Handling exceptions thrown from user storage providers
by Tomas Kyjovsky
Currently there isn't much handling of exceptions which may be thrown from User Storage SPI methods.
For example:
- when `UserStorageProvider.preRemove` throws an exception it's not possible to remove a group/role or realm in which the offending provider is registered
- when `UserLookupProvider.getUserByUsername` throws an exception this blocks all lower priority providers from looking up users
- exception from `UserStorageProviderFactory.create` blocks all providers from lookup, credential validation/updates, etc.
I can't decide whether this "fail fast" behavior is bug or feature. On one hand it lets the developer know there's a problem with the provider. On the other hand it destabilizes the other providers in the realm.
WDYT?
Tomas
7 years, 10 months
Internationalization support for angular notifications and default values.
by Gustavo Alvarez
Hi all.
I need to change all the language in Keycloak; almost all the information in
the console pages is in properties files, except for two things:
1. Notifications from angular: there is code like the following:
Notifications.success ("Role mappings updated.");
2. Default values in java services, for example the service that creates a
client uses default values in DefaultAuthenticationFlows.java:
public static final String REGISTRATION_FLOW = "registration";
public static final String REGISTRATION_FORM_FLOW = "registration form";
public static final String BROWSER_FLOW = "browser";
public static final String DIRECT_GRANT_FLOW = "direct grant";
public static final String RESET_CREDENTIALS_FLOW = "reset credentials";
public static final String LOGIN_FORMS_FLOW = "forms";
public static final String SAML_ECP_FLOW = "saml ecp";
Is someone working on this now, or can you help me find a solution for
this situation?
Thanks for your help.
gaalvarez.
7 years, 10 months
LDAP No Import in Master
by Bill Burke
LDAP No Import in master. I ended up creating a UserModel in-memory
pojo, and passing it to the import command and that worked for most
situations. There were some other minor fixes to get it to work. The
only issue I have now is that if there is no mapping for an update, no
exception is thrown and the changes are just lost with no warning.
Runtime should throw an error in this situation. Not sure the best way
to handle it for the moment, so I'm going to let it stew in my brain for
a little while.
Also added "remoteImportedUsers" and "unlinkUsers" operations. This will
allow people to migrate from import mode to no import mode.
Cheers,
Bill
7 years, 10 months
Auth SPI being refactored in 3.0
by Bill Burke
The Authentication SPI is being refactored in 3.0. Like what happened
in Keycloak 2.x and the User Storage SPI, the Authentication SPI will be
refactored and improved through various 3.x releases. We'll clean up
areas, rewrite certain areas, and get the SPI ready so that it can be
stable and supportable for the foreseeable future. We are also doing
this work so that we can support things like step-up authentication and
FIDO etc. although the latter is for much later down the road.
The first area that will be tackled will be the Form SPI.
Regards,
Bill
7 years, 10 months
Removing Mongo support
by Stian Thorgersen
At times you have to make hard decisions and this has been one of those. We
have decided to remove Mongo support from Keycloak. The primary motivation
behind this decision is that we simply don't have the resources to maintain
and further develop the back-end for both relational databases and Mongo.
Further, there are some fundamental issues with our current use of Mongo
that would require a large amount of work to become fully production ready.
This primarily boils down to the lack of ACID transactions in Mongo.
We hope that this decision won't result in too much trouble for those of
you that are currently using Mongo as the back-end for Keycloak. It should
be relatively painless to migrate to a relational database with our
export/import feature. If you do run into issues with this please let us
know on the mailing list and we will do whatever we can to help make the
transition as smooth as possible.
If anyone from the community would like to take over the Mongo support and
maintain it as a separate extension please let us know. We can help with
extracting the code and work together in making it easy to install it as an
extension.
Migrating from Mongo to relational database
First step is to export the full database. You can do this by stopping the
Keycloak server and running:
bin/standalone.sh -Dkeycloak.migration.action=export \
  -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=backup
This will export all data from Mongo to JSON files within the directory
backup. For full details refer to the Server Administration Guide
<https://keycloak.gitbooks.io/server-adminstration-guide/content/topics/ex...>.
Next step is to install a relational database and configure it in Keycloak.
Take your pick; we support quite a few. For full details refer to the Server
Installation Guide
<https://keycloak.gitbooks.io/server-installation-and-configuration/conten...>.
Once you have the relational database ready and configured, you can start
Keycloak and import the data exported from Mongo. To do this run Keycloak
with:
bin/standalone.sh -Dkeycloak.migration.action=import \
  -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=backup
Hopefully you're now up and running with all your realms and users migrated
to the relational database. If not, let us know on the user mailing list
and we'll help you out as soon as possible.
7 years, 10 months
Re: [keycloak-dev] Proposal of RFC7636 (PKCE) support
by 乗松隆志 / NORIMATSU,TAKASHI
Thank you very much.
I'm now writing tests for the new testsuite (testsuite/integration-arquillian), and refining documentation and code for a PR.
After completing these tasks, hopefully this week, I'd like to post mail to ask you whether I can send a PR.
Best Regards
Takashi Norimatsu
Hitachi, Ltd.
> We'd welcome a contribution.
>
> Tests would need to be written and added to the new testsuite
> (testsuite/integration-arquillian). If you are able to send updates to
> documentation as well that'd be good.
>
> On 13 January 2017 at 11:59, 乗松隆志 / NORIMATSU,TAKASHI <
>takashi.norimatsu.ws at hitachi.com> wrote:
>
>> Hello.
>>
>> I've been using keycloak 2.4.0.FINAL.
>> I've experimentally implemented code for RFC 7636, Proof Key for Code
>> Exchange.
>> (https://tools.ietf.org/html/rfc7636)
>>
>> [Background: Why RFC7636 is necessary]
>> RFC 7636 is important for industries where high level security is
>> required because it can prevent Authorization Code Interception and
>> Substitution attacks for OAuth2.0. For example, it is required for both
>> confidential and public clients in draft specification of Financial API of
>> OpenID foundation. By implementing RFC 7636, keycloak will be used more
>> widely.
>>
>> [Description of the implementation]
>> My implementation is about 90 steps for the Authorization Server and 90 steps
>> for the Client (only Servlet-OAuth), both excluding debug log code in the step
>> counts.
>> Please see the details in the links below.
>> * The implementation:
>> https://github.com/keycloak/keycloak/commit/9e3d2d1e5e8c3b30ddc9ccd5083ba18adcb4c564
>> It is based on 2.4.0.FINAL. Hope we'll refine and rebase it onto master
>> branch for PR if you accept our implementation proposal.
>> * Design document:
>> https://github.com/Hitachi/contributions/wiki/Description-of-RFC7636-for-keycloak
>> * PoC test:
>> I've validated my implementation and found it worked well in the following
>> scenarios.
>> [1]
>> Flow: Authorization Code Flow
>> Client: RFC 7636 not supported
>> [2]
>> Flow: Authorization Code Flow
>> Client: RFC 7636 supported and operates properly
>> [3]
>> Flow: Authorization Code Flow
>> Client: RFC 7636 supported but operates illegally
>> (send invalid code_verifier to Token Endpoint)
>> For detail of PoC test, please see:
>> https://github.com/Hitachi/contributions/wiki/PoC-Test-Result-of-RFC7636
>>
>> I am also willing to add tests to community’s testsuites according to the
>> process as described in “Hacking on Keycloak”.
>>
>> I know that a related ticket has already been issued as KEYCLOAK-2604.
>> https://issues.jboss.org/browse/KEYCLOAK-2604
>>
>> Would you mind if I contribute this RFC 7636 support to Keycloak, related
>> to the KEYCLOAK-2604 ticket?
>>
>> Best Regards
>> Takashi Norimatsu
>> Hitachi, Ltd.
>>
7 years, 10 months
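The three PoC scenarios in the quoted message (no PKCE, a correct code_verifier, an invalid code_verifier), worked through as an added Python example that is not Keycloak's or Hitachi's code; the function names and the `stored` dict shape are assumptions, the test vector is RFC 7636 Appendix B:

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import Optional

# Added example, not Keycloak's implementation; all names here are hypothetical.

_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # RFC 7636 section 4.1 syntax


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy verifier, base64url without padding (32 bytes -> 43 chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def s256_challenge(code_verifier: str) -> str:
    """Client side, sent with the authorization request:
    code_challenge = BASE64URL(SHA256(ASCII(code_verifier))) (RFC 7636 section 4.2)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_endpoint_check(stored: dict, code_verifier: Optional[str]) -> str:
    """Authorization-server side, at the token endpoint (RFC 7636 section 4.6).
    `stored` is what the server kept next to the authorization code it issued.
    Returns 'ok' (scenario [2]), 'no_pkce' (scenario [1]) or 'invalid_grant' (scenario [3])."""
    challenge = stored.get("code_challenge")
    method = stored.get("code_challenge_method", "plain")
    if challenge is None:
        return "no_pkce"  # scenario [1]: the client never sent a code_challenge
    if code_verifier is None or not _VERIFIER_RE.match(code_verifier):
        return "invalid_grant"  # challenge was bound to the code, but verifier missing/malformed
    if method == "S256":
        expected = s256_challenge(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return "invalid_grant"  # unknown transform method
    # Constant-time comparison; a mismatch means the code was intercepted or
    # substituted, or the client is misbehaving (scenario [3]).
    return "ok" if hmac.compare_digest(expected, challenge) else "invalid_grant"
```

A server that wants PKCE to be mandatory for public clients would additionally treat `no_pkce` as a rejection instead of falling back to the plain authorization code flow.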
SAML 2.0 AttributeValue AnyType
by frelibert@yahoo.com
Hi,
I need to integrate my keycloak server with a SAML 2.0 identity provider which, for some attributes, returns values with complex content (AnyType, without specifying the type of the Element).
e.g.
<saml2:Attribute Name="attr:notype:element" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Name xml:lang="nl" xmlns="urn:be:fgov:complextype:v1">Hospitaal x</Name>
  </saml2:AttributeValue>
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Name xml:lang="fr" xmlns="urn:be:fgov:complextype:v1">hopital x</Name>
  </saml2:AttributeValue>
</saml2:Attribute>
KeyCloak throws an exception when parsing such an AttributeValue in a received Assertion. That's not very friendly. It would be better to give a warning and just skip the AttributeValue so it doesn't block the whole process. But even better would be to actually support complex values, as the SAML 2.0 specs do so. There is actually an easy fix to this. I already implemented this last year when I integrated that same Identity Provider using PicketLink, which had the same flaw. As PicketLink has become deprecated in favor of KeyCloak, we are trying to move on to KeyCloak. Are you prepared to add support for complex values? The infected class is actually completely the same (I suppose you integrated the code of PicketLink):
org.keycloak.saml.processing.core.parsers.util.SAMLParserUtil.parseAttributeValue(XMLEventReader)
My fix is to use the existing process flow if possible but to go for a default behaviour where now an exception is thrown: parse the content of the AttributeValue as a String, including the xml tags. For non-xml values, this will end up as a simple string; for complex xml values, this will end up as a string with xml tags in it. This prevents impact in other parts of the code as it is nothing more than a string.
I already tested it in my local keycloak server and KeyCloak has no problems with it further down the road.
If the SAML attribute is mapped to a User attribute, it shows the xml string in the user attribute value. If the User Attribute is used in a response, the xml string is escaped in the resulting Assertion, which is ok.
I can create a pull request for this, it's actually one extra method in SAMLParserUtil. You can find the updated class in attachment. There are no other differences between the branch 2.5.x and the master.
7 years, 10 months
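The fallback described in the post (simple values stay strings, complex AnyType content is kept verbatim as a string with its tags), shown as an added Python example rather than the poster's Java patch to SAMLParserUtil; the sample attribute is the one quoted above with a `saml2` namespace declaration and one plain `xs:string` value added so it parses stand-alone:

```python
import xml.etree.ElementTree as ET
from typing import List

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample: the attribute quoted in the post, wrapped so it is a
# complete document, plus a third, ordinary string-typed value for contrast.
SAMPLE_ATTRIBUTE = """<saml2:Attribute xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    Name="attr:notype:element"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Name xml:lang="nl" xmlns="urn:be:fgov:complextype:v1">Hospitaal x</Name>
  </saml2:AttributeValue>
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Name xml:lang="fr" xmlns="urn:be:fgov:complextype:v1">hopital x</Name>
  </saml2:AttributeValue>
  <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xsi:type="xs:string">plain value</saml2:AttributeValue>
</saml2:Attribute>"""


def parse_attribute_value(value_el: ET.Element) -> str:
    """Hypothetical replacement for the exception path: text content for simple
    values, the serialized child markup (tags included) for complex content."""
    children = list(value_el)
    if not children:
        return (value_el.text or "").strip()
    # Complex (AnyType) content: keep it verbatim as a string. Nothing downstream
    # interprets it, and it must be escaped again when written into an assertion.
    return "".join(ET.tostring(child, encoding="unicode") for child in children).strip()


def parse_attribute_values(attribute_xml: str) -> List[str]:
    """Return one string per saml2:AttributeValue of an Attribute element.
    For assertions from untrusted parties, parse with defusedxml instead of
    plain ElementTree to block entity-expansion attacks."""
    root = ET.fromstring(attribute_xml)
    return [parse_attribute_value(v) for v in root.findall(f"{{{SAML2}}}AttributeValue")]
```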
Keycloak+dogtag or Keycloak+freeIPA
by Gorazd
Hi to all,
still doing some decision making... could anyone recommend whether, for
example, KeyCloak (as identity and access management solution) + DogTag (as a
PKI infrastructure) would be a great solution to also cover or integrate with
enterprise scenarios, where possibly AD is behind a RADIUS server, or is it
better to go with the combination of Keycloak and FreeIPA (IdM)? Is Keycloak a
real IdM, does it have its own LDAP base, or is it dependent on an external
users/roles database and has just a simple internal database/storage to
save user/pass?
Thank you in advance,
Gorazd
7 years, 10 months
keycloak.json in directory "config" in quickstarts
by Marek Posolda
In quickstart examples, we want people to put keycloak.json into the
"config" directory of the particular quickstart. Then during build,
keycloak.json is copied to src/main/webapp/WEB-INF.
Is it a good pattern to do it like this? Can't we just instruct people
to put it directly into the "WEB-INF" folder?
I personally found it a bit confusing as the adapter expects config in
the "WEB-INF" folder by default. People may do their own apps and create
"config/keycloak.json", but they may forget to add the profile
"json" to their pom.xml to copy the file at build time. Then they can
see issues like "I have folder config and file keycloak.json in it. Why
doesn't Keycloak secure my app?" etc.
But maybe it's just me?
Marek
7 years, 10 months