem.
IE overwrites the Authorization header in the XMLHttpRequest
(/protocol/openid-connect/token) with "Authorization: Negotiate".
To solve this problem, I added on the client the client_id
and client_secret to the form and changed the authorizeClient method, so
it checks first the form data instead of the authorization http header.
Have a look at my code:
https://github.com/gerbermichi/keycloak/commit/32880b210ed27f782a2f9fcd01...
Should I create a pull request for the changes or do you have a better
solution?
cheers
Michael
On 22 July 2015 at 11:46, Marek Posolda <mposolda(a)redhat.com> wrote:
Hi Michael,
No idea if there is other solution, I've never tried SPNEGO with
Internet explorer TBH :(
Could you please create JIRA for this?
Thanks,
Marek
On 22.7.2015 10:07, Michael Gerber wrote:
Hi all
My kerberos configuration works fine with FireFox and Chrome, but it
does not work with IE.
It shows a prompt where the user has to enter a username and password.
I can successfully get an access code, but I can not get an access
token, because IE overwrites the Authorization header in the AJAX
request. (see
http://stackoverflow.com/questions/28615850/internet-explorer-11-replaces...)
I can fix this by adding
document.execCommand('ClearAuthenticationCache', 'false');
above
var req = new XMLHttpRequest();
at approximately line 374 in the keycloak.js file.
Is there another solution for this problem?
cheers
Michael
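Added example, not keycloak.js or Keycloak server code, modelling the two halves of the workaround discussed in this thread: the browser client sends client_id in the form body with no Authorization header (so a browser that rewrites that header into "Negotiate" has nothing to clobber), and the server identifies the client from the form body first and treats a Negotiate header as irrelevant to client authentication instead of answering 401. Function names and the CLIENTS registry are hypothetical, constructed for the example.

```javascript
// Constructed client registry standing in for the realm's client configuration.
const CLIENTS = {
  'js-app':  { publicClient: true },
  'backend': { publicClient: false, secret: 'constructed-secret' },
};

// Browser side (public client): client_id travels in the form body, never in an
// Authorization header, and a secret is refused outright because anything shipped
// to a browser is public to everyone.
function buildTokenRequest({ clientId, clientSecret, code, redirectUri }) {
  if (clientSecret) {
    throw new Error('a client secret must not be embedded in a browser client');
  }
  const params = new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
  });
  return {
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: params.toString(),
  };
}

// Server side: form parameters take precedence; only a Basic header is consulted
// as a fallback, so "Authorization: Negotiate ..." is simply ignored here.
function authorizeClient(formParams, authHeader, clients) {
  let clientId = formParams.get('client_id');
  let secret = formParams.get('client_secret');
  if (!clientId && authHeader && /^Basic /i.test(authHeader)) {
    const decoded = Buffer.from(authHeader.slice(6).trim(), 'base64').toString('utf8');
    const sep = decoded.indexOf(':');           // secret may itself contain ':'
    if (sep > 0) {
      clientId = decoded.slice(0, sep);
      secret = decoded.slice(sep + 1);
    }
  }
  if (!clientId) return { status: 401, reason: 'no client credentials' };
  const client = clients[clientId];
  if (!client) return { status: 400, reason: 'unknown client' };
  if (client.publicClient) return { status: 200, clientId };
  if (secret !== client.secret) return { status: 401, reason: 'bad client secret' };
  return { status: 200, clientId };
}
```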
8 years, 8 months