Alternative flows on Browser refresh
by Bruno Oliveira
Good morning,
For alternative flows like X509 browser, if something goes wrong
it will fall back to username/password form, as we already know.
But the flow is not executed again until the browser is closed.
Based on what Stian commented[1], seems like the same applies to
Kerberos. To fix this, we need to change the way how it works today,
by going through the list of all alternative flows on refresh,
executing them again.
Does it make sense? Should we have Jira as "enhancement" for this?
[1] - https://issues.jboss.org/browse/KEYCLOAK-5466
--
abstractj
6 years, 8 months
Scripts to generate X.509 certificates
by Bruno Oliveira
Ahoy,
I'm adding X509 authentication tests for *Key Usage* and *Extended Key
Usage*. Now I got stuck looking for the scripts that generate these files
https://github.com/keycloak/keycloak/tree/b2f10359c8c33dd0a843c3ee28e0c8e....
Do we have them?
The reason why I'm asking, is because I need to flag *Extended Key Usage*
as critical for testing purposes. Also, I couldn't find the CA key, to sign
another client certificate.
Of course is possible to recreate everything from scratch, but that would
take a considerable time making sure that everything is in the right place.
6 years, 8 months
ProviderFactory::postDeploy?
by Dmitry
Hi,
At the moment, the ProviderFactory::postInit() method is not called
during hot (re)deployment of providers, only during server startup.
This is considered a bug (see discussion in keycloak-user, KEYCLOAK-
5131 and PR #4282).
Meanwhile, Marek and I have been discussing the problem of accessing
data model from postInit (see the keycloak-user post). Turns out that
the semantics should be significantly different depending on whether
postInit() is called during server startup or hot deploy. In the first
case, one should listen for PostMigrationEvent. In the second case, the
event is not available and thus shouldn't be listened for. However, the
provider should be able to somehow distinguish the cases. There are
some hacks like analyzing current thread name, querying JNDI or
Resteasy, but maybe we can come up with something more clean and
simple?
Marek has suggested that the new method should be introduced on the
ProviderFactory interface, with empty default implementation (in order
not to break the code). What do you think?
Dmitry
6 years, 8 months
cannot run keycloak authz examples working correctly - unresolved dependency - Cannot find KieModule: org.keycloak:photoz-authz-policy:${project.version}
by Olivier Rivat
Hi,
I am using RH-SSO 7.1 with Keycloack examples 2.5.X (2.5.11.Final-SNAPSHOT)
I have been able to ciompiel and upload the both photoz war:
-photoz-html5-client.war
-photoz-restful-api.war
1) on UI uinterface
=============
I have an issue when I am running the example.
When click on "Entitlement" or "Delete" I am getting Error 500.
I have screened it, and the reason is that:
angular.min.js:77 GET http://localhost:8080/photoz-restful-api/album 401
(Unauthorized)
GET
http://localhost:8180/auth/realms/photoz/authz/entitlement/photoz-restful...
500 (Internal Server Error)
:8080/photoz-html5-client/#/:1 Failed to load
http://localhost:8180/auth/realms/photoz/authz/entitlement/photoz-restful...:
No 'Access-Control-Allow-Origin' header is present on the requested
resource. Origin 'http://localhost:8080' is therefore not allowed access.
The response had HTTP status code 500.
2) in logs -of RH-SSO
=============
Meanwhile, I have had also a look at RH-SSO log, and it is displaying:
21:49:22,210 ERROR [org.jboss.resteasy.resteasy_jaxrs.i18n] (default
task-79) RESTEASY002020: Unhandled asynchronous exception, sending back
500: org.jboss.resteasy.spi.UnhandledException:
java.lang.RuntimeException: Cannot find KieModule:
org.keycloak:photoz-authz-policy:${project.version}
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:255)
3) ${project.version} in photoz examples
========================
it can be foudn at:
3.1) examples/authz/photoz/photoz-restful-api/pom.xml
<dependency>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-authz-client</artifactId>
<version>${project.version}</version>
<scope>provided</scope>
</dependency>
3.2)
examples/authz/photoz/photoz-restful-api/src/main/resources/photoz-restful-api-authz-service.json
"policies": [
{
"name": "Only Owner Policy",
"description": "Defines that only the resource owner is allowed
to do something",
"type": "rules",
"logic": "POSITIVE",
"decisionStrategy": "UNANIMOUS",
"config": {
"mavenArtifactVersion": "${project.version}",
"mavenArtifactId": "photoz-authz-policy",
"sessionName": "MainOwnerSession",
"mavenArtifactGroupId": "org.keycloak",
"moduleName": "PhotozAuthzOwnerPolicy",
"scannerPeriod": "1",
"scannerPeriodUnit": "Hours"
}
},
and for info:
we also have:
examples/authz/photoz/photoz-authz-policy/pom.xml
<parent>
<groupId>org.keycloak</groupId>
<artifactId>keycloak-authz-photoz-parent</artifactId>
<version>2.5.11.Final-SNAPSHOT</version>
<relativePath>../pom.xml</relativePath>
</parent>
4) My analysis
=========
The error seen in RH-SSO server (Cannot find KieModule:
org.keycloak:photoz-authz-policy:${project.version}) comes certainly
from the fact that
${project.version} is not resolved at all, although being defined in
pom.xml of examples/authz/photoz/photoz-authz-policy.
It could be great if someone could help to resolve those unresolved
dependency which are preventing to run the example successfully.
Regards,
Olivier
6 years, 8 months
thoughts on file migration?
by Bill Burke
Need input on this JIRA:
https://issues.jboss.org/browse/KEYCLOAK-4715
The problem is that our json exports do not have a version assigned to
them and we may have org.keycloak.migration.migrators.Migration
objects that need to run.
Should we force people doing upgrades in this way to add a version tag
somewhere in the json? We should then add a "fromJson" MIgration
method to be invoked for each appropriate migrator.
That sound like a plan?
--
Bill Burke
Red Hat
6 years, 8 months
Merging PRs
by Stian Thorgersen
When merging PRs always use the "Rebase and merge" option.
This option puts the commits on the top of the history without a merge
commit.
6 years, 8 months
Keycloak email setup "the easy way"
by Stan Silvert
I just came across what I think is the probably easiest possible way to
set up Keycloak's SMTP for testing. So I thought I should share.
If you want/need to test things like password recovery and "verify
email", here is the tip:
In Admin Console:
1) Go to Realm Settings-->Email
2) Set host to aspmx.l.google.com
3) Set port to 25
4) Use whatever you want for the other fields
5) Note that Enable SSL, Enable StartTLS, and Enable Authentication can
be left "OFF".
6) Create a new test user with a gmail email address.
This only works for gmail users, so your test user needs a gmail account
of some kind. It doesn't need to be "@gmail.com", but it must be a
gmail account.
For reference:
https://support.google.com/a/answer/176600?hl=en
6 years, 8 months
