porting LDAP to new model
by Bill Burke
Was looking at LDAPFederationProvider today and thinking about how it
would be ported to new model.
* I think it may be possible to re-use most of the code. The code
currently assumes that the UserModel is imported into keycloak local
storage. What I think we can do is have an in-memory implementation of
UserModel. If import is disabled, we create an instance of this pojo.
This becomes a delegate, and we execute the import logic for mappers.
Proxy would also be called and just proxy the pojo instance.
* we get rid of the "always read from LDAP" option. For the new model,
users will be cached. If the cache is hit, then the provider is never
hit. Since we now have cache policies per UserStorageProvider, I don't
think it's an issue to remove this feature.
Devil is in the details, but I don't think this will be that bad. It's
just a matter of converting things to use the ComponentModel
8 years, 1 month
2.3.0.Final error when refreshing half-way into browser auth flow
by Martin Hardselius
There seems to be a problem with refreshing in the middle of browser auth
flow with more than one authenticator configured. The problem also appears
when refreshing the consent view.
ClientSessionCode#verifyCode() fails.
This was not an issue pre 2.3.0.Final to my knowledge.
Steps to reproduce the error.
1. Create a user
2. Log into the account client
3. Configure OTP
4. Logout
5. Login username/password
6. Refresh the page asking for OTP
or
1. Tick 'require consent' for the account client
2. Try to log in to the account client
3. Refresh consent view
Is this intended behaviour as of now, or is it an actual bug introduced in
the latest build?
8 years, 1 month
Memory leak fix merge to 1.9.x releases
by Kamal Jagadevan
Hello Stian,
Currently we have Keycloak 1.9.2 in production and recently we observed memory leak issue with lots of users logging in and creating sessions simultaneously. Further noticed this has been taken care of as part of [KEYCLOAK-3202] Creating users causes memory leak - JBoss Issue Tracker. But unfortunately those fixes didn't get merged to 1.9.x releases.
Are there any plans for merging those fixes to 1.9.x releases? Hope there is nothing blocking for this to be merged. If there are no plans, would you accept a PR from the DEV community to do so... of course after testing...
Please let us know at your earliest!!
***** Happy Halloween *****
Best
Kamal
8 years, 1 month
Jenkins discloses email list on notifications
by Konstantin Gribov
Hi, folks.
Jenkins should use BCC instead of To for sending mass emails to avoid
email disclosure. I'd say that it's not a big issue: these emails are
present somewhere in commit history or interacted with Keycloak
development some way with high probability. But it's still not a good style
of mass email notifications.
RedHat guys, could you please bring this issue to attention of your infra
team which manages Jenkins?
--
Best regards,
Konstantin Gribov
8 years, 2 months
Remember to close responses using admin client
by Stian Thorgersen
For methods on the admin client that return a Response it's important to
remember to close it. Failing to do this causes:
* Not freeing up connections
* Tests can fail intermittently as the tx may not be completed before you
move on
Ideal would be to find a way to prevent this and have the admin client
close the responses, but I don't think that's possible.
8 years, 2 months
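The close-the-Response rule from the post above, as an added example (not code from the post or from the Keycloak project): a helper that creates a user through the admin client and closes the `Response` on both the success and the failure path. It assumes the `keycloak-admin-client` library and the `javax.ws.rs` JAX-RS namespace on the classpath; the class name and `createUser` are hypothetical.

```java
import java.net.URI;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.representations.idm.UserRepresentation;

public class ClosingAdminClientExample {

    /**
     * Creates a user and returns the id taken from the Location header.
     * The Response is closed on every path, including when an exception is thrown.
     */
    static String createUser(Keycloak adminClient, String realm, String username) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true);

        // users().create(...) returns a raw JAX-RS Response that the caller owns.
        Response response = adminClient.realm(realm).users().create(user);

        // try/finally rather than try-with-resources: Response only implements
        // AutoCloseable from JAX-RS 2.1 onwards.
        try {
            if (response.getStatus() != Response.Status.CREATED.getStatusCode()) {
                throw new IllegalStateException(
                        "Create user failed with HTTP " + response.getStatus());
            }
            URI location = response.getLocation();
            if (location == null) {
                throw new IllegalStateException("201 Created without a Location header");
            }
            // Location ends in .../users/{id}
            String path = location.getPath();
            return path.substring(path.lastIndexOf('/') + 1);
        } finally {
            // Frees the connection; without this the two failure modes
            // listed in the post apply.
            response.close();
        }
    }
}
```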
Keycloak 2.3.0.CR1 is out
by Stian Thorgersen
We've just released Keycloak 2.3.0.CR1. This release brings a number of new
existing features!
Highlights of the release include:
- *OpenID Connect certification* - We've now completed the work on
making our OpenID Connect implementation pass the OpenID Connect
certification and we're currently passing all 5 profiles!
- *User SPI* - We now have a new simpler User SPI. This will make it
easier to implement a custom user provider to pull in users from any
external user store. In the next release we'll port our LDAP provider to
this SPI, which will make it possible to pull in users from LDAP without
syncing data to the Keycloak database. Once this work is completed we'll
remove the old User Federation SPI.
- *Realm Key Rotation* - We now support multiple keys in a realm. This
makes it possible to seamlessly rotate keys without any impact to
applications and users.
- *Client Registration CLI* - A while back we added dynamic client
registration capabilities, we've now created a CLI that makes it easy to
register and update clients from the command-line.
- *Dynamic Client Registration Policies* - We've introduced a mechanism
to control what clients can be dynamically created. This includes the
ability to define policies to allow clients to register without the need to
authenticate.
- *Node.js Adapter* - We've had a Node.js adapter a while, but we've now
polished it a lot and made it a first class citizen.
For the full list of issues resolved check out JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
and to download the release go to the Keycloak homepage
<http://blog.keycloak.org/www.keycloak.org/downloads>.
8 years, 2 months
Setting fixed max results on REST endpoints
by Stian Thorgersen
Would it make sense to set a fixed max results on REST endpoints for all
endpoints that are paginated?
I propose we set it to fetch maximum 100 entries by default. To fetch
everything ?max=-1 or alternatively we could use ?all.
8 years, 2 months