Realm key rotation support
by Stian Thorgersen
To be able to gracefully rotate the realm keys periodically a realm needs
to have more than one keypair. One keypair that is active and will be used
to issue new cookies and tokens. Also, one or more keypairs that are
inactive that can be used to verify old cookies and tokens.
I'm going to start work on this soon, but here's some initial thoughts:
* Realm keys will have a list of keypairs rather than just one. Only one
can be active. There will also be an expiration time on the inactive
keypairs. Once expired, an inactive keypair is no longer usable.
* There will also be an option to automatically generate a new key every N
days.
* If a session cookie is signed with an inactive pair the cookie will be
refreshed so it's signed with the active keypair.
* Token introspect endpoint will allow any token that is signed with any
keypair that is not expired.
* If a refresh token is signed with an inactive pair the new tokens
(including refresh token) will be signed with the active keypair.
* Secret used to generate client code will be linked to the keypair. I'll
need a way to specify what secret it was signed with so codes are still
valid even if they were signed with an old one.
This is only for the login cookie and the OIDC protocol. Is it even necessary to
have support for multiple certificates for SAML? SAML doesn't have token
introspection or refresh of the assertions, right? So I'm not sure it's needed.
With regards to the applications. Marek has already added support for
clients to fetch new keypairs for the realm. See his email on keycloak-dev
for details around that.
8 years, 3 months
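The active/inactive keypair model sketched in the proposal above, as an added example that is not Keycloak code and not part of the original post: RealmKeys, rotate(), sign(), verify(), introspect() and refresh() are names assumed for this sketch, HMAC secrets stand in for RSA keypairs so it runs with the Python standard library alone, and the grace period plays the role of the expiration time on inactive keypairs. The clock is injected so a rotation and an expiry can be walked through without waiting.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class KeyPair:
    kid: str
    secret: bytes                 # HMAC secret standing in for a private/public keypair (assumption)
    active: bool
    expires_at: Optional[float]   # set when the key is demoted; the active key never expires


class RealmKeys:
    """One active key that signs, plus inactive keys that only verify until they expire."""

    def __init__(self, clock: Callable[[], float], grace_seconds: float):
        self.clock = clock              # injectable so rotation can be exercised offline
        self.grace = grace_seconds      # how long a demoted key keeps verifying
        self.keys: dict[str, KeyPair] = {}
        self.active_kid: Optional[str] = None
        self.rotate()

    def rotate(self) -> str:
        """Generate a fresh active key; the previous one becomes inactive with an expiry."""
        if self.active_kid is not None:
            old = self.keys[self.active_kid]
            old.active = False
            old.expires_at = self.clock() + self.grace
        kid = secrets.token_hex(4)
        self.keys[kid] = KeyPair(kid, secrets.token_bytes(32), True, None)
        self.active_kid = kid
        return kid

    def lookup(self, kid: str) -> Optional[KeyPair]:
        """A key may verify if it is active, or inactive and not yet expired."""
        key = self.keys.get(kid)
        if key is None:
            return None
        if not key.active and key.expires_at <= self.clock():
            return None
        return key

    def sign(self, claims: dict) -> str:
        """Issue a compact HS256-style token under the active key, carrying that key's kid."""
        key = self.keys[self.active_kid]
        header = _b64(json.dumps({"alg": "HS256", "kid": key.kid}).encode())
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64(sig)}"

    def verify(self, token: str) -> Optional[tuple[dict, str]]:
        """Return (claims, kid) if the token was signed by a still-usable key, else None."""
        try:
            header, payload, sig = token.split(".")
            kid = json.loads(_unb64(header))["kid"]
            sig_bytes = _unb64(sig)
        except (ValueError, KeyError, TypeError):
            return None
        key = self.lookup(kid)
        if key is None:
            return None   # unknown kid, or an inactive key past its expiry
        expected = hmac.new(key.secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig_bytes):
            return None
        return json.loads(_unb64(payload)), kid

    def introspect(self, token: str) -> bool:
        """Introspection accepts a token signed by any key that has not expired."""
        return self.verify(token) is not None

    def refresh(self, token: str) -> Optional[str]:
        """Re-issue a token under the active key when it was signed by an inactive one."""
        result = self.verify(token)
        if result is None:
            return None
        claims, kid = result
        return token if kid == self.active_kid else self.sign(claims)
```

The same lookup rule serves the session cookie case: a cookie whose kid resolves to an inactive but unexpired key is accepted once and re-issued under the active key, and after the grace period it is simply rejected.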
Register custom JAX-RS Providers
by Martin Hardselius
Hi,
What about executing
ResteasyProviderFactory.pushContext(KeycloakApplication.class, this);
before the KeycloakSessionFactory is created? It would be sweet to be able
to install, e.g, custom container filters.
I realise that it might not be the best idea to solve it, since the
Application class might only be partially constructed when #getSingletons
or #getClasses is called, but I think it's useful for plugging in extra
monitoring or whatever.
Maybe an SPI with access to the singletons and classes sets?
8 years, 3 months
Richer error message on login failure - user locked
by Dumitru Sbenghe
Hi,
We are using Keycloak against an LDAP backend which is set up to lock the
user on too many password failures. We want to display a nicer error
message to the user when they are locked rather than "Invalid username or
password.".
I looked at a related jira issue -
https://issues.jboss.org/browse/KEYCLOAK-1744, but from my analysis of the
code it seems the suggestion in the jira issue for richer error message was
not implemented and that there isn't any way for the moment to provide
a richer error message following a login failure. Am I missing something, or
is it currently not possible?
Thanks,
Dumitru
8 years, 3 months
java.sql.SQLException: IJ031017: You cannot set autocommit during a managed transaction
by Dmitry Telegin
Hi,
In my custom RealmResourceProviderFactory, I do roughly the following:
@Override
public void postInit(KeycloakSessionFactory factory) {
    KeycloakModelUtils.runJobInTransaction(factory, (KeycloakSession session) -> {
        List<RealmModel> realms = session.realms().getRealms();
        ...
    });
}
Full code here: https://github.com/dteleguin/custom-admin-roles
Everything worked fine with 2.1.x, but after upgrading to 2.2.x startup
fails in roughly 50% of cases:
Caused by: java.sql.SQLException: IJ031017: You cannot set autocommit during a managed transaction
    at org.jboss.jca.adapters.jdbc.BaseWrapperManagedConnection.setJdbcAutoCommit(BaseWrapperManagedConnection.java:994)
    at org.jboss.jca.adapters.jdbc.WrappedConnection.setAutoCommit(WrappedConnection.java:787)
    at org.hibernate.resource.jdbc.internal.AbstractLogicalConnectionImplementor.begin(AbstractLogicalConnectionImplementor.java:67)
    at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.begin(LogicalConnectionManagedImpl.java:238)
    at org.hibernate.resource.transaction.backend.jdbc.internal.JdbcResourceLocalTransactionCoordinatorImpl$TransactionDriverControlImpl.begin(JdbcResourceLocalTransactionCoordinatorImpl.java:214)
    at org.hibernate.engine.transaction.internal.TransactionImpl.begin(TransactionImpl.java:52)
    at org.hibernate.internal.SessionImpl.beginTransaction(SessionImpl.java:1512)
    at org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:45)
Full stacktrace here: http://pastebin.com/ETtPqXQk
In the other half of cases, everything goes fine just like before, so
it's a kind of heisenbug. Any ideas? Could it be some concurrency issue
when my code is executed in parallel with some other DB-related code?
Could it be JTA related?
Dmitry
8 years, 3 months
Running KeyCloak in cluster mode
by Muein Muzamil
Hi all,
I am trying to run KeyCloak in cluster mode with docker containers using
standalone-ha.xml, but for me the containers are not joining the same infinispan
cluster.
I tried to follow the following blog entry, but I'm not sure it is still valid.
http://blog.keycloak.org/2015/04/running-keycloak-cluster-with-docker.html
I was trying to follow this to run multiple docker containers in a cluster
with the latest images. But when I ran the second keycloak container, I didn't
see this container joining the first cluster. I was seeing this in the log
for the second container.
12:31:56,385 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [saskeycloak-fbtit|0] (1) [saskeycloak-fbtit]
To get it working I had to update the private interface in standalone-ha.xml to
use the docker container's IP.
<interface name="private">
    <!--<inet-address value="${jboss.bind.address.private:127.0.0.1}"/>-->
    <inet-address value="172.17.0.3" />
</interface>
Is that really needed or do we have a better way to get it working?
Regards,
Muein
8 years, 3 months
Accessing SAML Request attributes in Authenticators
by Muein Muzamil
Hi all,
We are trying to integrate with an SP which sends Subject/NameID in the
SAML Request (copying an example below). I have a couple of questions in this
regard.
1. In our custom authenticator, we want to access this NameID and want
to pre-fill the username field based on it. Can you please guide me on how I
can do that?
2. Secondly, I am currently using the KeyCloak JBoss Adapter for my sample
SP; does the SAML Adapter support sending a NameID in the SAML request?
<samlp:AuthnRequest Destination="https://idp.com/idp/profile/SAML2/Redirect/SSO"
    Version="2.0" IssueInstant="2016-02-24T15:45:55.325Z"
    ID="ID112bf5b0e4169930b663f2d89e62c521fc2f1b8133598fa2ff"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://pingone.com/xxx/640d3755-e080-4a87-8f7f-91795e78c08d</saml:Issuer>
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe(a)mysecureauthentication.com</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>
Regards,
Muein
8 years, 3 months
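Extracting the Subject/NameID from an AuthnRequest like the one quoted above, as an added example that is not Keycloak's authenticator API and not part of the original post: it uses the Python standard library's ElementTree with explicit namespaces, the function names requested_name_id() and prefill_username() are assumptions for this sketch, and SAMPLE_REQUEST is a constructed document modelled on the quoted request with placeholder hosts and ID. The value is treated only as a form hint supplied by the SP, never as an authenticated identity, and opaque NameID formats (persistent, transient) are not shown in the username field.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample modelled on the request quoted in the post; hosts and ID are placeholders.
SAMPLE_REQUEST = """<samlp:AuthnRequest Destination="https://idp.example/idp/profile/SAML2/Redirect/SSO"
    Version="2.0" IssueInstant="2016-02-24T15:45:55.325Z" ID="ID-constructed-example"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://sp.example/saml/metadata</saml:Issuer>
  <saml:Subject xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
      jdoe@example.com</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""


def requested_name_id(authn_request_xml: str) -> Optional[tuple[str, str]]:
    """Return (value, format) of samlp:AuthnRequest/saml:Subject/saml:NameID, or None.

    None covers unparsable input, a document that is not an AuthnRequest, a missing
    Subject or NameID, and an empty NameID; the login form then starts blank.
    """
    try:
        root = ET.fromstring(authn_request_xml)
    except ET.ParseError:
        return None
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        return None
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None:
        return None
    value = (name_id.text or "").strip()
    if not value:
        return None
    # SAML treats an absent Format attribute as "unspecified"
    return value, name_id.get("Format", UNSPECIFIED)


def prefill_username(authn_request_xml: str, allowed_formats=(UNSPECIFIED, EMAIL)) -> str:
    """Username hint for the login form, or '' when the request carries none we can use.

    The hint is untrusted SP input: it only pre-fills a field, it never identifies the user.
    """
    found = requested_name_id(authn_request_xml)
    if found is None:
        return ""
    value, fmt = found
    # persistent/transient NameIDs are opaque handles, not something a user would type in
    if fmt not in allowed_formats:
        return ""
    # keep the hint single-line and bounded before it reaches a form field
    return value.splitlines()[0][:254]
```

In an authenticator the request XML would come from the decoded AuthnRequest held in the authentication session; the lookup above is unchanged whichever way the document is obtained.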
Reg impersonation
by Kamal Jagadevan
Hello Keycloak Team,
Is there a way to use the impersonation feature to view/log into applications (protected by Keycloak) instead of viewing the impersonated user's User Account Management page? If not, is there a plan in the road map to support them in future?
Best,
Kamal
8 years, 3 months
migrate-json
by Vlasta Ramik
Hi all,
I've tried a migration of keycloak-server.json to keycloak-server
subsystem following [1].
I had to remove the default content of keycloak-server subsystem to make
it work.
<subsystem xmlns="urn:jboss:domain:keycloak-server:1.1">
<web-context>auth</web-context>
</subsystem>
When I left the content unchanged I got
[standalone@embedded /] /subsystem=keycloak-server/:migrate-json
{
"outcome" => "failed",
"failure-description" => "WFLYCTL0212: Duplicate resource [
(\"subsystem\" => \"keycloak-server\"),
(\"theme\" => \"defaults\")
]",
"rolled-back" => true
}
The question is whether it is a required step. If so, it should be added to the
docs [1]; if not, I'll create a jira.
Vlasta
[1]
https://keycloak.gitbooks.io/server-adminstration-guide/content/v/2.2/top...
8 years, 3 months
(no subject)
by Returned mail
The original message was received at Wed, 21 Sep 2016 16:51:41 +0530
from lists.jboss.org [109.176.2.179]
----- The following addresses had permanent fatal errors -----
keycloak-dev(a)lists.jboss.org
----- Transcript of session follows -----
... while talking to 215.76.14.53:
554 5.0.0 Service unavailable; [193.101.159.36] blocked using bl.spamcop.net
Session aborted, reason: lost connection
8 years, 3 months
Spurious logouts in AdminConsole with 2.2.0.Final (current master)
by Thomas Darimont
Hello group,
since I upgraded our Keycloak instance to 2.2.0.Final I see spurious
logouts from the admin-console while browsing the UI and editing stuff...
I experience the same with the current master.
I couldn't yet narrow it down, but having to login every ~5 mins is really
unpleasant. I also got logged out within 30sec after login when I wanted to add a new
protocol mapper to a client.
Has anyone experienced the same?
Cheers,
Thomas
8 years, 3 months