"mvn install" fails on a fresh clone of Keycloak
by carl-kristian.eriksen@telia.no
The build works fine without the tests: mvn install -Dmaven.test.skip=true
But when running with the tests: mvn install
I get the following errors:
Failed tests:
JaxrsFilterTest.testCors:285 expected:<200> but was:<403>
JaxrsFilterTest.testRelativeUriAndPublicKey:171 expected:<500> but was:<401>
Tests in error:
JaxrsBasicAuthTest.testBasic:140 » ClientError HTTP 403 Forbidden
JaxrsFilterTest.testBasic:140 » ClientError HTTP 403 Forbidden
JaxrsFilterTest.testResourceRoleMappings:235 » ClientError HTTP 403 Forbidden
Tests run: 462, Failures: 2, Errors: 3, Skipped: 35
According to https://github.com/keycloak/keycloak/ this is supposed to work.
Am I missing something here?
Carl Kristian Eriksen
6 years, 6 months
Single-use cache for OAuth code, Code changed to be JWE
by Marek Posolda
I've sent PR https://github.com/keycloak/keycloak/pull/4512, which
implements first part of
https://docs.google.com/document/d/1C1vFhyGPBOnN3pprw6XPZnK08azyTm-HVIqO9...
Some details:
- Partially implemented support for JWE, so we can use encrypted JWT.
- OAuth code is changed to be JWT. It's encrypted and
integrity-protected with AES128-CBC-HMAC-SHA256 algorithm. Code is
encrypted with realm AES key (new symmetric key generated by default for
every realm similar to HMAC key) and signed with HMAC key.
- I've added support for AES keys, so we now have RSA, HMAC and AES keys.
- Code JWT doesn't yet contain much at this moment. There is just unique
ID, userSession ID, client UUID and expiration (60 seconds). Next step
is to add more into it, especially notes as mentioned in the docs.
- Single-use cache is used to track which codes were already used. For
now, it's reusing the existing "actionTokens" infinispan cache. It's using
"putIfAbsent" to add codes into the cache, hence now we are sure that
the particular code is really used just once. The previous approach with
the note on userSession didn't allow this. I've added a new testcase to
ConcurrentLoginTest to check that the code is used just once. It's passing
for cross-dc as well, however we may allow people to save some
performance with the small possibility that the same code will pass on both
datacenters.
- Now we also pass the scenario when SSO login with the same client is
opened in 2 browser tabs concurrently. I also added a test to
ConcurrentLoginTest and it's passing for cross-dc too. Previously this
scenario might not work correctly as the "code" in the clientSession note
may be generated concurrently by both requests and one of them will then
fail to verify.
Next steps:
- Continue with the stuff described in the docs
https://docs.google.com/document/d/1C1vFhyGPBOnN3pprw6XPZnK08azyTm-HVIqO9...
(Remove protocolMappers and roles from clientSession etc).
- It should be easy to use the same stuff for refreshTokens. From what I
see, the performance of AES128-CBC-HMAC-SHA256 is much better than RSA
and it provides the encryption too.
Any comments?
Marek
6 years, 6 months
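The single-use check the post describes (an atomic putIfAbsent on a shared cache instead of a "used" note on the userSession), as an added Python model that is not Keycloak's code; SingleUseCache and count_accepted are hypothetical stand-ins for the Infinispan cache and the code-redemption request, and the barrier only forces the requests to interleave.

```python
import threading
from concurrent.futures import ThreadPoolExecutor


class SingleUseCache:
    """Hypothetical stand-in for the Infinispan "actionTokens" cache.

    put_if_absent is atomic: the check and the insert happen under one lock,
    so only the first caller for a given key can ever get None back.
    """

    def __init__(self):
        self._store = {}
        self._lock = threading.Lock()

    def put_if_absent(self, key, value):
        """Insert key and return None, or return the existing value untouched."""
        with self._lock:
            if key in self._store:
                return self._store[key]
            self._store[key] = value
            return None


def count_accepted(use_atomic, parallel=2):
    """Redeem one constructed OAuth code from `parallel` threads at once.

    Returns how many requests accepted the code. With the atomic cache the
    answer is always 1; with the old read-then-write note it can be every one.
    """
    code = "constructed-code-abc123"        # constructed sample value
    barrier = threading.Barrier(parallel)  # lines the requests up so they really race
    cache = SingleUseCache()
    session_notes = {}                     # old approach: "used" note on the userSession

    def redeem(_):
        if use_atomic:
            barrier.wait()
            # First putIfAbsent wins; every later caller sees "used" and is refused.
            return cache.put_if_absent(code, "used") is None
        # Check-then-act: every request passes the check before any writes the note.
        if session_notes.get(code) == "used":
            return False
        barrier.wait()
        session_notes[code] = "used"
        return True

    with ThreadPoolExecutor(max_workers=parallel) as pool:
        return sum(pool.map(redeem, range(parallel)))


if __name__ == "__main__":
    print("atomic putIfAbsent accepted:", count_accepted(True, 4))   # 1
    print("userSession note accepted:  ", count_accepted(False, 4))  # 4
```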
JSON document as claim JSON type on mapper configuration page
by Muehlburger, Herbert
Hello,
What is the best way to map a JSON document to a token claim? Currently I can only define "String" in Claim JSON Type on the Mapper Configuration page. But this causes Keycloak to treat the value of my custom user attribute field as a string. The value is indeed a JSON document and it would be great if there were also a claim JSON type of "JSON Object" which is not treated as a string and not escaped as happens now.
Kind regards,
Herbert
Herbert Mühlburger
Senior System Engineer
T +43 316 8003
F +43 316 8003 1080
BearingPoint Technology GmbH
Seering 6, Block B
8141 Premstätten
Austria
herbert.muehlburger@bearingpoint.com
www.bearingpoint.com
6 years, 6 months
Keycloak deadlines 3.x
by Stian Thorgersen
RH-SSO 7.2 release date is coming up quickly so wanted to remind everyone
about the following dates:
11th October - Feature freeze / 3.4.0.CR1
15th November - Last enhancements and bug fixes / 3.4.1.Final
If you have feature work that you don't think is going to be ready for 11th
October let me know asap.
Once 3.4.0.CR1 is out we'll focus on bug fixing for 3.4.1. Let's try to see
how many bugs we can squash! If folks from the community want to help out
that would be great :)
6 years, 6 months
Login UI Mockups
by Stian Thorgersen
We leverage PatternFly for UI patterns both in the login screens as well as
the admin console. One problem with the login screens is that the
pattern/recommendations from PatternFly only have simple username/password
and don't cover more of the use-cases we have.
The PatternFly team is currently working on extending and improving the
login screen patterns to cover more of our use-cases.
Please review and comment on their mockups at
https://redhat.invisionapp.com/share/59DNSUUZT#/screens/255230613_1
6 years, 6 months
Javascript client mobile review
by Wojciech Trocki
Hi
I recently made a couple of integrations with Keycloak on Android and iOS.
During testing some problems were found around the cordova adapter.
I created a minor fix to resolve the iOS issue I found:
https://github.com/keycloak/keycloak/pull/4514
After reviewing the source code I think it would be good to allow
developers to provide their own adapters. This way we will be able to make
some tweaks for platforms like NativeScript or React Native. Do you think
that's a good idea?
I can create a ticket and contribute to provide this mechanism.
Regards
--
WOJCIECH TROCKI
Red Hat Mobile <https://www.redhat.com/>
IM: wtrocki
6 years, 6 months