June 2016 - keycloak-dev - Jboss List Archives

by Stian Thorgersen

Keycloak 2.0.0.Final has just been released. This release only contains some minor fixes since 2.0.0.CR1. For the full list of resolved issues check out JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> and to download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>. Before you upgrade refer to the migration guide <https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.0/top...> .

8 years

1
0
0 / 0

Code cleanup

by Thomas Darimont

Hello group, I just ran findbugs [1] with the find-sec-bugs [0] and found quite a bunch of rather suspicious places in the Keycloak codebase. Note that I don't wont to blame anyone but rather try to improve the codebase :) For instance there are some quite prominent (and sensitive) non-final public static fields that could be easily changed to something else (in case they aren't inlined). https://github.com/keycloak/keycloak/blob/3c0f7e2ee2140a9e69e4e95eb24d5a1... Further more there seem to be some dead code left-overs from merges spread over the codebase e.g: https://github.com/keycloak/keycloak/blob/3a669ad7d5b4a72a8eb2bbb23e91083... Question is how to deal with that? I could send PRs for those issues - they would contain quite a bunch of files with minor changes. Would you be open to such contributions and if so, what JIRA issue should one reference here? Cheers, Thomas [0] http://find-sec-bugs.github.io/ [1] https://github.com/find-sec-bugs/find-sec-bugs/wiki/Maven-configuration

8 years

3
3
0 / 0

UserFederationProvider.close() not being called

by Brian Watson

Hi all, I have set a breakpoint in the close() method of my UserFederationProvider instance, which is never invoked. I set a breakpoint in the getInstance() method of my factory, and traced the call to this line: https://github.com/keycloak/keycloak/blob/master/server-spi/src/main/java... No where in the stack trace between this line and line 422 of KeycloakModelUtils (where getInstance() is called) do I see the provider being stored for later use, such as calling the close() method. Is this a bug or intended behavior?

8 years

1
0
0 / 0

User updates not reflected in validateAndProxy()

by Brian Watson

I think I just answered my question: I should return a delegate from validateAndProxy() that updates my data store when the delegate receives updates. Does this sound like the appropriate approach?

8 years

2
1
0 / 0

PAM integration with FreeIPA

by Bruno Oliveira

Good morning, One of the use case scenarios described for FreeIPA, is the integration via PAM and SSSD, which "automagically" handles the authentication against the IdM. This first step requires pretty much an IPA setup, but works with libpam4j[1]. Now, thinking about Keycloak, I would like to have an Authenticator for PAM[2], which is pretty much our UsernamePasswordForm + PAM. Does it make sense? Current flow: * User logs into Web application with username/password * PAM authenticator collects data and authenticate against PAM * SSSD authenticates against IdM * Authentication is complete After the last step, should we propagate that user to our database? Maybe, like Marek already mentioned, have a SSSDFederationProvider? [1] - http://search.maven.org/#artifactdetails%7Corg.abstractj%7Clibpam4j%7C1.9... [2] - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-s... -- abstractj PGP: 0x84DC9914

8 years

4
25
0 / 0

User updates not reflected in validateAndProxy()

by Brian Watson

Hi all, I am creating a custom user federation provider as a temporary bridge to sync users between our old, custom auth solution's database and Keycloak. I noticed an issue, and was looking for some clarification: When I update a user via the administration UI, the validateAndProxy() method of my UserFederationProvider instance is called, as expected. However, the user passed into the method call contains the _old_ information for the user, not the _updated_ information. I set a breakpoint in my code, and at the time that validateAndProxy() is called, the data store still contains the _old_ information. Is this expected behavior? Is there another SPI I should be using to see the updated information for the user so that I can sync it with my data store? Thank you in advance.

8 years

1
0
0 / 0

KEYCLOAK-2684 / support Jetty 9.3

by Alexander Schwartz

8 years

1
0
0 / 0

Re: [keycloak-dev] User Federation Provider Cache

by Ariel Carrera

There is not problem! :) One more thing, I solved the problem of multiple "federation provider" instances, adding this code to the DefaultKeycloakSession (and the method definition in KeycloakSession interface): > public <T extends Provider> void registerProvider(Class<T> clazz, Provider > provider, String id) { > Integer hash = clazz.hashCode() + id.hashCode(); > providers.put(hash, provider); > } And into MyUserFederationProviderFactory.getInstance(session, model) something like this: public UserFederationProvider getInstance(KeycloakSession session, > UserFederationProviderModel model){ > UserFederationProvider provider = (UserFederationProvider) > session.getProvider(UserFederationProvider.class, model.getId()); > if (provider == null){ > lazyInit(session); > provider = new MyUserFederationProvider(session, model, > config, ......); > > ((KeycloakSession)session).registerProvider(UserFederationProvider.class, > provider, model.getId()); > }; > return provider; > } After a few tests and debug it seems to work... creating, catching, and closing provider instances as expected. In future versions as you said, maybe would be better include a way to instantiate a complex object/provider instead of doing > ProviderFactory.create(KeycloakSession session) > some kind of method like > ProviderFactory.create(KeycloakSession session, Object... obj); and the appropriate method into the KeycloakSession > <T extends Provider> T getProvider(Class<T> clazz, Object... obj); > <T extends Provider> T getProvider(Class<T> clazz, String id, Object... > obj); And why not a map into the keycloakSession to store some additional context data to share between providers during same request? It's only a vague idea Regards! 2016-06-09 17:14 GMT-03:00 Bill Burke <bburke(a)redhat.com>: > Its gonna be awhile. Its going to be difficult to make everything both > backward compatible and cover all the current and future use cases we need > to cover. Listen on the dev list. I should post some info soon on what > the new impl will look like. > > On 6/9/16 3:57 PM, Ariel Carrera wrote: > > Yes Bill, exactly! I will waiting to test it Thanks! > > 2016-06-09 16:29 GMT-03:00 Bill Burke <bburke(a)redhat.com>: > >> >> >> On 6/9/16 2:52 PM, Ariel Carrera wrote: >> >>> Hi Bill, is a little expensive for me because I am creating a new entity >>> manager to connect with a legacy database, and creating/enlisting a >>> transaction per instance. >>> For example in a simple flow case where a user needs to click "I forgot >>> my password" link to recover the password, there is more than nine or ten >>> instances created to do this. It's really not a big problem but I think >>> that is not necessary and can be implemented like others spi providers >>> catched into the keycloak session. >>> >>> This is good feedback. We need a way to associate a provider, by name, >> to the KeycloakSession. Maybe we just need a way to associate anything >> with the KeycloakSession period. >> >> In my case, another difficulty is synchronization between an old >>> authentication system and keycloak implemented on demand (there is no >>> full/partial syncrhonization because the legacy system is still working and >>> need to work together for a while). Also I implemented synchronization >>> support but at this moment it not used. >>> Every time that keycloak needs to validate a user (isValid) recovered >>> from the user storage or cache, a query to the legacy system is made. Added >>> to this... I need to recover some attributes and roles changes produced on >>> the legacy system.... so I decided to implement a "user federation cache" >>> with a short term expiration to improve the performance with certain >>> synchronization delay tolerance. >>> >>> In a few words I have: a custom User Federation Provider + on deman >>> synchronization + a user Federation Provider Cache (my own cache SPI). >>> >>> Maybe an optional spi to obtain a custom container from infinispan could >>> be a good choice to add to the new implementation and provide another one >>> tool to do things with better performance. >>> >>> I think the new model might solve your caching needs. There will be no >> importing by default. This means no synching, etc. Keycloak will only >> store metadata that your user store can't provide. User Federation >> Providers will work just as the default Keycloak user store and user cache. >> >> > > > -- > Tatú > > > -- Tatú

8 years, 1 month

4
26
0 / 0

Re: [keycloak-dev] [keycloak-user] Productized Keycloak now available from Red Hat

by Stian Thorgersen

Yes, it's 1.9.8.Final On 25 June 2016 at 18:12, James Falkner <jfalkner(a)redhat.com> wrote: > Looks like 1.9.8 <https://access.redhat.com/articles/2342881>. > > -James > > Scott Rossillo <srossillo(a)smartling.com> > June 24, 2016 at 3:01 PM > Well done, guys! Great work and congratulations. Looking forward to > continuing to work with the entire team. > > PS - what Keycloak version is RH SSO based? > > Best, > Scott > > Scott Rossillo > Smartling | Senior Software Engineer > srossillo(a)smartling.com > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > Thomas Darimont <thomas.darimont(a)googlemail.com> > June 24, 2016 at 4:17 AM > Congratulations to everyone involved! Well done! > > Cheers, > Thomas > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > Thomas Raehalme <thomas.raehalme(a)aitiofinland.com> > June 24, 2016 at 4:14 AM > > Congrats to both of you for creating such a great open source product! > > Best regards, > Thomas > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > Stian Thorgersen <sthorger(a)redhat.com> > June 23, 2016 at 3:58 PM > For nearly 4 years ago Bill Burke and myself started two individual proof > of concepts, both focusing on making it easier for developers to securing > applications and services. Keycloak was born out of combining these two > proof of concepts. There was barely any overlap and the two perfectly > complemented each other. > > Fast forward to today and we now have a huge community with over 100 > contributors and over 400 forks of our Github repository. It's no longer > just myself and Bill working on Keycloak, we now have a strong team working > on it and I'm very exited about the future of the project. > > You may have noticed that lately we've stopped adding new features and > focused on improvements and testing. There's a good reason behind that! > We've been working on creating a productized and supported version of > Keycloak. > > I'm extremely pleased to announce that Red Hat now offers a productized > and supported version of Keycloak! > > For more details on how to get support for Keycloak check out the product > pages at: > https://access.redhat.com/products/red-hat-single-sign-on > > Finally, I'd like to thank everyone that's been involved. All the core > developers, quality engineers, others at Red Hat and last but not least our > community! > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > > > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user >

8 years, 1 month

1
0
0 / 0

How to set configs for RequiredAction in keycloak-server.json file

by Rashmi Singh

In keycloak-server.json, if we add the following "authenticator": { "test-authenticator": { "config1": "xxxx" } } the value of config1 can be retrieved in the factory class init method as: config.get("config1") Now, in the same way, if I want to get configs in the init method of a RequiredAction class instead of an authenticator, how do I set it in keyclock-server.json? What will be the exact syntax? Is it possible?

8 years, 1 month

2
3
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev June 2016