Run keycloak client with annotations
by Michal Hajas
Hi,
I tried to run a keycloak client with annotations @SecurityDomain, @RolesAllowed etc. ( https://github.com/mhajas/keycloak_annotations )
Maybe it is just my mistake, I am not an expert in RESTful services and EJB, but I tried a lot of configurations and always end up with some error, mostly with:
failed to execute: javax.ws.rs.ForbiddenException: HTTP 403 Forbidden
at org.jboss.resteasy.plugins.interceptors.RoleBasedSecurityFilter.filter(RoleBasedSecurityFilter.java:45)
I have configured my keycloak adapter correctly according to http://keycloak.github.io/docs/userguide/html/ch08.html#jboss-adapter but I don't know how to configure web.xml: what can be replaced with annotations and what should be preserved.
I tried both the relative and the un-relative scenario.
So the question is: what is wrong with my client?
P.S. I think there might be an example with annotations.
9 years, 7 months
dba's will hate liquibase?
by Bill Burke
An interesting suggestion from a user:
On 9/24/2015 2:58 PM, Walker, Charles wrote:
> * move away from liquibase to manage the database schema. It's a nice
> tool but I haven't run into many DBAs that allow an application to
> "alter" the database. That meant I just had to go figure out another
> technology just to tease the SQL out of it.
I'm not sure how we could move away from liquibase. We would have to
provide a set of SQL scripts (cross-platform too) that would have to be
run on your database to upgrade keycloak. Then there are the Java-based
migrators that run after this to massage the data with any new
transformations.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 7 months
travis build failing
by Bill Burke
Travis build is failing in the QE arquillian tests as there is a new
adapter module. The base tests pass. So, I merged. QE can figure out
what's up.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 7 months
Offline tokens - step 1
by Marek Posolda
I've sent the PR. Right now it works like this:
- ClientModel has the flag "offlineTokensEnabled". It's possible to
retrieve offline tokens only if the flag is enabled.
- An offline token is a classic refresh token with 2 differences. It has type
"OFFLINE", whereas a normal refresh token has type "REFRESH". And for an offline
token, the expiration value is 0, so it never expires.
- An offline token is generated by the auth-server when the client sends
"scope=offline_access". It's supported for the classic browser flow, but
also for the Direct Grant flow or the Service account flow.
- I've added OfflineClientSessionModel and OfflineUserSessionModel with
CRUD methods on UserModel. So when a new offline token is generated by
Keycloak, some info about the current UserSession and ClientSession is
persisted on UserModel. This means that the offline token can be used to
create a new access token even if the "normal" UserSession and ClientSession
are already invalid or logged out.
- When refreshing an access token with an offline token, the auth-server won't
send back another refresh token. It will send just the accessToken +
IDToken. This is to avoid writes to the user database for each token refresh.
- In the account management applications tab, there is a new table column
"Additional grants" which shows if the client has an offline token for the user.
Clicking the "Revoke" button will remove offline tokens and granted
consents as well - no separate actions for revoking consents and offline
tokens.
Still TODO:
- Properly handle consents (see "Questions" below)
- More tests, example, export/import, docs
- More things/refactoring based on your feedback
Questions:
- The spec mentions that consent should be displayed when an offline token
is requested. See
http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess .
Right now, I am not doing that. So when the Client has "isConsentRequired"
as false, the consent screen is not displayed. Now we also don't have
support for "prompt=consent" (not sure if we need this). Is it ok to
keep it like this?
- I am thinking about adding a new builtin client role "offline_access",
which will be created for the client when the admin enables the "offline tokens"
switch. It will also be used as a default role. This will allow that only
some users are allowed to obtain an offline token (those which have this
role). The role will also be displayed on the consent screen for the
clients which need consent.
But that raises another question. IMO it will be good if the role is
requested and displayed on the consent screen only if an offline token is
requested, but not when a classic refresh token is requested.
Hence I was thinking about adding the flag "scopeParamMode" to
RoleModel. The value true means that the role will be requested and used in
the accessToken/refreshToken only if the scope parameter contains its value.
This will be the setup for the "offline_access" role, so it's used only for
the offline token requests. Another thing is the format of the scope parameter
with respect to realm roles and application roles. We can use "//" as
delimiter, so a realm role will have just "my-role" but a client role will
have "my-client//my-role". The disadvantage is that for requesting
offline_access you will then need to use a scope like:
"scope=customer-portal//offline_access" as it's a client role.
WDYT? Any better idea?
Marek
9 years, 7 months
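An added example, not code from Marek's PR or from Keycloak, that models the rules in the proposal above: the "//" scope format with offline_access as a client role, an offline token as a refresh token of type "OFFLINE" with expiration 0, and a refresh with an offline token that returns no new refresh token. The Client class, the 1800-second lifespan and the fallback to a normal refresh token when the client flag is disabled are assumptions for illustration.

```python
from dataclasses import dataclass

REFRESH_LIFESPAN = 1800  # seconds; constructed value, not a Keycloak default


@dataclass
class Client:
    client_id: str
    offline_tokens_enabled: bool  # the proposed ClientModel flag


def parse_scope(scope: str, client_id: str):
    """Split a scope string into (realm_roles, client_roles) using the proposed
    format: "my-role" is a realm role, "my-client//my-role" a client role.
    Roles of other clients are ignored for this client."""
    realm_roles, client_roles = set(), set()
    for item in scope.split():
        if "//" in item:
            owner, role = item.split("//", 1)
            if owner == client_id:
                client_roles.add(role)
        else:
            realm_roles.add(item)
    return realm_roles, client_roles


def issue_refresh_token(client: Client, scope: str, now: int) -> dict:
    """Mint the refresh-type token for a token request (model only)."""
    _, client_roles = parse_scope(scope, client.client_id)
    if "offline_access" in client_roles and client.offline_tokens_enabled:
        # Offline token: same shape as a refresh token, type OFFLINE, exp 0 = never expires.
        return {"typ": "OFFLINE", "exp": 0}
    # Assumption: a disabled flag falls back to a normal refresh token.
    return {"typ": "REFRESH", "exp": now + REFRESH_LIFESPAN}


def is_expired(token: dict, now: int) -> bool:
    # exp == 0 is the "never expires" marker of an offline token.
    return token["exp"] != 0 and now >= token["exp"]


def refresh(token: dict, now: int) -> dict:
    """Model the refresh response: a normal refresh token is rotated, an offline
    token yields only access_token + id_token (no user-DB write per refresh)."""
    if is_expired(token, now):
        raise ValueError("refresh token expired")
    response = {"access_token": "<new access token>", "id_token": "<new id token>"}
    if token["typ"] == "REFRESH":
        response["refresh_token"] = {"typ": "REFRESH", "exp": now + REFRESH_LIFESPAN}
    return response
```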
Customize KeycloakPrincipal
by alex orl
In my REST service I can obtain the principal information after authentication using the KeycloakPrincipal kcPrincipal = (KeycloakPrincipal) servletRequest.getUserPrincipal() statement. The Keycloak principal doesn't contain all the information I need about the authenticated user. Is it possible to customize my own principal type? On the Keycloak end I've developed a user federation provider. Is it possible to insert my custom principal in that code? What is the way? Thanks to all and regards. Alessio
9 years, 7 months
extend keycloak principal
by alex orl
I'm working on SSO using JBoss Keycloak.
I'm developing a user federation provider working with my custom user database and LDAP authentication.
I'm able to do the authentication process but now I need to retrieve in my web applications a Principal extending the Keycloak one.
I mean that my REST service could have to access a principal object holding other information besides those covered by KeycloakPrincipal (i.e. company group, company and others).
I was planning to write my own MyProjectPrincipal extending KeycloakPrincipal but then...
Is it the right way?
How can I retrieve this principal in my custom web application (i.e. REST service)?
Best regards and thanks a lot for your attention.
Alessio
Sent from Yahoo Mail on Android
9 years, 7 months
Picketlink Service provider
by Arulkumar Ponnusamy
Hi all,
Currently we are using the PicketLink service provider for SAML authentication.
After the Keycloak merge, can we still use the PicketLink lib for the SP or do we have
to consume Keycloak? Our current use case is to make our application a
SAML service provider which interacts with an external IDP for authentication.
Thanks,
Arulkumar
9 years, 7 months