JTA issues
by Bill Burke
I hooked in JTA on my branch. When KeycloakSessionFactory.create() is
executed this happens:
* the code will check the JTA TransactionManager to see if a transaction
is currently active
* If there is an active transaction, it is suspended
(TransactionManager.suspend()). A new one is created and associated
with the thread (TransactionManager.begin())
* A wrapper for the JTA transaction is created and registered with the
KeycloakTransactionManager
* At transaction completion if there was a suspended JTA transaction it
is resumed.
There are some issues with this though. You have to modify the
KeycloakDS <datasource> declaration and put in a flag jta="false". If
you don't do this then you get errors at boot time with Liquibase. So,
that change to KeycloakDS is the actual issue here. Migrating apps will
have to set the jta flag before they will be able to run with the latest
keycloak version. We may be able to specify a warning at boot time.
Bill
8 years, 6 months
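The suspend/begin/resume sequence described above, as an added example that is not Bill's branch or Keycloak project code. It assumes the JTA `TransactionManager` API (`javax.transaction`, `jakarta.transaction` in newer containers) and a minimal, hypothetical `KeycloakTransaction` callback interface with begin/commit/rollback. The point worth seeing in code is the `finally`: the caller's suspended transaction must be resumed even when the commit of the inner one fails, otherwise the thread is left with no transaction and the caller's work is silently lost. The `jta="false"` datasource flag the post mentions is a container setting and is not shown here.

```java
import javax.transaction.Status;
import javax.transaction.Transaction;
import javax.transaction.TransactionManager;

/** Hypothetical minimal form of the Keycloak transaction callback (not the real interface). */
interface KeycloakTransaction {
    void begin();
    void commit();
    void rollback();
}

/** Wraps a JTA transaction and restores whatever transaction the caller had. */
public final class JtaTransactionWrapper implements KeycloakTransaction {
    private final TransactionManager tm;
    private Transaction suspended;  // the caller's transaction, if one was active on this thread

    public JtaTransactionWrapper(TransactionManager tm) {
        this.tm = tm;
    }

    @Override
    public void begin() {
        try {
            // tm.begin() throws NotSupportedException if a transaction is already
            // associated with the thread (JTA has no nesting), so step aside first.
            if (tm.getStatus() != Status.STATUS_NO_TRANSACTION) {
                suspended = tm.suspend();
            }
            tm.begin();
        } catch (Exception e) {
            throw new RuntimeException("could not begin JTA transaction", e);
        }
    }

    @Override
    public void commit() {
        finish(true);
    }

    @Override
    public void rollback() {
        finish(false);
    }

    private void finish(boolean commit) {
        try {
            try {
                // A transaction marked rollback-only cannot be committed; roll it back
                // explicitly instead of letting tm.commit() throw RollbackException.
                if (commit && tm.getStatus() != Status.STATUS_MARKED_ROLLBACK) {
                    tm.commit();
                } else {
                    tm.rollback();
                }
            } finally {
                // Always hand the thread back to the caller's transaction, even if
                // commit or rollback above threw.
                if (suspended != null) {
                    tm.resume(suspended);
                    suspended = null;
                }
            }
        } catch (Exception e) {
            throw new RuntimeException("could not complete JTA transaction", e);
        }
    }
}
```

The wrapper owns only the transaction it began; the outer one keeps its own status and is committed or rolled back by whoever started it.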
Brute force lock out and password reset error
by Joakim Löfgren
Hey,
I noticed that if you get your account temporarily locked due to the brute
force detection then you cannot reset your password until the temporary
locked has been lifted.
Is this behaviour intended ?
We've gotten a few users that become confused when they do not receive a
reset password email, and thus contact us asking for help.
Sincerely,
Joakim
8 years, 6 months
Handling X509 client certificates in integration test suite
by Peter Nalyvayko
Hello,
Can anyone suggest a way to set up the integration test suite to test mutual SSL? I'd like to configure the embedded keycloak server to request a client certificate, and be able to either automatically select a certificate or programmatically configure the outgoing HTTPS connection with one. Is this something that can be done using the selenium web browser automation?
Regards,
Peter
8 years, 6 months
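One way to do the second half of what is asked, programmatically attaching a client certificate to an outgoing HTTPS connection, as an added example that is not part of the post or of the Keycloak test suite. It uses only the JDK (`KeyStore`, `KeyManagerFactory`, `TrustManagerFactory`, `SSLContext`); the file paths, passwords and URL are taken from the command line and are assumptions. It deliberately keeps the default `HostnameVerifier` and a real truststore rather than a trust-everything `TrustManager`, which is the usual shortcut in test code and the usual way a test fixture leaks into production configuration.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added example: builds a mutual-TLS SSLContext from a client PKCS12 and a truststore. */
public final class MutualTlsClient {

    /**
     * @param clientP12  PKCS12 file holding the client's private key and certificate chain
     * @param clientPwd  password protecting the PKCS12 (also used as the key password)
     * @param trustStore JKS/PKCS12 file holding the CA that signed the server certificate
     * @param trustPwd   truststore password
     */
    public static SSLContext build(Path clientP12, char[] clientPwd,
                                   Path trustStore, char[] trustPwd) throws Exception {
        // Key material we present to the server.
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(clientP12)) {
            ks.load(in, clientPwd);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, clientPwd);

        // CAs we accept for the server; do NOT replace this with a permissive TrustManager.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            ts.load(in, trustPwd);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Usage: MutualTlsClient client.p12 p12pass truststore.jks trustpass https://host:8443/auth/ */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = build(Paths.get(args[0]), args[1].toCharArray(),
                               Paths.get(args[2]), args[3].toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[4]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Default HostnameVerifier is kept on purpose: the server name must match its certificate.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the server is configured to request (not require) a client certificate, a connection built without the `KeyManager` still succeeds at the TLS layer and only fails at the Keycloak X509 step, so a negative test should assert on the application response rather than on a handshake error.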
Fwd: Authenticated base on roles
by gambol
Hiya
Assuming you have a realm with x clients defined and each has an APP-USER
role. Is there a way to authenticate a user only if the user has the role
associated? ...
Obviously I can check the access token, or place a proxy in front
which does that for me, but is there a native way of saying ask for this
scope and if you don't have it you are denied
Best Regards ..
8 years, 6 months
How to set default value of a boolean ProviderConfigProperty to true
by Rashmi Singh
In my AuthenticatorFactory class, I have the following configuration added:
ProviderConfigProperty property;
property = new ProviderConfigProperty();
property.setName("propname");
property.setLabel("Property Name");
property.setDefaultValue(true);
property.setType(ProviderConfigProperty.BOOLEAN_TYPE);
configProperties.add(property); // the factory's List<ProviderConfigProperty>
I wanted to keep a default value as true and at first it seemed like the
following line would do it:
property.setDefaultValue(true);
But that does not seem to work. The default is still false. How can I set
the default to true?
8 years, 6 months
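An added example serving both this post and the "Fwd: Authenticated base on roles" question above; it is not code from either poster or from the Keycloak project. It is a custom Authenticator SPI implementation that declares a BOOLEAN `ProviderConfigProperty`, treats an absent or blank stored value as `true` on the server side (so the login behaviour does not depend on what the admin console happens to render as the default), and denies the login unless the user holds a named role on the client that started the flow. The class name, the config keys and the `APP-USER` default are hypothetical; the SPI calls (`Authenticator`, `AuthenticationFlowContext`, `AuthenticationFlowError.ACCESS_DENIED`, `ClientModel.getRole`, `UserModel.hasRole`) are assumed from Keycloak's public API, and `getAuthenticationSession()` is assumed to be the current accessor for the client (older releases exposed it through a client session instead).

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.AuthenticatorConfigModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.provider.ProviderConfigProperty;

/**
 * Added example, not Keycloak code. Denies the login unless the user holds a
 * client role on the client that started the flow. Class name, config keys
 * and the default role name are hypothetical.
 */
public class RoleGateAuthenticator implements Authenticator {
    static final String ENFORCE_KEY = "enforce-client-role";  // hypothetical BOOLEAN_TYPE property
    static final String ROLE_KEY = "required-client-role";    // hypothetical STRING_TYPE property
    static final String DEFAULT_ROLE = "APP-USER";

    /** Returned from the factory's getConfigProperties(); mirrors the property in the post. */
    static List<ProviderConfigProperty> configProperties() {
        List<ProviderConfigProperty> props = new ArrayList<>();

        ProviderConfigProperty enforce = new ProviderConfigProperty();
        enforce.setName(ENFORCE_KEY);
        enforce.setLabel("Enforce client role");
        enforce.setType(ProviderConfigProperty.BOOLEAN_TYPE);
        enforce.setDefaultValue(true); // console hint only; enforce() below supplies the real default
        props.add(enforce);

        ProviderConfigProperty role = new ProviderConfigProperty();
        role.setName(ROLE_KEY);
        role.setLabel("Required client role");
        role.setType(ProviderConfigProperty.STRING_TYPE);
        role.setDefaultValue(DEFAULT_ROLE);
        props.add(role);
        return props;
    }

    /** Stored config values are strings: absent or blank means true, only an explicit "false" disables. */
    static boolean enforce(Map<String, String> cfg) {
        String v = cfg == null ? null : cfg.get(ENFORCE_KEY);
        if (v == null || v.trim().isEmpty()) {
            return true;
        }
        return !"false".equalsIgnoreCase(v.trim());
    }

    static String requiredRole(Map<String, String> cfg) {
        String v = cfg == null ? null : cfg.get(ROLE_KEY);
        return (v == null || v.trim().isEmpty()) ? DEFAULT_ROLE : v.trim();
    }

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        AuthenticatorConfigModel model = context.getAuthenticatorConfig(); // null if the execution has no config
        Map<String, String> cfg = model == null ? null : model.getConfig();
        if (!enforce(cfg)) {
            context.success();
            return;
        }
        // Assumed accessor for the client that started the flow.
        ClientModel client = context.getAuthenticationSession().getClient();
        RoleModel role = client.getRole(requiredRole(cfg)); // null if the client defines no such role
        UserModel user = context.getUser();                 // set because requiresUser() is true
        if (role == null || user == null || !user.hasRole(role)) {
            // Fail closed: a client without the role defined denies everyone, rather than letting everyone in.
            context.failure(AuthenticationFlowError.ACCESS_DENIED);
            return;
        }
        context.success();
    }

    @Override public void action(AuthenticationFlowContext context) { }
    @Override public boolean requiresUser() { return true; }
    @Override public boolean configuredFor(KeycloakSession session, RealmModel realm, UserModel user) { return true; }
    @Override public void setRequiredActions(KeycloakSession session, RealmModel realm, UserModel user) { }
    @Override public void close() { }
}
```

The execution has to sit after the credential step in the flow (so `getUser()` is populated) and be marked REQUIRED; a check done this way denies before any token is issued, which is what the proxy-in-front approach cannot do.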
changes to KeycloakTransaction and KeycloakTransactionManager API
by Bill Burke
I want to simplify the KeycloakTransaction interface a bit and remove
getRollbackOnly, setRollbackOnly, and isActive and only have them within
KeycloakTransactionManager. I may have to refactor existing components
to handle this. See any issues? All this is the continuous process of
simplifying our SPIs to make them easier to implement.
Bill
8 years, 6 months
Read-only attributes for UserFederation providers
by Bruno Oliveira
Good morning,
I was working on this issue[1] this week and thinking about how
to tell our interface that the federation provider has read-only
attributes.
For example, today for the LDAPFederationProvider[2], we
provide server side validations telling our user that they cannot edit
those attributes. But still, input fields are editable and the user
will only know after hitting the submit button.
Not sure if it makes sense, but maybe if we provide a method
on UserFederation like:
boolean isReadOnly(); //defaults to false or override it and return true
And later expose it to the interface, we could set the
text field properties to read-only.
Does it make any sense?
[1] - https://issues.jboss.org/browse/KEYCLOAK-3060
[2] - https://github.com/keycloak/keycloak/blob/c7a8742a368bd8d76301145b08bb1e4...
--
abstractj
PGP: 0x84DC9914
8 years, 6 months
Readonly UserModel
by Bruno Oliveira
Ahoy, after exploring some ideas I implemented the initial draft[1] for KEYCLOAK-3060[2]. Before submitting any changes, I would like some feedback.
- Motivation
Disable input fields when read-only federation providers like SSSD or LDAP (read-only mode) are enabled.
Another alternative would be just hide sections which people are not supposed to edit. For example: account, OTP and password section.
To be honest, I'm 50/50 about it, because hiding sections could be confusing to users.
- Pros
* Users won't get frustrated trying to update their profile, to later find out that's not possible.
* Input fields will truly represent what our user is, in other words, read-only
- Cons
* UserModel from my perspective is the only possible place to introduce this change[3] (I can be wrong). The drawback is that the change will affect all the implementing classes.
- Options
1. If you are fine with the changes here[1], I could do some clean up, write the proper integration tests and work to get it merged.
2. Do nothing and leave it as is.
Thoughts?
[1] - https://github.com/abstractj/keycloak/tree/KEYCLOAK-3060
[2] - https://issues.jboss.org/browse/KEYCLOAK-3060
[3] - https://github.com/abstractj/keycloak/blob/af30b4da101fd7f7775e74b93c6da2...
--
abstractj
PGP: 0x84DC9914
8 years, 6 months