ARQ testsuite error
by Marko Strukelj
Using latest master I'm getting a test failure in arquillian testsuite. Is
that expected?
Tests run: 5, Failures: 1, Errors: 0, Skipped: 1, Time elapsed: 56.349 sec
<<< FAILURE! - in org.keycloak.testsuite.admin.test.user.AddNewUserTest
addDuplicatedUser(org.keycloak.testsuite.admin.test.user.AddNewUserTest)
Time elapsed: 15.204 sec <<< FAILURE!
java.lang.AssertionError: null
at org.junit.Assert.fail(Assert.java:86)
at org.junit.Assert.assertTrue(Assert.java:41)
at org.junit.Assert.assertNotNull(Assert.java:712)
at org.junit.Assert.assertNotNull(Assert.java:722)
at org.keycloak.testsuite.admin.test.user.AddNewUserTest.addDuplicatedUser(AddNewUserTest.java:88)
...
Results :
Failed tests:
AddNewUserTest.addDuplicatedUser:88 null
Tests run: 26, Failures: 1, Errors: 0, Skipped: 4
- marko
9 years, 7 months
Loading message bundles from themes
by Stian Thorgersen
You should load message bundles from themes, not directly from the file system. That's how login pages and account management load message bundles, so it should be consistent, but more importantly doing it through themes gives the following:
* Support for loading from file or classpath - we also have an SPI for theme loaders so they can in the future load resources from other sources as well, for example the database
* Supports overriding messages from themes - users can define custom themes that are used on a per-realm basis that can override messages. A theme even inherits messages from the theme it extends, so it can choose to override only some messages
Themes expect the message bundle to be named "messages_<locale>.properties". I'd prefer it to be consistent between the 3 different things we have internationalized, and as such admin messages should be loaded from themes and the message bundles should have the same names.
We can then discuss with the translation team if they are happy with 3 separate message bundles or if they'd like a single message bundle for everything. We can also query about whether or not we can divide the message bundles up further. Dividing message bundles up would require adding support for that to themes as well. With classloaders and such it would be hard to implement a list of available bundles, so that's another reason for going with a single message bundle for now.
9 years, 7 months
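The override behaviour described in the message above, as an added example that is not Keycloak's own code: the Theme class, the theme names and the bundle contents are hypothetical and constructed for illustration, and only the "messages_<locale>.properties" naming comes from the message.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;

public class ThemeMessagesExample {

    /** Hypothetical stand-in for a theme: a name, an optional parent, and its files. */
    static final class Theme {
        final String name;
        final Theme parent;                              // theme this one extends, or null
        final Map<String, String> files = new HashMap<>();

        Theme(String name, Theme parent) { this.name = name; this.parent = parent; }

        Theme file(String fileName, String content) { files.put(fileName, content); return this; }

        /** Parent messages are loaded first, so this theme's entries override them. */
        Properties getMessages(Locale locale) throws IOException {
            Properties messages = new Properties();
            if (parent != null) {
                messages.putAll(parent.getMessages(locale));
            }
            String content = files.get("messages_" + locale + ".properties");
            if (content != null) {
                Properties own = new Properties();
                own.load(new StringReader(content));
                messages.putAll(own);
            }
            return messages;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample bundles, not taken from Keycloak.
        Theme base = new Theme("base", null)
            .file("messages_en.properties", "loginTitle=Log in\ncancel=Cancel\n");
        Theme custom = new Theme("acme", base)
            .file("messages_en.properties", "loginTitle=Sign in to Acme\n");

        Properties messages = custom.getMessages(Locale.ENGLISH);
        System.out.println(messages.getProperty("loginTitle")); // overridden by the custom theme
        System.out.println(messages.getProperty("cancel"));     // inherited from the base theme
    }
}
```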
Cancel button options for clients
by Stian Thorgersen
Currently the cancel button always redirects to the redirect_uri with error=access_denied. This is fine if the application wants to handle the rejected login. However, it does require the application to add logic/error handling to display a suitable error message to the user instead of just a generic 400 error page.
I propose we add a configuration option to clients for how the cancel button is handled. Options would be:
* None - don't display cancel button, this is useful when login is mandatory (for example our admin console)
* Error redirect - redirect to redirect_uri with error=access_denied
* Return to app - redirect to base_url of client (if this is set base_url would be required)
9 years, 7 months
Keycloak Realm Admin Services SPI
by Pedro Igor Silva
Hi,
Based on the discussion from our last meeting, we would need to provide SPIs for these two major areas:
- Admin Services
- Admin UI
I would like to start discussing the first area, in other words, how to provide custom services to the Keycloak Admin RESTful API.
My initial requirement is all about providing a new API based on the following path:
* /admin/realms/{realm}/authz
I was thinking about using something like the following method on RealmAdminResource:
    @Path("{custom_resource}")
    public Object getCustomResource(@PathParam("custom_resource") String customResource) {
        // TODO: load the resource for customResource from an SPI
        return null;
    }
So here we could obtain some user-defined resource using a SPI based on a path param. That would allow us to support custom admin services for realms or even for a specific realm only.
Any thoughts ?
Regards.
Pedro Igor
9 years, 7 months
Issues with Infinispan local cache on EAP 6.4
by Stian Thorgersen
I recently removed the memory user session provider and replaced it with Infinispan local caches. There's an issue with that on EAP though. Infinispan didn't support map reduce tasks on local caches until 5.3 and EAP 6.4 is on 5.2.
As a workaround the Infinispan user session provider will fall back to the old deprecated memory user session provider if Infinispan is older than 5.3 and the cache is a local cache. The memory user session provider is not available as a standalone provider, just used internally by the Infinispan user session provider in this particular case.
Once we move to EAP 7 we can remove this workaround.
9 years, 7 months
refactored admin reset email and required actions
by Bill Burke
Admin console can send a reset password email to the user. Originally
it just executed update password. I changed this so that it sets an
Update Password required action on the User. The email link click runs
all required actions set for the user, then displays a message that the
Account has been updated.
When I get back, I'm also going to change the admin console behavior and
look too. Instead of a "Reset Password Email" button on Credentials
tab, there will be a button next to the Required Actions selection box
on user detail, something like "Email Required Actions" (I need a
better name). Clicking on this button will send an email to the user:
"Your administrator has requested that you update and/or reset some of
your account settings. Please click the link below to perform these
actions."
We do it this way because there may be multiple credentials the admin
wants the user to reset. These credentials may be custom authenticators.
Also I refactored the CONFIG_TOTP, UPDATE_PROFILE, and UPDATE_PASSWORD
required actions. They are now fully encapsulated under the required
actions SPI and are not hardcoded with any special cases. I still need
to refactor verify email. Ran out of time.
Finally, I need to add a check to user-initiated Reset Credentials. I
haven't put back in the cookie check to make sure not to log in the user
if it's not the same browser.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
9 years, 7 months
UserSession creation/removal notification/event?
by Hermann Hill
Hi all,
as a follow-up to my previous question: Is there an event or a notification interface for the creation and removal of sessions? I already found LOGIN and LOGOUT, but if a user session expires or the user is forcibly logged out by an admin it seems there is no LOGOUT event.
Best regards,
Hermann Josef Hill
Software Architect
optile GmbH
9 years, 7 months
AD Role Mapping
by Andrzej Goławski
Hi,
I'm trying to deploy Keycloak in my company as the primary SSO solution with AD
underneath.
In our company AD groups contain other groups as members.
e.g.:
Let's assume that we have Group1, Group1.1 and TestUser.
Group1 has Group1.1 as a member and Group1.1 contains user TestUser.
In that configuration, after importing AD users to Keycloak, TestUser should
have two roles: Group1 and Group1.1. But unfortunately it has only Group1.1.
I'm not an AD expert but I hope I've managed to explain the problem well
enough.
This is a very important feature for my company, and I would like to know if you
are going to solve this problem in the near future.
Best Regards,
Andrzej
9 years, 7 months
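The nested-membership expansion the message above asks for, as an added example that is not Keycloak's own code: the class, the method name and the in-memory memberOf map are assumptions standing in for directory lookups, and the sample data is constructed from the Group1 / Group1.1 / TestUser case in the message.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class NestedGroupRoles {

    /**
     * Returns every group the principal belongs to, directly or through nested groups.
     * memberOf maps a principal or group name to the groups that list it as a member.
     */
    static Set<String> effectiveGroups(String principal, Map<String, List<String>> memberOf) {
        Set<String> seen = new LinkedHashSet<>();
        Deque<String> pending = new ArrayDeque<>(memberOf.getOrDefault(principal, List.of()));
        while (!pending.isEmpty()) {
            String group = pending.pop();
            if (seen.add(group)) {   // skip groups already visited, so cycles terminate
                pending.addAll(memberOf.getOrDefault(group, List.of()));
            }
        }
        return seen;
    }

    public static void main(String[] args) {
        // Constructed directory data matching the message: TestUser -> Group1.1 -> Group1.
        // The Group1 -> Group1.1 entry adds a cycle to show that the walk still terminates.
        Map<String, List<String>> memberOf = Map.of(
            "TestUser", List.of("Group1.1"),
            "Group1.1", List.of("Group1"),
            "Group1", List.of("Group1.1"));

        // Both groups are returned, so both would be candidates for role mapping.
        System.out.println(effectiveGroups("TestUser", memberOf));
    }
}
```

Active Directory can also perform this expansion server-side with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941). Because every inherited group becomes a granted role, review the expanded set before mapping it to privileged roles.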
Implementation of SCIM with Keycloak
by Kuznetsov, Mike
Hello,
My team is currently investigating Keycloak. We also have an interest in using System for Cross-domain Identity Management (SCIM) for provisioning (http://www.simplecloud.info).
I did not see any documentation about SCIM support in Keycloak, and I have not seen any references to SCIM in the code.
Could you please tell me if there are any plans to add SCIM support to Keycloak?
Thank You,
Mikhail Kuznetsov
Software Engineer
Hewlett Packard Enterprise
9 years, 8 months