Re: [keycloak-dev] Node.js adapter releases
by Stian Thorgersen
We discussed this at the f2f and I believe we should keep it consistent
across all adapters.
The decision was to have all adapters released when the server is released
and they will have the same version numbers. We will also make sure release
notes mark which adapters have changed and also which are required to
update (either due to compatibility changes or security related fixes).
So I'd like the ability to release nodejs adapters at the same time I do
the release of the server.
We can certainly discuss changes to the above, but it should be consistent
for all our adapters.
On 11 Apr 2016 17:09, "Bruno Oliveira" <bruno(a)abstractj.org> wrote:
Good morning,
Today I was chatting with Lance about the release cadence for Node.js
adapters.
My initial idea was to release the adapters at exactly the same release
dates as the official Keycloak release in order to guarantee compatibility.
For critical/urgent patches, we just release those modules based on our
judgment.
Lance would like more flexibility between those releases. For example,
release npm modules before the official release for situations where a user
wants some new capability that is perhaps unrelated to changes in KC itself
e.g. a move to promises.
I don't have any problems with keeping Node.js adapters' release independent
from official KC release, but would like to hear more opinions about it.
--
-
abstractj
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
8 years, 8 months
Social media Login using keycloak
by JAYAPRIYA ATHEESAN
Hi Team,
We have AngularJS integrated with Keycloak services. When the person logs in
to our application, we enable social media login also.
But after login, we would like to know which social media the user used for
login.
Is it possible in any way? Waiting on your reply. It is a little urgent for us.
Thanks,
Jayapriya Atheesan
8 years, 8 months
Re: [keycloak-dev] [keycloak-user] Logouts / how to disable keycloak "user session" cache?
by Scott Rossillo
Hi!
We completed the final steps to getting this working on Amazon AWS with Docker using Keycloak 1.9.x. Since we already have a database, we used JDBC_PING not to add S3 as yet another dependency.
The changes are here[0] for now. Would Keycloak devs be interested in adding a running Keycloak on AWS section or another sample docker image?
There are 3 steps / files:
1. configureCache.xsl sets up Infinispan correctly
2. start.sh - Uses Amazon APIs via HTTP to get the correct instance IP information
3. 30_docker_ports.config - if using Docker, this shell script runs on deploy to expose the cluster port to the EC2 interface. Needed with Beanstalk, maybe not with ECS
[0]: https://gist.github.com/foo4u/ad2fa7251ac5b4d4fd318f668f50f7ac
Best,
Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
> On Apr 7, 2016, at 6:44 AM, Thomas Darimont <thomas.darimont(a)googlemail.com> wrote:
>
> Hello,
>
> have a look at this thread: http://lists.jboss.org/pipermail/keycloak-user/2016-February/004935.html
>
> Cheers,
> Thomas
>
> 2016-04-07 12:40 GMT+02:00 Stian Thorgersen <sthorger(a)redhat.com>:
> It is not currently possible to run multiple nodes without clustering. However, it's possible to configure JGroups to work on AWS. I can't remember the configuration required though, but if you search the user mailing list you'll find instructions or google for JGroups and AWS.
>
> On 7 April 2016 at 10:22, Christian Schwarz <christian(a)datek.no> wrote:
> Hi!
>
> I'm trying to set up a keycloak cluster on AWS, which does not support UDP multicast. IP addresses of the nodes are also not known in advance (I'm using docker-cloud), so Infinispan/JGroups ("keycloak-ha-posgres" docker image) for user session replication will not work (seems that it requires either UDP multicast or IP addresses known in advance).
>
> The main problem I have is that logout is not working properly. I only get logged out from one of the two keycloak nodes.
>
> I have tried to disable the user cache (by setting userCache.default.enabled = false) and to disable infinispan (by using “keycloak-postgres” docker image), but to no avail. The “other” keycloak node still thinks that the user is logged in, it’s not refreshing the user session from the database even if user cache and infinispan cluster cache is disabled.
>
> => Is there a possibility of using the database as a synchronization point between keycloak nodes? (i.e. each node always checks logout status in the database)
> Or is there another way of getting a keycloak cluster up and running on AWS when IP addresses are not known in advance?
>
> I hope there is a way… :)
>
> Kind regards,
> Christian
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
8 years, 8 months
Node.js adapter releases
by Bruno Oliveira
Good morning,
Today I was chatting with Lance about the release cadence for Node.js
adapters.
My initial idea was to release the adapters at exactly the same release
dates as the official Keycloak release in order to guarantee compatibility.
For critical/urgent patches, we just release those modules based on our
judgment.
Lance would like more flexibility between those releases. For example,
release npm modules before the official release for situations where a user
wants some new capability that is perhaps unrelated to changes in KC itself
e.g. a move to promises.
I don't have any problems with keeping Node.js adapters' release independent
from official KC release, but would like to hear more opinions about it.
--
-
abstractj
8 years, 8 months
Attribute-based Access Control
by Duarte
Hi,
My name is Duarte, and this is the first post on this dev-list.
My question is regarding Attribute-based Access Control. Is there any
usable feature for Attribute based decision for resource access? Or do I
have to make my own?
Basically what I want to do is a PEP (Policy Enforcement Point) and a PDP
(Policy Decision Point) on Keycloak with external attributes (Federated).
e.g: User has attribute of X can only access files A<->B and User with
attribute Y can only access B<->L.
Thank you.
--
8 years, 8 months
Adding ProxyPeerAddressHandler to Keycloak Proxy
by Chris Pitman
Hey everyone,
I've run into an issue where the Keycloak Proxy is building an incorrect redirect_url when it is behind an SSL terminating reverse-proxy/load balancer. The redirect_url ends up with an "http" scheme, even with a x-forwarded-proto of "https". I'm new to undertow, but it looks like what needs to change is adding a configuration like "behind-reverse-proxy" that when true adds the ProxyPeerAddressHandler.
First, does that sound correct? And any objection to me adding this capability?
Chris Pitman
Architect, Red Hat Consulting
8 years, 8 months
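The behaviour described in the post above, as an added example (not code from the post or from the Keycloak project): a small Undertow server whose stand-in handler builds a URL from the exchange, with a hypothetical `BEHIND_REVERSE_PROXY` switch that applies `ProxyPeerAddressHandler` only to requests arriving from an assumed trusted proxy address. The class name, port and address list are constructed for illustration.

```java
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.handlers.ProxyPeerAddressHandler;

import java.net.InetSocketAddress;
import java.util.Set;

public class ForwardedSchemeExample {

    // Hypothetical settings: the post proposes an option named
    // "behind-reverse-proxy"; the address list is a constructed value.
    static final boolean BEHIND_REVERSE_PROXY = true;
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1");

    // Stand-in for the code that derives the redirect URL from the exchange.
    // Without forwarded-header handling, getRequestScheme() reports the scheme
    // of the socket between load balancer and proxy, i.e. "http".
    static final HttpHandler APP = exchange ->
            exchange.getResponseSender().send(
                    exchange.getRequestScheme() + "://"
                            + exchange.getHostAndPort()
                            + exchange.getRequestURI() + "\n");

    static HttpHandler build() {
        if (!BEHIND_REVERSE_PROXY) {
            return APP; // X-Forwarded-* headers are never consulted
        }
        // ProxyPeerAddressHandler rewrites scheme, host, port and peer address
        // from the X-Forwarded-* headers and trusts them unconditionally.
        HttpHandler forwarded = new ProxyPeerAddressHandler(APP);
        return exchange -> {
            // Honour the headers only when the TCP peer is a known proxy;
            // a direct client could otherwise set them itself.
            InetSocketAddress peer = exchange.getSourceAddress();
            boolean trusted = peer != null && peer.getAddress() != null
                    && TRUSTED_PROXIES.contains(peer.getAddress().getHostAddress());
            (trusted ? forwarded : APP).handleRequest(exchange);
        };
    }

    public static void main(String[] args) {
        Undertow.builder()
                .addHttpListener(8080, "127.0.0.1")
                .setHandler(build())
                .build()
                .start();
    }
}
```

With the switch on, a request from the listed proxy carrying `X-Forwarded-Proto: https` yields an `https://` URL; the same header sent by any other peer is ignored and the URL keeps the socket's scheme.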
Better error message for login timeouts
by Stian Thorgersen
I suggest we change the error message when a login times out or a code is
not valid to:
"This page is no longer valid, please retry login from the application" and
also include a link to the application if available.
I think that's more user friendly than "You took to long" and "We're
sorry...".
8 years, 8 months