Re: [keycloak-dev] Regarding https://issues.jboss.org/browse/KEYCLOAK-8162
by Stian Thorgersen
Yes, feel free to send a PR. I would add url.resourcesUrl and use that
instead of "${hostname}${url.resourcesPath}".
On Tue, 19 Nov 2019 at 15:04, vidhyadharan D <it.vidhyadharan(a)gmail.com>
wrote:
> Hi Stian,
>
> May I give a PR for this?
>
> Thanks,
> vidhya
>
> On Wed, Sep 12, 2018 at 2:00 PM vidhyadharan D <it.vidhyadharan(a)gmail.com>
> wrote:
>
>> Suppose I move the themes from development to production; in that
>> case I need to update the properties each time, whereas with a template
>> variable it is automatically calculated.
>>
>>
>> Inline base64 images will suit web emails, but they are not supported in
>> Outlook; however, a logo SVG will be apt for all email clients.
>>
>> By implementing *${hostname}/${url.resourcesPath}*, *custom fonts* are
>> also served from the *themes location*.
>>
>> <style>
>> .
>> .
>> .
>> @font-face {
>> font-family: 'Roboto';
>> src: url('${hostname}${url.resourcesPath}/fonts/Roboto/Roboto-Light.eot'
>> );
>> src: local('Roboto Light'),
>> local('Roboto-Light'),
>> url(
>> '${hostname}${url.resourcesPath}/fonts/Roboto/Roboto-Light.eot?#iefix')
>> format('embedded-opentype'),
>> url('${hostname}${url.resourcesPath}/fonts/Roboto/Roboto-Light.woff2')
>> format('woff2'),
>> url('${hostname}${url.resourcesPath}/fonts/Roboto/Roboto-Light.woff')
>> format('woff'),
>> url('${hostname}${url.resourcesPath}/fonts/Roboto/Roboto-Light.ttf')
>> format('truetype'),
>> url(
>> '${hostname}${url.resourcesPath}/fonts/Roboto/Roboto-Light.svg#Roboto')
>> format('svg');
>> font-weight: 300;
>> font-style: normal;
>> }
>> .
>> .
>> .
>>
>> Thanks,
>> vidhya
>>
>> On Tue, Sep 11, 2018 at 6:38 PM Stian Thorgersen <sthorger(a)redhat.com>
>> wrote:
>>
>>> I was thinking inline base64 images. I don't have an issue with a PR to
>>> make the resourceUrl available to emails, do you need it in the template or
>>> the properties? Having it in the properties is a lot messier.
>>>
>>> On Tue, 11 Sep 2018 at 10:08, vidhyadharan D <it.vidhyadharan(a)gmail.com>
>>> wrote:
>>>
>>>> <img src="${hostname}/${url.resourcesPath}/img/sci-logo.svg" >
>>>>
>>>>
>>>> On Tue, Sep 11, 2018 at 1:37 PM vidhyadharan D <
>>>> it.vidhyadharan(a)gmail.com> wrote:
>>>>
>>>>> The logo can be sent in the email like below
>>>>>
>>>>> <img src="${url.resourcesPath}/img/sci-logo.svg" >
>>>>>
>>>>>
>>>>> On Mon, Sep 10, 2018 at 12:46 PM Stian Thorgersen <sthorger(a)redhat.com>
>>>>> wrote:
>>>>>
>>>>>> For emails shouldn't images actually be encoded into the email itself
>>>>>> rather than linked to?
>>>>>>
>>>>>> On Sun, 9 Sep 2018 at 19:18, vidhyadharan D <
>>>>>> it.vidhyadharan(a)gmail.com> wrote:
>>>>>>
>>>>>>> Hi Experts,
>>>>>>>
>>>>>>> I have been working on Keycloak HTML email. I need to embed a
>>>>>>> logo in the emails, i.e. from
>>>>>>> *themes/email/resources/img/logo.png*
>>>>>>>
>>>>>>> In the login module there is a way to locate an image / favicon via
>>>>>>> ${url.resourcesPath}
>>>>>>>
>>>>>>> However, in the email module we don't have access to locate the resources.
>>>>>>>
>>>>>>> I have achieved this by adding a custom email template provider. If possible,
>>>>>>> please add this to the email module because it is useful for all.
>>>>>>>
>>>>>>> Or let me know and I can provide a PR.
>>>>>>>
>>>>>>> https://issues.jboss.org/browse/KEYCLOAK-8162
>>>>>>>
>>>>>>>
>>>>>>> Thanks,
>>>>>>> vidhya
>>>>>>> _______________________________________________
>>>>>>> keycloak-dev mailing list
>>>>>>> keycloak-dev(a)lists.jboss.org
>>>>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>>>>
>>>>>>
4 years, 5 months
Session duration for clients
by Stian Thorgersen
Today we have SSO session max and idle, but there is no way to control
duration for individual clients.
One side-effect of this is that if the SSO session max is very large all
refresh tokens will have a long expiration time.
It is also related to max_age parameter. As tokens have a long expiration
the only way to control it is the client has to manually check auth_time in
the tokens.
One idea is that we could introduce a Client Session Max and Idle. The
realm would allow setting a default value, but it would also be possible to
override on a per-client basis. If not set for realm or client it would
fall back to SSO Session Max/Idle.
For Client Session Max, implementation should be pretty straightforward.
When issuing tokens we make sure the expiration is set according to the
Client Session Max.
For Client Session Idle, implementation should also be pretty
straightforward. Tokens would only be valid if within Client Session Idle. As long
as clients refresh tokens they will get newly issued tokens that would be
within the Client Session Idle, up until they reach Client Session Max when
the refresh token would no longer be valid and the client would need to do
a new authentication request to obtain new tokens.
We should also add default_max_age to clients, which would make it possible
to easily configure re-authentication for specific clients.
4 years, 5 months
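The fallback chain and expiry rules proposed in the message above, modelled as an added example (this is not Keycloak code). All field names, the sample realm and clients, and the cap at the SSO session values are assumptions made for illustration; times are in seconds.

```javascript
// First positive, finite value wins.
const pick = (...vals) => vals.find((v) => Number.isFinite(v) && v > 0);

// Fallback chain: client override -> realm default for clients -> SSO session value.
function resolveLimits(realm, client = {}) {
  const max = pick(client.sessionMax, realm.clientSessionMax, realm.ssoSessionMax);
  const idle = pick(client.sessionIdle, realm.clientSessionIdle, realm.ssoSessionIdle);
  // Assumption (not stated in the post): a client session never outlives the SSO session.
  return { max: Math.min(max, realm.ssoSessionMax), idle: Math.min(idle, realm.ssoSessionIdle) };
}

// Issue or refresh tokens for a client session of the form { started, lastRefresh }.
function issue(session, limits, now) {
  const hardStop = session.started + limits.max;
  if (now >= hardStop) return { ok: false, reason: 'client-session-max' };
  if (now - session.lastRefresh > limits.idle) return { ok: false, reason: 'client-session-idle' };
  session.lastRefresh = now;
  // The refresh token ends at whichever comes first: idle timeout or Client Session Max.
  return { ok: true, refreshExp: Math.min(now + limits.idle, hardStop) };
}

// Client-side check of max_age / default_max_age against the auth_time claim.
function needsReauth(claims, maxAge, now) {
  if (!Number.isFinite(maxAge)) return false; // no limit configured
  return !Number.isFinite(claims.auth_time) || now - claims.auth_time > maxAge;
}

// Constructed sample configuration.
const realm = { ssoSessionMax: 2592000, ssoSessionIdle: 86400, clientSessionMax: 36000, clientSessionIdle: 1800 };
const banking = { sessionMax: 3600, sessionIdle: 300, defaultMaxAge: 600 };
const wiki = {}; // no overrides: inherits the realm's client defaults
```

With a 30-day SSO Session Max, the `banking` client's refresh tokens still stop at one hour, which is the side effect the proposal sets out to remove.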
Checking whether a client has offline access enabled
by Douglas Palmer
Hi everyone
I need to check whether a client has offline access enabled for the application page of the new account console. Is the correct way to do this to check if the client has the offline role? i.e. client.getRole(Constants.OFFLINE_ACCESS_ROLE) != null
Regards
Doug
4 years, 5 months
Client.getBaseURL() inconsistencies
by Douglas Palmer
Hi everyone
I have a problem with Client.getBaseURL(). When called locally in a test it returns "/auth/realms/test/account", but when the same test is executed in Travis it returns "/realms/test/account". Does anyone know why this happens and how I can fix it?
Regards
Doug
4 years, 5 months
keycloak-nodejs-connect - Expose Token for manual websocket handling
by Wolfgang Ederer
Hello,
in our application we are using the nodejs adapter in the backend and
communicate to the frontend via a websocket connection. Because the adapter
does not provide websocket authentication out of the box we need to check
the token manually.
Because Token is not exposed via the Keycloak module we need to do the
following:

    const Token = require('node_modules/keycloak-connect/middleware/auth-utils/token.js');
    const newToken = new Token(socket.handshake.query.token);

This is a workaround of sorts - especially when using TypeScript - and in
my opinion Token should be exposed via the Keycloak prototype in order
to be used like this:

    import * as Keycloak from 'keycloak-connect';
    const newToken = new Keycloak.Token(socket.handshake.query.token);
    // or
    const newToken = new Keycloak.getToken(socket.handshake.query.token);

What is your opinion on this topic?
Best Regards
Wolfgang Ederer
https://github.com/wederer
4 years, 5 months
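Parsing a token is not the same as verifying it, so a manual check on the WebSocket handshake has to cover signature, algorithm, expiry and issuer before any claim is trusted. The sketch below is an added example using only Node's built-in crypto module; it is not code from keycloak-connect or from the post, and the function names, issuer URL and throwaway key pair are constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const decodeJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Verify a raw JWT taken from the handshake before trusting any claim in it.
function verifyHandshakeToken(raw, { publicKey, issuer, now = Math.floor(Date.now() / 1000) }) {
  const parts = String(raw).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try {
    header = decodeJson(parts[0]);
    claims = decodeJson(parts[1]);
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims || typeof header !== 'object' || typeof claims !== 'object') {
    return { ok: false, reason: 'malformed' };
  }
  // Pin the algorithm on the server side; the token must not get to choose it.
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  const signature = Buffer.from(parts[2], 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, publicKey, signature)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) return { ok: false, reason: 'expired' };
  if (claims.iss !== issuer) return { ok: false, reason: 'bad-issuer' };
  return { ok: true, claims };
}

// Constructed fixtures: a throwaway key pair and a minting helper standing in for the realm.
const ISSUER = 'https://sso.example.test/auth/realms/demo';
const realmKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function mintToken(claims, { key = realmKeys.privateKey, alg = 'RS256' } = {}) {
  const head = b64url(JSON.stringify({ alg, typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = alg === 'none' ? '' : b64url(crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), key));
  return `${head}.${body}.${sig}`;
}
```

A token carried in the handshake query string is part of the request URL, so it can end up in proxy and access logs.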
Re: [keycloak-dev] JBoss_Keycloak_"404 - Not Found"
by Naga Vijay
(+) keycloak-dev
On Tue, Nov 12, 2019 at 7:56 PM Naga Vijay <nagausb2(a)gmail.com> wrote:
>
> Hello,
>
> Can someone help me with this?
>
> ==============
> Environment -
> ==============
>
> 1. OS - Mac OS X
> 2. JBoss EAP 7.1
>
> 3. Keycloak 7.0.1
>
> ==============
> Issue -
> ==============
>
> . Getting "404 - Not Found" for a simple hello.war (with KEYCLOAK as the
> auth-method in its web.xml) when accessing http://localhost:8080/hello
>
> ==============
> Attachments -
> ==============
>
> 1. kc.json - export dump of keycloak database/configuration
> 2. hello.war - the simple war tested with
>
> Let me know if you need any other info.
>
> Thanks
>
> Naga
>
>
>
4 years, 5 months
Fw: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
by Sushil Singh
Based on my understanding,
in Keycloak whatever you want to protect is a Resource.
In your case Resources will be created based on Organizations.
Organization (Resources)
Example
/org/O1
/org/O2
/org/O3
/org/O4
So create two roles and associate policies with them
1. Account-role [ assign Account-role to the users / groups whom you want to give multiple access]
2. General-role [ assign General-role to users / groups whom you don’t want to give organization]
So you can create a role-based policy and attach that policy to the permission.
You can associate the Resource with a Permission and associate the permission with the above Policies.
Check out these links to get an overview of how to manage resources, policies and permissions
https://www.keycloak.org/docs/latest/authorization_services/index.html#_r...
https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...
https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...
Authorization Services Guide - Keycloak<https://www.keycloak.org/docs/latest/authorization_services/index.html#_p...>
For instance, you might have a Bank Account resource that represents all banking accounts and use it to define the authorization policies that are common to all banking accounts. However, you might want to define specific policies for Alice Account (a resource instance that belongs to a customer), where only the owner is allowed to access some information or perform an operation.
www.keycloak.org
Thanks
Sushil
________________________________
From: Tumenjargal B <b.tume(a)yahoo.com>
Sent: 15 November 2019 15:39
To: Stian Thorgersen <sthorger(a)redhat.com>; Pedro Igor Silva <psilva(a)redhat.com>; Sushil Singh <sushil.singh(a)guavus.com>
Subject: Re: [keycloak-user] Fw: Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hello dears,
I want to integrate an old system with Keycloak. A user has many organizations.
In my case, users have account and general account positions. An account position works in many organizations. How to integrate Keycloak? How to save a user's organization data in Keycloak?
Thank you
On Friday, November 15, 2019, 05:52:03 PM GMT+8, Sushil Singh <sushil.singh(a)guavus.com> wrote:
________________________________
From: Sushil Singh <sushil.singh(a)guavus.com>
Sent: 15 November 2019 15:14
To: Vishnu Prakash <vishnuprakash323(a)gmail.com>; Pedro Igor Silva <psilva(a)redhat.com>; Stian Thorgersen <sthorger(a)redhat.com>
Subject: Re: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hi,
I think the use case is similar to what I am proposing
@Vishnu Prakash
I have also proposed to impose custom policy-enforcement on a set of resources.
https://github.com/keycloak/keycloak/pull/6448
KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters by sushil-singh-guavus · Pull Request #6448 · keycloak/keycloak<https://github.com/keycloak/keycloak/pull/6448>
KEYCLOAK-11300 : Creating CustomEnforcer functionality for spring adapters https://issues.jboss.org/browse/KEYCLOAK-11300
github.com
Where user can specify a Map<Resource, Set<scopes>> and it will evaluate to a positive result only if it satisfies permission for all resources in the Map
Currently I don't think this functionality is available in keycloak
Thanks,
Sushil
________________________________
From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> on behalf of Vishnu Prakash <vishnuprakash323(a)gmail.com>
Sent: 15 November 2019 10:01
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Subject: [keycloak-user] Associating a REST api end point to multiple resources in Keycloak in Policy Enforcer
Hi,
I want to protect my REST APIs using Keycloak. I am deploying my
application in Wildfly application server and using Keycloak Wildfly
adapters.
Is it possible to associate a REST api end point to multiple resources in
keycloak using the Policy Enforcer. If the user is having permission to
access all the associated resources, then only access should be granted to
the api.
Any input will be a great help to me.
Thanks & Regards,
Vishnu Prakash
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
4 years, 5 months
Master update breaks account console
by Stan Silvert
In new account console, I pass the auth URL to Freemarker. I call:
session.getContext().getUri(UrlType.FRONTEND).getBaseUri().toString()
This has always returned something like "http://localhost:8080/auth"
However, the latest in master puts a slash at the end,
"http://localhost:8080/auth/"
I can easily update my code for this to work, but I'm concerned that
this change might have broken more than just the new account console.
Perhaps other code in the community is relying on the URL not having a
slash at the end.
Does anyone recognize the change that might have caused this?
Stan
4 years, 5 months
PR - Remove Keycloak version from resource paths
by Stian Thorgersen
Today, Keycloak includes the Keycloak version in resource paths to make
sure browsers fetch the new versions of resources after an upgrade.
It is not good practice to expose the version of software on public
endpoints, as such we need to change this behavior.
To achieve this I've updated the migration model to create a random 5
character URL friendly id that is persisted in the database, which is then
used in place of the Keycloak version.
That means there will be a unique resource version for each installation of
Keycloak, which is updated when Keycloak is upgraded. To prevent conflicts
the previous versions are not deleted from the migration model.
PR is here: https://github.com/keycloak/keycloak/pull/6473
4 years, 5 months