[keycloak-gatekeeper][KEYCLOAK-7175] upgrade from coreos/go-oidc.v1
by BIDON Frederic
Relying on a stale package such as `github.com/coreos/go-oidc.v1` is really annoying for a security product.
Moreover, this library has no support for tokens with an EC signature.
I've tried a bit to remove this but I felt like the choice of a proper library should be discussed.
Here is my two cents:
- coreos/go-oidc.v2 does not add much compared to stdlib `x/oauth2`: there is a remote JWKS fetcher which might be useful, although it is in fact `square/go-jose` that does the heavy lifting here
- I found `square/go-jose` good enough for JWK and JWKS, but rather impractical for JWT. I found `dgrijalva/jwt-go` much handier when it comes to manipulating JWTs
Any ideas / challenges around for a proper choice of dependencies here?
Cheers,
Frédéric
frederic.bidon(a)yahoo.com
5 years, 11 months
Make theme properties available in email templates
by Guilhem Lucas
Hello,
I need to have theme properties available in Freemarker email templates
(like in login and account theme).
I overrode FreeMarkerEmailTemplateProvider to add them in a new attribute
"properties", but I think it could be useful to have it by default in
Keycloak.
Is it possible to do it? If necessary I can create a pull request.
Thank you.
Guilhem Lucas
5 years, 11 months
Deputy for users
by JCoder
Hello,
I kindly ask to implement the deputy feature in keycloak.
Example: Before a user leaves for vacation, for a dedicated period of
time she can assign her groups to another user (the deputy). The
deputy then has access to those groups - but only for the specified
period of time. Though after the vacation the information about the
deputy regulation will remain in the database and can only be
explicitly deleted by the user.
Validations:
- The begin date for the deputy regulation is today or in the future
- The end date for the deputy regulation is not before the begin date
I'm excited about your opinion.
Cheers,
Yusuf
5 years, 11 months
Hardcoded port 8443
by Tim Hedlund
Hi All,
I noticed that when I tried to set the OpenID java adapter configuration parameter "ssl-required" to "all" I started to get port 8443 in the redirect_uri:
response_type=code&client_id=skf.com&redirect_uri=https%3A%2F%2Flocalhost%3A8443%2Fgroup%2index.html&state=ee8e8b59-f10a-4d13-b2d6-ff8b507850b2&login=true&scope=opened
I was curious as to why I got the port 8443 and I found it being hardcoded here: https://github.com/keycloak/keycloak/blob/c3fa471223e102e740425f166415eb1...
Is this intentional?
Regards
Tim
5 years, 11 months
Fwd: Realm Custom Attributes
by Hari Prasad
Hi All,
Can we add realm-level custom attributes?
Regards
Hari Prasad N.
---------- Forwarded message ---------
From: Hari Prasad <nhariprasad2018.2(a)gmail.com>
Date: Wed, Jan 2, 2019 at 7:01 PM
Subject: Realm Custom Attributes
To: <keycloak-user(a)lists.jboss.org>
5 years, 11 months
Fwd: Authorization in Angular
by Hari Prasad
Hi All,
I am using keycloak-angular to integrate our Angular App to keycloak.
Authentication is working fine but authorization is not working with Angular.
Authorization is working fine with Spring Boot and normal Java webapps.
Please help to resolve the authorization problem with Angular.
Regards
Hari Prasad N
---------- Forwarded message ---------
From: Hari Prasad <nhariprasad2018.2(a)gmail.com>
Date: Wed, Jan 2, 2019 at 7:11 PM
Subject: Authorization in Angular
To: <keycloak-user(a)lists.jboss.org>
5 years, 11 months
Fwd: Dynamic realm choose for REST API.
by Hari Prasad
Hi All,
I have a bearer-only client for one of our REST API applications. I am able to
get a Bearer token from the UI app and pass it to the REST API and consume services.
The backend REST API takes config data from keycloak.json, but I want to
change the realm name dynamically because the Bearer tokens may be of a different
realm dynamically.
Regards
Hari Prasad N.
---------- Forwarded message ---------
From: Hari Prasad <nhariprasad2018.2(a)gmail.com>
Date: Wed, Jan 2, 2019 at 8:54 PM
Subject: Re: Dynamic realm choose for REST API.
To: <keycloak-user(a)lists.jboss.org>
On Wed, Jan 2, 2019 at 7:16 PM Hari Prasad <nhariprasad2018.2(a)gmail.com>
wrote:
> Hi All,
>
> I have a bearer-only client for one of our REST API applications. I am able
> to get a Bearer token from the UI app and pass it to the REST API and consume services.
> The backend REST API takes config data from keycloak.json, but I want to
> change the realm name dynamically because the Bearer tokens may be of a different
> realm dynamically.
>
> Regards
> Hari Prasad N.
5 years, 11 months
Questions about adding new identity providers
by Wladislaw Mitzel
Hi all,
How is the addition of new identity providers handled in this project? I'd love to have a vk.com integration in keycloak. After some search, I've found this pull request [1] which adds PayPal as a new IdP. I think it's a pretty good "blueprint" of how to add a new IdP. I plan to give it a try and implement vk.com. This raises the following questions:
1) Is this implementation of a vk.com IdP something the project is interested in?
2) Does the answer to 1) apply to all IdPs? I mean vk.com is a quite large social network. What about some less known websites providing OAuth2 authentication. Would *any* IdP be added to the project? Are there certain criteria from which you can decide?
3) What do you think about a feature which would make it possible to "configure" arbitrary OAuth2 providers as IdPs using the Admin Console? To me most of the implementations of org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider look pretty similar. The main differences are how to interpret the responses of the IdP: I wonder whether this could be generalised.
I look forward to your answers,
Kind Regards,
Wladislaw
[1] https://github.com/keycloak/keycloak/pull/4449
5 years, 11 months
Re: [keycloak-dev] [keycloak-user] Keycloak 4.8.0.Final released
by Stian Thorgersen
In the past we didn't disable preview features (or make it obvious that
they were preview) in the Keycloak releases. In RH-SSO releases we did
make all these preview. To make it consistent and also to better
communicate with the community what may not be fully production ready we
decided to make it consistent.
Preview doesn't mean it is buggy, but rather that the feature may be
incomplete and may be drastically changed in the future (even completely
removed) and that there are no guarantees for a seamless upgrade between
releases if you use tech preview features.
On Mon, 17 Dec 2018 at 13:21, Geoffrey Cleaves <geoff(a)opticks.io> wrote:
> Thanks for the update. I see more and more features being labeled as tech
> preview and disabled by default. I guess that this means the features have
> bugs or negatively impact performance? Any further insight would be
> appreciated.
>
> On Mon, 17 Dec 2018 at 12:59, Stian Thorgersen <sthorger(a)redhat.com>
> wrote:
>
>> To download the release go to the Keycloak homepage
>> <http://www.keycloak.org/downloads>.
>>
>> For details on what is included in the release check out the Release notes
>> <https://www.keycloak.org/docs/latest/release_notes/index.html>
>>
>> The full list of resolved issues is available in JIRA
>> <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>.
>>
>> Before you upgrade remember to backup your database and check the upgrade
>> guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for
>> anything that may have changed.
> --
>
> Regards,
> Geoffrey Cleaves
5 years, 11 months