Renaming testsuite/integration to testsuite/integration-deprecated
by Stian Thorgersen
I would like to rename testsuite/integration to
testsuite/integration-deprecated. This is to make it clear to external
contributors that the testsuite is deprecated and new tests should be added
to testsuite/integration-arquillian.
I would also like to rename testsuite/integration-arquillian
to testsuite/integration.
6 years, 11 months
Cookie token storage for Spring Security
by Sjoerd Cranen
Hi all,
It seems that "token-store: cookie" is not implemented for the Spring
Security adapter. I would be happy to have a go at it, if nobody objects.
One thing I'm wondering is why the cookie path for the adapter state cookie
is always set to the context root in CookieTokenStore. In particular, it
would seem that if I change the Spring Security adapter in a
straightforward way to store the cookies, the cookie would always be set on
"/sso", which would not be very useful.
A second question I had is about the redirect after login. Currently the
redirect location is stored in the HTTP session. Since you would typically
enable "token-store: cookie" to get rid of HTTP sessions, that would also
have to change. I couldn't really figure out how other adapters were doing
this, and I don't have the time at the moment to experiment with the other
adapters to see what happens; if someone could give me some pointers then
that would be very helpful.
Best regards,
Sjoerd Cranen
7 years
Keycloak 3.2.0.CR2 released
by Stian Thorgersen
We've just released Keycloak 3.2.0.CR1.
To download the release go to the Keycloak homepage
<http://www.keycloak.org/downloads>.
HighlightsFine grained admin permissions
This is something that we've wanted to add for a long time! Through our
authorization services it's now possible to finely tune permissions for
admins. This makes it possible to limit what clients, users, roles, etc.
admins have access to. Documentation is missing for this at the moment, but
will be added in time for 3.2.0.Final.
Docker Registry support
It's not possible to secure a Docker Registry with a standard OAuth or
OpenID Connect provider. For some strange reason they have only partially
followed the specifications and the Docker Registry maintainers refuse to
fix this! Fear not, thanks to cainj13 <https://github.com/cainj13> who
contributed this we now have a special Docker Registry protocol that can be
enabled in Keycloak.
Authentication sessions and access tokens
In the effort to provide support for running Keycloak in multiple data
centers we've done a large amount of work around user sessions. We've
introduced authentication sessions that are special sessions used primarily
during the authentication flows. There are two main reasons for this.
Authentication flows can fairly easily be fixed to a specific node within a
specific data center and there is no need to replicate this to other data
centers. They are also more write heavy than the user sessions. The
introduction of access tokens makes it possible to detach actions (for
example verify email) from a user session, which has a number of benefits.
More will come in future 3.x releases and by the end of the year we aim to
fully support replicating Keycloak cross multiple data centers.
Authorization Service improvements
There's been a lot of work done to the authorization services in this
release. Way to many to list here so check out JIRA
<https://issues.jboss.org/browse/KEYCLOAK-5072?jql=project%20%3D%20keycloa...>
for
details.
QuickStarts
We've introduced new QuickStarts with the aim to make it even simpler for
you to get started securing your applications and services with Keycloak.
The QuickStarts have proper tests as well, which can serve as a reference
on how to tests your own applications and services secured with Keycloak.
Check out the new QuickStarts in the keycloak-quickstarts GitHub repository
<https://github.com/keycloak/keycloak-quickstarts>.
Upgraded AngularJS and JQuery
We've upgraded the versions we use of AngularJS and JQuery as there where a
number of known vulnerabilities. We're fairly certain neither of the known
vulnerabilities affect Keycloak, but to be on the safe side we decided to
upgrade.
Updated Password Hashing Algorithms
We're still using PBKDF2, but we've added support for SHA256 and SHA512.
PBKDF2 is SHA256 is now used by default.
Spring Boot QuickStarter
We've added a new Spring Boot QuickStarter that makes it super simple to
get started securing your Spring Boot applications. For more details check
out the blog post about it
<http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html>.
Loads more..
- Partial export of realms in the admin console
- Redirect URI rewrite rules for adapters
- Test email settings in the admin console
- Initial access tokens now persisted to the db
The full list of resolved issues is available in JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
.
Upgrading
Before you upgrade remember to backup your database and check the migration
guide
<https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF...>.
Release candidates are not recommended in production and we do not support
upgrading from release candidates.
7 years
Potential database connection leak in current master (3.3.0) in permissions tab
by Thomas Darimont
Hello guys,
I just noticed that there seem to be connection leak somewhere triggered
by using the authorization / permissions tab in the admin console in the
current master.
It's a bit hard to trigger but I can reproduce the problem with the
following steps:
login as admin
goto the realm-management client
goto authorizations tab -> Authorization Scopes
click show details...
click hide details...
:view_and_edit_client_permissions
goto a client -> select the permissions tab
enable permissions (if not enabled)
on any permission click edit
Click the authorization in the breadcrumb
select the Authorization Scopes sub tab
click show details...
click hide details...
GOTO view_and_edit_client_permissions (2, or 3 times)
I ran the embedded org.keycloak.testsuite.KeycloakServer (from the soon to
be gone testsuite...)
with the following vm-options:
-Dkeycloak.bind.address=0.0.0.0
-Djava.net.preferIPv4Stack=true
-Dkeycloak.connectionsJpa.url=jdbc:postgresql://localhost:5432/idm_keycloak_3_3_0_master
-Dkeycloak.connectionsJpa.driver=org.postgresql.Driver
-Dkeycloak.connectionsJpa.driverDialect=org.hibernate.dialect.PostgreSQLDialect
-Dkeycloak.connectionsJpa.user=keycloak
-Dkeycloak.connectionsJpa.password=keycloak
-Dkeycloak.connectionsJpa.showSql=true
-Dkeycloak.connectionsJpa.formatSql=true
Before the PersistenceException I see a bunch of SQL statements executed
via hibernate:
...
Hibernate:
select
resourcese0_.ID as col_0_0_
from
RESOURCE_SERVER resourcese0_
where
resourcese0_.CLIENT_ID=?
Hibernate:
select
realmentit0_.ID as col_0_0_
from
REALM realmentit0_
Hibernate:
select
realmentit0_.ID as col_0_0_
from
REALM realmentit0_
Hibernate:
select
resourceen0_.ID as col_0_0_
from
RESOURCE_SERVER_RESOURCE resourceen0_
where
resourceen0_.RESOURCE_SERVER_ID=?
and (
resourceen0_.ID in (
?
)
)
order by
resourceen0_.NAME asc limit ?
StackTrace:
20:41:28,406 ERROR XNIO-1 task-55 [io.undertow.request] UT005023: Exception
handling request to
/auth/admin/realms/godemo/clients/04db0bbf-6417-41bf-99ed-e33f305e1d8e/authz/resource-server/scope/34f30b87-063b-4b04-9191-d9a8af321604/permissions
org.jboss.resteasy.spi.UnhandledException:
javax.persistence.PersistenceException:
org.hibernate.exception.GenericJDBCException: Error calling Driver#connect
at
org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:247)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:471)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:415)
at
org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at
org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at
org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at
io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at
org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
at
io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
at
io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at
io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at
io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at
io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at
io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at
io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at
io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at
io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at
io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at
io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
at
io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
at
io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
at
io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
at
io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
at
io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at
io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:211)
at
io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:809)
at
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.persistence.PersistenceException:
org.hibernate.exception.GenericJDBCException: Error calling Driver#connect
at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1692)
at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.convert(AbstractEntityManagerImpl.java:1602)
at
org.hibernate.jpa.spi.AbstractEntityManagerImpl.throwPersistenceException(AbstractEntityManagerImpl.java:1700)
at
org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:48)
at
org.keycloak.connections.jpa.JpaKeycloakTransaction.begin(JpaKeycloakTransaction.java:39)
at
org.keycloak.services.DefaultKeycloakTransactionManager.enlist(DefaultKeycloakTransactionManager.java:52)
at
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:89)
at
org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:56)
at
org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:163)
at
org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.getEntityManager(JPAAuthorizationStoreFactory.java:56)
at
org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.create(JPAAuthorizationStoreFactory.java:37)
at
org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.create(JPAAuthorizationStoreFactory.java:33)
at
org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:163)
at
org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession.getDelegate(StoreFactoryCacheSession.java:344)
at
org.keycloak.models.cache.infinispan.authorization.StoreFactoryCacheSession$2.commit(StoreFactoryCacheSession.java:175)
at
org.keycloak.services.DefaultKeycloakTransactionManager.commit(DefaultKeycloakTransactionManager.java:136)
at
org.keycloak.services.filters.KeycloakTransactionCommitter.filter(KeycloakTransactionCommitter.java:43)
at
org.jboss.resteasy.core.ServerResponseWriter.executeFilters(ServerResponseWriter.java:121)
at
org.jboss.resteasy.core.ServerResponseWriter.writeNomapResponse(ServerResponseWriter.java:48)
at
org.jboss.resteasy.core.SynchronousDispatcher.writeResponse(SynchronousDispatcher.java:466)
... 38 more
Caused by: org.hibernate.exception.GenericJDBCException: Error calling
Driver#connect
at
org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
at
org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:109)
at
org.hibernate.engine.jdbc.connections.internal.BasicConnectionCreator.convertSqlException(BasicConnectionCreator.java:118)
at
org.hibernate.engine.jdbc.connections.internal.DriverConnectionCreator.makeConnection(DriverConnectionCreator.java:41)
at
org.hibernate.engine.jdbc.connections.internal.BasicConnectionCreator.createConnection(BasicConnectionCreator.java:58)
at
org.hibernate.engine.jdbc.connections.internal.DriverManagerConnectionProviderImpl.getConnection(DriverManagerConnectionProviderImpl.java:189)
at
org.hibernate.internal.AbstractSessionImpl$NonContextualJdbcConnectionAccess.obtainConnection(AbstractSessionImpl.java:386)
at
org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:87)
at
org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getPhysicalConnection(LogicalConnectionManagedImpl.java:112)
at
org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getConnectionForTransactionManagement(LogicalConnectionManagedImpl.java:230)
at
org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.begin(LogicalConnectionManagedImpl.java:237)
at
org.hibernate.resource.transaction.backend.jdbc.internal.JdbcResourceLocalTransactionCoordinatorImpl$TransactionDriverControlImpl.begin(JdbcResourceLocalTransactionCoordinatorImpl.java:214)
at
org.hibernate.engine.transaction.internal.TransactionImpl.begin(TransactionImpl.java:52)
at
org.hibernate.internal.SessionImpl.beginTransaction(SessionImpl.java:1512)
at
org.hibernate.jpa.internal.TransactionImpl.begin(TransactionImpl.java:45)
... 54 more
Caused by: org.postgresql.util.PSQLException: FATAL: remaining connection
slots are reserved for non-replication superuser connections
at
org.postgresql.core.v3.ConnectionFactoryImpl.readStartupMessages(ConnectionFactoryImpl.java:572)
at
org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:177)
at
org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)
at
org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:136)
at
org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:29)
at
org.postgresql.jdbc3g.AbstractJdbc3gConnection.<init>(AbstractJdbc3gConnection.java:21)
at
org.postgresql.jdbc4.AbstractJdbc4Connection.<init>(AbstractJdbc4Connection.java:31)
at org.postgresql.jdbc4.Jdbc4Connection.<init>(Jdbc4Connection.java:24)
at org.postgresql.Driver.makeConnection(Driver.java:410)
at org.postgresql.Driver.connect(Driver.java:280)
at
org.hibernate.engine.jdbc.connections.internal.DriverConnectionCreator.makeConnection(DriverConnectionCreator.java:38)
... 65 more
7 years
Re: [keycloak-dev] Spring boot 2 adapter?
by Ryan Dawson
Hi All,
I’m looking to use key cloak with spring boot 2 (which is currently at 2.0.0M2). I realised that there wasn’t an adapter so I’ve written up a ticket and then submitted a PR (https://issues.jboss.org/browse/KEYCLOAK-5098). Apologies for not emailing the list first but better late than never. Presently it’s only working with the embedded jetty and undertow and not the embedded tomcat (the redirectUri fails to get decoded) but I don’t think that’s a problem with the adapter as such as the tomcat config does get applied. If anyone has any thoughts please let me know.
Ryan
7 years
Community extensions and examples
by Stian Thorgersen
At times there are extensions and examples that we don't want to include in
the main repository. This could be for several reasons, including:
* We don't have the resources to maintain and support it
* We don't believe it's generic enough
* Examples that are to complex
However, these can still be useful for some people. So I'm thinking about
how we can provide community maintained extensions and examples.
A very simple idea would be to add a page on our website that links to the
relevant repository and documentation. To contribute you would setup your
own Github repository, documentation and also a download if you want. Then
you'd send a PR to the website to add your extension or example.
Thoughts?
7 years
