User updates not reflected in validateAndProxy()
by Brian Watson
I think I just answered my question: I should return a delegate from
validateAndProxy() that updates my data store when the delegate receives
updates.
Does this sound like the appropriate approach?
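One way to implement the delegate approach described in this post, as an added example that is not code from the original thread or from Keycloak itself. It assumes a hypothetical `LegacyUserStore` interface over the old database and builds on Keycloak 1.9's `UserModelDelegate` base class, so that every setter the admin UI calls is written through to the legacy store at the moment the new value is known.

```java
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserFederationProvider;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.UserModelDelegate;

// Hypothetical interface over the legacy database (an assumption, not a Keycloak API).
interface LegacyUserStore {
    boolean exists(String username);
    void updateEmail(String username, String email);
    void updateName(String username, String firstName, String lastName);
}

// Write-through proxy: the admin UI applies its changes to whatever validateAndProxy()
// returned, so each overridden setter sees the new value and can sync it immediately.
class WriteThroughUserModel extends UserModelDelegate {
    private final LegacyUserStore legacy;

    WriteThroughUserModel(UserModel local, LegacyUserStore legacy) {
        super(local);
        this.legacy = legacy;
    }

    @Override
    public void setEmail(String email) {
        super.setEmail(email);                    // update Keycloak's local copy first
        legacy.updateEmail(getUsername(), email); // then push the same value to the legacy store
    }

    @Override
    public void setFirstName(String firstName) {
        super.setFirstName(firstName);
        legacy.updateName(getUsername(), firstName, getLastName());
    }
}

// Only validateAndProxy() is shown; the other UserFederationProvider methods stay abstract
// so this fragment compiles on its own. `legacy` is expected to be set by the subclass.
abstract class LegacyBridgeProvider implements UserFederationProvider {
    protected LegacyUserStore legacy;

    @Override
    public UserModel validateAndProxy(RealmModel realm, UserModel local) {
        // `local` still carries the pre-edit values here; the proxy observes the update itself.
        if (!legacy.exists(local.getUsername())) {
            return null; // null tells Keycloak the federated user is gone; it drops the local copy
        }
        return new WriteThroughUserModel(local, legacy);
    }
}
```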
PAM integration with FreeIPA
by Bruno Oliveira
Good morning,
One of the use case scenarios described for FreeIPA is the integration via PAM
and SSSD, which "automagically" handles the authentication against the IdM.
This first step requires pretty much an IPA setup, but
works with libpam4j[1]. Now, thinking about Keycloak, I
would like to have an Authenticator for PAM[2], which is pretty much our
UsernamePasswordForm + PAM. Does it make sense?
Current flow:
* User logs into Web application with username/password
* PAM authenticator collects data and authenticates against PAM
* SSSD authenticates against IdM
* Authentication is complete
After the last step, should we propagate that user to our database?
Maybe, like Marek already mentioned, have an SSSDFederationProvider?
[1] -
http://search.maven.org/#artifactdetails%7Corg.abstractj%7Clibpam4j%7C1.9...
[2] - https://keycloak.gitbooks.io/server-developer-guide/content/topics/auth-s...
--
abstractj
PGP: 0x84DC9914
User updates not reflected in validateAndProxy()
by Brian Watson
Hi all,
I am creating a custom user federation provider as a temporary bridge to
sync users between our old, custom auth solution's database and Keycloak. I
noticed an issue, and was looking for some clarification:
When I update a user via the administration UI, the validateAndProxy()
method of my UserFederationProvider instance is called, as expected.
However, the user passed into the method call contains the _old_
information for the user, not the _updated_ information. I set a breakpoint
in my code, and at the time that validateAndProxy() is called, the data
store still contains the _old_ information. Is this expected behavior? Is
there another SPI I should be using to see the updated information for the
user so that I can sync it with my data store?
Thank you in advance.
Re: [keycloak-dev] User Federation Provider Cache
by Ariel Carrera
There is no problem! :)
One more thing, I solved the problem of multiple "federation provider"
instances by adding this code to the DefaultKeycloakSession (and the method
definition in the KeycloakSession interface):
> public <T extends Provider> void registerProvider(Class<T> clazz, Provider provider, String id) {
>     // key: combined hash of the provider class and the federation provider id
>     Integer hash = clazz.hashCode() + id.hashCode();
>     providers.put(hash, provider);
> }
And into MyUserFederationProviderFactory.getInstance(session, model)
something like this:
> public UserFederationProvider getInstance(KeycloakSession session, UserFederationProviderModel model) {
>     // look up an instance already registered for this federation provider id in the session
>     UserFederationProvider provider = session.getProvider(UserFederationProvider.class, model.getId());
>     if (provider == null) {
>         lazyInit(session);
>         provider = new MyUserFederationProvider(session, model, config, ......);
>         // register it so later lookups in the same session reuse this instance
>         session.registerProvider(UserFederationProvider.class, provider, model.getId());
>     }
>     return provider;
> }
After a few tests and some debugging it seems to work... creating, caching, and
closing provider instances as expected.
In future versions, as you said, maybe it would be better to include a way to
instantiate a complex object/provider instead of doing
> ProviderFactory.create(KeycloakSession session)
> some kind of method like
> ProviderFactory.create(KeycloakSession session, Object... obj);
and the appropriate method into the KeycloakSession
> <T extends Provider> T getProvider(Class<T> clazz, Object... obj);
> <T extends Provider> T getProvider(Class<T> clazz, String id, Object...
> obj);
And why not a map in the KeycloakSession to store some additional context
data to share between providers during the same request? It's only a vague idea.
Regards!
2016-06-09 17:14 GMT-03:00 Bill Burke <bburke(a)redhat.com>:
> It's gonna be a while. It's going to be difficult to make everything both
> backward compatible and cover all the current and future use cases we need
> to cover. Listen on the dev list. I should post some info soon on what
> the new impl will look like.
>
> On 6/9/16 3:57 PM, Ariel Carrera wrote:
>
> Yes Bill, exactly! I will be waiting to test it. Thanks!
>
> 2016-06-09 16:29 GMT-03:00 Bill Burke <bburke(a)redhat.com>:
>
>>
>> On 6/9/16 2:52 PM, Ariel Carrera wrote:
>>
>>> Hi Bill, it is a little expensive for me because I am creating a new entity
>>> manager to connect with a legacy database, and creating/enlisting a
>>> transaction per instance.
>>> For example in a simple flow case where a user needs to click the "I forgot
>>> my password" link to recover the password, there are more than nine or ten
>>> instances created to do this. It's really not a big problem but I think
>>> that it is not necessary and can be implemented like other SPI providers
>>> cached in the keycloak session.
>>>
>> This is good feedback. We need a way to associate a provider, by name,
>> to the KeycloakSession. Maybe we just need a way to associate anything
>> with the KeycloakSession period.
>>
>>> In my case, another difficulty is synchronization between an old
>>> authentication system and keycloak implemented on demand (there is no
>>> full/partial synchronization because the legacy system is still working and
>>> needs to work together for a while). Also I implemented synchronization
>>> support but at this moment it is not used.
>>> Every time that keycloak needs to validate a user (isValid) recovered
>>> from the user storage or cache, a query to the legacy system is made. Added
>>> to this... I need to recover some attribute and role changes produced on
>>> the legacy system.... so I decided to implement a "user federation cache"
>>> with a short term expiration to improve the performance with a certain
>>> synchronization delay tolerance.
>>>
>>> In a few words I have: a custom User Federation Provider + on demand
>>> synchronization + a user Federation Provider Cache (my own cache SPI).
>>>
>>> Maybe an optional SPI to obtain a custom container from infinispan could
>>> be a good choice to add to the new implementation and provide another
>>> tool to do things with better performance.
>>>
>> I think the new model might solve your caching needs. There will be no
>> importing by default. This means no synching, etc. Keycloak will only
>> store metadata that your user store can't provide. User Federation
>> Providers will work just as the default Keycloak user store and user cache.
>>
>
> --
> Tatú
>
--
Tatú
Re: [keycloak-dev] [keycloak-user] Productized Keycloak now available from Red Hat
by Stian Thorgersen
Yes, it's 1.9.8.Final
On 25 June 2016 at 18:12, James Falkner <jfalkner(a)redhat.com> wrote:
> Looks like 1.9.8 <https://access.redhat.com/articles/2342881>.
>
> -James
>
> Scott Rossillo <srossillo(a)smartling.com>
> June 24, 2016 at 3:01 PM
> Well done, guys! Great work and congratulations. Looking forward to
> continuing to work with the entire team.
>
> PS - what Keycloak version is RH SSO based?
>
> Best,
> Scott
>
> Scott Rossillo
> Smartling | Senior Software Engineer
> srossillo(a)smartling.com
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
> Thomas Darimont <thomas.darimont(a)googlemail.com>
> June 24, 2016 at 4:17 AM
> Congratulations to everyone involved! Well done!
>
> Cheers,
> Thomas
>
>
> Thomas Raehalme <thomas.raehalme(a)aitiofinland.com>
> June 24, 2016 at 4:14 AM
>
> Congrats to both of you for creating such a great open source product!
>
> Best regards,
> Thomas
> Stian Thorgersen <sthorger(a)redhat.com>
> June 23, 2016 at 3:58 PM
> Nearly 4 years ago Bill Burke and I started two individual proofs of
> concept, both focusing on making it easier for developers to secure
> applications and services. Keycloak was born out of combining these two
> proofs of concept. There was barely any overlap and the two perfectly
> complemented each other.
>
> Fast forward to today and we now have a huge community with over 100
> contributors and over 400 forks of our Github repository. It's no longer
> just Bill and me working on Keycloak; we now have a strong team working
> on it and I'm very excited about the future of the project.
>
> You may have noticed that lately we've stopped adding new features and
> focused on improvements and testing. There's a good reason behind that!
> We've been working on creating a productized and supported version of
> Keycloak.
>
> I'm extremely pleased to announce that Red Hat now offers a productized
> and supported version of Keycloak!
>
> For more details on how to get support for Keycloak check out the product
> pages at:
> https://access.redhat.com/products/red-hat-single-sign-on
>
> Finally, I'd like to thank everyone that's been involved. All the core
> developers, quality engineers, others at Red Hat and last but not least our
> community!
How to set configs for RequiredAction in keycloak-server.json file
by Rashmi Singh
In keycloak-server.json, if we add the following
    "authenticator": {
        "test-authenticator": {
            "config1": "xxxx"
        }
    }
the value of config1 can be retrieved in the factory class init method as:
config.get("config1")
Now, in the same way, if I want to get configs in the init method of a
RequiredAction class instead of an authenticator, how do I set it in
keycloak-server.json? What will be the exact syntax? Is it possible?