Admin events questions
by Marek Posolda
* Currently we support admin events just for 'success' cases. We don't
log any error situations or missing permissions. Is it sufficient?
* Some minor usability issues:
** For both classic events and admin events, there is filtering by Date
(from or to). Couldn't we add some "nice" component for easily selecting the
date? Also the "from" date is included, but the "to" date is excluded. This
may not be obvious. Shouldn't we somehow mention it in tooltips?
** In "Auth details" for admin events, there is filtering by "Realm",
"Client" or "User". It may not be obvious that these point to IDs. To
make it even more confusing, in "classic" events there is "Client" too, but
that points to clientId (not the database ID). Also in many situations,
admins don't know the UserID or client database ID, so there is an
additional action required from them: they need to look up the ID
first. For clients, the client database ID is not even visible in the admin
console, so they need to decode it either from the URL or from some existing
event. I wonder if we should add the possibility to filter by "username" or
"clientId"? For users maybe even filtering by email? In case
"username" or "email" or "clientId" is filled in, the admin will need to fill
in the "realm" too.
8 years, 8 months
Enable JDK8 for testsuite
by Stian Thorgersen
I've changed source/target to 1.8 for testsuite/integration-arquillian.
This is so I can use lambdas for testing permissions (otherwise I end up
with extremely messy tests with loads of anonymous inner classes).
Anyone have any issues with that?
In 2.x we can look at setting 1.8 as the default for everything except adapters
and shared modules.
8 years, 8 months
Remove realms after tests in AbstractKeycloakTest
by Stian Thorgersen
Removing test realms was commented out in AbstractKeycloakTest. I've removed
the comment and test realms are now removed after the tests.
Tests need to clean up after themselves and should leave the server as they
found it.
8 years, 8 months
Thinking about step-up authentication and token timeouts
by Stian Thorgersen
Clients should be able to obtain tokens with reduced scope and longer or
shorter expiration, then later request new tokens with increased scope and
different expiration. They should also be able to require different levels
of authentication and also require re-authentication.
An application may for example:
* At first it only needs the user's email - this would allow showing the name +
email. In this situation a long-expiration access token in combination with
the implicit flow would do. It's also not necessary to re-authenticate the user,
and a user that has been logged in for months or even a year is fine.
* When a user clicks on orders it would require the password and extend
scope to be able to view orders. Now you'll want to switch to short
expiration access tokens and authorization code grant. You'll also want to
make sure the user logged-in fairly recently, max 30 days could be sensible.
* When a user tries to purchase something the user now has to provide the
OTP to be able to purchase with saved credit card details. You'll also want
to make sure the user logged-in very recently, max a day could be required.
There may also be cases where you always want the user to re-authenticate,
for example when trying to purchase something over a certain price level.
8 years, 8 months
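The tiers described in the post, worked through as an added example (not Keycloak code, and not something the post says Keycloak implements): a relying-party policy that checks an already signature-verified token's scope, authentication level and authentication age against a per-resource requirement, and, when the token falls short, builds the OpenID Connect authorization request for the step-up. The resource table, the level names and the mapping from the amr claim to a level are assumptions of the example; max_age, prompt=login and acr_values are standard OpenID Connect authorization-request parameters.

```python
"""Added example: step-up policy for a relying party (not Keycloak code)."""
import time
from dataclasses import dataclass
from typing import Optional

# Ordered authentication levels used by this example (assumption).
LEVEL_RANK = {"none": 0, "password": 1, "otp": 2}


@dataclass(frozen=True)
class Requirement:
    scopes: frozenset                # scopes the resource needs in the token
    level: str = "none"              # minimum authentication level
    max_auth_age: Optional[int] = None  # max seconds since auth_time; None = any
    force_reauth: bool = False       # always require fresh authentication


# Per-resource policy mirroring the three tiers of the post (assumption).
RESOURCES = {
    "/profile": Requirement(frozenset({"email"})),
    "/orders": Requirement(frozenset({"email", "orders"}), "password", 30 * 86400),
    "/purchase": Requirement(frozenset({"email", "orders", "purchase"}), "otp", 86400),
    "/purchase/high-value": Requirement(frozenset({"email", "orders", "purchase"}),
                                        "otp", 86400, force_reauth=True),
}


def level_from_claims(claims):
    """Derive the authentication level from the amr claim (assumed values)."""
    amr = set(claims.get("amr", []))
    if "otp" in amr:
        return "otp"
    if "pwd" in amr:
        return "password"
    return "none"


def step_up_request(req, reasons):
    """Build the OIDC authorization-request parameters for the step-up.

    prompt=login forces re-authentication, max_age bounds auth_time, and
    acr_values carries the requested level (level names as acr values are
    an assumption). A pure scope shortfall does not force a new login.
    """
    params = {"response_type": "code",
              "scope": "openid " + " ".join(sorted(req.scopes))}
    if req.max_auth_age is not None:
        params["max_age"] = str(req.max_auth_age)
    if req.level != "none":
        params["acr_values"] = req.level
    if req.force_reauth or any(r.startswith("authentication") for r in reasons):
        params["prompt"] = "login"
    return params


def evaluate(claims, path, now=None):
    """Decide for a signature-verified token whether `path` may be served.

    Returns {"decision": "allow"} or {"decision": "step_up", "reasons": [...],
    "authorization_request": {...}}.
    """
    now = int(time.time()) if now is None else now
    req = RESOURCES[path]
    reasons = []
    if claims.get("exp", 0) <= now:
        reasons.append("token expired")
    granted = set(claims.get("scope", "").split())
    if not req.scopes <= granted:
        reasons.append("missing scope: " + " ".join(sorted(req.scopes - granted)))
    if LEVEL_RANK[level_from_claims(claims)] < LEVEL_RANK[req.level]:
        reasons.append("authentication level below " + req.level)
    auth_age = now - claims.get("auth_time", 0)
    if req.max_auth_age is not None and auth_age > req.max_auth_age:
        reasons.append("authentication older than %d s" % req.max_auth_age)
    if req.force_reauth:
        reasons.append("resource always requires re-authentication")
    if not reasons:
        return {"decision": "allow"}
    return {"decision": "step_up", "reasons": reasons,
            "authorization_request": step_up_request(req, reasons)}


if __name__ == "__main__":
    # Constructed sample: a long-lived implicit-flow token carrying only
    # "email", password-authenticated 40 days ago (claims only, no signature).
    now = 1_700_000_000
    token = {"scope": "openid email", "amr": ["pwd"], "exp": now + 365 * 86400,
             "auth_time": now - 40 * 86400}
    for path in RESOURCES:
        print(path, evaluate(token, path, now))
```

The split between "missing scope" and "authentication ..." reasons is the point of the first tier: widening scope can reuse the existing SSO session, while a level or freshness shortfall must send the user back through the login with prompt=login.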
Failed to verify token: org.keycloak.common.VerificationException: Realm URL is null.
by Corinne Krych
Hello Keycloak team,
I'm trying to move my OAuth2 demo app from Keycloak 1.5 to Keycloak 1.9.1.
I've changed the OAuth2 endpoints for the access token. I manage the OAuth2
dance OK but when trying to access a protected resource I hit the error:
22:00:13,501 ERROR [org.keycloak.adapters.BearerTokenRequestAuthenticator] (default task-101) Failed to verify token: org.keycloak.common.VerificationException: Realm URL is null. Make sure to add auth-server-url to the configuration of your adapter!
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:46)
    at org.keycloak.RSATokenVerifier.verifyToken(RSATokenVerifier.java:35)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticateToken(BearerTokenRequestAuthenticator.java:87)
    at org.keycloak.adapters.BearerTokenRequestAuthenticator.authenticate(BearerTokenRequestAuthenticator.java:82)
    at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:65)
    at org.keycloak.adapters.undertow.AbstractUndertowKeycloakAuthMech.keycloakAuthenticate(AbstractUndertowKeycloakAuthMech.java:110)
    at org.keycloak.adapters.undertow.ServletKeycloakAuthMech.authenticate(ServletKeycloakAuthMech.java:92)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:233)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.transition(SecurityContextImpl.java:250)
    at io.undertow.security.impl.SecurityContextImpl$AuthAttempter.access$100(SecurityContextImpl.java:219)
    at io.undertow.security.impl.SecurityContextImpl.attemptAuthentication(SecurityContextImpl.java:121)
    at io.undertow.security.impl.SecurityContextImpl.authTransition(SecurityContextImpl.java:96)
    at io.undertow.security.impl.SecurityContextImpl.authenticate(SecurityContextImpl.java:89)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:55)
    at io.undertow.server.handlers.DisableCacheHandler.handleRequest(DisableCacheHandler.java:33)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.keycloak.adapters.undertow.ServletPreAuthActionsHandler.handleRequest(ServletPreAuthActionsHandler.java:69)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
My realm setup is here:
https://github.com/aerogear/aerogear-backend-cookbook/blob/master/Shoot/c...
The keycloak.json used for the protected endpoint is:
https://github.com/aerogear/aerogear-backend-cookbook/blob/master/Shoot/s...
Is there some specific settings I should add to work with Keycloak 1.9.x?
Your help would be welcome.
++
Corinne
8 years, 8 months
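What the error above is really complaining about, as an added example (not the Keycloak adapter's own code): the adapter builds its realm URL from the auth-server-url and realm entries of keycloak.json, in the form auth-server-url + "/realms/" + realm, and that URL is what the token's iss claim is compared against. Without auth-server-url there is no realm URL, so verification fails before the issuer can be checked at all. The keycloak.json fragments and the token payload below are constructed for the example; the token is unsigned because only the configuration and issuer checks are being shown, not signature verification.

```python
"""Added example: derive the adapter's realm URL and bind the token to it."""
import base64
import json


def realm_url(config):
    """Return auth-server-url + "/realms/" + realm, or None when either is missing."""
    base = config.get("auth-server-url")
    realm = config.get("realm")
    if not base or not realm:
        return None
    return base.rstrip("/") + "/realms/" + realm


def _b64url_decode(part):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload):
    """Constructed alg=none token for the sample; never accept such a token in production."""
    header = _b64url_encode(json.dumps({"alg": "none"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return header + "." + body + "."


def check_issuer(config, token):
    """Mirror the two configuration-dependent checks: realm URL present, iss matches it.

    Returns the realm URL on success and raises ValueError otherwise. Signature
    verification against the realm's public key would follow in a real verifier.
    """
    url = realm_url(config)
    if url is None:
        raise ValueError("Realm URL is null. Make sure to add auth-server-url "
                         "to the configuration of your adapter!")
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    if claims.get("iss") != url:
        raise ValueError("Invalid token issuer %r, expected %r" % (claims.get("iss"), url))
    return url


# Constructed keycloak.json fragments: one without auth-server-url (the
# situation in the error above) and one with it. Hostname and realm are made up.
BROKEN_CONFIG = {"realm": "shoot-realm", "resource": "shoot-backend", "bearer-only": True}
FIXED_CONFIG = dict(BROKEN_CONFIG, **{"auth-server-url": "http://localhost:8080/auth"})

# Constructed token claims as a Keycloak realm would issue them for that realm.
SAMPLE_TOKEN = make_unsigned_token({
    "iss": "http://localhost:8080/auth/realms/shoot-realm",
    "sub": "d9f9e5c0-0000-4000-8000-000000000000",
    "typ": "Bearer",
})


def diagnose(config, token):
    """Return 'ok' or the verifier's error message, for quick checks of a config."""
    try:
        check_issuer(config, token)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("broken config:", diagnose(BROKEN_CONFIG, SAMPLE_TOKEN))
    print("fixed config: ", diagnose(FIXED_CONFIG, SAMPLE_TOKEN))
```

Keeping auth-server-url in the adapter config is not just a connectivity setting: it is the issuer the resource server trusts, so a token minted by a realm on another server (or another realm on the same server) is rejected by the iss comparison even if it carries the expected roles.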