January 2016 - keycloak-dev - Jboss List Archives

Allow to search for users by exact attribute match.

by Thomas Darimont

Hi, I was looking for a way to query users based on their exact username but it turned out, that org.keycloak.admin.client.resource.UsersResource.search(String, String, String, String, Integer, Integer) @GET @Produces(MediaType.APPLICATION_JSON) List<UserRepresentation> search(@QueryParam("username") String username, @QueryParam("firstName") String firstName, @QueryParam("lastName") String lastName, @QueryParam("email") String email, @QueryParam("first") Integer firstResult, @QueryParam("max") Integer maxResults); ... usersResource.search("exactusername",null,null, null, null, email, 0, 10) generates a like %..% query in JpaUserProvider.searchForUserByAttributes(...). Since usernames are unique per realm I think it would make sense to be able to perform a query for the exact username (or perhaps the combination of other attributes as well). Was this omitted by design, or may I create a JIRA for this? Cheers, Thomas

10 years, 1 month

2
9
0 / 0

Keycloak Docker Image with Postgres HA with 1.8.CR1 doesn't work.

by Thomas Darimont

Hello, I just tried the server-ha-postgres Docker image and I wasn't able to run it. https://github.com/jboss-dockerfiles/keycloak/tree/master/server-ha-postgres The other images (server, server-postgres) work. When I try to run the "server-ha-postgres" example I see: 14:54:35,888 INFO [org.jboss.modules] (main) JBoss Modules version 1.5.0.Final WFLYSRV0073: Invalid option '/opt/jboss/keycloak/bin/start.sh' It seems that this command: https://github.com/jboss-dockerfiles/keycloak/blob/bfbbde898e4aba3b3ee517... is not properly passed to the start script. Building the image locally with that line commented seems to work... Cheers, Thomas

10 years, 1 month

2
1
0 / 0

Social login provider for Microsoft Live

by Vlastimil Elias

Hi, I need Social login provider for Microsoft Live account. I can implement it as I did few other social login providers already. Problem is that I need it in Keycloak 1.8. Any chance to add it to 1.8 if I will be quick enough (PR today or tomorrow)? It is OAuth2 based provider so impl should be easy. If not in KC 1.8 release, is it possible to add social provider as customization to my KC instance only? It is common provider factory so it should be possible I hope, but it also requires some template in admin theme, so I'm not sure (probably I have to create my customized admin theme in this case). I definitely prefer to have it in upstream if possible. Vlastimil -- Vlastimil Elias Principal Software Engineer Developer Portal Engineering Team

10 years, 1 month

2
8
0 / 0

Fwd: [keycloak-user] Spring Boot REST Service Example(s)

by Scott Rossillo

Those are a fork of my examples. Before product, I think the Spring Boot adapter needs an update to be based on the Spring adapter. I can do this if if you give me an ETA on how long before code is frozen. ---------- Forwarded message --------- From: Jeremy Simon <jeremy(a)jeremysimon.com> Date: Mon, Jan 18, 2016 at 12:11 PM Subject: Re: [keycloak-user] Spring Boot REST Service Example(s) To: <keycloak-user(a)lists.jboss.org> Thanks! These make a lot more sense. Looks Springy. ;) Based on how these examples are configured, why would the Keycloak documentation even mention in section 8.9.2 "You also need to specify the J2EE security config that would normally go in the web.xml"? Just trying to get an understanding. jeremy jeremy(a)jeremysimon.com www.JeremySimon.com On Thu, Jan 14, 2016 at 6:56 PM, Bill Burke <bburke(a)redhat.com> wrote: > Andrzej already replied to this earlier: > > take a look at these examples: > https://github.com/agolPL/keycloak-spring-demo > > > > On 1/14/2016 6:44 PM, Jeremy Simon wrote: >> Hi, >> >> Would anyone be willing to point me to some good working examples that >> are REST services built with Spring Boot but can leverage Keycloak for >> authentication? I had no trouble integrating a webapp with the SAML >> protocol, but this OpenID Connect (/Oauth2?) area of things is really >> confusing. >> >> All I'm trying to do is security the REST endpoints I made and then >> when I actually hit a controller, also be able to pull some role or >> attribute information off the Authentication token. >> >> I tried to cobble together something using the reference guide and the >> adaptors sections, but to no avail. In particular I followed the 8.9 >> Spring Boot Adaptor but I get 302s and a this in the response if i try >> a rest client... >> >> ---- >> 302 Found >> >> form >> >> HEADERS >> Content-Length:0 Bytes >> Date: >> 2016 Jan 14 18:41:13 >> Location: http://localhost:11080/auth/realms/jeremy/protocol/openid-connect/auth?re... >> S >> >> ---- >> >> At any rate, I tried some extra spring security and other mentions >> down further in the guide, but I'm definitely digging myself into a >> little hole! Any help would be greatly appreciated! >> >> Possibly uneducated guess with this subject, can Spring Security OAuth >> be used with this? Probably can't with the OpenID JWT responses? >> >> jeremy >> jeremy(a)jeremysimon.com >> www.JeremySimon.com >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > -- > Bill Burke > JBoss, a division of Red Hat > http://bill.burkecentral.com > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

10 years, 1 month

1
0
0 / 0

i18n for Logging

by Stan Silvert

I've completed a first stab at this using the JBoss logging tools. Once merged we will have the ability to do i18n/l10n on our log messages and also use message numbers. Here is the commit to show you how it turns out converting the log messages in KeycloakApplication: https://github.com/ssilvert/keycloak/commit/54faba37cb4797fc337569899d8ac... So, now a message coming from the KeycloakApplication class in the services module looks like this: 15:29:31,515 INFO [*org.keycloak.services*] (ServerService Thread Pool -- 50)*KC-SERVICES0001*: Loading config from c:\GitHub\keycloak\distribution\server-dist\target\keycloak-1.9.0.CR1-SNAPSHOT\standalone\configuration\keycloak-server.json We need to decide how we want to structure this. In WildFly, we typically have one logger per maven module. If you want to have one logger per package then you would need to create a new interface in each package, which gets hairy. I do suggest that we prefix all of our messages with "KC-" or something else that is unique across products. Also, we should standardize the "padding" for the message numbers. Another possibility is to have all keycloak messages start with "KEYCLOAK". This would mean that we would need for each module to reserve a number range. There are annotations to enforce this if we want to go that route. The downside is that somewhere we need to maintain a registry. I think WildFly did this but eventually abandoned it. Notice that WildFly messages are like "WFLYUT" for Undertow or "WFLYJSF" for JSF. BTW, localization works nicely. Just add a bundle for a new language. The tool even creates a skeleton properties file for you. If you want more details on the i18n framework, see https://developer.jboss.org/wiki/JBossLoggingTooling. Stan

10 years, 1 month

2
7
0 / 0

unsupported media type error

by John Dennis

I'm trying to test Openstack ECP with Keycloak. When Openstack posts the SAML AuthnRequest wrapped in SOAP to the /auth/realms/master/protocol/saml endpoint keycloak responds with an HTTP 415 unsupported media type error. The HTTP Content-Type in the post is text/xml. What are you expecting? This is with the 1.8.0.CR1 version of keycloak. Thanks! -- John

10 years, 1 month

3
4
0 / 0

direct grant cookies, and SSO

by Bill Burke

I was thinking that using direct grant from Browser Javascript would work with SSO if direct grant created and returned an SSO cookie and also checked to see if an SSO cookie was set. This way all the people wanting to completely bypass our login screens can do that. Why they would want to, I don't know. We maybe should extend the direct grant protocol to tell the client when required actions must be filled out before authentication, stuff like that. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 1 month

2
1
0 / 0

patching effected by module re-org?

by Bill Burke

Do we need to think about how patching will work in EAP? If we move to a more coarse grain module system, then the modules we patch might be quite large. We fine with that? -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 1 month

2
1
0 / 0

User federation to Active Directory/LDAP and password policies

by Edgar Vonk - Info.nl

Hi all, We use Keycloak’s user federation to integrate with a (Windows 2012) Active Directory (AD) server. We want to store all users and groups in AD and also want to manage the password policies from AD so we do not have any password policies in Keycloak set up. We also want to use Keycloak for all user management functionality. We have set up the password policies in AD at the domain level where we connect to from Keycloak. Our password policies in AD are as follows: - password complexity (min length + special chars) - account lock out after 3 attempts - password history (not allowed to use previous 5 passwords) Users and admins can set and change passwords in AD from Keycloak fine. However the password policies do not quite do what we want them to: - Password complexity policy seems to work fine. - Account is indeed locked in AD after three failed attempts. However the ‘Unlock users’ functionality in Keycloak does not unlock the users in AD. Users can only be unlocked in AD itself it seems. We would like to be able to do this from Keycloak however (and really per user and not for all users in one go). Should this work in Keycloak or is this a new feature request? - The password history policy does not seem to work at all. Users can currently set their password to a previous password without a problem. Does anyone have an idea why this policy in AD does not work from Keycloak? cheers Edgar

10 years, 1 month

2
10
0 / 0

1st pass module re-org, Brute Force, and AuthenticationManager

by Bill Burke

PR sent, probably will be commited once you read this: This is a first pass at the module re-org. Wanted to get most of it done on Friday, but I screwed up and lost 3 hours of work cuz I forgot to merge Stian's big jackson change and the conflicts were too much :) I hope to do more next week. * top level server-spi module was created * These modules were removed and rolled into server-spi - model-api - events-api - export-import-api - timer-api * These modules were moved into keycloak-services - exportimport single file and dir - some utility classes from exportimport api - timer-basic * These SPIs were moved to server-spi - LoginProtocol - ProtocolMapper - ClientInstallationProvider * BruteForceDetector is now a Provider and is looked up via KeycloakSession. Previously we were stuffing it with AuthenticationManager and passing that around everywhere. This cleaned up a bit of code. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

10 years, 1 month

1
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev January 2016