Productized Keycloak now available from Red Hat
by Stian Thorgersen
Nearly 4 years ago Bill Burke and I started two individual proofs of
concept, both focusing on making it easier for developers to secure
applications and services. Keycloak was born out of combining these two
proofs of concept. There was barely any overlap and the two perfectly
complemented each other.
Fast forward to today and we now have a huge community with over 100
contributors and over 400 forks of our GitHub repository. It's no longer
just myself and Bill working on Keycloak; we now have a strong team working
on it and I'm very excited about the future of the project.
You may have noticed that lately we've stopped adding new features and
focused on improvements and testing. There's a good reason behind that!
We've been working on creating a productized and supported version of
Keycloak.
I'm extremely pleased to announce that Red Hat now offers a productized and
supported version of Keycloak!
For more details on how to get support for Keycloak check out the product
pages at:
https://access.redhat.com/products/red-hat-single-sign-on
Finally, I'd like to thank everyone that's been involved. All the core
developers, quality engineers, others at Red Hat and last but not least our
community!
7 years, 10 months
Using Keycloak to secure a Spring Security based application deployed under Tomcat 8.
by Stephen Merchant
Hello,
I have a need to SSO secure a web application using Keycloak. The application is Spring Security (annotation) based, and will be deployed under Tomcat 8 (either via Spring Boot or conventionally).
I was intending to use the Keycloak "Spring Security" and "Tomcat 6,7,8" Keycloak adapters to do this.
I have read articles saying that it is not possible to run two adapters successfully together in the same project.
Can anyone confirm this please? Any alternative suggestions on how to achieve this coverage would also be welcome.
Thanks in anticipation,
Stephen Merchant
Developer
Gandlake Limited
7 years, 10 months
Customizing UserEntity to encrypt personally identifiable information
by Aaron Harnly
Hi there,
I'm on Day 1 of looking at Keycloak, although some colleagues have been
using it successfully. Please forgive the naiveté of the question, but I'd
love confirmation that I'm on the right track.
I'd like to ensure that user email addresses, names, and usernames are
encrypted by the Keycloak application before persisting to a relational
store.
org.keycloak.models.jpa.entities.UserEntity is pretty obviously the place
to do that – the natural question is, what is the best way for me to
provide a slightly customized UserEntity.java in which I can do my desired
encryption/decryption?
My initial scan of docs and repo suggests one of the following:
1) Create a UserProvider analogous to the JpaUserProvider, but with my own
UserEntity subclass.
2) If needed, follow the approach described in this thread[1] from November
to implement a custom Hibernate EntityManager, but I don't think that's
necessary for my case, and don't yet fully understand that.
3) Something else.
[1] http://lists.jboss.org/pipermail/keycloak-dev/2015-November/005745.html
Thoughts or advice appreciated!
Aaron
7 years, 10 months
Thinking about a change to providers
by Stian Thorgersen
Currently it's expected that the factory is application scoped, while
provider instances are request scoped. Factories can, if they want, return
the same provider instance to make it application scoped.
This works as long as config is server-wide, but not if there is config
per realm or even multiple different instances per realm. This applies to,
for example, the User Federation SPI (multiple per realm), Password Hashing SPI
(one per realm), etc.
Currently the User Federation SPI creates and manages instances outside of
the session factory and session, which results in multiple instances
created per request, not all being closed properly, etc.
With that in mind I'd like to change the provider factories so that there
can be multiple provider factory instances. It's not completely figured
out, but I wanted to discuss it before I start a POC around it.
We'd have the following methods on KeycloakSession:
* getProvider(Class<T> clazz, Provider.class) - returns default provider
* getProvider(Class<T> clazz, Provider.class, String providerId) - returns
a specific provider, with the default config
* getProvider(Class<T> clazz, Provider.class, String providerId, String
instanceId) - returns a specific provider, with the specific config
We'd also add a method:
* invalidateProvider(Class<T> clazz, Provider.class, String providerId,
String instanceId) - this would be called when the config for a specific
provider instance is updated
Behind the covers the instances would be maintained. Each provider factory
would internally be responsible to retrieve config and cache config for
instances.
Does this sound like an idea worth pursuing? I'd like to try it out on the
PasswordPolicy SPI first.
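To make the lifecycle in the proposal concrete, here is an added sketch (not Keycloak code) of how a per-(providerId, instanceId) registry with the proposed invalidateProvider could be backed; Provider and the config-driven factory function are hypothetical stand-ins for the real SPI types. The point is that invalidation closes the old instance so nothing leaks, and the next lookup rebuilds it from the updated config.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Hypothetical stand-in for the SPI's provider type; close() must be idempotent.
interface Provider extends AutoCloseable { void close(); }

// Added example, not Keycloak code: caches one provider per (providerId, instanceId).
public class ProviderInstanceCache<P extends Provider> {
    private static final String DEFAULT_INSTANCE = "__default__";
    private final Map<String, P> instances = new ConcurrentHashMap<>();
    private final Function<String, P> createForInstance; // reads that instance's config and builds

    public ProviderInstanceCache(Function<String, P> createForInstance) {
        this.createForInstance = createForInstance;
    }

    private static String key(String providerId, String instanceId) {
        return providerId + "/" + (instanceId == null ? DEFAULT_INSTANCE : instanceId);
    }

    // getProvider(clazz, providerId, instanceId): built once per config instance, then shared.
    public P get(String providerId, String instanceId) {
        return instances.computeIfAbsent(key(providerId, instanceId),
                k -> createForInstance.apply(instanceId));
    }

    // invalidateProvider(...): called when that instance's config is updated.
    // The stale instance is removed first, then closed, so a concurrent get()
    // either sees the old one (still open) or triggers a rebuild from new config.
    public boolean invalidate(String providerId, String instanceId) {
        P stale = instances.remove(key(providerId, instanceId));
        if (stale == null) return false;
        stale.close();
        return true;
    }

    // Shutdown path: close every cached instance exactly once.
    public void closeAll() {
        for (String k : instances.keySet()) {
            P p = instances.remove(k);
            if (p != null) p.close();
        }
    }
}
```

A request that already holds a reference when invalidate() runs keeps using the old instance until it returns, so a provider that owns connections should tolerate close() racing with in-flight calls or the cache should defer closing until the request ends.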
7 years, 10 months
Does setRequiredActions method need to be invoked explicitly?
by Rashmi Singh
I have an authenticator where I have the following method:
@Override
public void setRequiredActions(KeycloakSession session, RealmModel realm,
                               UserModel user) {
    // queue my custom required action for this user
    user.addRequiredAction(NewRequiredAction.PROVIDER_ID);
}
Is this method invoked automatically by keycloak when authentication is
performed or we need to explicitly call this when we want to add the
RequiredAction? For me, it is not being invoked automatically by keycloak
which I first thought was the case. Could you please explain this in more
detail on how this exactly works?
7 years, 10 months
Remove/unregister a registered RequiredAction from RequiredActions tab
by Rashmi Singh
I have a question on the RequiredActions. On the keycloak admin console, I
go to Authentication - > Required Actions tab and register a new
RequiredAction. It then displays under the list of required actions. Now, I
don't see an option to remove this requiredAction. Is there a way to
remove/unregister this from here?
7 years, 10 months
server start up errors
by John Dennis
[Note: you may get 2 copies of this email, I sent one previously from my
private email account and it was held for moderator approval, re-sending
this under my redhat account which is subscribed to this list.]
Using the latest release candidate
/devel/candidates/jboss/sso/RHSSO-7.0.0 built on 6/13
the server will not initialize, server.log has a number of errors the
following being the significant one I believe.
Failed to start service
jboss.undertow.deployment.default-server.default-host./auth
For a while now we've seen errors related to database operations in the
log, those errors are also present in the attached log but even with
those database errors the server had seemed to start OK.
Would someone be kind enough to look at the attached log and suggest why
the server won't start and what errors in the log should be concerning?
Many thanks,
--
John
7 years, 10 months
Authorization JS adapter, where should I put it?
by Pedro Igor Silva
Would like to make available a JS adapter for authorization. Its purpose is to make life easier for those using JS when interacting with a resource server whose resources are being protected by a policy enforcer.
The idea is that you can use the adapter for some very common scenarios. For instance, suppose you are using AngularJS and you want to handle a 403 from the resource server so you can obtain an RPT with the necessary permissions to retry the request:
var authorization = new KeycloakAuthorization();
// our adapters return a WWW-Authenticate header with the necessary information to build an authorization request to a Keycloak Server
authorization.authorize(response.headers('WWW-Authenticate')).then(function (rpt) {
    // onGrant callback function. If granted you'll get an RPT which you can use as bearer token to get access to protected resources
}, function () {
    // onDeny callback function
}, function () {
    // onError callback function
});
The above code is particularly useful because the JS adapter will automatically identify how the resource server is being protected (if using UMA or our entitlements protocol) and act accordingly.
Or you can just obtain the entitlements using our Entitlements API:
authorization.entitlement('my-resource-server-id').then(function (rpt) {
    // onGrant callback function. If granted you'll get an RPT which you can use as bearer token to get access to protected resources
});
In the future, I would like to introduce more methods such as:
if (authorization.hasPermission('Main Page', 'Action 1')) {
    // do something if current user has permissions to click a button on a page
}
Should I put that stuff into keycloak.js or provide it separately?
Regards.
Pedro Igor
7 years, 10 months