Re: [keycloak-dev] Improve search for a specific user in the admin console
by Alexis Almeida
Hi, Stan!
> Another approach for now would be to write a standalone java app that
> uses the keycloak-admin-client to find the user id. Then it opens that
> user in the browser. This way, you could use it with any keycloak server.
Thanks for your answer and your suggestion. I just think it is not
interesting to use two tools to operate the solution: the console itself
and another application just to get the user id.
Anyway, your suggestion gave me another idea and I got a workaround for the
problem by just changing the Admin Theme. I implemented the same filter
idea in the "admin/resources/js/controllers/users.js" file. It really is a
workaround, but it makes me comfortable waiting for the new version of the
console.
Thanks
Aléxis
> Date: Thu, 31 Jan 2019 07:46:43 -0500
> From: Stan Silvert <ssilvert(a)redhat.com>
> Subject: Re: [keycloak-dev] Improve search by a specific user in the
> admin console
> To: keycloak-dev(a)lists.jboss.org
> Message-ID: <c7809c72-348b-b984-f3e9-8c8714e4c31d(a)redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> This has always been a sore spot. I expect that we will address it when
> we rewrite the admin console, which is in the plan but we don't have a
> timeline yet.
>
> Another approach for now would be to write a standalone java app that
> uses the keycloak-admin-client to find the user id. Then it opens that
> user in the browser. This way, you could use it with any keycloak server.
>
> On 1/31/2019 7:21 AM, Alexis Almeida wrote:
> > Considering an installation of Keycloak where there are 2 million (or
> > more) users in the user_entity table, searching for a specific user in
> > the console is a stressful task if you do it several times a day. I think
> > it should be possible to do a "direct" search by username.
> >
> > Today it is possible to search for a specific user by ID, by typing
> > id:xxxxxx in the search field in the console. IMO this feature could be
> > expanded, so someone could search for a specific user by username or by
> > email, like this: username:xxxxx or email:xxxxxx.
> >
> > I made this change on my local machine and the result was ok.
> >
> > private static final String SEARCH_USERNAME_PARAMETER = "username:";
> > private static final String SEARCH_EMAIL_PARAMETER = "email:";
> > .
> > .
> > .
> > } else if (search.startsWith(SEARCH_USERNAME_PARAMETER)) {
> >     UserModel userModel = session.users().getUserByUsername(
> >             search.substring(SEARCH_USERNAME_PARAMETER.length()).trim(), realm);
> >     if (userModel != null) {
> >         userModels = Arrays.asList(userModel);
> >     }
> > } else if (search.startsWith(SEARCH_EMAIL_PARAMETER)) {
> >     UserModel userModel = session.users().getUserByEmail(
> >             search.substring(SEARCH_EMAIL_PARAMETER.length()).trim(), realm);
> >     if (userModel != null) {
> >         userModels = Arrays.asList(userModel);
> >     }
> > } else {
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
5 years, 2 months
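The "id:" / "username:" / "email:" search syntax discussed in this thread, as an added example that is not code from the thread or from Keycloak: it parses the search term on the client side, the way the admin theme workaround does, but turns it into a targeted call against the admin REST API (`/admin/realms/{realm}/users` and `/users/{id}`) instead of one generic substring search. The transport and the in-memory user directory are constructed stand-ins; it is an assumption that the `username` and `email` query parameters behave as substring filters, which is why the result is narrowed to an exact, case-insensitive match before it is returned.

```javascript
// Added example, not from the keycloak-dev thread or from Keycloak itself.
// transport(url, headers) -> { status, body }: wrap fetch/XHR in the console,
// or use the constructed fakeAdminApi below to run this offline.

const PREFIXES = { 'id:': 'id', 'username:': 'username', 'email:': 'email' };

// Split "prefix:value" into a lookup kind and a trimmed value.  Text without a
// recognised prefix, or a prefix with nothing after it, stays a generic search.
function parseUserSearch(search) {
  const text = (search || '').trim();
  const lower = text.toLowerCase();
  for (const [prefix, kind] of Object.entries(PREFIXES)) {
    if (lower.startsWith(prefix)) {
      const value = text.slice(prefix.length).trim();
      return value ? { kind, value } : { kind: 'search', value: text };
    }
  }
  return { kind: 'search', value: text };
}

// Map a parsed search onto one admin REST request.
function buildUserQuery(baseUrl, realm, parsed) {
  const users = `${baseUrl}/admin/realms/${encodeURIComponent(realm)}/users`;
  const value = encodeURIComponent(parsed.value);
  if (parsed.kind === 'id') return { url: `${users}/${value}`, exactField: null };
  if (parsed.kind === 'search') return { url: `${users}?search=${value}&first=0&max=20`, exactField: null };
  // Assumption: username/email are substring filters server-side, so the
  // caller narrows the answer to an exact match (see findUsers).
  return { url: `${users}?${parsed.kind}=${value}&first=0&max=20`, exactField: parsed.kind };
}

function findUsers(transport, baseUrl, realm, bearerToken, search) {
  const parsed = parseUserSearch(search);
  const { url, exactField } = buildUserQuery(baseUrl, realm, parsed);
  const res = transport(url, { Authorization: `Bearer ${bearerToken}` });
  if (res.status === 404 && parsed.kind === 'id') return [];
  if (res.status !== 200) throw new Error(`admin API returned ${res.status} for ${url}`);
  const list = Array.isArray(res.body) ? res.body : [res.body];
  if (!exactField) return list;
  const want = parsed.value.toLowerCase(); // Keycloak stores usernames and e-mails lower-cased
  return list.filter((u) => (u[exactField] || '').toLowerCase() === want);
}

// Constructed stand-in for the admin REST API: three users, substring matching
// on the username/email/search parameters, 404 for an unknown id.
const FAKE_USERS = [
  { id: '2d3c6c5e-0000-4e1a-9e3a-0b0b0b0b0b01', username: 'jdoe', email: 'jdoe@example.com' },
  { id: '2d3c6c5e-0000-4e1a-9e3a-0b0b0b0b0b02', username: 'jdoe2', email: 'jdoe2@example.com' },
  { id: '2d3c6c5e-0000-4e1a-9e3a-0b0b0b0b0b03', username: 'asmith', email: 'asmith@example.com' },
];

function fakeAdminApi(url) {
  const u = new URL(url);
  const parts = u.pathname.split('/'); // ['', 'admin', 'realms', realm, 'users', id?]
  if (parts.length === 6) {
    const user = FAKE_USERS.find((x) => x.id === decodeURIComponent(parts[5]));
    return user ? { status: 200, body: user } : { status: 404, body: { error: 'User not found' } };
  }
  const q = u.searchParams;
  const has = (field, needle) => field.toLowerCase().includes(needle.toLowerCase());
  const hits = FAKE_USERS.filter((x) =>
    (!q.has('username') || has(x.username, q.get('username'))) &&
    (!q.has('email') || has(x.email, q.get('email'))) &&
    (!q.has('search') || has(x.username, q.get('search')) || has(x.email, q.get('search'))));
  return { status: 200, body: hits.slice(0, Number(q.get('max') || 100)) };
}

// Usage against the stand-in; with a real server pass the console's bearer token.
const BASE = 'https://kc.example';
findUsers(fakeAdminApi, BASE, 'demo', 'admin-token', 'username:jdoe');
```

The exact-match post-filter is the part worth keeping even if the server-side semantics differ: with a substring filter, "username:jdoe" would otherwise also surface jdoe2, which is exactly the ambiguity the thread wants to avoid in a directory of millions of users.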
Authz services feedback
by Marek Posolda
I recently had a chance to play a bit more with authz services when
preparing for the DevConf demo. Great stuff, and kudos to Pedro and all
the others who contributed to authorization services!
I just have a few questions and possible suggestions for improvements in the
future :) Some are also based on questions and discussion I had after the talk:
- My REST service was Spring Boot based and protected by the policy enforcer
configured in application.properties like this
https://github.com/mposolda/devconf2019-authz/blob/master/devconf2019-ser...
. However, I was stuck when I wanted to enable UserManagedAccess for my
service. The PolicyEnforcerConfig.UserManagedAccessConfig is an empty
class and I couldn't figure out how to properly add it in the
application.properties file. I tried adding various things to
application.properties like this, but none of them helped:
keycloak.policy-enforcer-config.user-managed-access
keycloak.policy-enforcer-config.user-managed-access=
keycloak.policy-enforcer-config.user-managed-access= (just a single
space left after the equals character)
As a workaround, I ended up with a separate bean to do it
programmatically -
https://github.com/mposolda/devconf2019-authz/blob/master/devconf2019-ser...
. Is it a bug, or is it just me doing something stupid?
- I wonder about possible improvements to keycloak-authz.js and whether its
usability can be improved a bit? More specifically I mean this:
-- Handling of the 401 response with the UMA ticket from the resource server -
can this be done "automatically"? I mean the flow described here:
https://www.keycloak.org/docs/latest/authorization_services/index.html#ha...
. Maybe keycloak-authz itself could just handle the response from the
resource server, then send the AuthorizationRequest to KC with the UMA
ticket and then possibly re-send the request to the resource server with the
new RPT, and do all this "automatically" without the application having to
handle it manually like this:
https://github.com/keycloak/keycloak-quickstarts/blob/latest/app-authz-um...
. WDYT?
-- Another thing is refreshing of the RPT. It looks like the RPT response
contains the refresh token, so refreshing RPTs is possible. However, the
keycloak-authz.js client doesn't have any support for automatically
refreshing the RPT token. I mean something similar to what is provided by
keycloak.js itself (the method "keycloak.updateToken", which automatically
refreshes the token if needed). Due to this limitation, it seems there is a
bug in our quickstart. When you try the quickstart
"app-authz-uma-photoz" and go through a flow like this:
- Open http://localhost:8080/photoz-html5-client and log in as jdoe
- Create some album
- Wait 10 minutes (RPT expiration is the same as AccessTokenLifespan, so 5
minutes by default)
- Try to create some album again - this now fails with 403 because the RPT
has expired and there is no support for refreshing it in keycloak-authz.js
or in the application itself.
Should I create a JIRA for this?
- It seems we don't have any Java based adapter for frontend clients
written in Java? We have the Java based authorization client, but that
just provides sending REST requests. It doesn't provide the things I
mentioned above though (storing the RPT, automatically refreshing the RPT,
automatically handling the 401 response with the UMA ticket from the
resource server and sending the request to KC, etc). Any plan to have this?
Marek
5 years, 2 months
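The two behaviours asked for in the post above, automatic handling of the 401 with a UMA ticket and automatic RPT refresh, as an added example that is not part of the keycloak-dev thread, of keycloak-authz.js or of the photoz quickstart. It follows the UMA 2.0 grant as Keycloak documents it: the resource server answers with `WWW-Authenticate: UMA realm="...", as_uri="...", ticket="..."`, the client posts `grant_type=urn:ietf:params:oauth:grant-type:uma-ticket` with the ticket to the token endpoint under the user's access token, receives an RPT plus refresh token, and retries; before the RPT expires it uses the `refresh_token` grant, the way `keycloak.updateToken()` does for the access token. The transport, resource server and token endpoint are constructed stand-ins; a public client (`client_id` only) and a still-valid refresh token are assumed, and the transport is synchronous only to keep the flow readable.

```javascript
// Added example, not from the keycloak-dev thread, keycloak-authz.js or the
// photoz quickstart.  transport(url, { method, headers, body }) ->
// { status, headers, body } is injectable; `now` is injectable to move the clock.

const UMA_GRANT = 'urn:ietf:params:oauth:grant-type:uma-ticket';

// Parse `WWW-Authenticate: UMA realm="r", as_uri="u", ticket="t"`; null otherwise.
function parseUmaChallenge(header) {
  if (!header || !/^UMA\s/i.test(header)) return null;
  const params = {};
  for (const m of header.slice(4).matchAll(/(\w+)="([^"]*)"/g)) params[m[1]] = m[2];
  return params.ticket ? params : null;
}

class UmaClient {
  constructor({ transport, tokenEndpoint, clientId, accessToken, now = () => Date.now(), skewMs = 30000 }) {
    Object.assign(this, { transport, tokenEndpoint, clientId, accessToken, now, skewMs });
    this.rpt = null; this.refreshToken = null; this.rptExpiresAt = 0;
    this.tokenCalls = 0; this.lastGrant = null; // bookkeeping for the demo
  }

  _token(form, withBearer) {
    const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
    if (withBearer) headers.Authorization = `Bearer ${this.accessToken}`; // ticket exchange runs as the user
    const res = this.transport(this.tokenEndpoint, {
      method: 'POST', headers, body: new URLSearchParams({ client_id: this.clientId, ...form }).toString(),
    });
    if (res.status !== 200) throw new Error(`token endpoint returned ${res.status}`);
    this.rpt = res.body.access_token;
    this.refreshToken = res.body.refresh_token || null;
    this.rptExpiresAt = this.now() + res.body.expires_in * 1000;
    this.tokenCalls++; this.lastGrant = form.grant_type;
  }

  // Refresh when the RPT is within `skewMs` of expiry; returns true if it did.
  ensureFreshRpt() {
    if (!this.rpt || !this.refreshToken || this.now() + this.skewMs < this.rptExpiresAt) return false;
    this._token({ grant_type: 'refresh_token', refresh_token: this.refreshToken }, false);
    return true;
  }

  request(url, opts = {}) {
    this.ensureFreshRpt();
    const send = () => this.transport(url, {
      ...opts, headers: { ...(opts.headers || {}), Authorization: `Bearer ${this.rpt || this.accessToken}` },
    });
    let res = send();
    if (res.status === 401) {
      const challenge = parseUmaChallenge(res.headers['www-authenticate']);
      if (!challenge) return res;                                   // not a UMA challenge: surface it
      this._token({ grant_type: UMA_GRANT, ticket: challenge.ticket }, true);
      res = send();                                                 // retry exactly once with the RPT
    }
    return res;
  }
}

// Constructed stand-ins: a token endpoint that swaps tickets or refresh tokens
// for RPTs valid 300 s, and a resource server that challenges anything else.
function makeFakeServers(now) {
  const tokenEndpoint = 'https://kc.example/realms/demo/protocol/openid-connect/token';
  const resource = 'https://api.example/album';
  const issued = new Map(); // rpt -> { expiresAt, refresh }
  const tickets = new Set();
  let seq = 0;
  const issue = () => {
    const tok = { access_token: `rpt-${++seq}`, refresh_token: `refresh-${seq}`, expires_in: 300, token_type: 'Bearer' };
    issued.set(tok.access_token, { expiresAt: now() + 300000, refresh: tok.refresh_token });
    return tok;
  };
  const reply = (status, headers, body) => ({ status, headers, body });
  function transport(url, { method = 'GET', headers = {}, body = '' } = {}) {
    if (url === tokenEndpoint) {
      const form = new URLSearchParams(body);
      if (form.get('client_id') !== 'photoz-html5-client') return reply(401, {}, { error: 'invalid_client' });
      const grant = form.get('grant_type');
      if (grant === UMA_GRANT && headers.Authorization === 'Bearer access-jdoe' && tickets.delete(form.get('ticket'))) return reply(200, {}, issue());
      if (grant === 'refresh_token' && [...issued.values()].some((v) => v.refresh === form.get('refresh_token'))) return reply(200, {}, issue());
      return reply(400, {}, { error: 'invalid_grant' });
    }
    if (url === resource) {
      const rec = issued.get((headers.Authorization || '').replace(/^Bearer /, ''));
      if (rec && rec.expiresAt > now()) return reply(200, {}, { ok: true, method });
      const ticket = `ticket-${++seq}`;
      tickets.add(ticket);
      return reply(401, { 'www-authenticate': `UMA realm="demo", as_uri="https://kc.example/realms/demo", ticket="${ticket}"` }, '');
    }
    return reply(404, {}, '');
  }
  return { transport, tokenEndpoint, resource };
}

// The photoz scenario from the post: create an album, wait 10 minutes, create another.
function demo() {
  let clock = 1700000000000;
  const { transport, tokenEndpoint, resource } = makeFakeServers(() => clock);
  const client = new UmaClient({ transport, tokenEndpoint, clientId: 'photoz-html5-client', accessToken: 'access-jdoe', now: () => clock });
  const first = client.request(resource, { method: 'POST' }).status;  // 401 + ticket -> RPT -> retry
  const second = client.request(resource, { method: 'POST' }).status; // cached RPT, no token call
  clock += 10 * 60 * 1000;
  const third = client.request(resource, { method: 'POST' }).status;  // refreshed before sending
  return { first, second, third, tokenCalls: client.tokenCalls, lastGrant: client.lastGrant };
}
```

Two design points matter for a real integration: the retry after a ticket exchange happens exactly once, so a resource server that keeps challenging cannot drive the client into a loop, and the refresh is done ahead of expiry rather than after a 403, which is the difference between the post's "wait 10 minutes, then fail" scenario and a transparent recovery. A confidential client would add its own client authentication to both token requests instead of relying on `client_id` alone.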