November 2019 - keycloak-dev - Jboss List Archives

[KEYCLOAK-11293] Create build for new account console

by Bruno Oliveira

Good afternoon, Alex is working on https://issues.jboss.org/browse/KEYCLOAK-11293 and I would like to double-check if we're ok with the requirements described below. What The new account console needs to be built from Maven. The build also needs to be able to build the RH-SSO version. Why There's no way to build the new account console from Maven and that's a requirement that has an impact on testing and distribution. How - Build the new account console as part of the default distribution (Keycloak and RHSSO build) - The Maven build should be based on the steps described in the README Acceptance Criteria - Have all the artifacts from the new account console in the same Keycloak/RHSSO server distribution Additional information This Jira can also incorporate https://issues.jboss.org/browse/KEYCLOAK-5392 if possible, but that's not mandatory Comments are welcome, in the same Jira or here. -- - abstractj

6 years, 4 months

5
13
0 / 0

Governance model

by Stian Thorgersen

We are working on defining a governance model for Keycloak. The PR is here https://github.com/keycloak/keycloak/pull/6427 Feedback from the community is more than welcome!

6 years, 4 months

1
0
0 / 0

Latest and archive version for documentation

by Stian Thorgersen

Google (and probably others, are there any?) keeps insisting on returning random versions of the documentation when searching. To improve on this I've made two changes to the documentation: * Add a version to the top of the documentation, including latest or link to latest if not the latest * For the latest version, all cross-links within the documentation now uses /latest/ in the url, while in the past it had the version in the link One minor issue is that we need to build the documentation twice when doing a release, but that's not a big deal. As we need to build the version/archive build as well as the latest build separately. When building docs just include the -Platest to build the latest, by default it will build version/archive. PR for this is here: https://github.com/keycloak/keycloak-documentation/pull/770 This is how it looks like: [image: docs-archive.png] [image: docs-latest.png]

6 years, 4 months

1
0
0 / 0

keycloak/extensions-init-container

by Bruno Oliveira

Good afternoon, just a quick heads up. A new repository was created on quay.io (https://quay.io/repository/keycloak/extensions-init-container) and the motivation behind this is to provide support to download and install Keycloak extensions inside the Keycloak Operator. More details in the Jiras below: - https://issues.jboss.org/browse/KEYCLOAK-11910 - https://issues.jboss.org/browse/INTLY-3606 Questions/comments/concerns, please let us know. -- - abstractj

6 years, 5 months

2
1
0 / 0

KEYCLOAK-11152 : attributes for clients

by cedric＠couralet.eu

Hi, Do you have any idea if this feature could land in keycloak ? For us, it could limit *a lot* the number of themes we have to maintain. We have a lot of login page where app developer want to put link to help page or other informational notice (or descriptions, logos...), but keycloak lack a way to add it by client (except by a new theme each time). We play a little with client description but it is not really elegant. I see attributes for clients as a way to better customize keycloak page by clients (attributes would need to be accessible from template obviously). Cédric

6 years, 5 months

2
3
0 / 0

Feature request - login URL additional params in js keycliak adapter -already inplemented

by Tom Adam

Hi, Recently I had a PR about the option to define additional URL parameters to be passed along with the login URL. It is a requirement in some of our enterprise applications, and currently many of our clients do some kind of hacking to achieve this. How does the community think about it? https://github.com/keycloak/keycloak/pull/6226 Thanks for the feedback. Best Regards: Tom

6 years, 5 months

2
1
0 / 0

Authentication flow

by Belinda Cowey

I am trying to configure an authentication flow that restricts login to a particular group but initially when I overrode the public client authentication flow, we got this error which indicates the user object was null. Initially script did a user.hasRole, but now does isMember. I only had the script as part of the new flow. 09:51:07,319 ERROR [org.keycloak.authentication.authenticators.browser.ScriptBasedAuthenticator] (default task-15316) org.keycloak.scripting.ScriptExecutionException: Could not execute script 'restrict-public-db-admin' problem was: TypeError: null has no such function "hasRole" in <eval> at line number 31 I then added in these flows which now authenticate me, but the script doesn't even execute now and always gives me a token. Cookie - Alternative Identity Provider Redirector - Alternative Username Password Form - Required Script - Required I setup the following New role: db-admin. No users have been assigned to this role New group: db-admin. Assigned db-admin role I am a member of the group db-admin New authentication flow: restricted-public Script: restrict-public-db-admin which only passes authentication when user is a member of the group db-admin New public client: restricted-public. Authentication Flow Overrides set to restricted-public authentication flow We have confirmed that -Dkeycloak.profile.feature.scripts is enabled, as per https://www.keycloak.org/docs/7.0/server_admin/#executions We followed this example https://stackoverflow.com/a/54384513 Are we implementing/using the authorisation flow override incorrectly? How do I restrict a client to users in a group only? Thanks

6 years, 5 months

1
0
0 / 0

Deprecating WildFly adapter container image

by Stian Thorgersen

I propose we deprecate the WildFly adapter container image. I believe very few if any use it as it is still stuck on WildFly 15 and no-one has complained. In general users should modify containers to include adapters, rather us providing re-distributed versions of containers.

6 years, 5 months

1
0
0 / 0

Filtering in New Account Console

by Stan Silvert

Specifically, we need to discuss filtering and pagination as it relates to the "Applications" page: https://marvelapp.com/c90dfi0/screen/59942290 The current design allows filtering by name and application type. However, Stian has pointed out that some customers will have thousands of clients. So this design might be unworkable. I don't want to go too far into the weeds right now because I want to understand the problem better first. What is the use case when customers have many, many clients? How common is it to have many, many clients for a single user? What do those clients look like? What could we use to filter on? The information we currently have on the client side looks something like what you see here: https://marvelapp.com/c90dfi0/screen/59942292

6 years, 5 months

6
42
0 / 0

User/ClientSession for Offline Access Management Issue (lost, never recovered and unused one left on DB everlastingly)

by 田畑義之 / TABATA，YOSHIYUKI

Hello, # This is Yoshiyuki Tabata writing on behalf of Takashi Norimatsu. I've used the keycloak (4.8.3.Final) in clustering environment and managed about 500k user sessions for Offline Access. I've encountered the following 2 problems : [Problems] (i) Still valid User/Client Session for Offline Access are lost, meaning lost on the infinispan cache (offlineSessions, offlineClientSessions) of every keycloak node in the cluster. (ii) Such the lost User/Client Session for Offline Access are left on DB everlastingly. As for (i), it seems to be reasonable for ordinal SSO UserSession/ClientSession. However, it seems not to be reasonable for persisted User/Client Session for Offline Access on DB. As for (ii), the size of unused resources on DB seems to increase so that it is the problem. I think such the problems seem to occur in the following clustering environment : [Environment] (a) Infinispan setting owners=1 for offlineSessions and offlineClientSessions At least one keycloak node is down. The actual case has been reported on https://issues.jboss.org/browse/KEYCLOAK-11829. (b) # of keycloak nodes is larger than the value of owners for offlineSessions and offlineClientSessions The keycloak nodes are down more than or equal to the value of owners simultaneously. (c) # of keycloak nodes is equal to the value of owners for offlineSessions and offlineClientSessions & The size of the caches of offlineSessions and offlineClientSessions are bounded. The active User/Client Session for Offline Access is evicted from the Infinispan cache. I think the current workaround of these problems is as follows : * Shut down all keycloak nodes. * Reboot one keycloak node. To do so, rebooted keycloak node recovers all of User/Client Session for Offline Access from DB to infinispan cache. However, as reported on https://issues.jboss.org/browse/KEYCLOAK-11019, downtime tends to be long in the situation that vast number of User/Client Session for Offline Access exist in DB, and it seems not to be acceptable. To get around it, what do you think about the following idea? * If some User/Client Session for Offline Access are searched on the infinispan cache and not found, try to search it on DB. I know it seems to increase disk access, so needs to consider this point. Regards, Yoshiyuki Tabata (On behalf of Takashi Norimatsu) Hitachi, Ltd.

6 years, 5 months

2
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev November 2019