Introduction and Opening Discussion about [KEYCLOAK-7043] Certificate Expiration Notification Feature
by Benjamin Berg
Hi Keycloak Developers,
I'm Benjamin Berg, an Associate Software Applications Engineer. I have
recently joined a team that utilizes Keycloak, and just about a week ago I
submitted a pull request introducing a new feature into Keycloak. Inside
that pull request on GitHub, I received a comment from "stainst" to
come onto this mailing list and open a discussion. So I thought I'd
introduce myself and send you some information about the feature (info down
below) I developed. I appreciate getting any feedback and I hope you
all like this new addition!
==========================================
-Problem-
Certificates in the realm(s) and client(s) expire quietly.
-Solution-
Certificates in the realm(s) and client(s) need to send out an email
notification if they are about to expire (or have already expired).
-Pull Request-
https://github.com/keycloak/keycloak/pull/5121
You can now set up email notifications for when certificates in the realm(s)
and client(s) are about to expire (or have already expired).
-Description from the Pull Request-
Description: You can now set up email notifications for when certificates in
the realm(s) and client(s) are about to expire (or have already expired).
High Level Overview of Changes:
Front-End: Incorporated a field to the "Realm Settings" tab "Email" called
"Certificate Notification Email Address" where you enter an email address
that you want to have certificate expiration notifications sent to.
Back-End: Created classes that are scheduled to check both the realm(s) and
client(s) for certificates that have or are about to expire.
Testing: Created unit tests for added code and Travis-CI tests pass.
JIRA Link: KEYCLOAK-7043 <https://issues.jboss.org/browse/KEYCLOAK-7043>
Description: Certificates in the realm(s) and client(s) need to send out an
email notification if they are about to expire (or have already expired).
==========================================
Cheers!
--
Benjamin Jacob Berg
Associate Software Applications Engineer
Red Hat Inc
100 East Davie Street
Raleigh NC, 27601
Email: benjamin.berg(a)redhat.com
Phone: +19197490752
IRC: benjamin
6 years, 9 months
Buffered InputStream in HttpFacade
by Pedro Igor Silva
I would like to add a new method to HttpFacade.Request interface in order
to be able to obtain a buffered input stream.
The requirement is that I need to read the inputstream before passing it to
the application.
This will not change current behavior for those using
HttpFacade.Request.getInputStream.
Any objection ?
Regards.
Pedro Igor
Must clear cookies
by Stan Silvert
I just rebuilt Keycloak from scratch. I created my admin user with
add-user-keycloak.bat.
On first login, it wouldn't let me in and put this error in the log
several times:
14:43:23,735 WARN [org.keycloak.events] (default task-7)
type=LOGIN_ERROR, realmId=master, clientId=null, userId=null,
ipAddress=127.0.0.1, error=expired_code, restart_after_timeout=true
In order to login I had to clear my cookies.
Not sure what caused that but I've never had to do it before. Anybody
have insight?
Stan
Hardcoded Group Mapper for the broker authentication
by Michael Furman
Hi all,
I want to develop and to contribute Hardcoded Group Mapper for the broker authentication.
The behavior will be similar to org.keycloak.broker.provider.HardcodedRoleMapper.
What is the best approach to do it?
To open Jira and then to submit a patch?
Will you agree to add it to 3.4.x version?
Best regards,
Michael
Re: [keycloak-dev] https://github.com/keycloak/keycloak/pull/4952
by Bill Burke
Including keycloak-dev
Anybody have a link to the old email thread? IIRC, there was a JIRA
that stated how easy it was for an actual user (not an attacker) to
become locked out forever.
1. set max retries to 3
2. user enters in wrong password 3 times
3. user gets temporarily locked out
4. user tries to login again before the timeout is expired
5. Login fails even if user enters in right password as the account is
locked out
6. brute force wait time is incremented because there was a failure.
7. Loop to 4
Can't break the loop.
In reality it should work the same as your iPhone, where the wait
time is only incremented if you enter invalid credentials.
On Fri, Apr 6, 2018 at 3:11 AM, Stian Thorgersen <sthorger(a)redhat.com> wrote:
> What's going on with this one? We never reached a conclusion I believe if
> the current behaviour is what we want and we just need to add some
> clarification to docs or if we should change the behaviour.
--
Bill Burke
Red Hat
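As an added illustration of the loop above (example code, not Keycloak's brute-force detector), this simulation compares a detector that extends the lockout on every rejected login with one that extends it only on actually wrong credentials; the retry limit, wait times and password are constructed values.

```python
"""Simulated temporary-lockout detector for the loop described in the thread
(added example, not Keycloak code; all numbers are constructed). Policies:
  any_failure          - wait grows on every rejected login, even one rejected
                         only because the account is currently locked.
  bad_credentials_only - wait grows only on actually wrong credentials."""
from dataclasses import dataclass

MAX_RETRIES = 3
BASE_WAIT = 30                   # seconds; constructed
MAX_WAIT = 900                   # cap on one lockout period; constructed
REAL_PASSWORD = "correct horse"  # constructed

@dataclass
class LockoutState:
    failures: int = 0      # consecutive failures counting towards the wait
    locked_until: int = 0  # simulated clock value at which the lock ends

def _extend_lock(state, now):
    wait = min(BASE_WAIT * 2 ** (state.failures - MAX_RETRIES), MAX_WAIT)
    state.locked_until = now + wait

def attempt(state, password, now, policy):
    """One login attempt at simulated time `now`; returns True on success."""
    if now < state.locked_until:              # still locked: reject regardless
        if policy == "any_failure":           # the rejection itself counts ...
            state.failures += 1               # ... and extends the lock
            _extend_lock(state, now)
        return False
    if password != REAL_PASSWORD:
        state.failures += 1
        if state.failures >= MAX_RETRIES:
            _extend_lock(state, now)
        return False
    state.failures, state.locked_until = 0, 0  # success while unlocked: reset
    return True

def simulate(policy, retry_every=10, rounds=20):
    """3 wrong passwords one second apart, then the correct password every
    `retry_every` seconds; returns the time of the first success, or None."""
    state, now = LockoutState(), 0
    for _ in range(MAX_RETRIES):
        attempt(state, "wrong", now, policy)
        now += 1
    for _ in range(rounds):
        if attempt(state, REAL_PASSWORD, now, policy):
            return now
        now += retry_every
    return None
```

With the default 10-second retry interval the `any_failure` policy never lets the user back in; it only breaks out if the user waits longer than the capped lockout.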
Token validator endpoint (for humans)
by Stian Thorgersen
I added an example token validator endpoint that I needed for some
demonstration purposes. Question would this be useful to add directly to
Keycloak?
It provides a simple form where you can paste in the base64 token. It will
then output the header, claims and whether or not the token is valid. It
uses realm keys to verify the signature so you don't have to paste that in
manually (like you do on jwt.io).
For those too lazy to try it out I've attached a screenshot.
wildfly pkg manager changes everything
by Bill Burke
Had a long talk with Jason Greene today and one of the things that
came up was the Wildfly Package Manager that is being developed.
You'll be able to pull in the exact subsystems, modules, you want,
even as fine-grained as saying "I don't want EJB remoting". You'll be
able to update, at will, all or parts of the install. This
completely changes patch management for all of us. You'll be able to
easily create and extend distros and service packs. Service packs
that depend on service packs. A lot of interesting combinations. They
are also looking into various ways to organize an image hierarchy so
even how we build images for keycloak may change. It is all maven
artifact based, which means that service pack definitions,
distributions, images, installations are measured in kilobytes rather
than hundreds of megabytes as these definitions point into maven
repos. It's not limited to Java either and will be able to really
package manage anything... cross-platform as it's written in Java.
This brings a smile to my face as we can ditch this whole monolithic
distribution approach we currently have with bare metal and
docker/openshift. Keycloak, IMO, has always been more of an
integration platform than a black box appliance and this will be a big
boon to developers that want to optimize their distribution, memory
consumption, image size, etc.
--
Bill Burke
Red Hat