Publishing events to JMS topic
by Thomas Raehalme
Hi!
We have a need to publish Keycloak events to external systems, for example
when a user updates her profile. I was thinking of publishing messages to a
JMS topic by implementing an event listener.
What do you think, would you be interested in such a pull request? I think
the topic should be preconfigured in Keycloak/Wildfly, but the admin would
enable the functionality by adding "jms" to event listeners in the admin
console.
Best regards,
Thomas
8 years, 9 months
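One way the proposed listener could look, as an added example that is neither part of the post above nor Keycloak's own code: an EventListenerProviderFactory registered under the id "jms" (the name the post suggests enabling in the admin console) that publishes a reduced JSON view of each event to a JMS topic. The JNDI names, the "connectionFactory"/"topic" config keys and the use of Jackson for serialization are assumptions; the Keycloak SPI interfaces and JMS 2.0 API calls are real.

```java
// Added example, not code from the original post or from Keycloak. JNDI names and
// config keys are assumptions; the topic is expected to be preconfigured in WildFly.
import java.util.HashMap;
import java.util.Map;

import javax.jms.ConnectionFactory;
import javax.jms.JMSContext;
import javax.jms.Topic;
import javax.naming.InitialContext;
import javax.naming.NamingException;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

import org.keycloak.Config;
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventListenerProviderFactory;
import org.keycloak.events.admin.AdminEvent;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;

public class JmsEventListenerProviderFactory implements EventListenerProviderFactory {

    // Assumed JNDI names (hypothetical), overridable through the provider config.
    private static final String DEFAULT_CONNECTION_FACTORY = "java:/ConnectionFactory";
    private static final String DEFAULT_TOPIC = "java:/jms/topic/keycloakEvents";

    private ConnectionFactory connectionFactory;
    private Topic topic;

    @Override
    public EventListenerProvider create(KeycloakSession session) {
        return new JmsEventListenerProvider(connectionFactory, topic);
    }

    @Override
    public void init(Config.Scope config) {
        // Resolve the JMS resources once at startup and fail fast if they are missing,
        // instead of failing on the first login or profile update.
        try {
            InitialContext ctx = new InitialContext();
            connectionFactory = (ConnectionFactory) ctx.lookup(
                    config.get("connectionFactory", DEFAULT_CONNECTION_FACTORY));
            topic = (Topic) ctx.lookup(config.get("topic", DEFAULT_TOPIC));
        } catch (NamingException e) {
            throw new IllegalStateException("JMS resources for the 'jms' event listener are missing", e);
        }
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) { }

    @Override
    public void close() { }

    // The id the admin adds under "Event Listeners" in the admin console.
    @Override
    public String getId() { return "jms"; }
}

class JmsEventListenerProvider implements EventListenerProvider {

    private static final ObjectMapper MAPPER = new ObjectMapper();
    private final ConnectionFactory connectionFactory;
    private final Topic topic;

    JmsEventListenerProvider(ConnectionFactory connectionFactory, Topic topic) {
        this.connectionFactory = connectionFactory;
        this.topic = topic;
    }

    @Override
    public void onEvent(Event event) {
        // Forward identifiers and the event type only; the details map is not copied
        // wholesale because it can carry values an external consumer should not see.
        Map<String, Object> payload = new HashMap<>();
        payload.put("type", String.valueOf(event.getType()));
        payload.put("realmId", event.getRealmId());
        payload.put("userId", event.getUserId());
        payload.put("clientId", event.getClientId());
        payload.put("time", event.getTime());
        payload.put("error", event.getError());
        publish(payload);
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // The representation is left out even when includeRepresentation is true:
        // for user and client updates it can contain credentials and client secrets.
        Map<String, Object> payload = new HashMap<>();
        payload.put("type", "ADMIN_" + event.getOperationType());
        payload.put("realmId", event.getRealmId());
        payload.put("resourcePath", event.getResourcePath());
        payload.put("time", event.getTime());
        publish(payload);
    }

    private void publish(Map<String, Object> payload) {
        // JMSContext is AutoCloseable; one short-lived context per event keeps this simple.
        try (JMSContext ctx = connectionFactory.createContext()) {
            ctx.createProducer().send(topic, MAPPER.writeValueAsString(payload));
        } catch (JsonProcessingException e) {
            throw new IllegalStateException("could not serialize event", e);
        }
    }

    @Override
    public void close() { }
}
```

The factory is picked up through the standard service loader file META-INF/services/org.keycloak.events.EventListenerProviderFactory in the deployed module. Because the send happens inside Keycloak's request, a JMSRuntimeException from the broker fails that request; whether to catch and log instead is a deliberate availability-versus-completeness choice for the consuming system.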
Modules in server marked as private
by Stian Thorgersen
All modules in the server are now marked as private. This caused some
problems due to Keycloak itself using these modules. The fix for that was
to introduce a dependencies module which adds the services module (which in
turn adds most other things). This causes another issue as the
persistence.xml wasn't found. I couldn't find a way to have the jpa module
private as well as loading persistence.xml from it using standard
Persistence.createEntityManagerFactory. The solution to that was found in
the PR we have to allow adding custom entities, which uses a different
mechanism to load the EntityManagerFactory that allows specifying the
ClassLoader.
Changes in
https://github.com/keycloak/keycloak/pull/2511/files#diff-ecd3344fed68cc1...
if anyone is interested.
8 years, 9 months
Conceptual Questions
by John Dennis
I would appreciate having the following Keycloak concepts
explained. Many thanks in advance!
* What are the predefined clients?
- When, why and where are you supposed to use these predefined
clients?
* What is the difference between realm roles and client roles?
- Why are realm roles and client roles distinct?
- How do they get assigned and for what purpose?
- Why aren't roles always visible in the Web UI? For instance
the available roles drop down box is often unpopulated even
though they seem to be predefined in the source code. Why
aren't they available for assignment in the Web UI?
* How does role mapping work?
- What is being mapped from and being mapped to?
- What is the intended usage for these mappings?
* What does it mean to create a role in the Web UI? What is it
bound to?
- How do roles created in the Web UI relate to the predefined
roles?
- Why does the Web UI allow me to create a new role with the
same name as a predefined role? Are they the same role or is
there a collision?
* What are effective roles?
- How are effective roles computed?
- In the Web UI I see lists for "Available Roles", "Assigned
Roles" and "Effective Roles". Sometimes I see a role in the
"Effective Roles" list which is not in the "Assigned Roles"
list. How and why does this happen?
* What are composite roles?
- How and where are they defined?
- How are composite roles meant to be used?
- When looking at a list of roles in the Web UI how does one
identify a single role from a composite role?
* What is the relationship between a Keycloak role and an OAuth2
scope?
* Are roles related to users in any fashion or is a role bound
exclusively to a client (appearing only in the client's token)?
- How do you authenticate as a user and acquire specific roles?
- Is it because a user grants a role via an OAuth scope which
is then conveyed in the client token?
- If so how is it determined what roles a user is permitted to
grant?
- For example how is an admin user created? How are the fine
grained admin roles bound to a user and how are these roles
then conveyed in the token after an admin user authenticates?
(see next question)
* The ClientRegistrationAuth.requireCreate() method requires the
bearer token from the realm administrator to have the
AdminRoles.MANAGE_CLIENTS or AdminRoles.CREATE_CLIENT roles in
the token, specifically in the resource_access part of the
token, but no matter what I do to add roles in the Web UI to a
realm admin the token roles remain unpopulated. How do these
roles get assigned and propagated in the token?
* How does a client differ from an application?
- They seem to be closely related. How, why and when do you use
one vs. the other?
- The name "application" suggests they are external
applications which might be secured by Keycloak but that
doesn't seem to be the case, rather applications seem to be
internal Keycloak entities. Are applications called
applications because they are implemented as servlets in
Keycloak?
- If so, is the reason applications are servlets so their
endpoints can have their own authn and authz?
* What are adapters?
* What is a service account?
- How is a service account supposed to be used and for what
purpose?
- How is a service account created?
- How is a service account authenticated?
* How does OAuth2 client authentication work in Keycloak?
- Are public clients authenticated? The OAuth2 spec talks a lot
about the server authenticating the client but if the client
is a public client it's not clear to me how this is done. How
are public clients authenticated?
--
John
8 years, 9 months
DB changes now to get ready for 2.0?
by Bill Burke
In 2.0 we want to refactor and merge the User Federation and Model APIs
for users. All references to users, groups, and roles would turn into
longer 255 char URIs. This would require a DB schema change right now too.
Remove foreign key constraints and expand the reference column to 255
characters on:
* UserRoleMappingEntity
* UserGroupMembershipEntity
* GroupRoleMappingEntity
* UserConsentEntity
* UserConsentRoleEntity
* UserRequiredActionEntity
* UserAttributeEntity
* GroupAttributeEntity
Do we want to make this change now? I have no idea what effect this
would have on migration of removing secondary keys and expanding column
size. Would probably have to drop and recreate indexes too. Do we delay
this until this is speced out? Or do we make the change now?
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 9 months
What to do about Java admin client
by Stian Thorgersen
At least personally I think the admin client needs some TLC. For example
creating a user requires:
import java.util.Collections;
import javax.ws.rs.core.Response;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

// keycloak is an org.keycloak.admin.client.Keycloak instance
UserRepresentation user = new UserRepresentation();
user.setUsername("user");
Response response = keycloak.realm("realm").users().create(user);
// Retrieve created user id from the Location header
String path = response.getLocation().getPath();
String id = path.substring(path.lastIndexOf('/') + 1);
// Remember to close the response
response.close();
// Set password
CredentialRepresentation credentials = new CredentialRepresentation();
credentials.setType(CredentialRepresentation.PASSWORD);
credentials.setValue("password");
keycloak.realm("realm").users().get(id).resetPassword(credentials);
// Add role
RoleRepresentation role =
keycloak.realm("realm").roles().get("role").toRepresentation();
keycloak.realm("realm").users().get(id).roles().realmLevel().add(Collections.singletonList(role));
That's pretty rubbish right?
In my opinion a lot of the usability issues are caused by directly exposing
interfaces/proxies from RestEasy Client and it would be much better if we
introduced a wrapper around it.
So my questions are:
1) What do we do with regards to admin client? Do we just wrap what we
have, keep it or create a brand new one from scratch?
2) Is it an issue that we require a specific RestEasy version to use the
admin client? This seems a heavy dependency to me, which could conflict
with other JAX-RS libraries. Using JAX-RS 2 Client would be an improvement
as it should in theory work with any JAX-RS 2 provider.
3) What do we do with current fixes for admin client? Do we merge to master
and 1.9.x or just merge to master?
At least from my POV the answers are:
1) Create wrappers around interfaces/proxies from RestEasy client and not
expose JAX-RS directly through the API as that should be an implementation
detail
2) Use JAX-RS 2 client
3) Merge fixes to both master and 1.9.x (admin client is not supported in
product for now, so it's less risky)
8 years, 9 months
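What the wrapper suggested in the post above could look like, as an added example that is not code from the post or from the Keycloak admin client: a class that hides the RESTEasy proxies behind one createUser call and, on the way, checks the HTTP status before parsing the Location header (a 409 Conflict or 403 Forbidden would otherwise be read as a success with a bogus id) and always closes the response. The class name RealmUsers and the usage values are assumptions; the admin client calls are the ones shown in the post.

```java
// Added example, not code from the original post or from Keycloak. The RealmUsers
// class is hypothetical; the admin client calls are the ones from the post.
import java.util.ArrayList;
import java.util.List;

import javax.ws.rs.core.Response;

import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.CredentialRepresentation;
import org.keycloak.representations.idm.RoleRepresentation;
import org.keycloak.representations.idm.UserRepresentation;

public final class RealmUsers {
    private final RealmResource realm;

    public RealmUsers(Keycloak keycloak, String realmName) {
        this.realm = keycloak.realm(realmName);
    }

    /** Creates the user, sets an initial password and grants realm roles; returns the new user id. */
    public String createUser(String username, char[] password, boolean temporaryPassword,
                             String... realmRoles) {
        UserRepresentation user = new UserRepresentation();
        user.setUsername(username);
        user.setEnabled(true);

        String id;
        Response response = realm.users().create(user);
        try {
            // 201 Created is the only success. A 409 (username or email taken) or 403
            // (token lacks manage-users) has no usable Location header and must not be
            // turned into a fake id by blindly parsing the path.
            if (response.getStatus() != Response.Status.CREATED.getStatusCode()) {
                throw new IllegalStateException("user creation failed: HTTP " + response.getStatus());
            }
            String path = response.getLocation().getPath();
            id = path.substring(path.lastIndexOf('/') + 1);
        } finally {
            response.close(); // Response is not AutoCloseable in JAX-RS 2.0
        }

        CredentialRepresentation credential = new CredentialRepresentation();
        credential.setType(CredentialRepresentation.PASSWORD);
        credential.setValue(new String(password));
        credential.setTemporary(temporaryPassword); // force a change at first login
        realm.users().get(id).resetPassword(credential);

        if (realmRoles.length > 0) {
            List<RoleRepresentation> roles = new ArrayList<>();
            for (String roleName : realmRoles) {
                // Fails with a NotFoundException for an unknown role instead of silently skipping it.
                roles.add(realm.roles().get(roleName).toRepresentation());
            }
            realm.users().get(id).roles().realmLevel().add(roles);
        }
        return id;
    }

    // Usage with hypothetical values:
    // Keycloak keycloak = Keycloak.getInstance("https://sso.example.test/auth", "master",
    //         "admin", adminPassword, "admin-cli");
    // String id = new RealmUsers(keycloak, "demo").createUser("alice", "initial".toCharArray(), true, "user");
}
```

The status check is the part worth keeping whatever the final API looks like: the raw proxy returns a Response for create(), so any caller that does not inspect it will happily continue with the rest of the procedure against a user that was never created.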
Added DB indexes
by Marek Posolda
I've done loads of testing for creating/loading/deleting a big number of users
in the database and I've sent a PR to add some additional indexes to the
database to improve the performance of operations with a big number of users
in the DB - https://github.com/keycloak/keycloak/pull/2456
Note that adding DB indexes is tricky as the performance gain (or loss)
might be highly dependent on underlying database. Some example:
1) PostgreSQL adds indexes by default just for primary keys and
unique constraints. But it doesn't add indexes for foreign keys. So when
you have 50K users in the DB and 150K role mappings (each user is a member of 3
roles), then this query takes more than 20 ms:
select * from USER_ROLE_MAPPING where USER_ID='123';
2) MySQL adds btree indexes by default even for foreign keys.
So the same query as above took less than 1 ms by default.
So to improve the time on postgres, the index for the USER_ID column in
USER_ROLE_MAPPING is needed; however for MySQL adding the index doesn't
have any effect as it's already there. In the end, I've explicitly added
the indexes to the changelog file by default and I can see very good
performance for both MySQL and PostgreSQL, and operations are not
dependent on the number of users in the DB.
However, in theory adding the indexes may have a bad effect on some
databases and slow down the time to create a new user etc. I personally
don't want to test performance with all supported DBs :) So another
approach might be to not explicitly add the indexes and let the DBA do
that. I've added the possibility to enable logging some overall
statistics from Hibernate, so people can check it by themselves. Let me
know if you'd rather go this way and not add indexes by default.
Marek
8 years, 9 months
cache fixes/changes
by Bill Burke
FYI:
KEYCLOAK-2669 showed that if you remove a role, Clients and Groups are
not invalidated and you get invalid/stale scope mappings and group/role
mappings. I fixed this by extending the stream query that is already
being done when a role is being removed.
Also, whenever something is invalidated, any Adapter instances
associated with the session are now invalidated automatically. This
solves the problem with a reference being stale in the same tx if the
cache was indirectly invalidated.
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
8 years, 9 months