December 2017 - keycloak-dev - Jboss List Archives

Wildcard for Valid Redirect URI Hostname

by Josh Cain

Per KEYCLOAK-3585: <https://issues.jboss.org/browse/KEYCLOAK-3585> Currently, valid redirect URI hostnames allow for wildcards at the end like so: http://www.redhat.com/* I'm managing several environments where clients need 'n' number of available redirect URI's with different hostnames, I.E. http://developer1.env.redhat.com http://developer2.env.redhat.com http://developer3.env.redhat.com Would really help to have the ability to wildcard hostnames too, I.E.: http://*.env.redhat.com I've submitted #3241 <https://github.com/keycloak/keycloak/pull/3241> to address this issue, but there seem to be some concerns about allowing wildcards in other parts of the URL. See the PR for a more fleshed out discussion, but wanted to start a thread here on the mailing list. Particularly with respect to: - Does anyone have need of this feature or would find it useful? - Should this kind of wildcard be allowed as a configuration option by Keycloak? Josh Cain | Software Applications Engineer *Identity and Access Management* *Red Hat* +1 256-452-0150

6 years, 1 month

5
13
0 / 0

keycloak-documentation translation

by Hiroyuki Wada

Hello, We have a plan to translate keycloak-documentation to Japanese for the community at our company. Because there is no place to manage the translation resources in keycloak-documentation repository, we are planning to put the resources into own repository and publish the built documents to our corporate site. Do you have any concerns? Of course, we can contribute it if there are any plans to translate it officially. Best Regards, -- Hiroyuki Wada, Nomura Research Institute, Ltd.

6 years, 8 months

3
4
0 / 0

make sending a request object mandatory for certain clients

by Aron Bustya

Hi! I have a use case where the server must accept authorization requests only when they contain a signed request object (should be configurable per client). I have found a way to make the signing of the request object mandatory by specifying a 'request.object.signature.alg' attribute on the client, but this only applies if a request object exists in the first place. I would like to propose a pull request: It defines a new client attribute 'request.object.required'. If this is set to 'true', the client must send a request object when initiating an authorization request. Current code can be checked here: https://github.com/abustya/keycloak/commit/476912906a3ad0d290220a1f54abee... What do you think? Regards, Áron Bustya

6 years, 10 months

2
10
0 / 0

Hot or Rolling upgrade

by Brian Towles

Howdy all, I was wondering if there is any advice on how to do a rolling upgrade of Keycloak, or any mechanism to maintain a running instance while upgrading? Ive seen the docs here (http://www.keycloak.org/docs/latest/upgrading/index.html) and they all ha type installs say that "all instances must be upgraded at the same time." Any hints or pointers would be great. Thanks -=Brian -- *Brian Towles* | Software Engineer t. (512) 415- <0000000000>8105 e. btowles(a)cloudera.com <jond(a)cloudera.com> cloudera.com <http://www.cloudera.com/> [image: Cloudera] <http://www.cloudera.com/> [image: Cloudera on Twitter] <https://twitter.com/cloudera> [image: Cloudera on Facebook] <https://www.facebook.com/cloudera> [image: Cloudera on LinkedIn] <https://www.linkedin.com/company/cloudera> ------------------------------

7 years

3
3
0 / 0

Authenticating Desktop Applications with Keycloak and the keycloak-installed adapter

by Thomas Darimont

Hello folks, I played a bit with the undocumented? [0] keycloak-installed adapter [1] for integrating desktop applications with Keycloak SSO and found some issues with it, which I'd like to share. Small explanation for those who are reading the list but don't know the adapter... [2] First some general notes / suggestions: Is the keycloak-installed adapter something that will stay in keycloak or was this just a PoC? In the former case I think there are some things that could be improved or extended a bit: - Allow users to customize the locale used for the login pages opened by the adapter - Provide customizable response templates (perhaps by leveraging a provided ResourceBundle) - Allow to customize pages shown after login / logout served by the keycloak-installed adapter - Add support for TLS (with custom certificates) for https:// with localhost I noticed that some browsers (e.g. Chrome) show an error page when trying to redirect to the local mini-webserver after a successful login since the mini-webserver (...server-socket) embedded in the adapter doesn't respond with a valid HTTP response. With that fixed, it worked with all browsers I tested (IE, Firefox, Chrome). My current modifications of the keycloak-installed adapter (with HTTP response fixes and response customizations) are here: https://github.com/thomasdarimont/keycloak/commit/b8ee52a946e73503b1737f5... An extended example (using the the modified keycloak-installed adapter) can be found here: https://gist.github.com/thomasdarimont/c59c14f45ea2ee00d7b6fbe2c013c5f1 WDYT? Cheers, Thomas [0] Not mentioned here: https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java... [1] https://github.com/keycloak/keycloak/tree/master/adapters/oidc/installed [2] For those that haven't seen the adapter yet, it allows to authenticate against Keycloak from a desktop app (e.g. swing, javafx) by opening a desktop browser window where a user uses the regular keycloak login pages to login. The trick is now that login page is opened with redirect URL that points to a small local "web server" (server-socket) on a free ephemeral port which is started by the adapter. After logging in the mini web-server receives performs the authenorization code flow and eventually receives the tokens (access_token, refresh_token, id_token) which can then be used to call backend services from the client or retrieve new tokens A nice side effect of this is, that the desktop application never sees a users password and one can leverage existing SSO sessions. Btw. the google cloud cli uses the same approach to authenticate with gcp. The Keycloak repo contains a small example for this: https://github.com/keycloak/keycloak/blob/master/examples/demo-template/c...

7 years

4
13
0 / 0

Admin Fine Grained Permissions

by Pedro Igor Silva

Right now, when you enable fine-grained permissions to users you must grant to a specific user the "manage-users" roles. Otherwise, you will not be able to see the "Add User" button even though you have a permission granting the "manage" scope. It is quite weird actually, because you can delete users. This is because in UI we are checking only for "manage-users" when deciding if this button should be shown or not. One thing we could do here is change admin console to query for current user permissions using the Entitlement API and use the permissions returned in the RPT to decide whether or not something in the UI should be displayed. I did some tests here and this approach seems to work fine and I think it will improve a lot how we are handling permissions in admin console. Regards. Pedro Igor

7 years

1
0
0 / 0

Keycloak 3.4.2.Final Released

by Stian Thorgersen

We've just released Keycloak 3.4.2.Final. To download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>. The full list of resolved issues is available in JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> . Before you upgrade remember to backup your database and check the upgrade guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for anything that may have changed.

7 years

1
0
0 / 0

Is TestingResource token protected?

by Bill Burke

I'm getting a 401 error when invoking on the AssertEvents.clear() method in one of my tests. Make zero sense other than that I set the time offset to sometime in the future before invoking it. Is Testing Resource protected by Keycloak? Its the only reason I can think that the token is expired or something. I can't seem to find the information anywhere. This is driving me crazy because locally tests pass 100%, but I'm getting this problem in the CI build. -- Bill Burke Red Hat

7 years

2
1
0 / 0

KEYCLOAK-4853

by John D. Ament

I'm planning to start to submit some PRs for https://issues.jboss.org/browse/KEYCLOAK-4853 . If I start to get them to you in the next few days, what would release would they target. Some of the items I'm looking to immediately leverage are: - Create User - Create Group - Create IDP These are the important ones since fetching the data a second go around requires that unique ID in the URL. John

7 years

2
3
0 / 0

Ability to confirm that a realm was created

by John D. Ament

I had raised a PR ( https://github.com/keycloak/keycloak/pull/4850 ) for KEYCLOAK-4852. It seems like there may be some disagreement on whether this is needed, but I was confused by the fact that the ticket was in the "BacklogBacklog" without any comments, questions or concerns. Here's the problem I face. The resteasy proxy code only throws exceptions for 4xx and higher responses. I want to confirm on realm creation that I received a 201 Created header back from keycloak. The admin client doesn't support this today. To do that, and without breaking other consumers, I introduced a new method that will return the response. The void method remains and doesn't change any behavior. The new method allows me to read the response status and location headers correctly. John

7 years

1
0
0 / 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev December 2017