Keycloak 2.2.0.CR1 Released
by Stian Thorgersen
Keycloak 2.2.0.CR1 has just been released. The final release will follow
next week if no major issues are reported. A few highlights of this release:
- *OpenID Connect certification* - We've continued to work on our OpenID
Connect implementation and we're now passing the basic, implicit, hybrid
and config profiles. We'll get the dynamic profile sorted in the 2.3
release.
- *Server config moved to standalone/domain.xml* - In the past some
server configuration was done in keycloak-server.json and some in
standalone/domain.xml. We've now moved all config to standalone/domain.xml
and keycloak-server.json is now deprecated. This brings the option to use
jboss-cli including offline scripts to automate configuration.
- *Manual DB migration* - We've had automatic migration of the database
for a long time, but we now have an option to have Keycloak write a SQL
migration file instead of applying the changes directly.
- *Fuse adapter download* - There is now a Fuse adapter download that
makes it possible to install Keycloak support in Fuse without access to
external Maven repository.
- *Hot deployment of providers* - It's now possible to hot deploy custom
providers from within a JEE deployment. We've not had the chance to write
documentation around this yet and it could do with a bit more testing so
consider it a preview feature. Take a look at the user-storage-jpa provider
example though, it's great stuff!
- *Identity Provider Authenticator* - In the past redirecting to
identity providers was hardcoded in the Keycloak code, we've now refactored
this into a new authenticator.
- *Norwegian, Japanese and Lithuanian translations* - Keycloak now comes
with 11 translations. 10 of them are contributed and maintained by our
excellent community.
For the full list of issues resolved check out JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
and
to download the release go to the Keycloak homepage
<http://blog.keycloak.org/www.keycloak.org/downloads>.
8 years, 3 months
Re: [keycloak-dev] Class is not visible from class loader exception
by Scott Rossillo
Happy to help and glad it worked! Adding the group back in case this would help someone else searching the list.
Best,
Scott
Scott Rossillo
Smartling | Senior Software Engineer
srossillo(a)smartling.com
> On Sep 6, 2016, at 8:42 PM, Crafton Williams <crafton.williams(a)qut.edu.au> wrote:
>
> Hi Scott, this works perfectly! Thanks for your response.
> From: Scott Rossillo <srossillo(a)smartling.com>
> Sent: 07 September 2016 10:32:30
> To: Crafton Williams; keycloak-dev(a)lists.jboss.org
> Subject: Re: [keycloak-dev] Class is not visible from class loader exception
>
> We had to specify the class loader of the interface we wanted to make into a client.
>
> Take a look at this code:
> github.com/Smartling/keycloak-user-migration-provider/blob/master/user-mi... <http://github.com/Smartling/keycloak-user-migration-provider/blob/master/...>
> On Tue, Sep 6, 2016 at 7:45 PM Crafton Williams <crafton.williams(a)qut.edu.au <mailto:crafton.williams@qut.edu.au>> wrote:
> Hi all:
>
> I'm in the process of developing a web service-based User Federation SPI. I've gone through the properties SPI example and had a look at the ldap and kerberos SPIs. They seem pretty straightforward and at first glance I think I've implemented things properly. For my service requests, I'm using the Resteasy client through the proxy interface with a few simple calls to test things out. When I package and deploy, Keycloak doesn't seem to complain, however when I search for a user, I get the following trace:
> 09:20:20,956 ERROR [io.undertow.request] (default task-15) UT005023: Exception handling request to /auth/admin/realms/master/users: org.jboss.resteasy.spi.UnhandledException: java.lang.IllegalArgumentException: interface org.keycloak.federation.ws.client.WsServiceClient is not visible from class loader
> at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
> at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
> at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
> at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
> at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
> at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
> at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
> at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
> at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
> at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
> at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
> at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
> at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
> at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
> at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
> at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
> at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
> at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
> at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
> at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
> at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
> at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
> at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
> at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
> at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
> at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
> at java.lang.Thread.run(Thread.java:745)
>
> Some details about my environment:
> Keycloak version: 2.1.0.Final, running in standalone mode
> Java version: 1.8.0_101
>
> Project structure:
> org.keycloak.federation.ws
> -client
> --WsServiceClient.java
> -ServiceModel.java
> -WsFederationProvider.java
> -WsFederationProviderFactory.java
>
> -resources
> --META-INF.services
> ---org.keycloak.models.UserFederationProviderFactory
>
>
> My getInstance for the factory class looks like this:
> @Override
> public WsFederationProvider getInstance(KeycloakSession session, UserFederationProviderModel model) {
> ResteasyClient client = new ResteasyClientBuilder().build();
> ResteasyWebTarget target = client.target(BASE_URL);
> WsClientService serviceClient = target.proxy(WsClientService.class);
>
> return new WsFederationProvider(session, model, serviceClient);
> }
> All dependencies in my POM are 'provided', so I've already ensured that the libraries aren't duplicated.
>
> Based on my research so far, this seems to be the preferred way to instantiate the RestClient to ensure the classloader picks it up on boot, however I'm still getting the exception. Can anybody provide any clues?
>
>
>
> Regards,
>
> Crafton
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/keycloak-dev <https://lists.jboss.org/mailman/listinfo/keycloak-dev>
8 years, 3 months
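Scott's reply says the fix was to specify the class loader of the interface being proxied. The following is an added example, not code from the thread or from the Smartling repository it links to: it builds the RESTEasy proxy the way Crafton's getInstance does, but pins the proxy to the interface's own class loader via RESTEasy's ProxyBuilder. The WsServiceClient interface shape, the base URL and the resource paths are assumptions.

```java
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.jboss.resteasy.client.jaxrs.ResteasyWebTarget;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

// Added example: building a RESTEasy client proxy inside a Keycloak provider
// while pinning the proxy's class loader to the one that loaded the interface.
public class WsClientFactory {

    // Hypothetical remote user-lookup interface; the thread does not show the
    // real WsServiceClient, so this shape is an assumption.
    @Path("/users")
    public interface WsServiceClient {
        @GET
        @Path("/{username}")
        @Produces(MediaType.APPLICATION_JSON)
        String findByUsername(@PathParam("username") String username);
    }

    private final String baseUrl;

    public WsClientFactory(String baseUrl) {
        this.baseUrl = baseUrl;
    }

    public WsServiceClient create() {
        ResteasyClient client = new ResteasyClientBuilder().build();
        ResteasyWebTarget target = client.target(baseUrl);
        // In WildFly the thread context class loader at this point may belong to
        // the RESTEasy module rather than to the deployment that contains the
        // interface, so java.lang.reflect.Proxy cannot see it and reports
        // "interface ... is not visible from class loader". Passing the
        // interface's own loader removes that dependency on the context loader.
        return target.proxyBuilder(WsServiceClient.class)
                     .classloader(WsServiceClient.class.getClassLoader())
                     .build();
    }

    public static void main(String[] args) {
        // Constructed sample endpoint; nothing is contacted until a method is invoked.
        WsServiceClient svc = new WsClientFactory("http://federation.example.test/api").create();
        System.out.println("proxy class loader: " + svc.getClass().getClassLoader());
    }
}
```

The point of the explicit class loader is only visibility: the proxy still runs with the deployment's permissions, and the service's base URL should come from the provider configuration rather than a hard-coded constant so that it can be reviewed alongside the rest of the realm setup.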
Fwd: Adding Shibboleth IdP to KeyCloak
by sai prashanth
Hi,
I am trying to add Shibboleth IdP to KeyCloak, but couldn't find any
resource on how this could be done.
I tried adding a new Identity Provider through KeyCloak admin console with
following steps.
1. Login into KeyCloak's admin console.
2. Selecting required realm.
3. Selecting "SAML v2.0" from "Add Providers" dropdown in the "Identity
providers" tab.
4. In create-Identity-Provider window, I used "Import External IDP
configuration" by providing URL ( https://<hostname>/idp/shibboleth ) in
"Import from URL" field.
But this didn't work. I shall be grateful if someone could provide some
resources on how this can be achieved and guide me.
Thanks,
Regards,
Prashanth
8 years, 3 months
jta, emf, db migration
by Bill Burke
Currently there are some issues with master since I added JTA
transactions to the mix
* KeycloakDS datasource config now requires jta=false. This breaks
backward compatibility and has migration issues. This was done because
both RESOURCE_LOCAL EntityManagers and Liquibase (using raw JDBC) cannot
function within a JTA transaction.
* Our EntityManager implementation is not controlled by JTA. This is not
great as the db connection cannot be involved with XA, especially if
another external transaction resource is involved when doing events
and/or user federation.
To do this I had to do some things that may be a little weird.
* Entity Manager is now JTA managed if JTA exists in the environment
keycloak is running in. The side effect of this is that all
interactions with the EntityManager need to happen within a JTA
transaction (or you get an exception).
* jta=false is reverted in server distribution
* All DBLock and Liquibase operations now suspend any existing JTA
transaction before executing. You cannot call commit/rollback on a JDBC
connection if you are getting a connection from a JTA aware db
connection pool and there is a JTA connection active. DBLock calls a
rollback() for some reason...if running in JTA, this marks the
connection as rolled back and you can't use the connection after that.
So basically for DBLock and Liquibase there's a lot of issues with
running inside a JTA transaction.
Honestly, this code can and should be refactored into different
providers (i.e. a DBMigrationProvider), but I've got so many other
things I need to refactor right now I'm going to put this on the back
burner.
Bill
8 years, 3 months
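The post above describes suspending any active JTA transaction before DBLock and Liquibase touch a connection, because commit()/rollback() on a JDBC connection enlisted in a JTA transaction either fails or poisons the connection. The following is an added example of that suspend/run/resume pattern using the standard javax.transaction.TransactionManager API; it is not Keycloak's DBLock or migration code, and the lock table name is a constructed placeholder.

```java
import java.sql.Connection;
import java.sql.SQLException;
import java.sql.Statement;
import javax.sql.DataSource;
import javax.transaction.Transaction;
import javax.transaction.TransactionManager;

// Added example, not Keycloak's own code: run raw JDBC work (a Liquibase-style
// migration step, an advisory lock) outside whatever JTA transaction the
// caller is in, then hand that transaction back to the caller afterwards.
public class JtaSuspendingJdbcRunner {

    @FunctionalInterface
    public interface JdbcWork {
        void run(Connection connection) throws SQLException;
    }

    private final TransactionManager tm;   // null when the environment has no JTA
    private final DataSource dataSource;   // e.g. the JTA-aware KeycloakDS pool

    public JtaSuspendingJdbcRunner(TransactionManager tm, DataSource dataSource) {
        this.tm = tm;
        this.dataSource = dataSource;
    }

    public void runOutsideJta(JdbcWork work) throws Exception {
        // suspend() returns null when the caller is not inside a transaction.
        Transaction suspended = (tm != null) ? tm.suspend() : null;
        try (Connection c = dataSource.getConnection()) {
            // With no JTA transaction to enlist in, the pool hands out a plain
            // RESOURCE_LOCAL-style connection, so commit()/rollback() are legal.
            boolean previousAutoCommit = c.getAutoCommit();
            c.setAutoCommit(false);
            try {
                work.run(c);
                c.commit();
            } catch (SQLException e) {
                c.rollback();
                throw e;
            } finally {
                c.setAutoCommit(previousAutoCommit);
            }
        } finally {
            // Always restore the caller's transaction, even if the JDBC work failed,
            // otherwise the caller's later EntityManager calls would run with no
            // active transaction and fail.
            if (suspended != null) {
                tm.resume(suspended);
            }
        }
    }

    // Example use: take an application-level lock row with plain JDBC.
    // MIGRATION_LOCK is a constructed placeholder table.
    public void acquireMigrationLock() throws Exception {
        runOutsideJta(c -> {
            try (Statement s = c.createStatement()) {
                s.executeUpdate("UPDATE MIGRATION_LOCK SET LOCKED = 1 WHERE ID = 1 AND LOCKED = 0");
            }
        });
    }
}
```

Suspending rather than committing the caller's transaction keeps the migration's own commit independent of the surrounding unit of work, which is what lets the same code run both with jta=false and under a JTA-managed EntityManager.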
Edit value contained in NameID field of SAML response
by Rashmi Singh
I have a keycloak app that calls an external TokenValidator for
authentication. This TokenValidator returns a SP specific username value. I
want my SAML response to contain this value in the NameID field. My
question is how do I edit the SAML response to change the value in NameID
field to this value?
Any insight into how to edit the NameID field in the SAML response?
8 years, 3 months
Rate Limiting Logins
by Cory Snyder
Hey guys,
We ran into an issue recently where a customer didn’t have a great understanding of the OAuth2 authorization process and was submitting many direct grant login requests per second. They were successfully authenticating each time, so the brute force protection features don’t apply. It basically ended up being a DOS issue. We also ended up having OOM issues when trying to query the events for this customer during a scheduled job that we use to build reports on login events. We’re still running 1.8.2 at the moment, so I’m wondering if you guys have implemented any kind of rate limiting / DOS prevention that could have prevented this in one of the later releases? If not, I'm proposing that it might be worth considering, I could try to contribute something if you like. What do you guys think?
Thanks,
Cory Snyder
8 years, 3 months
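Cory's post describes a client that authenticated successfully many times per second, so the failure-based brute-force protection never engaged and the effect was a denial of service plus an oversized events table. The following is an added example, not Keycloak code: a per-key token bucket that bounds the rate of direct-grant logins whether or not they succeed. Keying on client id plus source address, and returning HTTP 429 on rejection, are assumptions about how it would be wired in.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.LongSupplier;

// Added example, not Keycloak's own code: a token bucket per key that throttles
// login attempts independently of their outcome.
public class DirectGrantRateLimiter {

    private static final class Bucket {
        double tokens;
        long lastRefillMillis;

        Bucket(double tokens, long now) {
            this.tokens = tokens;
            this.lastRefillMillis = now;
        }
    }

    private final double capacity;          // burst allowed before throttling starts
    private final double refillPerSecond;   // sustained logins per second per key
    private final LongSupplier clockMillis; // injectable time source
    private final Map<String, Bucket> buckets = new ConcurrentHashMap<>();

    public DirectGrantRateLimiter(double capacity, double refillPerSecond, LongSupplier clockMillis) {
        this.capacity = capacity;
        this.refillPerSecond = refillPerSecond;
        this.clockMillis = clockMillis;
    }

    // Returns true when the attempt for this key may proceed, false when the
    // caller should reject it (for example with HTTP 429) before hitting the
    // password check and the event store.
    public boolean tryAcquire(String key) {
        long now = clockMillis.getAsLong();
        Bucket b = buckets.computeIfAbsent(key, k -> new Bucket(capacity, now));
        synchronized (b) {
            double elapsedSeconds = (now - b.lastRefillMillis) / 1000.0;
            b.tokens = Math.min(capacity, b.tokens + elapsedSeconds * refillPerSecond);
            b.lastRefillMillis = now;
            if (b.tokens >= 1.0) {
                b.tokens -= 1.0;
                return true;
            }
            return false;
        }
    }

    public static void main(String[] args) {
        long[] fakeNow = {0L}; // constructed clock so the run is deterministic
        DirectGrantRateLimiter limiter = new DirectGrantRateLimiter(5, 1.0, () -> fakeNow[0]);
        String key = "client=reporting-app;ip=198.51.100.7"; // constructed sample key

        int allowed = 0;
        for (int i = 0; i < 20; i++) {
            if (limiter.tryAcquire(key)) allowed++;
        }
        System.out.println("burst of 20 attempts in the same millisecond: allowed=" + allowed);

        fakeNow[0] += 3000; // three seconds later, three tokens have refilled
        allowed = 0;
        for (int i = 0; i < 20; i++) {
            if (limiter.tryAcquire(key)) allowed++;
        }
        System.out.println("20 more attempts after 3 s: allowed=" + allowed);
    }
}
```

Rejecting before the credential check also keeps the rejected attempts out of the login-event stream, which addresses the second half of the report: the scheduled job that ran out of memory querying events for one customer.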