Keycloak master Docker image
by Stian Thorgersen
If you ever wanted to try something in Keycloak master without building it
yourself, you can now use the jboss/keycloak:master tag. It is automatically
rebuilt every time there is a merge to master.
6 years, 4 months
Keycloak 4.3 error column resourceen0_.uri does not exist
by Gary Schulte
We recently upgraded from 4.1.0.Final to 4.3.0.Final, and have been getting
this exception in various operations:
... 102 more
Caused by: org.postgresql.util.PSQLException: ERROR: column resourceen0_.uri does not exist
Position: 336
    at org.postgresql.core.v3.QueryExecutorImpl.receiveErrorResponse(QueryExecutorImpl.java:2433)
    at org.postgresql.core.v3.QueryExecutorImpl.processResults(QueryExecutorImpl.java:2178)
    at org.postgresql.core.v3.QueryExecutorImpl.execute(QueryExecutorImpl.java:306)
    at org.postgresql.jdbc.PgStatement.executeInternal(PgStatement.java:441)
    at org.postgresql.jdbc.PgStatement.execute(PgStatement.java:365)
    at org.postgresql.jdbc.PgPreparedStatement.executeWithFlags(PgPreparedStatement.java:155)
    at org.postgresql.jdbc.PgPreparedStatement.executeQuery(PgPreparedStatement.java:118)
    at org.jboss.jca.adapters.jdbc.WrappedPreparedStatement.executeQuery(WrappedPreparedStatement.java:504)
    at org.hibernate.engine.jdbc.internal.ResultSetReturnImpl.extract(ResultSetReturnImpl.java:70)
... 120 more
I first encountered this trying to export the configuration
via `keycloak.migration.action=export`, but am now encountering it in a
number of operations such as impersonating a user from the admin console.
We aborted an upgrade to 4.2.1 due to a failed db migration, but 4.3.0
worked fine. Presumably there is a problem with the ddl migration.
Any speculation on root cause and/or a fix? Is there a DDL published
FYI we have keycloak deployed to k8s using an Amazon RDS postgres instance
for the backing store.
TIA
Gary S
6 years, 4 months
Re: [keycloak-dev] [keycloak-user] Keycloak Proxy Rename
by Stian Thorgersen
Sure, proxy is the obvious name, but for reasons already mentioned by Bruno
it's not really an option for us.
It comes from the Keycloak team, so it should have the Keycloak name in it.
I agree that doesn't automatically state it's a generic OIDC adapter, but
I'd like to keep our name in there.
From the suggestions so far there are two I like:
* Keycloak Gatekeeper - suggested by Thomas on the poll. I really like this
and it fits nicely with Keycloak. It's also so much cooler than
proxy/standalone/etc.
* Keycloak Standalone Adapter
On Tue, 21 Aug 2018 at 04:27, Fox, Kevin M <Kevin.Fox(a)pnnl.gov> wrote:
> Coming from the outside world, I mostly searched for oidc and proxy as
> that's what I needed. I found oauth2_proxy after a little searching, but
> have been disappointed in how slow its releases are. Bugs aren't getting
> fixed quickly. When I looked at keycloak-proxy initially, I didn't look
> closer for a while as I thought it was keycloak specific.
>
> So, something like oidc-proxy might get you more successful hits.
>
> Thanks,
> Kevin
> ________________________________________
> From: keycloak-user-bounces(a)lists.jboss.org [
> keycloak-user-bounces(a)lists.jboss.org] on behalf of Alex Szczuczko [
> aszczucz(a)redhat.com]
> Sent: Monday, August 20, 2018 2:04 PM
> To: Bruno Oliveira; Hynek Mlnarik
> Cc: keycloak-dev; keycloak-user
> Subject: Re: [keycloak-user] Keycloak Proxy Rename
>
> In thinking of a new name, I tried to look hard at these things:
>
> 1. what this software actually does.
>
> 2. what makes this software desirable to a user.
>
> 3. what "adapter" has meant for keycloak in the past.
>
> I'm not the best person to answer these questions, but here's what I've
> dug up:
>
> 1. Accepts HTTP requests and talks with Keycloak via OIDC to see if
> the client it serves should treat the requests as authenticated
> and/or authorized.
>
> 2. It avoids the need to install a bit of Keycloak software into the
> users' applications.
>
> 3. According to the docs[1]: Keycloak client adapters are libraries
> that makes it very easy to secure applications and services with
> Keycloak ... our adapters easy to use and they require less
> boilerplate code than what is typically required by a library.
>
> #1 is what we've been focusing on with names like "proxy". The reason
> such names are dissatisfying is there is nothing unique about sitting in
> between two endpoints and doing stuff. So, we need to look at what that
> "stuff" means for Keycloak.
>
> #3 in combination with #2 tells us what this "stuff" means for Keycloak.
> This new software is clearly not an adapter. Actually, this new software
> accomplishes the mission of an adapter better than adapters themselves!
>
> Following that logic, Superadapter is my main proposal for a new name.
> Maybe throw in OIDC (oidc-superadapter) if there's ever going to be a
> saml-superadapter.
>
> Alternatively, we could focus on the lack of an adapter, with names
> based on terms like Adapterless:
>
> - AKI: Adapterless Keycloak Integrator
> - KOSA: Keycloak OIDC Sans-Adapter
> - AKOS: Adapterless Keycloak OIDC Server
> - KOAF: Keycloak OIDC Adapter-Free
> - etc...
>
> Alex
>
> [1]
> https://www.keycloak.org/docs/latest/securing_apps/index.html#what-are-cl...
>
> Quoting Bruno Oliveira (2018-08-20 09:54:42)
> > Only to give a brief context for people not aware of it. Keycloak
> > Generic Adapter was not well accepted, because the naming is too
> > vague. So we have to reopen this discussion and think about a better
> > naming.
> >
> > During our team call today I suggested just "keycloak-adapter", which
> > would cover the apps which don't have their own specific adapter
> > solution.
> >
> > That said, maybe we should open a new poll? I just created a new one
> > where people can vote/suggest:
> >
> > https://poll.ly/#/Lbww4ebG
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
6 years, 4 months
Keycloak Proxy Rename
by Bruno Oliveira
Good afternoon,
We are considering transferring or forking the keycloak-proxy[1] to the Keycloak
organization. In order to accomplish that, I've been working with Rohith
updating some of its dependencies[2].
While discussing with our team, we reached the conclusion that calling it a
proxy could potentially increase the scope of the project and also give
people the wrong idea, because things like load balancing, rate limiting,
and other features would be expected. That's not what we want right now.
I would like to gather some feedback from the community before we move forward.
So please vote on the following Doodle:
https://doodle.com/poll/gux626ktscgpr96t
Also, feel free to suggest other names and they will be included.
[1] - https://github.com/gambol99/keycloak-proxy
[2] - https://issues.jboss.org/browse/KEYCLOAK-7265
--
abstractj
6 years, 4 months
Default Locale
by Vaclav Muzikar
Hi!
Before I file a bug, I'd like to discuss one thing.
How's the Default Locale (in realm's theme settings) supposed to work? It
seems to have no effect at all because the realm setting is always
overridden by the "Accept-Language" HTTP header that's sent by the browser.
Shouldn't the Default Locale have higher priority than the HTTP header?
Thanks!
V.
--
Václav Muzikář
Quality Engineer
Keycloak / Red Hat Single Sign-On
Red Hat Czech s.r.o.
6 years, 4 months
Keycloak Node.js adapter integration tests on Travis
by Bruno Oliveira
Good morning,
Last week Pedro submitted a PR to the Node.js adapter, but the build is
failing because it depends on the changes from Keycloak server master
branch.
Today we download the latest stable release from Keycloak to run the
integration tests for this adapter. I would like to change it and follow
the same approach from the Quickstarts, which means clone/build/run
Keycloak server from master. In this way, we can always test it against
the latest changes.
Thoughts?
--
abstractj
6 years, 4 months
Recent changes breaking keycloak..
by Warren Weeder
It appears that breaking changes were in the 'latest' version released
about 6 hours ago. Container based on latest image fails with 'hostname not
set'.
Using version 4.2.1.final instead of latest, everything works fine.
Note: I am using mssql jdbc driver. This is a working build which only
recently breaks as of the most recent 'latest' update. Prior to that, it
worked fine building off latest, and it works fine now that I have forced
version '4.2.1.Final'.
thanks
Warren
6 years, 4 months
Fine-grained permissions along hierarchy paths
by Thomas Darimont
Hello,
I have a realm with nested groups that denotes a hierarchical corporate
structure.
/corp
-/org
--/branch1
---/divsion1
----/team1
----/team2
---/divsion2
----/team3
----/team4
--/branch2
-/infra
...
Users belong to one particular group along the /corp/org subtree, but might
also be members of one or more groups from a different subtree, e.g.,
/corp/infra.
Is it possible to have dedicated admin users at /corp, /branchX, /divisionX
level who can only view and manage the users from their group or subtree
with an admin-console scoped to a fixed realm?
admin-console scoped to group-hierarchy-demo realm:
http://localhost:8080/auth/admin/group-hierarchy-demo/console/#/realms/gr...
If a user logs in as divsion1-admin-user, he should only be able to see and
manage the users beneath the path (/corp/org/branch1/division1/*).
Does the fine-grained permission system already support use cases like this?
Cheers,
Thomas
6 years, 4 months