January 2018 - keycloak-dev - Jboss List Archives

by Bill Burke

TLDR; Per client authentication flows? Client can be configured to override realm authentication flows. Background: I'm specing out how we will replace OSIN (openshift oauth server) with Keycloak. One issue is that each oauth client in OSIN can specify the authentication flow they want. Non-browser clients like the 'oc' cmd line tool want a 401, challenge-based protocol...Web console, obviously wants HTML. They All OSIN clients use the OAuth auth-code-grant irregardless if they are non-brwoser or browser clients. Keycloak assumes this oauth grant type is browser based and expects non-browser clients to use Resource Credentials grant or client credential grant. OSIN does not support this and we (keycloak) have to be backward compatible. Solution: I think it would be pretty simple to add the ability to override authentication flows per client. I don't think this would be a one-off for OSIN as we could use it to implement other non-browser input protocols. For example, I wanted to be able to have a text-based auth flow for command line logins. I think this could be a way to implement that. -- Bill Burke Red Hat

5 years, 4 months

3
13
0 / 0

WG: How to generate a token string in a custom keycloak extension?

by Felix Peters

Hi, I'm pretty new to Keycloak development and at the moment I'm trying to develop some demo extensions to learn how SPI's an stuff like that work in Keycloak. My Question is: Is there a util- or helper-class which I can use to generate an secure token string in my extension code (pretty much the same as an oauth access or refresh token)? I was not able to find something In the Keycloak code, but maybe there is something like that. Thank you in advance, Felix Peters

5 years, 4 months

3
3
0 / 0

Authorization Services and UMA 2.0 changes

by Pedro Igor Silva

Hi All, We are about to finish the initial round of changes to make Keycloak Authorization Services compliant with UMA 2.0. One of the main changes is related with a new OAuth2 Grant Type introduced by UMA 2.0 [1] and how it will be used as a replacement for both Entitlement and Authorization API. In UMA 2.0, there is no Authorization API anymore, thus it will be removed on future versions of Keycloak. Regarding Entitlement API, it will also be removed in favor of the new grant type, but in this case we are using some extensions to UMA grant type to provide the same functionality. One of the objectives of this change in particular is to have a single endpoint from where permissions can be obtained. Another important change is also related with UMA where end-users should be able now to manage their own resource and permissions via Account Management Console. Users would be able to access a "Resource" page from where they can: * See the resources they own * Check for pending permission requests (waiting for the owners approval). As well options to grant/deny the request. * Check for all "shared resources" / granted permissions. As well options to revoke permissions * Select an user they want to grant access to a resource and/or scope Other changes are related with the Policy Enforcer, Authorization Client Java API and configuration. For these areas in particular changes are minimal, specially regarding policy enforcer configuration. These changes are targeted to Keycloak v4 and we'll be updating docs accordingly, specially on how to migrate to the new version. Regards. Pedro Igor [1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html

5 years, 4 months

1
0
0 / 0

Download Link in Blog points to old download page

by Thomas Darimont

Hello, I just noticed that the download link under http://blog.keycloak.org/ points to the old sourceforge download page. The download link should probably point to: http://www.keycloak.org/downloads Cheers, Thomas

5 years, 4 months

2
1
0 / 0

Ignoring self signed cert errors while developing

by Aiden Keating

Hello, I am configuring an OpenShift v3 identity provider on Keycloak using an Ansible playbook. I have created the identity provider successfully. After filling in my OpenShift username and password I see an "Unexpected error when authenticating with identity provider" error from Keycloak. This is due to the self signed certificates of the OpenShift development cluster I am using (using oc cluster up). I am looking for an option to ignore these errors when in a development environment. I have read about the 'disable-trust-manager' option, from what I understand this can be set in development environments to avoid these errors. However, I am not fully clear on how to use it and how to configure it. Can this option be set using the REST API? Any help would be greatly appreciated. Thanks, Aiden Keating

5 years, 4 months

2
2
0 / 0

development image?

by Bill Burke

Do we need a development image that builds from master. A Dockerfile script that: - derives from jdk8 - installs git client - install maven - git clone https://github.com/keycloak/keycloak - mvn clean install -Pdistro -DskipTests=true - unzip distro into /opt/keycloak We have a couple of teams asking for something like this within Red Hat as I'm guessing they don't want to deal with running maven themselves. Does that sort of flow make sense? -- Bill Burke Red Hat

5 years, 4 months

4
13
0 / 0

Possible bug in Keycloak 3.4.3?

by John D. Ament

Hi, We're working on upgrading to Keycloak 3.4.3. We hit a weird issue where it looks like some backwards compatible code isn't working right in the client adapter. We found this block which seems suspect https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/j... It looks like the values for redirectUri and redirectUriParam are actually backwards. We see the session_state query param in the value of redirectUri not redirectUriParam, and this causes the next check for the values being equal to fail. John

5 years, 4 months

1
2
0 / 0

How to remove the new interstitial list of required actions page

by John D. Ament

Hi, I noticed that in the new version of keycloak there's a landing page that a user receives when they're not logged in (I guess?) for a list of actions to perform. This page doesn't make much sense to me as a user, I just want to see my action since I only have one to do ever. I see this commit introduced it https://github.com/keycloak/keycloak/commit/4583a45e781093d4ba10f23f56323... but I can't see the linked JIRA ticket (i guess it's secure?). I don't see a way to turn off this page. Is that on purpose? John

5 years, 4 months

2
3
0 / 0

Keycloak support

by Kalidindi, Sai Soma Kala

Hi, We are having an issue where we see some of the entries getting deleted from user_entity table when we start our keycloak. After days of debugging we don't know why this is happening. We are planning to buy commercial support for this issue. Looks like only the Red hat versions of keycloak has commercial support. We are using open source verison 1.9.8. Can someone point me in right direction on where we can get commercial support for open source versions. Thanks, Sai.

5 years, 4 months

2
1
0 / 0

User entity entries in database are getting deleted after Keycloak Migration and restart

by Kalidindi, Sai Soma Kala

Hi, We are using offline tokens for our clients, when we login in initially we give tag "offline" which gets us refresh and access tokens . 1) We use 1.9.8 version of keycloak. We have configured our keycloak realm to set revoke refresh tokens, which means refresh tokens are revoked once used for refreshing. 2) We have 2 keycloak clusters. 3) Our client initially pointed to KC1 which is old environment . 4) Now the KC1 database and certs are migrated to KC2 our new environment . 5) Client refresh token which it got from old env works on new env, for some clients where as it does not work for others. 6) What we have found is, we initially stop the keycloka service, migrate data and start it again. Once migration is done, I check all the tables have right data, which looks good but after restart we see that it is synching user_entity table with ldap and 3 of the users are being deleted from user_entity and user_attribute table and hence any tokens associated with these 3 users are being deleted from the Offline_client_session and Offline_user_session . At this point I am not clear why it is deleting even though I see ldap has it. Any suggestions or help is greatly appreciated. Thanks, Sai.

5 years, 4 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev January 2018