Extract Javascript Adapter into separate keycloak-js repository
by Armin Roșu
Hello,
We were having a discussion about unit testing keycloak-js in this PR:
https://github.com/keycloak/keycloak/pull/5946 (closed).
An easy way would be to extract it into a separate repository and write
unit tests there. This would bring further benefits:
- keycloak.js can be refactored to TypeScript
- file can be split in multiple modules
- independent versioning from keycloak/keycloak would enable deprecating
legacy Promises by enabling developers to use the keycloak-js version that
works for them
- keycloak-js-bower could also be deprecated.
Guillaume Vincent previously proposed rewriting the Javascript Adapter (
https://lists.jboss.org/pipermail/keycloak-dev/2019-September/012457.html).
Extracting it, writing tests for it and rewriting it afterwards is an
option less prone to breaking changes.
I have some free time and could start work on this.
What do you think? Should I set up a repo so we can talk over code?
Cheers,
Armin
5 years, 3 months
Re: [keycloak-dev] Extract Javascript Adapter into separate keycloak-js repository
by Armin Roșu
On Tue, Nov 26, 2019 at 4:15 PM Stian Thorgersen <sthorger at redhat.com>
wrote:
> With regards to a new version of keycloak.js the question comes up if
> AppAuth-JS [1] can be used instead.
>
> [1] https://github.com/openid/AppAuth-JS
This sounds like a good approach long-term. Less code to maintain.
Interestingly, AppAuth-JS is 10x less installed than Keycloak-JS:
- https://www.npmjs.com/package/@openid/appauth
- https://www.npmjs.com/package/keycloak-js
What do you think about oidc-client-js, the official OpenID Connect JS client?
However, the impact would be large. Tests, examples and UIs need to be
updated and I don't see how that can be done progressively.
Do you have an idea how we can break this down? e.g. Implement AppAuth
in the admin console first, then deprecate keycloak-js and update the
tests?
We should also consider the impact to keycloak-js users. This will be
a major breaking change and adoption will be slow, unless there are
clear benefits.
I think we should clear up if a public client would suit us better
than keycloak-js before addressing the repository & rewrite
discussion.
What do you think?
5 years, 3 months
Keycloak IE11 Support?
by Stan Silvert
Hi Keycloak Community,
We are trying to make decisions around the future of the Account Console
on IE11 and we really need your feedback.
As we move to modern UI development frameworks like PatternFly 4, IE11
support becomes more and more difficult.
Do you or your customers require support for IE11 today?
Do you believe that you will require support for IE11 in the next two to
three years?
Thanks for your help,
Stan Silvert
5 years, 3 months
Re: [keycloak-dev] Custom Policy Enforcer
by Pedro Igor Silva
Thanks, Sushil. I'll check it out until the week ends.
On Thu, Nov 28, 2019 at 5:40 AM Sushil Singh <Sushil.Singh(a)thalesgroup.com>
wrote:
> Hi,
>
> I have tried to create a custom-enforcer-quick-start
>
>
> https://github.com/sushil-singh-guavus/keycloak-quickstarts/tree/keycloak...
>
> https://github.com/sushil-singh-guavus/keycloak/tree/keycloak-11300
>
> @Pedro Igor Silva <psilva(a)redhat.com>, I have made some changes from
> https://github.com/pedroigor/keycloak/tree/KEYCLOAK-11300 as pathconfig
> was always coming null if the resource is independent of the URI requested, so I
> have done some fixes and written a naive quick-start using my Keycloak
> build. I haven't yet written the test case for the quick-start.
>
> Can you please check it and give any valuable feedback. I am really
> sorry for the delay as I was preoccupied with other tasks.
>
> Thanks
>
> Sushil
>
>
> ------------------------------
> *From:* Sushil Singh <sushil.singh(a)guavus.com>
> *Sent:* 14 November 2019 12:20
> *To:* keycloak-dev <keycloak-dev(a)lists.jboss.org>; Stian Thorgersen <
> notifications(a)github.com>; Pedro Igor Silva <psilva(a)redhat.com>
> *Subject:* Fw: [keycloak-dev] Custom Policy Enforcer
>
> @Stian Thorgersen <sthorger(a)redhat.com>
>
> Here is the discussion we had 2 days ago when I was not on the dev mailing
> list.
>
> Pedro has suggested changes in
> https://github.com/pedroigor/keycloak/tree/KEYCLOAK-11300 where all the
> changes are in adapter-core, so all the Java adapters can get it anyway (*not
> only Spring/Spring Boot*)
>
> Actually some changes are not working, so I am correcting them and will
> come out with a quickstart in the next few days.
>
> ------------------------------
> *From:* Stian Thorgersen <sthorger(a)redhat.com>
> *Sent:* 13 November 2019 14:55
> *To:* Pedro Igor Silva <psilva(a)redhat.com>
> *Cc:* Sushil Singh <sushil.singh(a)guavus.com>; keycloak-dev <
> keycloak-dev(a)lists.jboss.org>
> *Subject:* Re: [keycloak-dev] Custom Policy Enforcer
>
> Missing a bit of context here and missing Sushil's responses as he's not
> on the ML.
>
> I'd like to see an example/quickstart for this as looking at the PR I
> think I get the gist of what the problem is, but not quite sure how it
> would be used. The PR also only focuses on Spring Security, but we'd need
> to have this capability in all JEE adapters, then there's also Node.js to
> consider as that should be consistent as well. We'd also need to test this.
>
> My biggest question is how unique is this use-case? If it's rather unique
> and not generic then I don't think it's worth adding it, especially not
> considering that we need all authz services extensions to support the same
> capabilities.
>
>
>
> On Tue, 12 Nov 2019 at 17:04, Pedro Igor Silva <psilva(a)redhat.com> wrote:
>
> Yes, exactly ... So you just leverage what we already have in order to
> expose "manual enforcement" by wrapping the call to the PE (which is the
> one that creates the AC anyways).
>
> On Mon, Nov 11, 2019 at 6:54 PM Sushil Singh <sushil.singh(a)guavus.com>
> wrote:
>
> > AuthorizationContext authzContext =
> > keycloakSecurityContext.getAuthorizationContext();
> >
> > AdapterAuthorizationContext clientContext =
> AdapterAuthorizationContext.class.cast(, );
> >
> > clientContext.authorize(Map);
> >
> >
> > I think this is the way I will invoke it programmatically.
> >
> > Yeah, I can write a simple quick-start. I will do it by tomorrow or the day
> > after tomorrow and then we can discuss further.
> > ------------------------------
> > *From:* Pedro Igor Silva <psilva(a)redhat.com>
> > *Sent:* 12 November 2019 02:42
> > *To:* Sushil Singh <sushil.singh(a)guavus.com>
> > *Cc:* keycloak-dev <keycloak-dev(a)lists.jboss.org>
> > *Subject:* Re: Custom Policy Enforcer
> >
> > You should be able to obtain the context instance like that [1]. And then,
> > invoke the method to programmatically enforce access.
> >
> > If I understand correctly, the permission map you pass is basically the
> > set of resource/scopes that you want to return in a permission ticket and
> > later on check if the resulting RPT is granted with the same set. We should
> > ideally reuse as much as possible the main logic in the enforcer. And the
> > enforcement mode should be permissive or disabled to allow the request to
> > reach your endpoint so you can enforce access by yourself.
> >
> > In any case, the PE should allow the request to pass with an empty
> > authorization context so that you can invoke the appropriate method to
> > enforce access.
> >
> > [1]
> >
> https://www.keycloak.org/docs/latest/authorization_services/index.html#_e...
> >
> > On Mon, Nov 11, 2019 at 5:56 PM Sushil Singh <sushil.singh(a)guavus.com>
> > wrote:
> >
> > Just by looking, the changes look good.
> >
> > I have a question: how will I invoke it programmatically? I mean, on what
> > object do I have to call it, giving permission (Map) as an input
> > parameter?
> >
> > If I specify the enforcement mode as Enforcing or Permissive, permission
> > will always be null.
> >
> > Also, it would be good if we could incorporate audit logging; if not now,
> > then we can consider it in the future.
> >
> >
> >
> > ------------------------------
> > *From:* Pedro Igor Silva <psilva(a)redhat.com>
> > *Sent:* 12 November 2019 01:58
> > *To:* Sushil Singh <sushil.singh(a)guavus.com>
> > *Cc:* keycloak-dev <keycloak-dev(a)lists.jboss.org>
> > *Subject:* Re: Custom Policy Enforcer
> >
> > I see. I'm just trying to figure out if we can't somehow address the
> > problem by enhancing the configuration. For instance, in regards to the
> > `/api/datasets/{databasename}` I think we have a similar approach in the
> > Photoz quickstart, where the path parameter representing the ID of the
> > resource is used to automatically create the ticket and enforce access
> > later on when an RPT arrives.
> >
> > But yeah, the other scenarios are not covered.
> >
> > I'm OK to improve this based on your changes and following an approach
> > similar to what I shared from my branch. Does it make sense for you? I may
> > have removed some bits from your original changes but the idea is just to
> > show how we could leverage the `AuthorizationContext`, which is already
> > available to the application through `KeycloakSecurityContext`.
> >
> > On Mon, Nov 11, 2019 at 4:25 PM Sushil Singh <sushil.singh(a)guavus.com>
> > wrote:
> >
> > @Pedro Igor Silva <psilva(a)redhat.com>
> >
> > I want to clarify a little bit about the example you are stating:
> >
> > {
> >   "path" : "/someUri/*",
> >   "methods" : [
> >     {
> >       "method": "GET",
> >       "scopes" : ["view"]
> >     },
> >     {
> >       "method": "DELETE",
> >       "scopes" : ["delete"]
> >     }
> >   ]
> > },
> >
> > See, if our resources are static and not dynamic, I can put them in a
> > keycloak.json file, no worries.
> > But when it comes to resources which are not end-point specific or not
> > directly related to an endpoint, but the actual data itself, I think it is
> > better to keep them on the server side rather than in a config file. It can be
> > 1000 at present; it can be lakhs and crores if I consider the future
> > scope.
> >
> > For e.g. /api/datasets/{datasetname}: each dataset will be a resource and
> > we will be configuring resources as /datasets/dataset1,
> > /datasets/dataset2.
> >
> > So, each dataset will be a resource and will be created in the Keycloak
> > server when the actual data is created. So, every time I create a resource, I
> > won't need to configure keycloak.json.
> >
> > The current implementation of configuring paths that Keycloak provides is
> > good when resources are static, for e.g. if endpoints are resources, so
> > they are most likely static. But for our case it won't work.
> >
> > Another example can be, if there is a non-REST resource and the scope /
> > action is coming as a query parameter. The current Keycloak implementation will
> > not work as we can configure only on URLs. So the customEnforcer will
> > provide the flexibility to cover all these cases.
> >
> > There are other cases, where there is a pipeline which is dependent on
> > other resources.
> >
> > So let's consider a non-REST resource such as PIPELINE. A pipeline itself
> > will contain a set of resources, so a pipeline can have the scopes START, STOP,
> > DELETE, RESTART etc.
> > So resources and actions can come as a query parameter. So, the
> > custom-enforcer functionality can provide us enforcing policies with use
> > cases like that.
> >
> > Hope the use case is getting clearer to you.
> >
> > Thanks
> >
> > Sushil Pratap Singh
> >
> > ------------------------------
> > *From:* Pedro Igor Silva <psilva(a)redhat.com>
> > *Sent:* 11 November 2019 23:33
> > *To:* Sushil Singh <sushil.singh(a)guavus.com>; keycloak-dev <
> > keycloak-dev(a)lists.jboss.org>
> > *Subject:* Re: Custom Policy Enforcer
> >
> > Here is a scratch [1]. But I'm not fully convinced about the changes you
> > are proposing. Maybe what is missing is an example of how this will be used
> > in practice.
> >
> > Isn't that the same thing as configuring a path like this?
> >
> > ```
> > {
> >   "path" : "/someUri/*",
> >   "methods" : [
> >     {
> >       "method": "GET",
> >       "scopes" : ["view"]
> >     },
> >     {
> >       "method": "DELETE",
> >       "scopes" : ["delete"]
> >     }
> >   ]
> > },
> > ```
> >
> > [1] https://github.com/pedroigor/keycloak/tree/KEYCLOAK-11300
> >
> > On Mon, Nov 11, 2019 at 1:44 PM Pedro Igor Silva <psilva(a)redhat.com>
> > wrote:
> >
> > OK. I'm going to write something and give to you ...
> >
> > On Mon, Nov 11, 2019 at 1:41 PM Sushil Singh <sushil.singh(a)guavus.com>
> > wrote:
> >
> > @Pedro Igor Silva <psilva(a)redhat.com>
> >
> > Can you suggest a pseudo flow for what you are trying to say?
> >
> > It would be good for me to understand how it can be achieved using
> > AuthorizationContext.
> >
> > ------------------------------
> > *From:* Pedro Igor Silva <psilva(a)redhat.com>
> > *Sent:* Monday, November 11, 2019 10:05:06 PM
> > *To:* keycloak-dev <keycloak-dev(a)lists.jboss.org>; Sushil Singh <
> > sushil.singh(a)guavus.com>
> > *Subject:* Custom Policy Enforcer
> >
> > Hi,
> >
> > We have started some discussions about a custom policy enforcer at
> > https://github.com/keycloak/keycloak/pull/6448.
> >
> > For those interested in how to programmatically enforce permissions,
> > please look at that PR and discussions that should start to happen here.
> >
> > @Sushil Singh <sushil.singh(a)guavus.com>, if the idea is to expose the PE
> > functionality so that you can programmatically get the same behavior as
> > when requests are processed, I think we can still make it through the
> > `AuthorizationContext` interface.
> >
> > In fact, the code won't change much from what you did so we basically
> > encapsulate the call to the actual policy enforcer.
> >
> > Regards.
> > Pedro Igor
> >
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>
5 years, 3 months
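As an added illustration of the programmatic enforcement Pedro describes in the thread above (added here; not code from the thread, from the linked PR branch, or from Keycloak's quickstarts), the servlet below guards the `/api/datasets/{datasetname}` resources from Sushil's use case with the adapter's existing `AuthorizationContext.hasPermission(resource, scope)` rather than the proposed `authorize(Map)` method. It assumes the Java adapter is configured with `"policy-enforcer": { "enforcement-mode": "PERMISSIVE" }` so that a request for a path with no `paths` entry still reaches the servlet carrying the permissions from the client's RPT; the servlet mapping `/api/datasets/*`, the resource naming scheme `datasets/<name>` and the method-to-scope mapping are assumptions made for the example.

```java
import java.io.IOException;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.representations.idm.authorization.Permission;

// Added example, not Keycloak code. Mapped (by assumption) to /api/datasets/* so that
// getPathInfo() yields "/<datasetname>". Relies on the adapter running with
// enforcement-mode PERMISSIVE, so unconfigured paths reach this servlet together with
// an AuthorizationContext built from the RPT the client presented.
public class DatasetServlet extends HttpServlet {

    // Assumed mapping from HTTP method to the scope each dataset resource carries in
    // Keycloak; anything not listed is refused.
    static String scopeFor(String method) {
        switch (method) {
            case "GET":
                return "view";
            case "DELETE":
                return "delete";
            default:
                return null;
        }
    }

    // True only when the caller's RPT grants `scope` on the dataset resource.
    // Resource names follow the assumed scheme "datasets/<name>", created by the
    // application when the dataset itself is created.
    static boolean isAllowed(AuthorizationContext authz, String dataset, String scope) {
        if (authz == null || scope == null) {
            return false;
        }
        return authz.hasPermission("datasets/" + dataset, scope);
    }

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        KeycloakSecurityContext ksc =
                (KeycloakSecurityContext) req.getAttribute(KeycloakSecurityContext.class.getName());
        if (ksc == null) {
            // No authenticated session at all: the adapter did not run for this request.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        // The dataset name is the single path segment after the servlet mapping.
        String pathInfo = req.getPathInfo() == null ? "" : req.getPathInfo();
        String dataset = pathInfo.replaceFirst("^/", "");
        if (dataset.isEmpty() || dataset.contains("/")) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        AuthorizationContext authz = ksc.getAuthorizationContext();
        String scope = scopeFor(req.getMethod());
        if (!isAllowed(authz, dataset, scope)) {
            // Deny by default: a missing scope, a missing permission for this dataset,
            // or a token without any authorization claim all end here.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Minimal audit trail, since the thread asks for audit logging: record who was
        // allowed to do what, and which permissions the RPT actually carried.
        List<Permission> granted = authz.getPermissions();
        log(req.getRemoteUser() + " " + scope + " datasets/" + dataset + " granted=" + granted);

        resp.setContentType("text/plain");
        resp.getWriter().println(scope + " " + dataset + " OK");
    }
}
```

The servlet refuses by default: no security context yields 401, no matching permission yields 403. One caveat worth keeping in mind when enforcing manually: for paths the policy enforcer guards itself, a missing permission is answered with a 401 carrying a UMA permission ticket in `WWW-Authenticate`, which is what lets the client go and obtain an RPT; an endpoint that does its own enforcement has to decide whether to reproduce that exchange or, as here, simply refuse.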
Disabled issues section on keycloak github page.
by Wojciech Trocki
---------- Forwarded message ---------
From: Wojciech Trocki <wtrocki(a)gmail.com>
Date: Thu, 28 Nov 2019, 11:57
Subject: Disabled issues section on keycloak github page.
To: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Hi
I was at a conference recently and chatted with a couple of
developers about Keycloak.
What really worried me was that one of the devs claimed that:
"Keycloak does not allow the community to log issues"
Upon later explanation, I found out that this was a
misunderstanding related to the disabled issues section on the Keycloak
GitHub page.
Is there any reason why GitHub issues are disabled for Keycloak?
I know that the team is using Jira for issue tracking.
GitHub issues have become an open-source standard over the last couple of years.
5 years, 3 months
Code quality & bugs
by Perot Francis
Hi all,
I recently had to start working with Keycloak and, as I'm using a static code analyzer in my IDE (SonarLint), I got lots of recommendations about Keycloak code.
These recommendations are not always very relevant, but they can help to increase the code quality and readability and can help to detect bugs (I actually found some), and this might be an important point for the stability of the product, especially for a product managing authentication.
First, in MultivaluedHashMap.equalsIgnoreValueOrder(), there is a bug, but it can be considered as assumed if we suppose that it is not possible to have duplicated values in this map (which is often the case).
For a given key, if we compare the associated lists of 2 MultivaluedHashMap instances, [1, 2, 2] and [1, 2, 3], equalsIgnoreValueOrder will return true because the lengths are equal and all elements from the first list exist in the second list. Do you think it is necessary to fix this?
Static code analysis revealed issues described in the following examples and showed some inconsistencies: in FileTruststoreProviderFactory.init(), if pass is null, we "return" at the beginning of the method… but pass is still compared to null twice after that.
Similarly, in FreeMarkerUtil.processTemplate(), we set cache=null; then we compare cache to null (if (cache!=null)).
Don't you think it could be better to follow some recommendations? I could work on this: as it should impact lots of code, maybe you should decide which type of recommendation you want to follow and how you prefer to do this: all changes at once, one PR per type of recommendation, one PR per Maven module, …
Francis Pérot
(about me: I’m currently working on the multi-factor feature and we had a meeting two weeks ago with Marek P. and Peter S. : the left ear you saw was mine 😊)
Example 1:
```
byte[] signature = null;
try {
    signature = HMACProvider.sign(buffer.toString().getBytes("UTF-8"), Algorithm.HS512, sharedSecret);
} catch (UnsupportedEncodingException e) {
    throw new RuntimeException(e);
}
```
Can become:
```
byte[] signature = HMACProvider.sign(buffer.toString().getBytes(StandardCharsets.UTF_8), Algorithm.HS512, sharedSecret);
```
Example 2:
```
LDAPObject ldapUser = ldapQuery.getFirstResult();
if (ldapUser == null) {
    return null;
}
return ldapUser;
```
Can become:
```
return ldapQuery.getFirstResult();
```
Example 3:
```
if (responderURIs.size() == 0) {
```
Can become:
```
if (responderURIs.isEmpty()) {
```
Example 4:
```
Set<Annotation> set = new HashSet<Annotation>();
```
Can become:
```
Set<Annotation> set = new HashSet<>();
```
Other examples: https://github.com/fperot74/keycloak/pull/1/files
5 years, 3 months
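To make the equalsIgnoreValueOrder point from the post above concrete, here is an added example (not Keycloak's MultivaluedHashMap code; the class and helper names are invented for the illustration) that reconstructs the list comparison the post describes, same length plus containment of every element, beside an order-insensitive comparison that counts occurrences per value:

```java
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not Keycloak's code: reconstructs the comparison described in
// the post and contrasts it with an occurrence-counting (multiset) check.
public class IgnoreValueOrderCheck {

    // Same length, and every element of `a` is contained somewhere in `b`.
    // This is the logic the post describes; it cannot tell repeated values apart.
    static <V> boolean sameLengthAndContains(List<V> a, List<V> b) {
        if (a.size() != b.size()) {
            return false;
        }
        for (V v : a) {
            if (!b.contains(v)) {
                return false;
            }
        }
        return true;
    }

    // Order-insensitive multiset comparison: every distinct value has to occur
    // the same number of times on both sides.
    static <V> boolean sameMultiset(List<V> a, List<V> b) {
        if (a.size() != b.size()) {
            return false;
        }
        Map<V, Integer> remaining = new HashMap<>();
        for (V v : a) {
            remaining.merge(v, 1, Integer::sum);
        }
        for (V v : b) {
            Integer count = remaining.get(v);
            if (count == null) {
                // value of b does not appear in a, or appears fewer times there
                return false;
            }
            if (count == 1) {
                remaining.remove(v);
            } else {
                remaining.put(v, count - 1);
            }
        }
        return remaining.isEmpty();
    }

    // Applies one of the list comparisons key by key, the way an
    // equalsIgnoreValueOrder over a Map<K, List<V>> has to.
    static <K, V> boolean equalsIgnoreValueOrder(Map<K, List<V>> m1, Map<K, List<V>> m2,
                                                 boolean countOccurrences) {
        if (!m1.keySet().equals(m2.keySet())) {
            return false;
        }
        for (Map.Entry<K, List<V>> e : m1.entrySet()) {
            List<V> other = m2.get(e.getKey());
            boolean equal = countOccurrences
                    ? sameMultiset(e.getValue(), other)
                    : sameLengthAndContains(e.getValue(), other);
            if (!equal) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed inputs taken from the post: same length, one repeated value.
        List<Integer> withDuplicate = Arrays.asList(1, 2, 2);
        List<Integer> withoutDuplicate = Arrays.asList(1, 2, 3);

        System.out.println("contains-based, [1,2,2] vs [1,2,3]: "
                + sameLengthAndContains(withDuplicate, withoutDuplicate));
        System.out.println("contains-based, [1,2,3] vs [1,2,2]: "
                + sameLengthAndContains(withoutDuplicate, withDuplicate));
        System.out.println("multiset-based, [1,2,2] vs [1,2,3]: "
                + sameMultiset(withDuplicate, withoutDuplicate));
        System.out.println("multiset-based, [2,1,2] vs [1,2,2]: "
                + sameMultiset(Arrays.asList(2, 1, 2), withDuplicate));

        // The same two lists under one key of a multi-valued map.
        Map<String, List<Integer>> m1 = new HashMap<>();
        Map<String, List<Integer>> m2 = new HashMap<>();
        m1.put("key", withDuplicate);
        m2.put("key", withoutDuplicate);
        System.out.println("map, contains-based: " + equalsIgnoreValueOrder(m1, m2, false));
        System.out.println("map, multiset-based: " + equalsIgnoreValueOrder(m1, m2, true));
    }
}
```

With the inputs from the post, the containment check reports [1, 2, 2] and [1, 2, 3] as equal while the multiset check does not; the containment check is also asymmetric, since comparing [1, 2, 3] against [1, 2, 2] fails on the 3. Whether the difference matters depends on whether a key can legitimately hold duplicate values, which is exactly the question the post leaves open.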
Migrating keycloak-dev mailing list to Google Groups
by Stian Thorgersen
We are migrating the keycloak-dev mailing list to Google Groups.
This is mainly down to a long line of technical issues with lists.jboss.org,
where recently a large number of subscribers have been removed from the
mailing lists due to mail servers bouncing emails from the list. The latter
being caused by issues with the mailing list as well.
Please join the Google Groups either by sending an email to "
keycloak-dev+subscribe(a)googlegroups.com" or by going to
https://groups.google.com/d/forum/keycloak-dev.
5 years, 3 months
Fwd: All realms with all linked entities being read at bootstrap
by Мартынов Илья
Hello,
KC startup takes longer than the default JBoss 5 min timeout and gets rolled back;
~300 security realms were created.
From jstack, I see the application is busy with multiple queries initiated by
the fetch of all realms
from org.keycloak.services.managers.UserStorageSyncManager#bootstrapPeriodic.
The sequence is the following:
1. KeycloakApplication.setupScheduledTasks is called on bootstrap
2. All realms are fetched inside UserStorageSyncManager#bootstrapPeriodic
3. During each realm fetch, RealmEntity is wrapped to CachedRealm by
RealmCacheSession#getRealm
4. In CachedRealm constructor, it reads all RealmEntity collections
5. Sql selects fired for all RealmEntity collections
(RealmAttributeEntity, AuthenticationFlowEntity, RequiredCredentialEntity,
etc)
I see there was an optimization to fetch only realms with user storages:
https://issues.jboss.org/browse/KEYCLOAK-8555. This didn't help me because
I have a user federation provider in each realm.
Also I see a Hibernate 1st level cache clear was advised here:
https://github.com/keycloak/keycloak/pull/6012. This also did not help,
probably because too much data is being read.
I suggest modifying the realm-extraction code at
UserStorageSyncManager#bootstrapPeriodic so it will select only the required
info from the DB. I am ready to develop this change; what do you think about it?
5 years, 3 months