Removing providers directory
by Stian Thorgersen
I'm planning on removing the providers directory. Any objections?
At the moment we have 3 approaches to deploy custom providers:
* 'deployments' dir
* 'providers' dir
* module
The deployments and providers are similar, but deployments is much nicer
and more powerful. So we should just remove the providers directory.
Modules need to stay at least for now as that is the only way to deploy
custom SPIs.
7 years, 11 months
NullPointerException with empty attribute
by Rains, Chris
Hi,
I’m seeing Keycloak throw a NullPointerException whenever an access token is being generated for a user with an empty attribute value. Here’s a snippet of the stack trace:
Caused By: java.lang.NullPointerException
at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.convertToType(OIDCAttributeMapperHelper.java:103)
at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapAttributeValue(OIDCAttributeMapperHelper.java:77)
at org.keycloak.protocol.oidc.mappers.OIDCAttributeMapperHelper.mapClaim(OIDCAttributeMapperHelper.java:147)
at org.keycloak.protocol.oidc.mappers.UserAttributeMapper.setClaim(UserAttributeMapper.java:98)
at org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper.transformAccessToken(AbstractOIDCProtocolMapper.java:81)
at org.keycloak.protocol.oidc.TokenManager.transformAccessToken(TokenManager.java:520)
at org.keycloak.protocol.oidc.TokenManager.createClientAccessToken(TokenManager.java:324)
at org.keycloak.protocol.oidc.TokenManager$AccessTokenResponseBuilder.generateAccessToken(TokenManager.java:674)
Looking at OIDCAttributeMapperHelper.java, this seems to be happening because no null check is being performed on attributeValue in convertToType. Therefore, I think we would just need to add a null check at the beginning of convertToType:
if (attributeValue == null) return null;
Would this be a reasonable solution?
Thanks!
- Chris Rains
7 years, 11 months
Use openid Scope to limit the roles included in Offline Token and/or to enforce separation of duties?
by Peter K. Boucher
Sorry if this came through twice. I think there was an error the first time
I sent it.
Suppose there are some limited families of APIs to which we would want users
to explicitly delegate access. We were thinking we could assign a role to
the user that allows the use of each of the families of APIs (say for
example that with the "quantum_singularity" role, they can use the
"tetrion_emission" APIs, and with the "borg_cube" role, they can use the
"culture_assimilation" APIs).
Can we (and if so, how best would we) use openid scope to
* Offline refresh tokens - Allow the user to delegate a 3rd-party app
to act on their behalf in an offline fashion that is limited to one, the
other, or both of the quantum_singularity and/or borg_cube roles?
* Separation of duties - (only partially-related question) Allow an
app to enforce separation of duties such that an online, logged-in user can
only have one or the other, but not both of the quantum_singularity and/or
borg_cube roles for the duration of a session?
I think I gathered from this thread
(http://lists.jboss.org/pipermail/keycloak-dev/2016-July/007550.html) that
these things should be possible, but I was hoping to confirm and to get
pointers and/or practical guidance for how best to do these two things.
Thanks!
7 years, 11 months
Running keycloak behind web proxy
by Plank Martin
Hi all!
We're using Keycloak in a corporate environment where all external requests are blocked and must be sent via web proxy.
Therefore the ReCAPTCHA and social identity providers (from version 3.0.0.CR1) do not work correctly. It can be fixed by configuring proxy host on Apache HttpClient, e.g. [1].
I would be interested in contributing this. But I'm new to Keycloak development, so I will appreciate any information that could help, specifically:
- What kind of automated tests do you expect to develop?
- Where should the proxy configuration be stored?
I have also submitted a Feature request with more information: https://issues.jboss.org/browse/KEYCLOAK-4743
Thanks
Martin Plank
[1] https://hc.apache.org/httpcomponents-client-ga/httpclient/examples/org/ap...
7 years, 11 months
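Added example, not Keycloak's or the poster's code: one way to set a proxy host on Apache HttpClient (4.4 or later) as the post above describes, generalized so that only external targets go through the proxy while internal hosts connect directly. The proxy address, the internal suffix and both target URLs are constructed, and `ProxyAwareClient` and `SelectiveProxyPlanner` are hypothetical names.

```java
import java.util.Locale;
import org.apache.http.HttpException;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.DefaultProxyRoutePlanner;
import org.apache.http.protocol.HttpContext;

public class ProxyAwareClient {

    // Routes external targets through the proxy; internal hosts connect directly.
    static class SelectiveProxyPlanner extends DefaultProxyRoutePlanner {
        private final String internalSuffix;

        SelectiveProxyPlanner(HttpHost proxy, String internalSuffix) {
            super(proxy);
            this.internalSuffix = internalSuffix.toLowerCase(Locale.ROOT);
        }

        @Override
        protected HttpHost determineProxy(HttpHost target, HttpRequest request,
                                          HttpContext context) throws HttpException {
            String host = target.getHostName().toLowerCase(Locale.ROOT);
            if (host.equals("localhost") || host.endsWith(internalSuffix)) {
                return null; // null means "no proxy": direct connection
            }
            return super.determineProxy(target, request, context);
        }
    }

    // The route planner is the only proxy-specific part of the client setup.
    static CloseableHttpClient build(SelectiveProxyPlanner planner) {
        return HttpClients.custom().setRoutePlanner(planner).build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed values: proxy address, internal suffix and both targets.
        SelectiveProxyPlanner planner = new SelectiveProxyPlanner(
                new HttpHost("proxy.corp.example", 3128), ".corp.example");
        for (String url : new String[] {"https://idp.external.example", "https://ldap.corp.example"}) {
            HttpHost via = planner.determineRoute(HttpHost.create(url), new HttpGet("/"),
                    HttpClientContext.create()).getProxyHost();
            System.out.println(url + " -> " + (via == null ? "direct" : "via " + via));
        }
        build(planner).close(); // no request is sent; only the routes are computed
    }
}
```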
Generated standalone-ha.xml seems to be wrong
by Thomas Darimont
Hello group,
I just built a keycloak distribution from current master (last commit
e54c1d7de)
and got an error when I tried to run the standalone-ha.xml variant via
bin/standalone.sh -c standalone-ha.xml.
It seems that the infinispan configuration is not generated correctly -
error shown below.
The standalone.xml variant works though.
Cheers,
Thomas
$ bin/standalone.sh -c standalone-ha.xml
=========================================================================
JBoss Bootstrap Environment
JBOSS_HOME: /home/tom/dev/playground/keycloak/keycloak-3.1.0.CR1-SNAPSHOT
JAVA: /usr/lib/jvm/java-8-oracle/bin/java
JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M
-XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true
-Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true
=========================================================================
16:50:24,683 INFO [org.jboss.modules] (main) JBoss Modules version
1.5.1.Final
16:50:24,866 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.6.Final
16:50:24,928 INFO [org.jboss.as] (MSC service thread 1-6) WFLYSRV0049:
Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) starting
16:50:25,473 ERROR [org.jboss.as.server] (Controller Boot Thread)
WFLYSRV0055: Caught exception during boot:
org.jboss.as.controller.persistence.ConfigurationPersistenceException:
WFLYCTL0085: Failed to parse configuration
at
org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:131)
[wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
at org.jboss.as.server.ServerService.boot(ServerService.java:356)
[wildfly-server-2.0.10.Final.jar:2.0.10.Final]
at
org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:299)
[wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_121]
Caused by: javax.xml.stream.XMLStreamException: ParseError at
[row,col]:[229,17]
Message: WFLYCTL0133: Missing required attribute(s): MODE
at
org.jboss.as.controller.parsing.ParseUtils.missingRequired(ParseUtils.java:161)
[wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
at
org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseReplicatedCache(InfinispanSubsystemXMLReader.java:366)
at
org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.parseContainer(InfinispanSubsystemXMLReader.java:195)
at
org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:75)
at
org.jboss.as.clustering.infinispan.subsystem.InfinispanSubsystemXMLReader.readElement(InfinispanSubsystemXMLReader.java:53)
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
[staxmapper-1.2.0.Final.jar:1.2.0.Final]
at
org.jboss.staxmapper.XMLExtendedStreamReaderImpl.handleAny(XMLExtendedStreamReaderImpl.java:69)
[staxmapper-1.2.0.Final.jar:1.2.0.Final]
at
org.jboss.as.server.parsing.StandaloneXml_4.parseServerProfile(StandaloneXml_4.java:546)
[wildfly-server-2.0.10.Final.jar:2.0.10.Final]
at
org.jboss.as.server.parsing.StandaloneXml_4.readServerElement(StandaloneXml_4.java:242)
[wildfly-server-2.0.10.Final.jar:2.0.10.Final]
at
org.jboss.as.server.parsing.StandaloneXml_4.readElement(StandaloneXml_4.java:141)
[wildfly-server-2.0.10.Final.jar:2.0.10.Final]
at
org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:103)
[wildfly-server-2.0.10.Final.jar:2.0.10.Final]
at
org.jboss.as.server.parsing.StandaloneXml.readElement(StandaloneXml.java:49)
[wildfly-server-2.0.10.Final.jar:2.0.10.Final]
at org.jboss.staxmapper.XMLMapperImpl.processNested(XMLMapperImpl.java:110)
[staxmapper-1.2.0.Final.jar:1.2.0.Final]
at org.jboss.staxmapper.XMLMapperImpl.parseDocument(XMLMapperImpl.java:69)
[staxmapper-1.2.0.Final.jar:1.2.0.Final]
at
org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:123)
[wildfly-controller-2.0.10.Final.jar:2.0.10.Final]
... 3 more
16:50:25,475 FATAL [org.jboss.as.server] (Controller Boot Thread)
WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting.
See previous messages for details.
16:50:25,477 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server
shutdown has been requested.
16:50:25,492 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050:
Keycloak 3.1.0.CR1-SNAPSHOT (WildFly Core 2.0.10.Final) stopped in 11ms
7 years, 11 months
Accessing javascript and css files from an iframe.
by Shankar_Bhaskaran
Hi,
We have secured our jbpm application behind keycloak using keycloakloginmodule. We have a requirement where we get a link to an html page as response to a rest call. This link is put inside an iframe to load. Even though the html is rendered we are getting an HTTP 302 response for all the calls to the css and javascript files.
Just to be more clear, we are calling a rest service getting the response and getting the form url from the response. We are packaging that in an iframe and populating a div in the html page.
Now the entire html page is inside another iframe. On loading the page, all the requests to css and js stop with HTTP 302 status.
if (status == 'SUCCESS') {
    // Read the form URL returned by the REST call.
    var formURL = xmlDoc.getElementsByTagName("formUrl");
    if (formURL && formURL.length > 0 && formURL[0].childNodes.length > 0) {
        this.formURL = formURL[0].childNodes[0].nodeValue;
        var iFrameFormUrl = this.formURL + "&packageName=" + params[0] + "&taskName=" + params[1] + "&processDefinitionId=" + params[2] + "&processInstanceId=" + params[3] + "&userId=" + params[4];
        // Wrap the form URL in an iframe and place it in the container div.
        var html = "<iframe id='" + this.containerId + "_form' src='" + iFrameFormUrl + "' frameborder='0' style='width:100%; height:100%'></iframe>";
        var targetDiv = document.getElementById(this.containerId);
        targetDiv.innerHTML = html;
        if (successCallback) successCallback(responseText);
        return;
    }
}
Is there any solution for this?
Regards,
Shankar
7 years, 11 months
Keycloak 1.9.1: Theme: pass eventtype to eventlistener?
by christian.polzer@kaufland.com
Hello,
I have implemented a custom EventListenerProvider to use with a custom
registration form template ("login/register.ftl").
Now I am having problems distinguishing incoming events from the login.ftl,
register.ftl and so on templates. As I understand it, in my
EventListenerProvider the entry point is the implemented onEvent(Event
event) method.
Unfortunately the events that get passed through from the template to the
keycloak backend into my EventListenerProvider seem to be missing event
type information:
Incoming Event is:{
"clientId": "internet-master-client",
"details": {
"auth_method": "openid-connect",
"auth_type": "code",
"code_id": "5ba2de19-e7f4-4274-9054-d71343c21c96",
"email": "test(a)test.com",
"redirect_uri": "https://www.test.com/",
"username": "test(a)test.com"
},
"ipAddress": "...",
"realmId": "users",
"time": 1492001884000,
"type": {"saveByDefault": true}, // type is not set?
"userId": "b...."
}
This makes it impossible for me to distinguish between EventTypes and send
Mail accordingly.
What am I missing (apart from being new to keycloak development)?
Regards,
Christian Polzer
Kind regards
Christian Polzer
Application Development NonSAP
+49 7132 94 920383
Kaufland Informationssysteme GmbH & Co. KG
P.O. Box 12 53 - 74172 Neckarsulm
Limited partnership
Registered office: Neckarsulm
Register court: Stuttgart HRA 104163
7 years, 11 months
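Added example, not the poster's code: an `EventListenerProvider` that reads the event type from `event.getType()` and logs it by enum name, using the Keycloak events SPI. It assumes the `"type": {"saveByDefault": true}` output in the post came from a JSON serializer writing the `EventType` enum as a bean; `MailOnEventListener`, `templateFor`, `describe` and the template file names are hypothetical.

```java
import org.keycloak.events.Event;
import org.keycloak.events.EventListenerProvider;
import org.keycloak.events.EventType;
import org.keycloak.events.admin.AdminEvent;

public class MailOnEventListener implements EventListenerProvider {

    @Override
    public void onEvent(Event event) {
        String template = templateFor(event.getType());
        if (template == null) {
            return; // not an event this listener sends mail for
        }
        // "email" is the details key visible in the event shown in the post.
        String email = event.getDetails() == null ? null : event.getDetails().get("email");
        System.out.println(describe(event) + " -> template=" + template + " to=" + email);
    }

    // Maps the event type to a mail template; the template names are hypothetical.
    static String templateFor(EventType type) {
        if (type == null) {
            return null;
        }
        switch (type) {
            case REGISTER:
                return "welcome.ftl";
            case LOGIN_ERROR:
                return "failed-login.ftl";
            default:
                return null;
        }
    }

    // Logs the enum by name instead of serializing the enum object itself.
    static String describe(Event event) {
        EventType type = event.getType();
        return "type=" + (type == null ? "UNKNOWN" : type.name())
                + " realm=" + event.getRealmId()
                + " client=" + event.getClientId()
                + " user=" + event.getUserId();
    }

    @Override
    public void onEvent(AdminEvent event, boolean includeRepresentation) {
        // Admin events are not handled in this example.
    }

    @Override
    public void close() {
    }
}
```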
Arabic Locale
by Adam Williams
Are there any plans to support the Arabic Locale setting?
Thanks,
Adam
7 years, 11 months