new deployer in master
by Bill Burke
Ok,
New provider deployer exists in master. You can package components in
any type of deployment, i.e. within an EAR or WAR. Hot deploy works as
well. The deployers/ directory and deployment-scanner subsystem is now
back in the server. Also added JTA transactions. So, now when a
KeycloakSession is created a new JTA transaction is associated with the
KeycloakTransactionManager. If there was an existing JTA transaction,
that transaction is suspended and resumed after the keycloak session
completes. JTA TransactionManager lookup has an SPI now which you can
enable/disable in keycloak-server.json. If no transaction manager
exists, i.e. within the testsuite, JTA is not used at all.
I'll be documenting all this eventually. Still have some work to do on
the new user federation spi before that though.
Bill
8 years, 5 months
Claims from UserInfo endpoint are not getting mapped by OIDC identity broker
by Peter Nalyvayko
Hello,
It seems that there is no way to map the claims returned by the /userinfo endpoint to user attributes. I set up an OIDC identity broker to enable external identity broker authentication in keycloak. Some of the relevant information about the user, such as language, locale, etc., is available only by calling the /userinfo endpoint, so I wanted to map the claims returned by the endpoint to the user attributes using the available mappers.
Unfortunately, it seems that the Attribute Mapper can map ID token or Access token claims (User Attribute Mapper), and completely ignores the userInfo claims. Searching through the codebase, I've found that the OIDC identity broker calls AbstractJsonUserAttributeMapper.storeUserProfileForMapper to store the user profile returned by the call to the /userinfo endpoint in the user's context data. However, there seems to be no way (without modifying the code, that is) to map that data to the attributes of the federated user created by the OIDC identity broker.
Am I missing something here, or is this functionality not available out of the box for the OIDC identity broker?
I am using keycloak version 2.1.0.
Thank you,
--
Peter
8 years, 5 months
Dynamic client registrations without initial-access-token
by Marek Posolda
According to the specification
http://openid.net/specs/openid-connect-registration-1_0.html#ClientRegist...
there is this:
"To support open Dynamic Registration, the Client Registration Endpoint
SHOULD accept registration requests without OAuth 2.0 Access Tokens.
These requests MAY be rate-limited or otherwise limited to prevent a
denial-of-service attack on the Client Registration Endpoint."
So it looks like we need to have a way to allow dynamic client registrations
even without an Initial Access Token. Without supporting it, we are not
able to move forward with the OIDC conformance testsuite with the "Dynamic"
profile, as it seems there is no way to retrieve the initialAccessToken
from Keycloak and "inject" it into the conformance testsuite.
So I've added the possibility to define trusted hosts under the "Initial
Access Tokens" tab. Client registration requests from those hosts are
permitted even without an initial-access-token. It's possible to limit the
count of registrations for each host, similarly to how it is for "Initial
Access Tokens".
This approach allows us to move forward with the OIDC Conformance testsuite
with the "Dynamic" profile.
If you agree and we move forward with this approach, then we should
consider renaming the "Initial Access Tokens" tab to "Client Registration"
or "Dynamic Client Registration"? As Initial Access Tokens are anyway
related just to dynamic client registrations.
WDYT?
Marek
8 years, 5 months
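As an added example (not Keycloak's code and not Marek's change), a model of the trusted-host policy described above: a request without an initial access token is accepted only from a configured host or network, and each such host is limited to a bounded number of registrations, mirroring the count limit on Initial Access Tokens. The class name TrustedHostPolicy, its methods and the sample hosts are assumptions made for this example.

```python
import ipaddress
from typing import Dict, Optional, Set, Tuple


class TrustedHostPolicy:
    """Decide whether a dynamic client registration request may proceed.

    Model of the approach in the post (not Keycloak code): a valid initial
    access token always suffices; otherwise the request is accepted only
    from a trusted host, and each trusted host gets at most max_per_host
    registrations, mirroring the count limit on initial access tokens.
    """

    def __init__(self, trusted_hosts: Set[str], max_per_host: Optional[int] = None) -> None:
        # Entries may be exact hostnames/IPs or CIDR networks such as 10.0.0.0/8.
        self.trusted_hosts = trusted_hosts
        self.max_per_host = max_per_host            # None means unlimited
        self.registrations: Dict[str, int] = {}     # remote host -> registrations so far

    def is_trusted(self, remote_host: str) -> bool:
        if remote_host in self.trusted_hosts:
            return True
        try:
            addr = ipaddress.ip_address(remote_host)
        except ValueError:
            return False                            # a hostname that is not listed verbatim
        for entry in self.trusted_hosts:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                continue                            # entry is a hostname, not a network
        return False

    def allow_registration(self, remote_host: str, has_valid_token: bool) -> Tuple[bool, str]:
        """Return (allowed, reason).

        remote_host must be the peer address as seen by the server (or by a
        reverse proxy the server is configured to trust), never a value
        copied from a client-supplied header, because the whole decision
        rests on it.
        """
        if has_valid_token:
            return True, "valid initial access token"
        if not self.is_trusted(remote_host):
            return False, "no initial access token and host is not trusted"
        used = self.registrations.get(remote_host, 0)
        if self.max_per_host is not None and used >= self.max_per_host:
            return False, "registration limit for this host reached"
        self.registrations[remote_host] = used + 1
        return True, "trusted host"


if __name__ == "__main__":
    # Constructed configuration: a conformance-suite host plus a lab network.
    policy = TrustedHostPolicy({"conformance.example.test", "10.0.0.0/8"}, max_per_host=2)
    for host in ("10.1.2.3", "10.1.2.3", "10.1.2.3", "203.0.113.9"):
        print(host, policy.allow_registration(host, has_valid_token=False))
```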
Demo dist broken
by Stan Silvert
I did a clean build from head. Unzipped demo dist and started up. Got this:
2016-08-17 12:16:08,126 INFO [org.keycloak.services] (ServerService
Thread Pool -- 67) KC-SERVICES0001: Loading config from
c:\kctemp\keycloak-demo-2.2.0-SNAPSHOT\keycloak\standalone\configuration\keycloak-server.json
2016-08-17 12:16:08,717 INFO [org.jboss.ws.common.management] (MSC
service thread 1-1) JBWS022052: Starting JBossWS 5.1.3.Final (Apache CXF
3.1.4)
2016-08-17 12:16:12,615 WARN
[org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider]
(ServerService Thread Pool -- 67) Failed to rollback connection after
error: java.sql.SQLException: IJ031021: You cannot rollback during a
managed transaction
    at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.jdbcRollback(BaseWrapperManagedConnection.java:1122)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.rollback(WrappedConnection.java:863)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.safeRollbackConnection(LiquibaseDBLockProvider.java:159)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:109)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:104)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:287)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:97)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
2016-08-17 12:16:12,623 ERROR [org.jboss.as.txn] (ServerService Thread
Pool -- 67) WFLYTX0003: APPLICATION ERROR: transaction still active in
request with status 4
2016-08-17 12:16:12,624 WARN [com.arjuna.ats.arjuna] (ServerService
Thread Pool -- 67) ARJUNA012077: Abort called on already aborted atomic
action 0:ffff0a0a3838:-30eee89c:57b48dc5:b
2016-08-17 12:16:12,625 ERROR [org.jboss.msc.service.fail]
(ServerService Thread Pool -- 67) MSC000001: Failed to start service
jboss.undertow.deployment.default-server.default-host./auth:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./auth:
java.lang.RuntimeException: RESTEASY003325: Failed to construct public
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.IllegalStateException: Failed to retrieve lock
    at org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService.acquireLock(CustomLockService.java:157)
    at org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService.waitForLock(CustomLockService.java:123)
    at org.keycloak.connections.jpa.updater.liquibase.lock.LiquibaseDBLockProvider.waitForLock(LiquibaseDBLockProvider.java:99)
    at org.keycloak.services.resources.KeycloakApplication$1.run(KeycloakApplication.java:104)
    at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:287)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:97)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:422)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more
Caused by: liquibase.exception.DatabaseException: liquibase.exception.DatabaseException: java.sql.SQLException: IJ031021: You cannot rollback during a managed transaction
    at liquibase.database.AbstractJdbcDatabase.rollback(AbstractJdbcDatabase.java:1139)
    at org.keycloak.connections.jpa.updater.liquibase.lock.CustomLockService.acquireLock(CustomLockService.java:152)
    ... 29 more
Caused by: liquibase.exception.DatabaseException: java.sql.SQLException: IJ031021: You cannot rollback during a managed transaction
    at liquibase.database.jvm.JdbcConnection.rollback(JdbcConnection.java:340)
    at liquibase.database.AbstractJdbcDatabase.rollback(AbstractJdbcDatabase.java:1137)
    ... 30 more
Caused by: java.sql.SQLException: IJ031021: You cannot rollback during a managed transaction
    at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.jdbcRollback(BaseWrapperManagedConnection.java:1122)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.rollback(WrappedConnection.java:863)
    at liquibase.database.jvm.JdbcConnection.rollback(JdbcConnection.java:337)
    ... 31 more
2016-08-17 12:16:12,635 ERROR
[org.jboss.as.controller.management-operation] (Controller Boot Thread)
WFLYCTL0013: Operation ("add") failed - address: ([("deployment" =>
"keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed
services" =>
{"jboss.undertow.deployment.default-server.default-host./auth" =>
"org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./auth:
java.lang.RuntimeException: RESTEASY003325: Failed to construct public
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to
construct public
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
Caused by: java.lang.IllegalStateException: Failed to retrieve lock
Caused by: liquibase.exception.DatabaseException:
liquibase.exception.DatabaseException: java.sql.SQLException: IJ031021:
You cannot rollback during a managed transaction
Caused by: liquibase.exception.DatabaseException:
java.sql.SQLException: IJ031021: You cannot rollback during a managed
transaction
Caused by: java.sql.SQLException: IJ031021: You cannot rollback
during a managed transaction"}}
2016-08-17 12:16:12,661 INFO [org.jboss.as.server] (ServerService
Thread Pool -- 61) WFLYSRV0010: Deployed "keycloak-server.war"
(runtime-name : "keycloak-server.war")
2016-08-17 12:16:12,663 INFO [org.jboss.as.controller] (Controller Boot
Thread) WFLYCTL0183: Service status report
WFLYCTL0186: Services which failed to start: service
jboss.undertow.deployment.default-server.default-host./auth:
org.jboss.msc.service.StartException in service
jboss.undertow.deployment.default-server.default-host./auth:
java.lang.RuntimeException: RESTEASY003325: Failed to construct public
org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
2016-08-17 12:16:12,745 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0060: Http management interface listening on
http://127.0.0.1:9990/management
2016-08-17 12:16:12,746 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0051: Admin console listening on http://127.0.0.1:9990
2016-08-17 12:16:12,746 ERROR [org.jboss.as] (Controller Boot Thread)
WFLYSRV0026: WildFly Full 10.0.0.Final (WildFly Core 2.0.10.Final)
started (with errors) in 24670ms - Started 429 of 785 services (2
services failed or missing dependencies, 513 services are lazy, passive
or on-demand)
2016-08-17 12:19:32,948 INFO [org.jboss.as.server] (Thread-2)
WFLYSRV0220: Server shutdown has been requested.
2016-08-17 12:19:32,977 INFO
[org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1)
WFLYJCA0010: Unbound data source [java:jboss/datasources/KeycloakDS]
2016-08-17 12:19:32,984 INFO [org.wildfly.extension.undertow] (MSC
service thread 1-3) WFLYUT0019: Host default-host stopping
2016-08-17 12:19:32,994 INFO
[org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-8)
WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
2016-08-17 12:19:32,999 INFO [org.jboss.as.connector.deployers.jdbc]
(MSC service thread 1-8) WFLYJCA0019: Stopped Driver service with
driver-name = h2
2016-08-17 12:19:33,005 INFO [org.wildfly.extension.undertow] (MSC
service thread 1-8) WFLYUT0008: Undertow HTTP listener default suspending
2016-08-17 12:19:33,006 INFO [org.wildfly.extension.undertow] (MSC
service thread 1-8) WFLYUT0007: Undertow HTTP listener default stopped,
was bound to 127.0.0.1:8080
2016-08-17 12:19:33,007 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 76) WFLYCLINF0003: Stopped offlineSessions
cache from keycloak container
2016-08-17 12:19:33,007 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 73) WFLYCLINF0003: Stopped sessions cache
from keycloak container
2016-08-17 12:19:33,013 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 77) WFLYCLINF0003: Stopped authorization
cache from keycloak container
2016-08-17 12:19:33,014 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 78) WFLYCLINF0003: Stopped realms cache
from keycloak container
2016-08-17 12:19:33,015 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 74) WFLYCLINF0003: Stopped loginFailures
cache from keycloak container
2016-08-17 12:19:33,016 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 79) WFLYCLINF0003: Stopped work cache from
keycloak container
2016-08-17 12:19:33,016 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 75) WFLYCLINF0003: Stopped users cache
from keycloak container
2016-08-17 12:19:33,024 INFO [org.wildfly.extension.undertow] (MSC
service thread 1-8) WFLYUT0004: Undertow 1.3.15.Final stopping
2016-08-17 12:19:33,029 INFO
[org.hibernate.validator.internal.util.Version] (MSC service thread 1-2)
HV000001: Hibernate Validator 5.2.3.Final
2016-08-17 12:19:33,083 INFO [org.jboss.as.server.deployment] (MSC
service thread 1-7) WFLYSRV0028: Stopped deployment keycloak-server.war
(runtime-name: keycloak-server.war) in 126ms
2016-08-17 12:19:33,086 INFO [org.jboss.as] (MSC service thread 1-6)
WFLYSRV0050: WildFly Full 10.0.0.Final (WildFly Core 2.0.10.Final)
stopped in 115ms
8 years, 5 months
combine proxy and keycloak server
by Bill Burke
I think we should combine Keycloak Proxy with the keycloak server. When
creating a client, you would have an option to declare it as a proxied
client. This is way better than what we currently have as we wouldn't
have to do SAML or OIDC so it would be more performant and it would
require no additional setup.
8 years, 5 months
Japanese Localization
by Hiroyuki Wada
Hello all,
I am translating all base theme messages to the Japanese language now.
(I think I can do it by the end of the week.)
I'd like to contribute the message resources. What do you think?
If it's ok, I'll create a JIRA issue and create a pull request.
Regards,
--
Hiroyuki Wada
wadahiro(a)gmail.com
8 years, 6 months
PAM Conversations - Custom login form
by Bruno Oliveira
Good morning,
Today, to authenticate against PAM with just a simple username/password, I
implemented UserFederationProvider and added the proper PAM login to
validCredentials[1]. This covers the most basic scenario.
Now I would like to cover a more complex scenario like OTP and change
the flow a little bit, like this:
1. User provides her username
2. The next screen asks the user to provide however many factors she has (for
example: OTP, password). We just don't know; PAM will tell what's next.
3. We authenticate against it
To see it in practice against a FreeIPA server, I just recorded it
for a practical example[2].
What would be the best approach to implement this flow? I was considering
moving my authentication logic out of the SSSD federation provider and creating a PAM
authenticator.
Does it make sense?
[1] - http://www.keycloak.org/docs/javadocs/org/keycloak/models/UserFederationP...
[2] - https://asciinema.org/a/atwnfbu0kqfasjl65weyoiz7a
--
abstractj
PGP: 0x84DC9914
8 years, 6 months
caching custom per-user objects
by Bill Burke
I've run into a few places where I need to cache custom things per-user
that are evicted along with the user. I also need some fine-grained
control of things that get cached with a user. Here are the scenarios:
* UserStorageProvider SPI needs to cache something that doesn't fit with
the current UserModel metadata
* Certain credential types like HOTP need to be updated per login. We
don't want to cache these things, and we do not want to evict users in
the cache that use these credential types
* It should be possible to cache credentials that are validated by an
external provider. For example, password and LDAP. JBoss has
supported caching successfully validated credentials since forever.
I'm going to expose a new interface via KeycloakSession: UserCache
    interface UserCache extends UserProvider {
        boolean isCached(UserModel user);
        void cacheWith(UserModel user, Object key, Object value);
    }
I'm also going to add a callback interface:
    interface OnUserCache {
        void cacheUser(RealmModel realm, UserModel user, Map cache);
    }
I originally thought about having a ProviderEvent for OnUserCache, but
this callback needs to be targeted to specific objects rather than
everything. i.e. a specific User Storage Provider rather than being
sent to every storage provider.
Bill
8 years, 6 months
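An added example, not Keycloak code and not Bill's implementation, that models the design sketched in the post: per-user custom objects that disappear when the user is evicted, an OnUserCache callback delivered only to the storage provider owning the user, and a hypothetical HOTP-backed provider that keeps its per-login counter out of the cache so that logins never force eviction. The class and method names (UserCache, HotpStorage, cache_user, consume_hotp) and the sample users are assumptions.

```python
from typing import Any, Callable, Dict, Optional


class UserModel:
    """Minimal stand-in for Keycloak's UserModel (shape assumed here)."""

    def __init__(self, user_id: str, username: str, provider_id: str) -> None:
        self.id = user_id
        self.username = username
        self.provider_id = provider_id   # storage provider that owns this user


# Follows the OnUserCache sketch: (realm, user, per-user cache map) -> None
OnUserCache = Callable[[str, UserModel, Dict[str, Any]], None]


class UserCache:
    """Per-user cache of custom objects that are evicted together with the user."""

    def __init__(self) -> None:
        self._entries: Dict[str, Dict[str, Any]] = {}   # user id -> cached objects
        self._callbacks: Dict[str, OnUserCache] = {}    # provider id -> callback

    def register_on_cache(self, provider_id: str, callback: OnUserCache) -> None:
        # Targeted, not broadcast: only the provider owning the user is called.
        self._callbacks[provider_id] = callback

    def cache_user(self, realm: str, user: UserModel) -> None:
        extras: Dict[str, Any] = {}
        callback = self._callbacks.get(user.provider_id)
        if callback is not None:
            callback(realm, user, extras)
        self._entries[user.id] = extras

    def is_cached(self, user: UserModel) -> bool:
        return user.id in self._entries

    def cache_with(self, user: UserModel, key: str, value: Any) -> None:
        if not self.is_cached(user):
            raise KeyError(f"user {user.id} is not cached")
        self._entries[user.id][key] = value

    def get_cached(self, user: UserModel, key: str) -> Optional[Any]:
        return self._entries.get(user.id, {}).get(key)

    def evict(self, user: UserModel) -> None:
        self._entries.pop(user.id, None)   # custom objects go away with the user


class HotpStorage:
    """Hypothetical storage provider whose HOTP counters change on every
    login; the counter is read and written through, never cached, so a
    login does not require evicting the cached user."""

    def __init__(self) -> None:
        self.counters: Dict[str, int] = {}

    def on_user_cache(self, realm: str, user: UserModel, cache: Dict[str, Any]) -> None:
        # Static metadata that does not fit UserModel is safe to cache ...
        cache["entry-dn"] = f"uid={user.username},ou=people"
        # ... but the HOTP counter is deliberately left out of `cache`.

    def consume_hotp(self, user: UserModel) -> int:
        self.counters[user.id] = self.counters.get(user.id, 0) + 1
        return self.counters[user.id]
```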
creating JPA user storage provider difficult
by Bill Burke
I wrote a JPA example for the new User Storage Provider SPI [1]. It
was very difficult to figure out how to wire in JPA. I'm going to take
a guess that very very few users have actually tried to implement a
JPA-based User Federation Provider. They would have run into a ton of
hurdles.
* Putting just a jar within the "providers/" directory is unusable. JPA
classes and other dependencies will not be visible.
* So, you have to craft a *CORRECT* module.xml file and know exactly
which dependencies to bring in. [2]
* javax.persistence.Persistence.createEntityManagerFactory() did not
work, so I had to call Hibernate APIs directly. Not only that, but
non-simple Hibernate APIs. [3]
* When configuring JPA I also had to know what classloader to use so
that persistence.xml was visible.
* Had to use JpaKeycloakTransaction to enlist EntityManager with
keycloak transactions. This means using EJBs is out of the question.
This is unacceptable. Keycloak is supposed to be simple and this is
extremely difficult. When Keycloak was an exploded WAR you could use
every Java EE component type as you could just plop your extensions
within META-INF/lib. Classloading was simple as it was all the same
classloader.
Going forward we need to write an actual deployer for Keycloak
extensions that allows you to define Keycloak providers within EE jars,
ears, etc. Writing an extension to Keycloak should be as easy as
writing a Java EE application. Extension developers should be able to
leverage the entire JBoss/Wildfly platform. Minimally, we also need to
begin and commit/rollback a UserTransaction within a Keycloak request
flow so that transactional EE and Spring component layers can function.
Finally, we should just remove the "providers/" directory as I don't
think it is very usable for actual extension writing. What I didn't try
was adding all jars needed (Hibernate etc.) within the providers
directory. Would that have worked?
[1] https://github.com/patriot1burke/keycloak/tree/master/examples/providers/...
[2] https://github.com/patriot1burke/keycloak/blob/master/examples/providers/...
[3] https://github.com/patriot1burke/keycloak/blob/master/examples/providers/...
8 years, 6 months
renaming transaction interfaces
by Bill Burke
I am also renaming KeycloakTransaction to
KeycloakTransactionSynchronization and KeycloakTransactionManager to
KeycloakTransaction.
8 years, 6 months