Optional mappers due to privacy legislation
by Caroline Sofie Olsen
Hi all,
Given that you have a client with consent required turned on in the
admin panel, and in the mappers tab you have chosen specific mappers that
need to be consented to by the end user.
However, due to privacy-related legislation, we need to make mappers that
are not crucial for the application optional for the end user (crucial
meaning that the application will not work without those particular
mapper(s)).
Is this functionality supported in Keycloak? I've seen this functionality
in the OpenID Connect documentation (
http://connect2id.com/learn/openid-connect#example-auth-code-flow). I've
added a screenshot of the OpenID Connect example.
If it is supported, where do I go from here?
Also, is it possible to add timestamps for when the user gives consent?
Lastly, for legislative reasons, we also need to know in which scenario the
user gives consent. Is it on the first sign-in, or is it when updating the
consent that the client requires, etc.? Is this possible?
Kind regards
Caroline Olsen
8 years, 5 months
Cache policies and cache clearing
by Bill Burke
I found out that if you call cache.clear() with an invalidation cache, it
only clears locally and not the entire cluster. I was thinking that we
could set a realm attribute of "not-valid-before" with a timestamp.
When something is accessed, check the timestamp vs. the time the thing
was inserted into the cache.
This is also important for the fine-grain cache policies I want to
implement for users. I want cache policies for users. Scheduled
evictions and/or max time in the cache. There could be realm-level
policies for all users everywhere, and per storage provider. I also
want the ability to clear the cache for a specific provider manually.
Using the Infinispan stream() api, IMO, is just not feasible. We don't
want to be iterating over thousands of users in the cache to see if they
should be invalidated or not. There's also the issue of making sure
this happens cluster-wide. So instead, just do a simple timestamp check
when the user is accessed.
Bill
8 years, 5 months
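As an added illustration of the "not-valid-before" idea in Bill's post above (example code written for this page, not Keycloak's cache implementation; the names CachedUser, RealmCachePolicy and UserCache, the millisecond timestamps and the two-node simulation are all assumptions), here is a local cache whose entries carry their insertion time and are judged stale against realm-wide, per-storage-provider and max-lifespan timestamps instead of being iterated over:

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Function;

// Stand-in for a cached user entry (assumed shape; Keycloak's cached model is richer).
record CachedUser(String id, String storageProviderId, long insertedAt) {}

// Realm-level invalidation state. In a cluster this lives in the shared store (the realm attribute the
// post proposes), so every node reads the same timestamps: no broadcast, no iteration over entries.
final class RealmCachePolicy {
    volatile long notValidBefore = 0L;                                          // realm-wide "not-valid-before"
    final Map<String, Long> providerNotValidBefore = new ConcurrentHashMap<>(); // the same, per storage provider
    volatile long maxLifespanMillis = Long.MAX_VALUE;                           // "max time in the cache" policy

    void invalidateAll(long now) { notValidBefore = now; }
    void invalidateProvider(String providerId, long now) { providerNotValidBefore.put(providerId, now); }
}

// One node's local user cache. clearLocal() is what cache.clear() did in the post: this node only.
// The timestamp check in isStale() is what makes an invalidation take effect on every node.
final class UserCache {
    private final Map<String, CachedUser> entries = new ConcurrentHashMap<>();
    private final RealmCachePolicy policy;
    UserCache(RealmCachePolicy policy) { this.policy = policy; }

    boolean isStale(CachedUser u, long now) {
        if (u.insertedAt() <= policy.notValidBefore) return true;   // <= : a load in the same millisecond as the clear is dropped too
        Long p = policy.providerNotValidBefore.get(u.storageProviderId());
        if (p != null && u.insertedAt() <= p) return true;
        return now - u.insertedAt() > policy.maxLifespanMillis;
    }

    // Returns the cached user, reloading through loader when the entry is missing or stale.
    CachedUser get(String id, long now, Function<String, CachedUser> loader) {
        CachedUser cached = entries.get(id);
        if (cached != null && !isStale(cached, now)) return cached;
        CachedUser fresh = loader.apply(id);
        if (fresh == null) entries.remove(id); else entries.put(id, fresh);
        return fresh;
    }
    void clearLocal() { entries.clear(); }
}

public final class CachePolicyDemo {
    static int loads = 0;
    // Stand-in for the storage provider; counts how often the cache had to go back to it.
    static CachedUser load(String id, long now) { loads++; return new CachedUser(id, "ldap-1", now); }

    public static void main(String[] args) {
        RealmCachePolicy policy = new RealmCachePolicy();                 // shared by both nodes, like a realm attribute in the DB
        UserCache nodeA = new UserCache(policy), nodeB = new UserCache(policy);
        nodeA.get("alice", 1_000, id -> load(id, 1_000));                 // constructed clock values, in ms
        nodeB.get("alice", 1_000, id -> load(id, 1_000));
        System.out.println("loads after warm-up: " + loads);             // 2

        nodeA.clearLocal();                                               // local clear, as cache.clear() behaved in the post
        nodeB.get("alice", 2_000, id -> load(id, 2_000));
        System.out.println("loads after local clear: " + loads);         // still 2: node B kept serving its copy

        policy.invalidateProvider("ldap-1", 3_000);                       // cluster-wide effect from one timestamp write
        nodeB.get("alice", 4_000, id -> load(id, 4_000));
        System.out.println("loads after provider not-valid-before: " + loads); // 3

        policy.maxLifespanMillis = 500;
        nodeB.get("alice", 4_400, id -> load(id, 4_400));                 // 400 ms old: hit
        nodeB.get("alice", 4_600, id -> load(id, 4_600));                 // 600 ms old: reloaded
        System.out.println("loads after max-lifespan policy: " + loads); // 4
    }
}
```

Compile with javac CachePolicyDemo.java and run java CachePolicyDemo. The comparison is <= rather than <, so an entry loaded in the same millisecond as the invalidation is also discarded on its next access; the timestamps must come from one clock (in a cluster, the shared store's), which the post does not go into.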
Norwegian Localization
by Caroline Sofie Olsen
Hi!
I've translated all base theme messages to Norwegian for our project, and I
would like to contribute the message resources.
Is it okay if I create a JIRA issue and a PR?
Kind regards,
Caroline Sofie Olsen
8 years, 5 months
Re: [keycloak-dev] Issue with single sign out using salesforce SP with keycloak IDP and also customizing the logout page
by Rashmi Singh
On keycloak logs, I only see this error:
2016-08-23 00:49:24,648 WARN [org.keycloak.events] (default task-6)
type=LOGIN_ERROR, realmId=saml-demo, clientId=null, userId=null,
ipAddress=192.168.99.1, error=invalid_token
This is a generic error and does not give any clue.
I used SAML tracer with firefox and there I see the following request in
RED:
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
Here are the contents for this request from SAML tracer (but it's not giving
me any clue on what is wrong):
GET http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
HTTP/1.1
Host: rashmiidp.cloud.com:9990
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101
Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,en;q=0.8,nl-BE;q=0.7,es;q=0.5,es-ES;q=0.3,en-US;q=0.2
Accept-Encoding: gzip, deflate
Cookie: KEYCLOAK_SESSION=saml-demo/6d25a0c6-7bb8-4cfc-b918-
e3384f9dfe72/1e3911dc-3237-4aee-ba56-07de530e00f7; KC_RESTART=
eyJhbGciOiJIUzI1NiJ9.eyJjcyI6ImI1M2QxOGJiLWQ3ODItND
ZhNS04YjY5LWQxM2IxMDVhMTc4NSIsImNpZCI6Imh0dHBzOi8vc2FtbC5zYW
xlc2ZvcmNlLmNvbSIsInB0eSI6InNhbWwiLCJydXJpIjoiaHR0cHM6Ly9yYX
NobWk3ODktZGV2LWVkLm15LnNhbGVzZm9yY2UuY29tP3NvPTAwRDQxMDAwMD
AwNUwxNCIsImFjdCI6IkFVVEhFTlRJQ0FURSIsIm5vdGVzIjp7ImFjdGlvbl
9rZXkiOiJmNDBmYTJmYi01YTM0LTRmZDQtYTc2NC0xZDI5NWVlZDFmODIiLC
JSZWxheVN0YXRlIjoiLyIsIlNBTUxfUkVRVUVTVF9JRCI6Il8yQ0FBQUFWZE
ZCal9tTUU4d05ERXdNREF3TURBMFF6azJBQUFBeWszaE1mODBfdTJ5cGVpSX
pjVWNkQUtJWUFkeF9vNmN2Y0ZoMTE4QkcxWnFVRVQtREZJY29Wb1BqLUNheW
ZFV2FHLXRCLUo3YXhHUEhGaWdWbmV3MEREQUVlTTdJR21KcURuMmpUOUlPOD
VfT2pYTlVNQzlrbmV0cmRDcmpweDZCWTJjcWVCVWV0cldsb0JVaWhpMHBKMW
0tb2dBSmM1T1NDTXhIUkxpclNNR2FYRVhEeFpLVldadENfQTUwTFl6S1o2bm
o3XzZ1ekhIak9qa01kYnpoY2RTZlVZS0Q2bVRhNmtCRjlweTRwQTB4bHg1eG
RpN1M5OWc1d0xnSklmeVJ3Iiwic2FtbF9iaW5kaW5nIjoicG9zdCJ9fQ.
E4kYw1y2Z3sOdXaa8eqNQ9Ca7r6t-7PFtY7JKNOLd-U; KEYCLOAK_IDENTITY=
eyJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJmNTQyYjY0Yy1iYTNhLT
RiY2ItYmE2OC0xZGEyZTY0ZGRjMTQiLCJleHAiOjE0NzE5NDg2NjAsIm5iZi
I6MCwiaWF0IjoxNDcxOTEyNjYwLCJpc3MiOiJodHRwOi8vcmFzaG1paWRwLm
Nsb3VkLmNvbTo5OTkwL2F1dGgvcmVhbG1zL3NhbWwtZGVtbyIsInN1YiI6Ij
ZkMjVhMGM2LTdiYjgtNGNmYy1iOTE4LWUzMzg0ZjlkZmU3MiIsInNlc3Npb2
5fc3RhdGUiOiIxZTM5MTFkYy0zMjM3LTRhZWUtYmE1Ni0wN2RlNTMwZTAwZj
ciLCJyZXNvdXJjZV9hY2Nlc3MiOnt9fQ.IfnQezJi5hCMHac2K3B9QnjWdx4SR7
F1TGV2JlbPxF0lOAqLzK5XaQgOO8p8z9XY-u0hN4DLFePXjzLOl0UwYaZ0ySxm-l-
gUsCkveVzTPRMS98ekuTMlc-1fPI4h1tCRrVawW5zOgH7zc-
a03KK0WZJ6b3iuU49PGsDXmeiNb6aqG-BIrmSkfsjfXr4zB69PcY0EF3sse0jl
OkZXYBcmbH46b_fWm-p4hpyt6QnGvxanKOc2jtavkUPSo5UrQxmQ3-
ahfxqZOFAvRbeHys5RdUUHs5BBefjkE4p8teCeG0nNzpgJfgPHgMNsnjELrTSafTcq1AM-yV2UOWrYeh0sA;
testusergrid={}
HTTP/?.? 500 Internal Server Error
Cache-Control: no-store, must-revalidate, max-age=0
X-Powered-By: Undertow/1
Server: WildFly/10
X-Frame-Options: SAMEORIGIN
content-security-policy: frame-src 'self'
Date: Tue, 23 Aug 2016 00:37:56 GMT
Connection: keep-alive
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=utf-8
Content-Length: 2906
Does this give you any idea? Do you have any more suggestions?
On Mon, Aug 22, 2016 at 7:54 PM, Rashmi Singh <singhrasster(a)gmail.com>
wrote:
> On Fri, Aug 19, 2016 at 7:52 AM, John Dennis <jdennis(a)redhat.com> wrote:
>
>> On 08/18/2016 10:06 PM, Rashmi Singh wrote:
>>
>>> Hi,
>>>
>>> I have setup a Salesforce Saml SP in keycloak. So, I basically created a
>>> new client from keycloak admin console for salesforce. This is how my SP
>>> url looks like:
>>>
>>> rashmi789-dev-ed.my.salesforce.com
>>> <http://rashmi789-dev-ed.my.salesforce.com>
>>>
>>> I edited the salesforce configuration settings to point it to the
>>> keycloak IDP. So, when I access the SP:
>>> http://rashmi789-dev-ed.my.salesforce.com
>>>
>>> I am successfully taken to the keycloak IDP page (where I have
>>> configured my Authenticator). I enter my credentials there and am able
>>> to login. But, now when I try to logout, I get the following error on
>>> the web page:
>>>
>>> We're sorry ...
>>> Invalid Request
>>>
>>
>> Is logout supported on both ends (i.e. SP and IdP)? The definition of
>> support is in the metadata of each entity. Is there a SingleLogoutService
>> binding with a valid location URL in each metadata? The vast majority of
>> SAML problems are directly attributable to the metadata because that is
>> what drives the conversation between the SP and IdP. You have access to
>> both metadata because it was necessary to load the metadata in each party.
>>
>> If the problem is not the absence of SingleLogoutService then I would try
>> tracing the flow. That is easy with the Firefox browser and the SAMLTracer
>> add-on. That will let you see the exchange of messages and identify who the
>> offending party is.
>>
>>> So, single sign out does not seem to be working for me. What is the
>>> issue? Is it a problem with the IDP logout url that I have configured?
>>> What I have is:
>>>
>>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>>
>>>
>>> my IDP Login URL is:
>>> http://rashmiidp.cloud.com:9990/auth/realms/saml-demo/protocol/saml
>>>
>>> and that seem to be perfectly fine as I am able to login without any
>>> issue. what is the issue with the logout I am seeing above when using a
>>> Salesforce SP with keycloak? Please let me know if you need me to
>>> provide more details.
>>>
>>
>> This suggests the problem is not with the IdP. Keycloak uses the same URL
>> for all services (don't assume this is always the case, it's just one
>> implementation choice). If login to the same URL works, a valid
>> LogoutRequest to the same URL should also work, provided of course it is a
>> valid SAML Request. Are there any errors in the Keycloak log concerning
>> invalid requests?
>>
>> Once again, using SAMLTracer will help nail down who is generating the
>> error and what the content of the message was that induced it.
>>
>>
>>> Also, once this issue is resolved and I am able to logout successfully,
>>> could you give some insights on how to customize the logout page?
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>>
>>
>> --
>> John
>>
>
>
8 years, 5 months
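The metadata check John recommends in the thread above, as an added example (written for this page; it is not Keycloak's or Salesforce's code, and the metadata fragment, entity ID and URLs are constructed): parse a party's SAML metadata with DTDs and external entities disabled, then report whether a SingleLogoutService with a usable Binding and Location is advertised at all.

```java
import java.io.StringReader;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public final class SloMetadataCheck {
    static final String MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata";

    // Constructed sample (not Salesforce's or Keycloak's metadata): an SP that advertises SLO over HTTP-Redirect.
    static final String SAMPLE_SP_METADATA =
        "<md:EntityDescriptor xmlns:md=\"" + MD_NS + "\" entityID=\"https://sp.example.test/saml\">"
      + "<md:SPSSODescriptor protocolSupportEnumeration=\"urn:oasis:names:tc:SAML:2.0:protocol\">"
      + "<md:SingleLogoutService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect\""
      + " Location=\"https://sp.example.test/saml/logout\"/>"
      + "<md:AssertionConsumerService Binding=\"urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST\""
      + " Location=\"https://sp.example.test/saml/acs\" index=\"0\"/>"
      + "</md:SPSSODescriptor></md:EntityDescriptor>";

    // Metadata is supplied by the other party, so parse it with DTDs and external entities switched off (no XXE).
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // Returns what is wrong with the advertised SingleLogoutService endpoints; an empty list means SLO is usable as advertised.
    static List<String> checkSingleLogout(String metadataXml) throws Exception {
        List<String> find = new ArrayList<>();
        NodeList slo = parse(metadataXml).getElementsByTagNameNS(MD_NS, "SingleLogoutService");
        if (slo.getLength() == 0) {
            find.add("no SingleLogoutService element: this party does not advertise logout at all");
            return find;
        }
        for (int i = 0; i < slo.getLength(); i++) {
            Element e = (Element) slo.item(i);
            String binding = e.getAttribute("Binding"), location = e.getAttribute("Location"); // "" when absent
            if (binding.isEmpty()) find.add("SingleLogoutService[" + i + "]: missing Binding");
            if (location.isEmpty()) { find.add("SingleLogoutService[" + i + "]: missing Location"); continue; }
            try {
                URI u = new URI(location);
                if (!u.isAbsolute() || u.getHost() == null) find.add("SingleLogoutService[" + i + "]: Location is not an absolute URL: " + location);
                else if (!"https".equalsIgnoreCase(u.getScheme())) find.add("SingleLogoutService[" + i + "]: Location is not https, so logout messages travel in the clear: " + location);
            } catch (URISyntaxException ex) {
                find.add("SingleLogoutService[" + i + "]: unparsable Location: " + location);
            }
        }
        return find;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(checkSingleLogout(SAMPLE_SP_METADATA));                                                  // []
        System.out.println(checkSingleLogout(SAMPLE_SP_METADATA.replace("https://sp.example.test/saml/logout", "http://sp.example.test/saml/logout"))); // not https
        System.out.println(checkSingleLogout(SAMPLE_SP_METADATA.replaceAll("<md:SingleLogoutService[^>]*/>", ""))); // no SingleLogoutService
    }
}
```

Run it with javac SloMetadataCheck.java and java SloMetadataCheck, then feed it the real metadata of each party: when one side lists no SingleLogoutService, the logout request has nowhere to go, which is the first thing John's reply tells you to rule out before tracing the messages themselves.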
rethinking credentials
by Bill Burke
The credential API for users needs to change. Here are the types of
credentials and how the system interacts with them:
1. Creds stored, gathered, and validated by Keycloak OOTB code.
2. Creds stored in external store, but gathered and validated by
Keycloak OOTB code. (i.e. User Storage SPI returns the credentials
directly)
3. Creds gathered by built-in Keycloak OOTB code, but stored and
validated externally (i.e. LDAP).
4. Creds gathered by custom Authenticators, stored and validated externally.
5. Creds gathered by custom authenticators, stored by keycloak,
validated by custom code.
There's other combinations as well:
a. Keycloak stored User, custom credential store
b. User Storage Provider, keycloak stored creds
c. User Storage Provider, custom credential store
Credentials that are validated by Keycloak are currently cached along
with the user. What sucks about this is that some credential types require
a database update, i.e. HOTP which needs to update a counter. So HOTP
invalidates the user cache every single login. We also want to allow
custom credential stores to be able to cache themselves along with the user.
What's interesting about #4 is that there really doesn't need to be any
special SPI. The custom authenticator can lookup the factory and
typecast it to any interface it wants to validate the credential.
Since our caching layer is a local-only invalidation cache, cacheable
custom externally stored credentials just need a simple.
Given all this, gonna put some iterations in on a new credential API.
Any other thoughts?
8 years, 5 months
Re: [keycloak-dev] [keycloak-user] Review Japanese translations
by Stian Thorgersen
Great, thanks.
On 24 August 2016 at 04:51, Hisanobu Okuda <hokuda(a)redhat.com> wrote:
> Stian,
>
> I can do that.
>
> Regards,
> Hisanobu
>
> On Tue, 2016-08-23 at 13:01 +0200, Stian Thorgersen wrote:
> > We have a PR for Japanese translations, but I would like someone to
> > review it prior to merging it. Is there any Japanese speakers out
> > there that could review it for me?
> > _______________________________________________
> > keycloak-user mailing list
> > keycloak-user(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-user
>
8 years, 5 months
JDK or JRE for running Keycloak
by Adrian Mitev
Hi all! Is a JDK required for Keycloak, or can a pure JRE be used? I'm trying
to create the smallest possible docker image for the purpose. If a JDK is
required, what JDK tools does Keycloak use?
8 years, 5 months
new credential SPI
by Bill Burke
I'm currently working on a new credential SPI that will replace existing
methods on UserProvider and UserModel, as well as replacing
UserCredentialModel, etc. This is a work in progress where we may see
multiple iterations in master. I hope to remain backward compatible,
but can't guarantee I won't break existing User Federation Providers.
Here's an initial writeup to explain things. Credentials revolve around
these 4 events that are initiated by authentication flows, the admin
console, and the account service.
* Is the user configured for a specific credential type
* Is a credential valid
* What required actions must be taken for an unconfigured credential type
* update a credential
How each of these events is resolved will depend on the configuration of
the system and these interfaces:
import java.util.Set;

public interface CredentialInput {
    String getType();   // the credential type, e.g. "password" or "OTP"
}

public interface CredentialInputValidator {
    boolean supportsCredentialType(String credentialType);
    // event 1: is the user configured for this credential type
    boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType);
    // event 2: is the supplied credential valid
    boolean isValid(RealmModel realm, UserModel user, CredentialInput input);
}

public interface CredentialInputUpdater {
    boolean supportsCredentialType(String credentialType);
    // event 3: which required actions set up an unconfigured credential type
    Set<String> requiredActionsFor(RealmModel realm, UserModel user, String credentialType);
    // event 4: update (store) a credential
    void updateCredential(RealmModel realm, UserModel user, CredentialInput input);
}
Two different types of components will be able to implement these
interfaces. UserStorageProviders (user federation) and
CredentialProviders. CredentialProviders are components configured at
the realm level. CredentialProviders are responsible for managing one
or more types of credential types and are the bridge between
CredentialInput and where the credential is stored. UserStorageProvider
is always asked first whether it can complete the requested action, then
CredentialProviders are queried in order of their priority.
Each UserStorageProvider and/or CredentialProvider can implement the
OnUserCache callback interface discussed in my previous custom caching
email. This allows each credential type to decide whether it will be
cached or not along with the user. For example, HOTP cannot be cached.
So, for example, there will be a KeycloakMobileOTPProvider. This deals
with Google Authenticator and FreeOTP as well as storing these things
within Keycloak storage, it also looks at the OTP policy of the realm to
determine how to update and store the OTP secret and stuff. There is
also a KeycloakPasswordProvider which hooks into Keycloak storage and
the PasswordPolicies set up by the realm. When a user is cached, the
KeycloakPasswordProvider will add the hashed password to the user cache,
the KeycloakMobileOTPProvider will add the OTP secret to cache if it's
not HOTP and needs to maintain a counter.
Let's walk through an authentication flow, specifically for OTP.
1. Authenticator calls KeycloakSession.users().isConfiguredFor(realm,
user, "OTP"). If the user was loaded by a UserStorageProvider and that
provider implements the CredentialInputValidator interface,
isConfiguredFor() is called on that. If that returns false, each
CredentialProvider is iterated on to call isConfiguredFor().
2. If OTP is required and not configured for the user, the Authenticator
then calls KeycloakSession.users().requiredActionsFor(...). Again,
UserStorageProvider is queried first, then the CredentialProviders. The
first provider that returns a non-empty set will end the query and the
set of required actions will be returned.
3a. Let's say that in this particular example, the generic OTP Required
Action screen is invoked. In that case, this required action provider
calls KeycloakSession.users().updateCredential. The first
UserStorageProvider or CredentialProvider that can handle this
credential type will save the credential.
3b. If OTP is configured for user, the OTP is obtained by the
Authenticator and KeycloakSession.users().isValid() method is called.
Again, UserStorageProvider first, then each CredentialProvider. Each
provider is queried until one returns true or the list is exhausted.
FYI, this algorithm allows for multiple OTP authenticators per user.
** Admin console and Account Service UIs **
Like we do for other components, the UserStorageProvider or
CredentialProvider can optionally provide a list of
ProviderConfigProperties for the admin console and/or account service so
that it can create a credential for a specific user. There will be
separate property lists for admin console and account service. If a
specific custom screen is desired, I'm pretty sure we can just allow the
developer to plug in their own $routeProvider for the admin console. We
don't have a pluggable mechanism for the account service yet (or a generic
way to render either). This will need to be developed eventually.
8 years, 5 months
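As an added worked example of the query order described in the "new credential SPI" post above (UserStorageProvider first, then CredentialProviders by priority; first "true"/first non-empty set ends the query) and of the HOTP-counter point made in the earlier "rethinking credentials" post: this is example code written for this page, not Keycloak's implementation. The stand-in RealmModel/UserModel, the CredentialProvider interface with its priority(), the value field on SimpleInput, the attribute names hotp.secret and hotp.counter, and the sample password and secret are all assumptions; it needs Java 17 or later.

```java
import static java.nio.charset.StandardCharsets.UTF_8;
import java.nio.ByteBuffer;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Stand-ins so this file compiles on its own; they are NOT Keycloak's RealmModel/UserModel.
interface RealmModel {}
interface UserModel { String username(); Map<String, String> attributes(); }
record User(String username, Map<String, String> attributes) implements UserModel {}

// The three interfaces as proposed in the post.
interface CredentialInput { String getType(); }
interface CredentialInputValidator {
    boolean supportsCredentialType(String credentialType);
    boolean isConfiguredFor(RealmModel realm, UserModel user, String credentialType);
    boolean isValid(RealmModel realm, UserModel user, CredentialInput input);
}
interface CredentialInputUpdater {
    boolean supportsCredentialType(String credentialType);
    Set<String> requiredActionsFor(RealmModel realm, UserModel user, String credentialType);
    void updateCredential(RealmModel realm, UserModel user, CredentialInput input);
}
// Assumed shape of a realm-level CredentialProvider (not spelled out in the post): validator + updater with a priority.
interface CredentialProvider extends CredentialInputValidator, CredentialInputUpdater { int priority(); }
// What the user typed. The post's CredentialInput only fixes getType(); the value field is this example's.
record SimpleInput(String type, String value) implements CredentialInput { public String getType() { return type; } }

// Stand-in for an external store (LDAP-like) that owns and validates the password itself (case 3 in the post).
final class ExternalPasswordStore implements CredentialInputValidator {
    private final Map<String, String> passwords; // a real store would bind or verify a hash, never keep plaintext
    ExternalPasswordStore(Map<String, String> passwords) { this.passwords = passwords; }
    public boolean supportsCredentialType(String t) { return "password".equals(t); }
    public boolean isConfiguredFor(RealmModel r, UserModel u, String t) { return supportsCredentialType(t) && passwords.containsKey(u.username()); }
    public boolean isValid(RealmModel r, UserModel u, CredentialInput in) { // constant-time compare
        return in instanceof SimpleInput s && passwords.containsKey(u.username()) && MessageDigest.isEqual(passwords.get(u.username()).getBytes(UTF_8), s.value().getBytes(UTF_8));
    }
}

// HOTP (RFC 4226) provider with secret and counter in user attributes; the counter must advance on every login, which is why the post says HOTP cannot be cached with the user.
final class HotpProvider implements CredentialProvider {
    public int priority() { return 10; }
    public boolean supportsCredentialType(String t) { return "otp".equals(t); }
    public boolean isConfiguredFor(RealmModel r, UserModel u, String t) { return supportsCredentialType(t) && u.attributes().containsKey("hotp.secret"); }
    public Set<String> requiredActionsFor(RealmModel r, UserModel u, String t) { // Keycloak's existing required-action name for OTP setup
        return (!supportsCredentialType(t) || isConfiguredFor(r, u, t)) ? Set.of() : Set.of("CONFIGURE_TOTP");
    }
    public void updateCredential(RealmModel r, UserModel u, CredentialInput in) {
        u.attributes().put("hotp.secret", ((SimpleInput) in).value()); // stored raw for the demo; a real provider encrypts it at rest
        u.attributes().put("hotp.counter", "0");
    }
    public boolean isValid(RealmModel r, UserModel u, CredentialInput in) {
        if (!isConfiguredFor(r, u, in.getType()) || !(in instanceof SimpleInput s)) return false;
        long counter = Long.parseLong(u.attributes().get("hotp.counter"));
        if (!MessageDigest.isEqual(hotp(u.attributes().get("hotp.secret").getBytes(UTF_8), counter).getBytes(UTF_8), s.value().getBytes(UTF_8))) return false;
        u.attributes().put("hotp.counter", Long.toString(counter + 1)); // state change: the same code never validates twice
        return true;
    }
    static String hotp(byte[] key, long counter) {
        try {
            Mac mac = Mac.getInstance("HmacSHA1"); mac.init(new SecretKeySpec(key, "HmacSHA1"));
            byte[] h = mac.doFinal(ByteBuffer.allocate(8).putLong(counter).array());
            int off = h[19] & 0x0f; // dynamic truncation, RFC 4226 section 5.3
            int bin = ((h[off] & 0x7f) << 24) | ((h[off + 1] & 0xff) << 16) | ((h[off + 2] & 0xff) << 8) | (h[off + 3] & 0xff);
            return String.format("%06d", bin % 1_000_000);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}

// The query order the post describes: the user's UserStorageProvider first, then CredentialProviders by priority.
final class CredentialResolver {
    private final List<Object> chain = new ArrayList<>();
    CredentialResolver(CredentialInputValidator storageProvider, List<CredentialProvider> providers) {
        if (storageProvider != null) chain.add(storageProvider);
        providers.stream().sorted(Comparator.comparingInt(CredentialProvider::priority)).forEach(chain::add);
    }
    private <T> List<T> of(Class<T> role) { return chain.stream().filter(role::isInstance).map(role::cast).toList(); }
    boolean isConfiguredFor(RealmModel realm, UserModel user, String type) {
        return of(CredentialInputValidator.class).stream().anyMatch(v -> v.supportsCredentialType(type) && v.isConfiguredFor(realm, user, type));
    }
    boolean isValid(RealmModel realm, UserModel user, CredentialInput in) { // first "true" ends the query, else the list is exhausted
        return of(CredentialInputValidator.class).stream().anyMatch(v -> v.supportsCredentialType(in.getType()) && v.isValid(realm, user, in));
    }
    Set<String> requiredActionsFor(RealmModel realm, UserModel user, String type) { // first non-empty set ends the query
        for (CredentialInputUpdater u : of(CredentialInputUpdater.class)) { Set<String> a = u.requiredActionsFor(realm, user, type); if (!a.isEmpty()) return a; }
        return Set.of();
    }
    boolean updateCredential(RealmModel realm, UserModel user, CredentialInput in) { // first updater that supports the type saves it
        for (CredentialInputUpdater u : of(CredentialInputUpdater.class)) if (u.supportsCredentialType(in.getType())) { u.updateCredential(realm, user, in); return true; }
        return false;
    }
}

public final class CredentialSpiDemo {
    public static void main(String[] args) {
        RealmModel realm = new RealmModel() {};
        UserModel alice = new User("alice", new HashMap<>());
        CredentialResolver users = new CredentialResolver(new ExternalPasswordStore(Map.of("alice", "constructed-sample-password")), List.of(new HotpProvider()));
        System.out.println("otp configured? " + users.isConfiguredFor(realm, alice, "otp"));            // false: store declines, HOTP provider has no secret
        System.out.println("required actions: " + users.requiredActionsFor(realm, alice, "otp"));       // [CONFIGURE_TOTP]
        users.updateCredential(realm, alice, new SimpleInput("otp", "constructed-sample-secret"));       // what the required-action screen would do
        System.out.println("password ok? " + users.isValid(realm, alice, new SimpleInput("password", "constructed-sample-password"))); // true, answered by the store
        String code = HotpProvider.hotp("constructed-sample-secret".getBytes(UTF_8), 0);                // the code the user's token would show
        System.out.println("otp ok? " + users.isValid(realm, alice, new SimpleInput("otp", code)));      // true, counter becomes 1
        System.out.println("replayed otp ok? " + users.isValid(realm, alice, new SimpleInput("otp", code))); // false
    }
}
```

Compile with javac CredentialSpiDemo.java and run java CredentialSpiDemo. The last two lines are the caching point: a valid HOTP login writes hotp.counter, so a cached copy of that attribute would accept the replayed code, which is why an OnUserCache callback for this provider must leave HOTP state out of the cache.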
Re: [keycloak-dev] Customize logout page on keycloak
by Rashmi Singh
This page seems to be just a documentation on themes etc. My question is
when I do a logout from a SAML SP, how do I get an IDP logout page and how
do I then customize it? Currently, I am not even getting a logout page. Can
you explain how to get an IDP logout page?
On Mon, Aug 22, 2016 at 4:44 PM, Rashmi Singh <singhrasster(a)gmail.com>
wrote:
> On Mon, Aug 22, 2016 at 7:00 AM, Bruno Oliveira <bruno(a)abstractj.org>
> wrote:
>
>> Please, look at the docs[1].
>>
>> [1] - https://keycloak.gitbooks.io/server-developer-guide/
>>
>> On 2016-08-21, Rashmi Singh wrote:
>> > I would like to customize the logout page for the IDP on keycloak. Could
>> > you provide some insights/pointers on how to do this?
>>
>>
>>
>> --
>>
>> abstractj
>> PGP: 0x84DC9914
>>
>
>
8 years, 5 months