June 2017 - keycloak-dev - Jboss List Archives

Add support for creating user with credentials in admin endpoints

by Stian Thorgersen

Currently the admin endpoints ignores credentials when creating the user and a second post is needed to add credentials. I don't see any reason why it has to be this way and we should be able to change it? We already have a PR for it https://issues.jboss.org/browse/KEYCLOAK-5026.

7 years, 6 months

4
6
0 / 0

Group Based Policy

by Pedro Igor Silva

Hi All, I'm adding a Group Based Policy to our set of supported policies. Basically, this policy allows you to define the group(s) you want to give access to some resource or scope. Would like to share my initial scope with you and see if you guys have anything else to add: * Users can select one or more groups * Users can define groups using paths (e.g.: /Group A/Group B/*, /Group A, /Group A/Group B) * Users can decide whether or not access is granted if the identity is a member of all or any of the selected groups * Users can decide whether or not access extends to sub-groups of a parent group Please, let me know your thoughts. Regards. Pedro Igor

7 years, 6 months

4
16
0 / 0

arquillian testsuite still eating exceptions

by Bill Burke

I'm getting an error during AbstractKeycloakTest.afterAbstractKeycloakTest() when cleanup is executed. The problem is that the log only shows NullPointerException with no stack trace. Even worse, the failure only occurs during a full maven build. I can't duplicate the problem in IDE. Why does arquillian not display stack traces?

7 years, 6 months

2
3
0 / 0

Htmlunit vs PhantomJS vs Chrome

by Stian Thorgersen

We've picked Htmlunit as the default browser to run tests with due to it being the fastest. Downside is that it simply doesn't work very well for all tests, especially those heavy on the javascript side of things like testing the JavaScript adapter and admin console. Just saw that Chrome is actually bringing a headless option to Chrome 59 [1]. This is really nice as it allows headless testing with a real browser, not just an emulated browser. Ideally if this is fast we could use it as the default browser instead of htmlunit. Obviously waiting until it's released on all platforms. If it's not as fast as htmlunit then maybe there is a compromise. The default browser would still be htmlunit. Then individual tests could be marked (with an annotation on the class or on the WebDriver field). Those marked would use Chrome in headless mode instead of htmlunit. Obviously -Dbrowser would continue to override the browser in either case. Thoughts? Anyone interested in giving the new headless Chrome option a spin and evaluating how fast it is compared to htmlunit? [1] https://developers.google.com/web/updates/2017/04/headless-chrome

7 years, 6 months

4
6
0 / 0

Re: [keycloak-dev] SpringBoot multi-tenancy

by Ankit Gupta

Hi Team, Woukd it be possible for you guys to guide me on how to implement Multi-tenant SSO in a spring boot application. I had gone through the example of multi-tenancy in the github library, but i am not sure how could I implement the similar feature for the SpringBoot application. Any help would be appreciated, as I am trying to weigh the keycloak for our new application for the clients. As our application is going to SpringBoot microservice based application, the feature of multi-tenancy is necessary for us. Awaiting for response. Thanks & Regards, Ankit Gupta

7 years, 6 months

1
0
0 / 0

Importing credentials via API

by Machiel Groeneveld

Hi, I’m currently migrating a legacy database to Keycloak. I’m importing the users via the REST API. Now I’ve run into the issue that credentials are not stored when the user is created. The code doesn’t seem to invoke any calls related to credentials. The code does exist but is only invoked during the file import (or partial import). Is it an option to add the credential processing to the UsersResource.createUser() ? I’ve also created an issue https://issues.jboss.org/browse/KEYCLOAK-5026 <https://issues.jboss.org/browse/KEYCLOAK-5026>

7 years, 6 months

2
1
0 / 0

Inconsistency in handling null User attribute values: IdentityProviderMapper versus UserRepresentation

by Alex Szczuczko

Hi, My work on KEYCLOAK-4778 highlighted an inconsistency in User attribute value handling. When a IdentityProviderMapper accepts a user attribute, it seems (I haven't looked at all of them) they will drop (not import/store) those that have a null value. However, the REST API does something different. UserRepresentation (through StringListMapDeserializer) will convert null values to a String of "null". Any objections to changing StringListMapDeserializer to also ignore null valued attributes? UserRepresentation is the only user of StringListMapDeserializer. Alex

7 years, 6 months

1
0
0 / 0

JavaScript adapter & caching of session status iframe

by Iván Perdomo

Hi all, We have found an issue when using the JavaScript Adapter [1] and upgrading from Keycloak 2.5.1 Final to 3.1.0.Final [2] > By default, the JavaScript adapter creates a hidden iframe that is > used to detect if a Single-Sign Out has occurred. Using default settings, Keycloak will send a cache-control header to the browser and will cache the iframe status page for 30 days. [3] If you happen to upgrade Keycloak within those 30 days, there is a out-of-sync interaction between the adapter and Keycloak. The browser won't even make the HTTP request before those 30 days, and the upgraded adapter code will attempt to use code from a page that is oudated. A potential solution is that we use the Keycloak version as cache busting via query parameters [4], e.g. when injecting the iframe it will append the Keycloak version: https://kc-host/realms/realm/protocol/openid-connect/login-status-iframe.... Another 'easier' solution is to not cache the status iframe at all. This is easier because the JS Adapter is *not* version aware. To include the version as cache busting, we'll need to include it as part of the Keycloak object, that means touching this file on every release, even if the code itself has not changed. Do you consider this a bug? Should i log it in JIRA? We're happy to contribute the change. [1] http://www.keycloak.org/docs/3.1/securing_apps/topics/oidc/javascript-ada... [2] https://github.com/akvo/akvo-lumen/issues/801 [3] https://github.com/keycloak/keycloak/blob/3.1.0.Final/services/src/main/j... [4] https://stackoverflow.com/questions/9692665/cache-busting-via-params -- Iván

7 years, 6 months

2
2
0 / 0

Re: [keycloak-dev] The browser property and the org.keycloak.testsuite.console.* UI tests

by Vaclav Muzikar

The UI tests are not supposed to work with "artificial" browsers - only the real-life ones are supported. UI tests are high-demanding on JS interpreter (PhantomJS nor HtmlUnit can satisfy such demands) and moreover UI needs to be anyway tested with all supported browsers (due to some differences between them). So it wouldn't make much sense to run them with e.g. HtmlUnit. Please see our HOW-TO-RUN [1] where are the instructions on some special tests (like UI or adapters). However, good point that we should add some check for supported browsers before running the tests. I'll look into it. [1] https://github.com/keycloak/keycloak/blob/master/testsuite/integration-ar... V. On Wed, May 31, 2017 at 8:41 AM, Pavel Drozd <pdrozd(a)redhat.com> wrote: > Dne 31.5.2017 v 08:31 Stian Thorgersen napsal(a): > > Ideally the console tests should work with HtmlUnit, but failing that they > certainly need to work with PhantomJS. > > Pavel - any chance we can get the console tests working with HtmlUnit? If > not I guess we need to set the default for the console tests to PhantomJS. > > > We were focusing to run the tests mainly with real browsers. Vasek did you > try to run the UI tests with HtmlUnit? > > > On 30 May 2017 at 17:37, Alex Szczuczko <aszczucz(a)redhat.com> wrote: > >> Hi, >> >> I just lost a couple days to a really simple mistake when running the UI >> tests. I didn't set -Dbrowser=firefox, so the headless WebDriver was used, >> which produces a lot of impossible errors that I couldn't figure out at >> all. To save the next person the same agony, I think there are two possible >> solutions: >> >> 1. Define a default browser=firefox property in >> testsuite/integration-arquillian/tests/other/console/pom.xml >> >> 2. Use a plugin to fail the build if the user has not defined the browser >> property on the command line. >> >> Note that you need to enable a profile to run these tests >> (-Pconsole-ui-tests), so this doesn't impact the project's normal mvn clean >> install. >> >> Opinions on either of these options? >> >> Thanks, >> Alex >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> > > > -- Václav Muzikář Quality Engineer Keycloak / Red Hat Single Sign-On Red Hat Czech s.r.o.

7 years, 6 months

3
3
0 / 0

Multiple tenants in a single realm

by Shanon Levenherz

Hi there, I’m looking to leverage Keycloak as the primary IdP for our SaaS platform. We have many tenants, each with their own sub-tenants ( their customers ) and would like to provide them with the ability to administer themselves (and enable sub-tenant users to admin the sub-tenant, etc). Based on my current research, which includes the multi-tenant example in the GitHub repo, it appears that multiple tenants are supported via separate realms. My current thinking is that I’d like to use a single realm as I’d like for a platform administrator (like myself) to be able to manage all users in a single place, use a group hierarchy to support multiple tenants, and apply roles to specific users in a group to eg. administer the users or create a sub group for a new tenant. Something like this: REALM | |- User 1 (user-admin role) | |- Tenant 1 Group | | | |- User 1.1 (user-admin role) | |- User 1.2 | |- … | |- User 1.n | |- Tenant 2 Group | | | |- User 2.1 (user-admin role) | |- User 2.1 | |- … | |- User 2.n | | | |- Tenant 3 Group | | | |- User 3.1 (user-admin role) | |- User 3.2 | |- … | |- User 3.n From the above we’re looking for: * User 1 is the realm/platform administrator and has full control over all groups/users * User 1.1 is the administrator for Tenant 1 * User 2.1 is the administrator for Tenants 2 and 3 * User 3.1 is the administrator for Tenant 3 I came across this thread <http://lists.jboss.org/pipermail/keycloak-user/2015-October/003359.html> and specifically this comment from Bill Burke: >I like that idea. A better alternative might be that each group has an >"user-admin" role. If a user has the "user-admin" role of the group, it >can administer users in that group and assign roles defined in that >group. One thing to really think about is, what about sub-groups. Can >an admin of the parent group administer sub groups? This post is from October 2015, so I’m curious if the ability to grant specific roles to specific users in a specific group has been implemented at all? I can’t find anything about it in the docs. I also just noticed this JIRA issue <https://issues.jboss.org/browse/KEYCLOAK-3168> but am not sure if it’s the same thing. Disclaimer: I’m new to Keycloak so maybe am misunderstanding and/or going about this incorrectly… please let me know if I can provide more information; I can provide a more complete description of my goals / requirements if that would help. Thank you! Best, Shanon

7 years, 7 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev June 2017