issue supporting older migrations
by Bill Burke
In removing UserFederationModel I found that we have generic Migration
objects that use this API to upgrade LDAP. Specifically in
1.3.0
1.4.0
I vote we don't support migration any more for anything older than 1.9.8.
8 years, 1 month
turning import on/off implications
by Bill Burke
When it is finished, you will be able to choose whether the LDAP provider
imports users or not. The thing is, if you run with import On (which
will be the default setting for older migrated LDAP deployments)... then
you switch it to OFF, what should happen? My first thought is that we
remove all imported users when that switch is flicked off. This would
require:
* an onUpdate(ComponentModel old, ComponentModel new) callback to the
UserStorageProvider so it can trigger deletion.
* A method deleteLinkedUsers(String federationLink) on userLocalStorage()
I'm also wondering if the generic console should have a
DELETE_LINKED_USERS and UNLINK_USERS button if the provider supports import.
See any problems with this?
8 years, 1 month
Saml authentication Signature verification Exception when Special Characters is the username
by rony joy
Hi All,
We are getting a signature verification exception at the client side after
the IdP successfully authenticated the user ("RoàåéèíñòøöùüßÅÄÖÜ") when the user
ID contains special characters.
UserName: RoàåéèíñòøöùüßÅÄÖÜ
Following are the Keycloak settings:
Encryption req: false
Sign Document: true
Please find below the exception at the client side:
05:25:23 ...se signature: org.keycloak.common.Veri...
at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.verifyPostBindingSignature(AbstractSamlAuthenticationHandler.java:480)
at org.keycloak.adapters.saml.profile.AbstractSamlAuthenticationHandler.validateSamlSignature(AbstractSamlAuthenticationHandler.java:261)
at org.keycloak.adapters.saml.profile.webbrowsersso.SamlEndpoint.handle(SamlEndpoint.java:44)
at org.keycloak.adapters.saml.undertow.AbstractSamlAuthMech.authenticate(AbstractSamlAuthMech.java:115)
at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:263)
at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:125)
at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:92)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:59)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.api.LegacyThreadSetupActionWrapper$1.call(LegacyThreadSetupActionWrapper.java:44)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:805)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
8 years, 1 month
getAuthorizationContext from RefreshableKeycloakSecurityContext with Spring Security
by Ignacio Ocampo
Hello Team,
I have a Spring Boot application with Spring Security Core; everything is
working fine in terms of authentication.
The next step is to set up authorization with "Authorization Enabled" in
the Client.
I have a problem trying to obtain the AuthorizationContext from
RefreshableKeycloakSecurityContext:
    KeycloakSecurityContext keycloakSecurityContext = (KeycloakSecurityContext)
            request.getAttribute(KeycloakSecurityContext.class.getName());
    // -> org.keycloak.adapters.RefreshableKeycloakSecurityContext@69d7e12b

    AuthorizationContext authzContext =
            keycloakSecurityContext.getAuthorizationContext();
    // -> null
Could you please help me to understand how I can get the authorization
context?
In my keycloak.json I have:

    {
      "realm": "MyRealName",
      "auth-server-url": "http://myendpoint/auth",
      "ssl-required": "none",
      "resource": "serviceName",
      "credentials": {
        "secret": "XXX-XXX-XXX"
      },
      "policy-enforcer": {
        "enforcement-mode": "ENFORCING"
      }
    }
Thanks
Regards.
--
Ignacio Ocampo Millán
8 years, 1 month
RuntimeException: Cannot find KieModule on example authz/photoz
by Maurício Giacomini Penteado
Hello everybody
I am doing some tests of resource authorization in Keycloak but I am having some problems.
If I try to run the authz/photoz example on a Windows 7 station with WildFly 10 and Keycloak 2.3.0, all works fine.
But using Windows 10 or Ubuntu 16.04 stations I always receive "RuntimeException: Cannot find KieModule".
In all tests I followed the same sequence described in https://github.com/keycloak/keycloak/tree/master/examples/authz/photoz/
I do not understand why everything works fine only on the Windows 7 station.
If someone can help me, please let me know.
Regards,
Mauricio.
A complete stack trace of the error:
15:20:52,311 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 65) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
... 6 more
Caused by: java.lang.RuntimeException: Cannot find KieModule: org.keycloak:photoz-authz-policy:2.1.0-SNAPSHOT
at org.drools.compiler.kie.builder.impl.KieServicesImpl.newKieContainer(KieServicesImpl.java:117)
at org.drools.compiler.kie.builder.impl.KieServicesImpl.newKieContainer(KieServicesImpl.java:111)
at org.keycloak.authorization.policy.provider.drools.DroolsPolicy.<init>(DroolsPolicy.java:31)
at org.keycloak.authorization.policy.provider.drools.DroolsPolicyProviderFactory.update(DroolsPolicyProviderFactory.java:95)
at java.util.ArrayList.forEach(ArrayList.java:1249)
at org.keycloak.authorization.policy.provider.drools.DroolsPolicyProviderFactory$1.onEvent(DroolsPolicyProviderFactory.java:75)
at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:67)
at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:162)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
... 19 more
8 years, 1 month
cluster invalidation tests failing
by Bill Burke
Every travis build is failing with this:
Tests in error:
ClientInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
ClientInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
GroupInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
GroupInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
RealmInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
RealmInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
RoleInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
RoleInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
SessionFailoverClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
UserInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
UserInvalidationClusterTest>AbstractClusterTest.beforeClusterTest:122->AbstractClusterTest.logFailoverSetup:60->AbstractClusterTest.getCurrentFailNode:49->AbstractClusterTest.backendNode:85 » IndexOutOfBounds
8 years, 1 month
User SPI
by Muein Muzamil
Hi all,
We have implemented custom authenticators to integrate with an external
authentication API. After successful authentication, the API returns user
attributes back. Right now we save this user into the DB as shown below, which
works well.

    // create the user in Keycloak's local store, then copy the attributes
    // returned by the external API onto it
    user = userFederationManager.addUser(context.getRealm(), username);
    user.setEnabled(true);
    mapUserAttributesToUserModel(user, userAttributes);
    context.setUser(user);

We have some privacy and security related requirements because of which we
don't want to store user information in the Keycloak database for a longer
period. We were thinking of implementing a scheduled job to clean up user
data from the Keycloak database, but I noticed that in Keycloak 2.3 a new User SPI
is introduced which allows users to be pulled in without syncing the user into
the Keycloak database.
1. So I was wondering how I can use this SPI to avoid storing user data
in the DB.
2. Can I imagine keeping user information in the session and returning user
information from the User SPI?
3. Do we have any sample implementations or documentation available for
the User SPI?
Regards,
Muein
8 years, 1 month
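The no-import pattern asked about in the User SPI thread above, as an added example (this is not Keycloak project code and not the poster's code): a User Storage SPI provider that serves users from a transient in-memory table instead of creating them in Keycloak's database. The package and class names, the in-memory table and its sample record, and the provider id "transient-user-store" are assumptions for illustration; the interfaces used are those of the Keycloak 2.3/2.4 User Storage SPI (UserStorageProvider, UserLookupProvider, CredentialInputValidator, AbstractUserAdapter).

```java
package example.storage;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.Map;

import org.keycloak.component.ComponentModel;
import org.keycloak.credential.CredentialInput;
import org.keycloak.credential.CredentialInputValidator;
import org.keycloak.credential.CredentialModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.credential.UserCredentialModel;
import org.keycloak.storage.StorageId;
import org.keycloak.storage.UserStorageProvider;
import org.keycloak.storage.UserStorageProviderFactory;
import org.keycloak.storage.adapter.AbstractUserAdapter;
import org.keycloak.storage.user.UserLookupProvider;

/**
 * Added example, not Keycloak project code: a User Storage SPI provider that
 * never imports. Users are resolved on demand from an in-memory table that
 * stands in for the external authentication API, and each UserModel is an
 * AbstractUserAdapter, which lives on the heap only, so nothing is written to
 * Keycloak's user tables.
 */
public class TransientUserStorageProvider
        implements UserStorageProvider, UserLookupProvider, CredentialInputValidator {

    // Constructed sample data (username -> attributes) for illustration. In a
    // real deployment the password check would be delegated to the external API.
    static final Map<String, Map<String, String>> EXTERNAL_USERS = new HashMap<>();
    static {
        Map<String, String> alice = new HashMap<>();
        alice.put("email", "alice@example.test");
        alice.put("firstName", "Alice");
        alice.put("lastName", "Example");
        alice.put("password", "correct horse");
        EXTERNAL_USERS.put("alice", alice);
    }

    private final KeycloakSession session;
    private final ComponentModel model;

    public TransientUserStorageProvider(KeycloakSession session, ComponentModel model) {
        this.session = session;
        this.model = model;
    }

    // ---- UserLookupProvider: resolve users per request, no import ----

    @Override
    public UserModel getUserById(String id, RealmModel realm) {
        // Ids issued by AbstractUserAdapter have the form "f:<componentId>:<username>"
        return getUserByUsername(StorageId.externalId(id), realm);
    }

    @Override
    public UserModel getUserByUsername(String username, RealmModel realm) {
        Map<String, String> attrs = EXTERNAL_USERS.get(username);
        return attrs == null ? null : adapt(realm, username, attrs);
    }

    @Override
    public UserModel getUserByEmail(String email, RealmModel realm) {
        for (Map.Entry<String, Map<String, String>> e : EXTERNAL_USERS.entrySet()) {
            if (email.equalsIgnoreCase(e.getValue().get("email"))) {
                return adapt(realm, e.getKey(), e.getValue());
            }
        }
        return null;
    }

    private UserModel adapt(RealmModel realm, String username, Map<String, String> attrs) {
        // AbstractUserAdapter keeps everything in memory; the federated variant
        // (AbstractUserAdapterFederatedStorage) would persist attributes into
        // Keycloak's federated storage tables, which is what we want to avoid.
        return new AbstractUserAdapter(session, realm, model) {
            @Override public String getUsername()  { return username; }
            @Override public String getEmail()     { return attrs.get("email"); }
            @Override public String getFirstName() { return attrs.get("firstName"); }
            @Override public String getLastName()  { return attrs.get("lastName"); }
            @Override public boolean isEnabled()   { return true; }
        };
    }

    // ---- CredentialInputValidator: the password never enters Keycloak's DB ----

    @Override
    public boolean supportsCredentialType(String credentialType) {
        return CredentialModel.PASSWORD.equals(credentialType);
    }

    @Override
    public boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType) {
        return supportsCredentialType(credentialType) && EXTERNAL_USERS.containsKey(user.getUsername());
    }

    @Override
    public boolean isValid(RealmModel realm, UserModel user, CredentialInput input) {
        if (!(input instanceof UserCredentialModel) || !supportsCredentialType(input.getType())) return false;
        Map<String, String> attrs = EXTERNAL_USERS.get(user.getUsername());
        if (attrs == null) return false;
        byte[] expected = attrs.get("password").getBytes(StandardCharsets.UTF_8);
        byte[] given = ((UserCredentialModel) input).getValue().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given); // constant-time comparison
    }

    @Override public void close() { }

    // Registered via META-INF/services/org.keycloak.storage.UserStorageProviderFactory
    public static class Factory implements UserStorageProviderFactory<TransientUserStorageProvider> {
        @Override public TransientUserStorageProvider create(KeycloakSession session, ComponentModel model) {
            return new TransientUserStorageProvider(session, model);
        }
        @Override public String getId() { return "transient-user-store"; }
    }
}
```

Two caveats for the privacy requirement in the thread: Keycloak's user-session records still reference the adapter's id ("f:<componentId>:<username>") for the lifetime of the session, so the username itself is not hidden from the session store; and anything the flow writes through UserModel setters on an AbstractUserAdapter is rejected as read-only rather than persisted, which is the behaviour wanted here but has to be accounted for in any custom authenticator that currently calls setEnabled or mapUserAttributesToUserModel.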