April 2016 - keycloak-dev - Jboss List Archives

missing SingleSignOnService SOAP binding; ECP won't work

by John Dennis

Using keycloak-1.9.0.Final only the HTTP-POST and HTTP-Redirect bindings are advertised in the IdP Metadata for SingleSignOnService. The SOAP SingleSignOnService was added when it was discovered to be missing in the 1.8 cycle, or so I thought. Did it get added in a different release or did it get lost somehow? Anyway, it's really important. SAML ECP won't work unless you advertise support for it. -- John

8 years, 8 months

2
4
0 / 0

Login modules in different package in 1.9.x and master

by Marek Posolda

Currently the JAAS classes (DirectAccessGrantsLoginModule, BearerTokenLoginModule etc) are in different package in 1.9.x and in master. Previously they were in package "org.keycloak.adapters.jass" and they are still there in 1.9.x branch. However in master they were moved to package "org.keycloak.adapters" . Were they moved by accident or by purpose? IMO we should have unified package in both branches to avoid future issues with backwards compatibility between Keycloak 1.X and 2.X. My vote is to keep the old package "org.keycloak.adapters.jaas" in both places to keep backwards compatibility with older versions than 1.9.2 . WDYT? Marek

8 years, 8 months

2
2
0 / 0

Refresh Token Revoke Endpoint

by gambol

Hiya I've been searching around but haven't come across anything yet. Does Keycloak support a revoke endpoint? for revoking refresh tokens ... i.e. curl https://accounts.google.com/o/oauth2/revoke?token={token} .. Rohith

8 years, 8 months

2
2
0 / 0

silent ssl error in debug level

by Jukka Sirviö

Hello, Anybody have any clue what could be causing this "silent exception" when DEBUG level logging is used, to SP's log. IOException is written to log all the time. Thus SAML authentication is working ok / normally. Using SSL (https) public addresses both with IDP and SP, along with signed & encrypted SAML assertions. Public certificates are good and ok! 2016-04-19 13:25:26,441 DEBUG [io.undertow.request.io] (default I/O-8) UT005013: An IOException occurred: java.io.IOException: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:577) at io.undertow.protocols.ssl.SslConduit.terminateReads(SslConduit.java:178) at org.xnio.conduits.ConduitStreamSourceChannel.close(ConduitStreamSourceChannel.java:168) at org.xnio.IoUtils.safeClose(IoUtils.java:134) at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.forceTermination(ReadReadyHandler.java:58) at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.forceTermination(SslConduit.java:1091) at org.xnio.nio.NioSocketConduit.forceTermination(NioSocketConduit.java:105) at org.xnio.nio.WorkerThread.run(WorkerThread.java:492) Caused by: javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack? at sun.security.ssl.Alerts.getSSLException(Alerts.java:208) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666) at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634) at sun.security.ssl.SSLEngineImpl.closeInbound(SSLEngineImpl.java:1561) at io.undertow.protocols.ssl.SslConduit.notifyReadClosed(SslConduit.java:575) ... 7 more ________________________________ Tämä sähköpostiviesti (liitteineen) saattaa sisältää luottamuksellista tietoa, joka on tarkoitettu vain vastaanottajalleen. Jos et ole oikea vastaanottaja, ilmoita viestin lähettäjälle tapahtuneesta virheestä ja tuhoa viesti välittömästi. Viestin luvaton julkaiseminen, kopioiminen, jakelu tai muu käyttö tai toimenpiteisiin ryhtyminen sen perusteella on ehdottomasti kielletty. This message (including any attachments) may contain confidential information intended for the person or entity to which it is addressed. If you are not the intended recipient, notify the sender and delete this message immediately. Notice that disclosing, copying, distributing or any other use of the message and its information, or taking any action based on it, is strictly prohibited. ________________________________

8 years, 8 months

1
0
0 / 0

java.net.ConnectException: Connection timed out

by Paa Kojo Konduah Amos

Hello, Any leads on how to resolve this? ; This is happening only when you try to access the application from a public IP. NOTE: - Everything works as expected within the LAN. - I have not obtained a CERTIFICATE yet; I am still using the self-generated one. ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token: java.net.ConnectException: Connection timed out.

8 years, 8 months

2
1
0 / 0

Accessing Application from public IP

by Paa Kojo Konduah Amos

Hello All, I have successfully tested an application using Keycloak 1.9.0.CR1. I have also deployed same on a public IP. It works fine within the LAN, but once you try to access it from the public the connetion times out. Please find below the logs; 20:43:06,191 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.ja va:206) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) [rt.jar:1.8.0_65] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) [rt.jar:1.8.0_65] at java.net.Socket.connect(Socket.java:589) [rt.jar:1.8.0_65] at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFact ory.java:117) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(Def aultClientConnectionOperator.java:177) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnA dapter.java:131) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequest Director.java:611) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDir ector.java:446) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient. java:863) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:82) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:106) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:57) [httpclient-4.5.1.jar:4.5.1] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.ja va:107) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuth enticator.java:314) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAut henticator.java:260) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator .java:112) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuth enticate(AbstractUndertowKeycloakAuthMech.java:110) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletK eycloakAuthMech.java:92) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(Secur ityContextImpl.java:283) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(Secur ityContextImpl.java:300) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(Secur ityContextImpl.java:270) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(Security ContextImpl.java:133) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContext Impl.java:108) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextIm pl.java:101) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handl eRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHa ndler.java:33) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest( AuthenticationConstraintHandler.java:51) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(A bstractConfidentialityHandler.java:46) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandle r.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handl eRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest( AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.hand leRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityI nitialHandler.java:76) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequ est(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(Se rvletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(Servle tInitialHandler.java:261) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletIn itialHandler.java:248) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitial Handler.java:77) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletIn itialHandler.java:167) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:761) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:11 42) [rt.jar:1.8.0_65] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6 17) [rt.jar:1.8.0_65] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_65] 21:00:44,500 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-5) failed to turn code into token: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.ja va:206) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) [rt.jar:1.8.0_65] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) [rt.jar:1.8.0_65] at java.net.Socket.connect(Socket.java:589) [rt.jar:1.8.0_65] at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFact ory.java:117) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(Def aultClientConnectionOperator.java:177) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnA dapter.java:131) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequest Director.java:611) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDir ector.java:446) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient. java:863) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:82) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:106) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:57) [httpclient-4.5.1.jar:4.5.1] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.ja va:107) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuth enticator.java:314) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAut henticator.java:260) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator .java:112) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuth enticate(AbstractUndertowKeycloakAuthMech.java:110) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletK eycloakAuthMech.java:92) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(Secur ityContextImpl.java:283) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(Secur ityContextImpl.java:300) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(Secur ityContextImpl.java:270) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(Security ContextImpl.java:133) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContext Impl.java:108) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextIm pl.java:101) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handl eRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHa ndler.java:33) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest( AuthenticationConstraintHandler.java:51) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(A bstractConfidentialityHandler.java:46) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandle r.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handl eRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest( AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.hand leRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityI nitialHandler.java:76) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequ est(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(Se rvletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(Servle tInitialHandler.java:261) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletIn itialHandler.java:248) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitial Handler.java:77) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletIn itialHandler.java:167) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:761) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:11 42) [rt.jar:1.8.0_65] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6 17) [rt.jar:1.8.0_65] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_65]

8 years, 8 months

1
0
0 / 0

Re: [keycloak-dev] Migrate testsuite

by Stan Silvert

OAuthClient is now migrated to the new testsuite and merged to master. PR for 1.9.x is pending. Also new is an abstract base class that should be helpful for migrating tests. org.keycloak.testsuite.TestRealmKeycloakTest provides a method called configureTestRealm(RealmRepresentation testRealm). Override this method to do the same kind of configuration performed in the old testsuite. (Note: "testRealm" was referred to as "appRealm" in the old testsuite.) OLD TESTSUITE: https://github.com/keycloak/keycloak/blob/1.8.x/testsuite/integration/src... EQUIVALENT CODE IN NEW TESTSUITE: https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar... On 4/12/2016 3:11 PM, Bruno Oliveira wrote: > Nice! Meanwhile answering my own question, seems like > transforAccessToken is required for that test case work. > > On Tue, Apr 12, 2016 at 3:48 PM, Stan Silvert <ssilvert(a)redhat.com> wrote: >> On 4/12/2016 12:16 PM, Stan Silvert wrote: >>> On 4/12/2016 10:38 AM, Bruno Oliveira wrote: >>>> Good morning, >>>> >>>> I'm looking at this test case >>>> >>>> https://gist.github.com/abstractj/8d3f1ca74a0dfb4f58f7810c519c6272#file-a... >>>> >>>> Although, it fails here >>>> >>>> https://gist.github.com/abstractj/8d3f1ca74a0dfb4f58f7810c519c6272#file-a... >>>> >>>> My feeling is the fact that I don't have this method >>>> >>>> https://github.com/keycloak/keycloak/blob/c7a8742a368bd8d76301145b08bb1e4... >>>> >>>> My question is: Is this something that could be solved with >>>> OAuthClient or is just the matter of migrate transformAccessToken? >>> I don't know the answer, but I can tell you where I am with OAuthClient. >>> It appears to be all working now. >>> >>> I've migrated TokenIntrospectionTest and ClientTest, which use several, >>> but not all, of the OAuthClient methods. All of the tests in those classes >>> will pass. >>> >>> However, TokenIntrospectionTest will only pass if you run each test >>> individually. The reason they won't run as a group is because >>> AssertEvents.clear() is not working. It took awhile but I finally figured >>> out why. The problem is that AssertEvents.clear() is trying to call >>> realmResource.clearEvents(). But there is a servlet filter installed and >>> that is where the events are actually read from. So >>> realmResource.clearEvents() doesn't have any effect on the event cache being >>> read during the test. >>> >>> There are two ways we could fix this. One is to get rid of the filter and >>> make AssertEvents completely rely on the adminClient. The other way is to >>> add a clear() method to EventListenerProvider. That way, all event listeners >>> will be notified to clear out their event caches. >> Actually, there is a third option. I added a second "command" to the >> AssertEventsServletFilter. Now it can respond to both /event-queue and >> /clear-event-queue. Updated AssertEvents to use clear-event-queue and >> everything now works. PR coming soon. >> >> >>> Bruno, for now just be aware that AssertEvents.clear() isn't working. >>>> >>>> On Thu, Apr 7, 2016 at 2:32 PM, Stian Thorgersen <sthorger(a)redhat.com> >>>> wrote: >>>>> >>>>> On 7 April 2016 at 19:27, Stan Silvert <ssilvert(a)redhat.com> wrote: >>>>>> On 4/7/2016 10:52 AM, Stian Thorgersen wrote: >>>>>> >>>>>> The testsuite before calls the model to change config as required. This >>>>>> should just be changed to use admin endpoints. Isn't that all that's >>>>>> required? >>>>>> >>>>>> I'm not sure. The test-app displays a link to account management. >>>>>> Presumably, one or more tests are relying on that particular link. >>>>>> Plus, >>>>>> since tests would then be relying on a different app (admin console), >>>>>> there >>>>>> would be cascading changes to the realm configuration and probably the >>>>>> tests >>>>>> themselves. >>>>>> >>>>>> See below. >>>>>> >>>>>> >>>>>> On 7 April 2016 at 16:40, Bruno Oliveira <abstractj(a)redhat.com> wrote: >>>>>>> Sorry about the lack of details. I'm looking more precisely at >>>>>>> AccessTokenTest and migrating this method[1] which does not depends on >>>>>>> OAuthClient. >>>>>>> >>>>>>> The "test-app" that I mentioned is this one[2]. >>>>>> Rather than refactoring OAuthClient and possibly any code that uses it, >>>>>> I'm proposing to move forward and just deploy the little test-app when >>>>>> the >>>>>> server starts up. >>>>>> >>>>>> I'm worried about breaking these tests in unknown and possibly >>>>>> undetectable ways. Stian, if you've got time to look it all over then >>>>>> we >>>>>> can do something different, but I don't think Bruno and I know these >>>>>> tests >>>>>> well enough to change it safely. >>>>>> >>>>>> I'd rather make sure we can port the tests as-is without changes. It >>>>>> won't be hard to let the Keycloak server deploy the little servlet. >>>>>> That >>>>>> will at least let us move forward. We can always change it later. >>>>>> >>>>>> Sound ok? >>>>> >>>>> Oki, but instead of deploying a WAR to Keycloak, something which is not >>>>> supported, so may not work in the future, add a custom REST endpoint >>>>> like >>>>> what I did for the TimeOffset >>>>> >>>>>>> [1] - >>>>>>> >>>>>>> https://github.com/keycloak/keycloak/blob/c7a8742a368bd8d76301145b08bb1e4... >>>>>>> [2] - >>>>>>> >>>>>>> https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar... >>>>>>> >>>>>>> On Thu, Apr 7, 2016 at 11:32 AM, Stian Thorgersen >>>>>>> <sthorger(a)redhat.com> >>>>>>> wrote: >>>>>>>> >>>>>>>> On 7 April 2016 at 16:28, Bruno Oliveira <abstractj(a)redhat.com> >>>>>>>> wrote: >>>>>>>>> I will also try to take a look later today. I have more questions of >>>>>>>>> course, actually I have to enable direct access grant for my >>>>>>>>> "test-app". >>>>>>>> >>>>>>>> What's your "test-app"? >>>>>>>> >>>>>>>>> My question is: to not mess with other tests, should I just add a >>>>>>>>> new >>>>>>>>> client to testrealm.json or it's ok to do some changes as long as it >>>>>>>>> does not break other tests? >>>>>>>> >>>>>>>> Depends on what your "test-app" is ;) >>>>>>>> >>>>>>>>> On Thu, Apr 7, 2016 at 7:56 AM, Stan Silvert <ssilvert(a)redhat.com> >>>>>>>>> wrote: >>>>>>>>>> On 4/7/2016 12:36 AM, Stian Thorgersen wrote: >>>>>>>>>> >>>>>>>>>> It can probably fairly easily be converted to not requiring >>>>>>>>>> anything >>>>>>>>>> to >>>>>>>>>> be >>>>>>>>>> deployed and instead just send to an invalid url. I can take a look >>>>>>>>>> at >>>>>>>>>> that >>>>>>>>>> if you want? >>>>>>>>>> >>>>>>>>>> Yes, take a look and let me know what you think about that. It >>>>>>>>>> would >>>>>>>>>> improve the design of it. >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On 6 April 2016 at 21:20, Stan Silvert <ssilvert(a)redhat.com> wrote: >>>>>>>>>>> On 4/6/2016 9:26 AM, Stian Thorgersen wrote: >>>>>>>>>>> >>>>>>>>>>> The new one is just a simple method so I don't see the issue in >>>>>>>>>>> merging >>>>>>>>>>> the two (once the old is working that is) >>>>>>>>>>> >>>>>>>>>>> I over-simplified my question, which is why I was wanting to chat. >>>>>>>>>>> But, >>>>>>>>>>> I'm too far in the weeds to talk right now. >>>>>>>>>>> >>>>>>>>>>> This is getting a bit hairy because the old OAuthClient relies on >>>>>>>>>>> the >>>>>>>>>>> fact >>>>>>>>>>> that there is a little application deployed with context >>>>>>>>>>> http://localhost:8081/app. So apparently, I've got to convert the >>>>>>>>>>> undertow >>>>>>>>>>> DeploymentInfo into a Shirkwrap WebArchive and let arquillian >>>>>>>>>>> deploy >>>>>>>>>>> the >>>>>>>>>>> little app. >>>>>>>>>>> >>>>>>>>>>> But unless you guys can think of an easier solution I've got quite >>>>>>>>>>> a >>>>>>>>>>> bit >>>>>>>>>>> of work to do before we discuss unification. >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On 6 April 2016 at 15:09, Stan Silvert <ssilvert(a)redhat.com> >>>>>>>>>>> wrote: >>>>>>>>>>>> I've found a problem with the migrated OAuth client and I've been >>>>>>>>>>>> trying >>>>>>>>>>>> to work on that. >>>>>>>>>>>> >>>>>>>>>>>> The thing I wanted to discuss yesterday was about unification of >>>>>>>>>>>> the >>>>>>>>>>>> old >>>>>>>>>>>> and new OAuth clients. But that's a moot point as long as the >>>>>>>>>>>> old >>>>>>>>>>>> one >>>>>>>>>>>> isn't >>>>>>>>>>>> fully working with the new testsuite. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On 4/6/2016 8:03 AM, Stian Thorgersen wrote: >>>>>>>>>>>> >>>>>>>>>>>> Do you and Stan still want a chat? If so I can do it now >>>>>>>>>>>> >>>>>>>>>>>> On 6 Apr 2016 13:46, "Bruno Oliveira" <abstractj(a)redhat.com> >>>>>>>>>>>> wrote: >>>>>>>>>>>>> Great news! >>>>>>>>>>>>> >>>>>>>>>>>>> On Wed, Apr 6, 2016 at 6:24 AM, Stian Thorgersen >>>>>>>>>>>>> <sthorger(a)redhat.com> >>>>>>>>>>>>> wrote: >>>>>>>>>>>>>> Bruno and Stan, thanks to Pedro we now have the ability to add >>>>>>>>>>>>>> custom >>>>>>>>>>>>>> REST endpoints to Keycloak [1]. Also, thanks to Marko we can >>>>>>>>>>>>>> add >>>>>>>>>>>>>> already add >>>>>>>>>>>>>> custom providers to the Arquillian testsuite. Once [2] is >>>>>>>>>>>>>> merged >>>>>>>>>>>>>> (in >>>>>>>>>>>>>> an hour >>>>>>>>>>>>>> or so) tests can easily set the time offset on the server. I >>>>>>>>>>>>>> added a >>>>>>>>>>>>>> temporary test that does exactly that [3]. >>>>>>>>>>>>>> >>>>>>>>>>>>>> There's a bit of clean-up to do with assert events and the >>>>>>>>>>>>>> custom >>>>>>>>>>>>>> testsuite providers, but Marko can do that when he gets back >>>>>>>>>>>>>> [4]. >>>>>>>>>>>>>> >>>>>>>>>>>>>> [1] https://issues.jboss.org/browse/KEYCLOAK-2262 >>>>>>>>>>>>>> [2] https://issues.jboss.org/browse/KEYCLOAK-2590 >>>>>>>>>>>>>> [3] org.keycloak.testsuite.TempSetTimeOffsetTest >>>>>>>>>>>>>> [4] https://issues.jboss.org/browse/KEYCLOAK-2755 >>>>>>>>>>>>>> >>>>>>>>>>>>>> On 4 April 2016 at 14:30, Bruno Oliveira <abstractj(a)redhat.com> >>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>> Perfect and yes for Drone. That already helps with my n00bish >>>>>>>>>>>>>>> about >>>>>>>>>>>>>>> the test suite. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Mon, Apr 4, 2016 at 9:26 AM, Stian Thorgersen >>>>>>>>>>>>>>> <sthorger(a)redhat.com> >>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>> KeycloakRule should be removed and replaced with extending >>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>> AbstractKeycloakTest. OAuthClient should be ported, but Drone >>>>>>>>>>>>>>>> uses >>>>>>>>>>>>>>>> WebDriver >>>>>>>>>>>>>>>> under the covers right? So it's just about changing how it's >>>>>>>>>>>>>>>> injected. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On 4 April 2016 at 14:19, Bruno Oliveira >>>>>>>>>>>>>>>> <abstractj(a)redhat.com> >>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>> I know we have a meeting about it today, but I have a >>>>>>>>>>>>>>>>> question — >>>>>>>>>>>>>>>>> thinking about AccessTokenTest[1]. Should we keep the >>>>>>>>>>>>>>>>> testing >>>>>>>>>>>>>>>>> structure as >>>>>>>>>>>>>>>>> is and just replace WebDriver by Drone? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> For example, from my poor understanding KeycloakRule, >>>>>>>>>>>>>>>>> WebRule, >>>>>>>>>>>>>>>>> OAuthClient should be migrated to the new test suite and the >>>>>>>>>>>>>>>>> bits >>>>>>>>>>>>>>>>> refering >>>>>>>>>>>>>>>>> to WebDriver ported to Drone[2]. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Am I totally wrong? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> [1] - >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/c7a8742a368bd8d76301145b08bb1e4... >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> [2] - https://docs.jboss.org/author/display/ARQ/Drone >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Mon, Apr 4, 2016 at 8:55 AM, Bruno Oliveira >>>>>>>>>>>>>>>>> <abstractj(a)redhat.com> wrote: >>>>>>>>>>>>>>>>>> Thank you Stan, will give it a try >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On Mon, Apr 4, 2016 at 8:46 AM, Stan Silvert >>>>>>>>>>>>>>>>>> <ssilvert(a)redhat.com> >>>>>>>>>>>>>>>>>> wrote: >>>>>>>>>>>>>>>>>>> Bruno, >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Here is what I've done so far. Still have 9 migrated tests >>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>> this package that don't pass. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> https://github.com/ssilvert/keycloak/tree/migrate-admin/testsuite/integra... >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> AbstractClientTest is where most of the adaptation to the >>>>>>>>>>>>>>>>>>> new >>>>>>>>>>>>>>>>>>> test >>>>>>>>>>>>>>>>>>> suite happens. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Stan >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On 4/1/2016 11:04 AM, Bruno Oliveira wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> That makes sense. I will check your commits and try to >>>>>>>>>>>>>>>>>>> adapt to >>>>>>>>>>>>>>>>>>> my >>>>>>>>>>>>>>>>>>> tests. >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Thanks Stan >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Fri, Apr 1, 2016 at 10:24 AM, Stan Silvert >>>>>>>>>>>>>>>>>>> <ssilvert(a)redhat.com> wrote: >>>>>>>>>>>>>>>>>>>> Having never done this before, we don't have any >>>>>>>>>>>>>>>>>>>> guidelines. >>>>>>>>>>>>>>>>>>>> But >>>>>>>>>>>>>>>>>>>> I can tell you how I am approaching this at the moment. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> I don't want to touch the actual test code if possible. >>>>>>>>>>>>>>>>>>>> The >>>>>>>>>>>>>>>>>>>> reason is that there is no way I could fully understand >>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>> intent of the >>>>>>>>>>>>>>>>>>>> original author. Changes to the test code could yield >>>>>>>>>>>>>>>>>>>> false >>>>>>>>>>>>>>>>>>>> positives and >>>>>>>>>>>>>>>>>>>> we would end up with code that doesn't actually test what >>>>>>>>>>>>>>>>>>>> it >>>>>>>>>>>>>>>>>>>> was intended to >>>>>>>>>>>>>>>>>>>> test. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> So I copy over the original test class and get rid of the >>>>>>>>>>>>>>>>>>>> annotations that pertain to the old environment. Then I >>>>>>>>>>>>>>>>>>>> write adapter code >>>>>>>>>>>>>>>>>>>> that lets the test code remain unchanged while calling >>>>>>>>>>>>>>>>>>>> into >>>>>>>>>>>>>>>>>>>> the new >>>>>>>>>>>>>>>>>>>> environment. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Of course, there is risk in that approach as well, but it >>>>>>>>>>>>>>>>>>>> seems >>>>>>>>>>>>>>>>>>>> less than if I tried to modify the original test methods. >>>>>>>>>>>>>>>>>>>> And >>>>>>>>>>>>>>>>>>>> it seems to >>>>>>>>>>>>>>>>>>>> be working well as about 75% of my tests are passing >>>>>>>>>>>>>>>>>>>> unchanged >>>>>>>>>>>>>>>>>>>> with only a >>>>>>>>>>>>>>>>>>>> minimal bit of adapter code written so far. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> For this reason, I rejected extending AbstractAuthTest in >>>>>>>>>>>>>>>>>>>> favor >>>>>>>>>>>>>>>>>>>> of my own abstract class that just extends >>>>>>>>>>>>>>>>>>>> AbstractKeycloakTest. That new >>>>>>>>>>>>>>>>>>>> abstract class is where the adapter code lives. I also >>>>>>>>>>>>>>>>>>>> have >>>>>>>>>>>>>>>>>>>> concerns about >>>>>>>>>>>>>>>>>>>> duplication of effort so hopefully at some point I can >>>>>>>>>>>>>>>>>>>> provide >>>>>>>>>>>>>>>>>>>> generic code >>>>>>>>>>>>>>>>>>>> that applies to all the migrated tests instead of just >>>>>>>>>>>>>>>>>>>> the >>>>>>>>>>>>>>>>>>>> ones I'm working >>>>>>>>>>>>>>>>>>>> on. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> But by then, we might be all done anyway... >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On 4/1/2016 6:23 AM, Bruno Oliveira wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Good morning, I have a question to prevent duplicated >>>>>>>>>>>>>>>>>>>> work. >>>>>>>>>>>>>>>>>>>> Taking as an example AccessTokenTest[1]. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> In order to execute the tests we have an user >>>>>>>>>>>>>>>>>>>> "no-permissions" >>>>>>>>>>>>>>>>>>>> with the role "user". Add an user is easy if I extend >>>>>>>>>>>>>>>>>>>> AbstractAuthTest[2], >>>>>>>>>>>>>>>>>>>> at the same time we don't have any method to assign the >>>>>>>>>>>>>>>>>>>> role >>>>>>>>>>>>>>>>>>>> "user". >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> To follow the correct guidelines. Should I extend >>>>>>>>>>>>>>>>>>>> AbstractAuthTest and add the proper method to assign >>>>>>>>>>>>>>>>>>>> roles >>>>>>>>>>>>>>>>>>>> in >>>>>>>>>>>>>>>>>>>> the same >>>>>>>>>>>>>>>>>>>> class? Or this is definitely wrong? >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> [1] - >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/c7a8742a368bd8d76301145b08bb1e4... >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> [2] - >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/blob/7c64ab228b7c95646c54caa4e156251... >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On Tue, Mar 29, 2016 at 3:26 PM, Stian Thorgersen >>>>>>>>>>>>>>>>>>>> <sthorger(a)redhat.com> wrote: >>>>>>>>>>>>>>>>>>>>> We need to co-ordinate who migrate which tests. I'm not >>>>>>>>>>>>>>>>>>>>> quite >>>>>>>>>>>>>>>>>>>>> so >>>>>>>>>>>>>>>>>>>>> available this week, but will be checking email at least >>>>>>>>>>>>>>>>>>>>> once >>>>>>>>>>>>>>>>>>>>> a day. I will >>>>>>>>>>>>>>>>>>>>> be fully operational next week. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Prerequisites to migrating tests are: >>>>>>>>>>>>>>>>>>>>> * Port assert events (there's a PR from Marko on this >>>>>>>>>>>>>>>>>>>>> and >>>>>>>>>>>>>>>>>>>>> I >>>>>>>>>>>>>>>>>>>>> need >>>>>>>>>>>>>>>>>>>>> to review and merge it) >>>>>>>>>>>>>>>>>>>>> * Ability to set time offset through admin endpoints >>>>>>>>>>>>>>>>>>>>> (only >>>>>>>>>>>>>>>>>>>>> required for expirations or other time sensitive tests) >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Once those are done we can start migrating tests. To >>>>>>>>>>>>>>>>>>>>> prevent >>>>>>>>>>>>>>>>>>>>> multiple folks porting the same tests, here's your >>>>>>>>>>>>>>>>>>>>> initial >>>>>>>>>>>>>>>>>>>>> list to port >>>>>>>>>>>>>>>>>>>>> (packages in >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> https://github.com/keycloak/keycloak/tree/master/testsuite/integration/sr...): >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> * Stan - admin (these may be duplicates in the new admin >>>>>>>>>>>>>>>>>>>>> endpoints tests), actions >>>>>>>>>>>>>>>>>>>>> * Bruno - oauth, forms >>>>>>>>>>>>>>>>>>>>> * Bolek - account >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> That's right, we're so behind with tests that even the >>>>>>>>>>>>>>>>>>>>> engineering manager has to start coding. >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Let's use this thread as a place to discuss progress and >>>>>>>>>>>>>>>>>>>>> issues >>>>>>>>>>>>>>>>>>>>> around migrating the tests. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>>> abstractj >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>>> abstractj >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>>> abstractj >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> - >>>>>>>>>>>>>>>>> abstractj >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> -- >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> - >>>>>>>>>>>>>>> abstractj >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> -- >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> - >>>>>>>>>>>>> abstractj >>>>>>>>>>>> >>>>>>>>> >>>>>>>>> -- >>>>>>>>> >>>>>>>>> >>>>>>>>> - >>>>>>>>> abstractj >>>>>>>> >>>>>>> >>>>>>> -- >>>>>>> >>>>>>> >>>>>>> - >>>>>>> abstractj >>>>>> >>>>>> >>>> > >

8 years, 8 months

1
0
0 / 0

Keycloak 1.9.2.Final released

by Stian Thorgersen

The team has done an awesome job this time around and we've spent the last few weeks polishing and fixing! With 141 issues resolved this release takes us one step closer to having a supported version of Keycloak. For the next release we will focus on extending our testsuite as well as improving documentation. If you haven't already upgraded to 1.9.x now is the time! For the full list of resolved issues check out JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> and to download the release go to the Keycloak homepage. <http://www.keycloak.org/downloads>

8 years, 8 months

5
4
0 / 0

Connection Timming out.

by Paa Kojo Konduah Amos

Hello All, I have successfully tested an application using Keycloak 1.9.0.CR1. I have also deployed same on a public IP. It works fine within the LAN, but once you try to access it from the public the connetion times out. Please find below the logs; 20:43:06,191 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-2) failed to turn code into token: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.ja va:206) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) [rt.jar:1.8.0_65] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) [rt.jar:1.8.0_65] at java.net.Socket.connect(Socket.java:589) [rt.jar:1.8.0_65] at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFact ory.java:117) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(Def aultClientConnectionOperator.java:177) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnA dapter.java:131) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequest Director.java:611) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDir ector.java:446) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient. java:863) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:82) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:106) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:57) [httpclient-4.5.1.jar:4.5.1] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.ja va:107) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuth enticator.java:314) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAut henticator.java:260) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator .java:112) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuth enticate(AbstractUndertowKeycloakAuthMech.java:110) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletK eycloakAuthMech.java:92) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(Secur ityContextImpl.java:283) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(Secur ityContextImpl.java:300) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(Secur ityContextImpl.java:270) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(Security ContextImpl.java:133) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContext Impl.java:108) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextIm pl.java:101) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handl eRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHa ndler.java:33) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest( AuthenticationConstraintHandler.java:51) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(A bstractConfidentialityHandler.java:46) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandle r.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handl eRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest( AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.hand leRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityI nitialHandler.java:76) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequ est(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(Se rvletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(Servle tInitialHandler.java:261) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletIn itialHandler.java:248) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitial Handler.java:77) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletIn itialHandler.java:167) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:761) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:11 42) [rt.jar:1.8.0_65] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6 17) [rt.jar:1.8.0_65] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_65] 21:00:44,500 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (default task-5) failed to turn code into token: java.net.ConnectException: Connection timed out at java.net.PlainSocketImpl.socketConnect(Native Method) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.ja va:206) [rt.jar:1.8.0_65] at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) [rt.jar:1.8.0_65] at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) [rt.jar:1.8.0_65] at java.net.Socket.connect(Socket.java:589) [rt.jar:1.8.0_65] at org.apache.http.conn.scheme.PlainSocketFactory.connectSocket(PlainSocketFact ory.java:117) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(Def aultClientConnectionOperator.java:177) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnA dapter.java:131) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequest Director.java:611) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDir ector.java:446) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient. java:863) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:82) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:106) [httpclient-4.5.1.jar:4.5.1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient. java:57) [httpclient-4.5.1.jar:4.5.1] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.ja va:107) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuth enticator.java:314) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAut henticator.java:260) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator .java:112) [keycloak-adapter-core-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuth enticate(AbstractUndertowKeycloakAuthMech.java:110) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletK eycloakAuthMech.java:92) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(Secur ityContextImpl.java:283) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(Secur ityContextImpl.java:300) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(Secur ityContextImpl.java:270) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(Security ContextImpl.java:133) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContext Impl.java:108) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextIm pl.java:101) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handl eRequest(ServletAuthenticationCallHandler.java:55) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHa ndler.java:33) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest( AuthenticationConstraintHandler.java:51) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(A bstractConfidentialityHandler.java:46) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandle r.handleRequest(ServletConfidentialityConstraintHandler.java:64) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handl eRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest( AuthenticationMechanismsHandler.java:58) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.hand leRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityI nitialHandler.java:76) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequ est(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(Se rvletPreAuthActionsHandler.java:69) [keycloak-undertow-adapter-1.9.0.CR1.jar:1.9.0.CR1] at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler. java:43) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(Servle tInitialHandler.java:261) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletIn itialHandler.java:248) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitial Handler.java:77) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletIn itialHandler.java:167) [undertow-servlet-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.Connectors.executeRootHandler(Connectors.java:199) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:761) [undertow-core-1.1.8.Final.jar:1.1.8.Final] at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:11 42) [rt.jar:1.8.0_65] at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:6 17) [rt.jar:1.8.0_65] at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_65]

8 years, 8 months

1
0
0 / 0

Re: [keycloak-dev] Adapter Versioning

by Stian Thorgersen

Adding list back On 13 April 2016 at 21:27, Lance Ball <lball(a)redhat.com> wrote: > Some comments inline... > > On Wed, Apr 13, 2016 at 12:36 AM, Stian Thorgersen <sthorger(a)redhat.com> > wrote: > >> >> >> On 12 April 2016 at 19:25, Lance Ball <lball(a)redhat.com> wrote: >> >>> >>> 1) There is a security flaw in some 3rd party dependency of the adapter, >>> discovered the day of a Keycloak core release. This renders the "latest" >>> version of an adapter useless until a new Keycloak server is released. I >>> understand that the release cadence is anticipated to be approximately >>> every 6 weeks (which is laudable), but still that's > 1 month that users >>> have to wait for a security fix. >>> >> >> Non-issue as we will push out a release for a critical security fix as >> soon as possible. Having a single release makes it actually easier to do. >> > > I'll take your word for it, but I honestly don't see how pushing a new > release of _everything_ can possibly be easier than, for example `npm > publish` for a single artifact. > Releasing everything is going to be a "single" button click. Having the ability to release micro releases of adapters may be something to consider in the future if it does indeed become a problem. > > >> >> >>> 2) There is no change in the adapter between releases of Keycloak >>> server. In this case, it's not necessarily a problem to release a new >>> adapter version, but it seems noisy and pointless if the bits are exactly >>> the same. >>> >> >> The plan is to have release notes that cover which adapters have changed >> and which are required to upgrade (either because backwards compatibility >> is broken with the server or due to a security fix) >> > > But how is "Keycloak 2.7.0 works with foo-adapter 1.9.1 and greater" any > better than "foo-adapter 1.9.1 works with Keycloak 1.9.1 and greater"? The > first scenario is what will happen if adapters march in lockstep with > Keycloak server, and the second is what will happen if they are released > only when necessary. In either case, it is possible to be running different > version numbers for foo-adapter and Keycloak server and still be functional. > Being able to grab same version of everything is nice. Being able to not have to upgrade everything is nice. Having to figure out what version belongs to what as a first time adapter or when adding a new adapter is not so nice. Having to figure out what the version is going to be for each individual bit when we are doing a collective release is not so nice. Having different release cycles, etc, etc.. is not so nice. We are a small team with a large amount of work so we can afford to do this as it's additional time spent doing releases, which we will be doing every 6 weeks!! so we want to reduce the pain of doing a release as much as possible. > > >> >> >>> When we look at version numbers, they are typically MAJOR.MINOR.PATCH >>> with possibly a pre-release suffix like -Alpha1. I would like to discuss >>> the possibility for adapters to issue patch level releases independent of a >>> server release. This would allow for MAJOR.MINOR versions to remain >>> consistent so to communicate compatibility with a given Keycloak server >>> version. But would provide flexibility for adapters to deal with both >>> issues noted above. >>> >> >>> And just for the sake of argument, let's look at a hypothetical >>> situation where Keycloak is baptized a Product, and the release cadence >>> slows down significantly to every 12-18 months. What if a major security >>> flaw is discovered in an adapter? Should this trigger a new release of >>> Keycloak server itself? Would it not be better to allow the adapter to >>> issue a patch level release instead? >>> >> >> It won't and Keycloak is already becoming a product. Release cadence is 6 >> weeks in community. >> > > To be clear, by "hypothetical situation", I didn't mean that Keycloak > becoming a product was hypothetical. :) I'm saying that product releases > are much slower, typically, than community releases. Will adapters be > prevented from publishing an independent security fix in this scenario, > where the product release cadence has slowed down? If not, we're going to > hit version mismatches then anyway. > Product is different as here you actually have patches that are sent out to customers. It would not be released as a release until the next micro of the product as a whole. At least that's my understanding. > > Lance > >

8 years, 8 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev April 2016