Re: [keycloak-dev] passing SAML extensions and context to custom authenticators
by Caranzo Gideon
Hi Hynek,
Thank you for your response. Yes, I agree with you. It would be good to have this mechanism in those areas as well.
I already have a PR ready for just the SAML login portion. Is it fine with you if I submit this first so that we can use it as early as possible? We can create a separate ticket to implement similar mechanism for other SAML messages and broker endpoint which can be done in near future.
Thanks,
Gideon
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org [mailto:keycloak-dev-bounces@lists.jboss.org] On Behalf Of Hynek Mlnarik
Sent: Thursday, January 24, 2019 1:58 AM
To: Gideon Caranzo <gideonray(a)gmail.com>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: Re: [keycloak-dev] passing SAML extensions and context to custom authenticators
Hi Gideon,
thanks for the idea. Something like that would be a useful enhancement. The implementation would need to cover also the broker endpoint, other SAML message types (extensions are part of message types other than AuthnRequest as well), and count on several implementations of the hypothetical SamlAuthenticationPreprocessor. Could you please file an "Enhancement" JIRA?
--Hynek
On Wed, Jan 16, 2019 at 5:49 PM Gideon Caranzo <gideonray(a)gmail.com> wrote:
> Hi All,
>
> I'd like to propose a feature that allows custom authenticators to
> handle SAML extensions, authentication context and other request attributes.
>
> Right now in OIDC, all request claims are passed to custom
> authenticators which allows for customized behavior depending on the claims.
> However, this is not the case for SAML. Only attributes that are
> explicitly set (e.g. NameID) in the auth session are passed to custom authenticators.
>
> Information like SAML extension and authentication context are not
> available which limits the ability to define custom behaviors. In the
> past, we ran into similar limitation and we had to update keycloak
> core to add support for NameID attribute.
>
> To solve this, we can have an optional hook that pre-process SAML
> login request right before authentication. The hook can then extract
> the needed attributes and set it accordingly for custom authenticators to process.
>
> The pre-processing will be done in
> *SamlService.BindingProtocol.loginRequest()*:
>
> *public* *class* SamlService *extends* AuthorizationEndpointBase {
>
> *. . .*
>
> *public* *abstract* *class* BindingProtocol {
>
> . . .
>
> *protected* Response loginRequest(String relayState,
> AuthnRequestType requestAbstractType, ClientModel client) {
>
> . . .
>
> SamlAuthenticationPreprocessor preProcessor = session
> .getProvider(SamlAuthenticationPreprocessor.*class*);
>
> *if* (preProcessor != *null*) {
>
> preProcessor.process(requestAbstractType, authSession);
>
> }
>
>
>
> *return* newBrowserAuthentication(authSession,
> requestAbstractType.isIsPassive(), redirectToAuthentication);
>
> }
>
>
> Let me know what you think. Thanks.
>
> Best regards,
> Gideon
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flis
> ts.jboss.org%2Fmailman%2Flistinfo%2Fkeycloak-dev&data=02%7C01%7Cgi
> deon.caranzo%40gemalto.com%7C6f947d88676b4f788b2108d681d1d529%7C37d0a9
> db7c464096bfe31add5b495d6d%7C0%7C0%7C636839135555784466&sdata=Yhpx
> 28KFJWJGa1kv1ROWWqJd3nt60YvAb0YmeKUU5Mg%3D&reserved=0
>
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists....
________________________________
This message and any attachments are intended solely for the addressees and may contain confidential information. Any unauthorized use or disclosure, either whole or partial, is prohibited.
E-mails are susceptible to alteration. Our company shall not be liable for the message if altered, changed or falsified. If you are not the intended recipient of this message, please delete it and notify the sender.
Although all reasonable efforts have been made to keep this transmission free from viruses, the sender will not be liable for damages caused by a transmitted virus.
5 years, 3 months
Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension
by 中村雄一 / NAKAMURA,YUUICHI
Hi,
We've updated the webauthn authenticator prototype based on webauthn4j :
https://github.com/webauthn4j/keycloak-webauthn-authenticator/tree/demo-c...
We've confirmed that this demo worked well under the following environments:
* U2F with Resident Key Not supported Authenticator Scenario
OS : Windows 10
Browser : Google Chrome (ver 73), Mozilla FireFox (ver 66)
Authenticator : Yubico Security Key
Server(RP) : keycloak-5.0.0
* U2F with Resident Key supported Authenticator Scenario
OS : Windows 10
Browser : Microsoft Edge (ver 44)
Authenticator : Internal Fingerprint Authentication Device
Server(RP) : keycloak-5.0.0
* UAF with Resident Key supported Authenticator Scenario
OS : Windows 10
Browser : Microsoft Edge (ver 44)
Authenticator : Internal Fingerprint Authentication Device
Server(RP) : keycloak-5.0.0
We will continue to improve the prototype, so feedback is welcomed.
Regards,
Yuichi Nakamura
-----Original Message-----
From: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> On Behalf Of 中村雄一 / NAKAMURA,YUUICHI
Sent: Tuesday, March 19, 2019 4:32 PM
To: stian(a)redhat.com
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension
Hi,
Sorry, we have implemented only for Edge now.
Please wait for other browsers.
> One comment is that it shouldn't create a new table, but rather just serialize the value to the existing credential table in the same way as the FIDO U2F example does [1].
Thank you, we will fix.
Regards,
Yuichi Nakamura
From: Stian Thorgersen <sthorger(a)redhat.com>
Sent: Monday, March 18, 2019 5:49 PM
To: 中村雄一 / NAKAMURA,YUUICHI <yuichi.nakamura.fe(a)hitachi.com>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>; 乗松隆志 / NORIMATSU,TAKASHI <takashi.norimatsu.ws(a)hitachi.com>; 茂木昂士 / MOGI,TAKASHI <takashi.mogi.ep(a)hitachi.com>; Yoshikazu Nojima <mail(a)ynojima.net>
Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension
Tried this out today and it didn't work for me. I was getting some JS error both on Chrome and Firefox when trying to register authenticator.
One comment is that it shouldn't create a new table, but rather just serialize the value to the existing credential table in the same way as the FIDO U2F example does [1].
[1] https://clicktime.symantec.com/3XYorxFfnwRutc8N4z3Ubc77Vc?u=https%3A%2...
On Fri, 15 Mar 2019 at 08:13, 中村雄一 / NAKAMURA,YUUICHI <mailto:yuichi.nakamura.fe@hitachi.com> wrote:
Hi,
We’ve uploaded the initial prototype of webauthn authenticator below: https://clicktime.symantec.com/37NWG7BAMWtR42Swt5VUTw77Vc?u=https%3A%2F%2...
Feedback is welcomed.
From: Stian Thorgersen <mailto:sthorger@redhat.com>
Sent: Thursday, February 28, 2019 6:53 PM
To: 中村雄一 / NAKAMURA,YUUICHI <mailto:yuichi.nakamura.fe@hitachi.com>
Cc: keycloak-dev <mailto:keycloak-dev@lists.jboss.org>
Subject: [!]Re: [keycloak-dev] Request for someone to contribute an WebAuthn4j extension
That's great, thanks.
Do you have an idea on roughly when you can have a prototype ready?
On Thu, 28 Feb 2019 at 00:32, 中村雄一 / NAKAMURA,YUUICHI <mailto:mailto:yuichi.nakamura.fe@hitachi.com> wrote:
Hi,
My team has begun to help webauthn4j project, and is going to develop prototype of authenticator for keycloak.
We'd like to take this.
Regards,
Yuichi Nakamura
Hitachi, Ltd.
-----Original Message-----
From: mailto:mailto:keycloak-dev-bounces@lists.jboss.org <mailto:mailto:keycloak-dev-bounces@lists.jboss.org> On Behalf Of Stian Thorgersen
Sent: Thursday, February 28, 2019 12:26 AM
To: keycloak-dev <mailto:mailto:keycloak-dev@lists.jboss.org>
Subject: [!][keycloak-dev] Request for someone to contribute an WebAuthn4j extension
A while back I created an experimental extension to Keycloak for FIDO U2F.
It would be great if someone could adapt this to WebAuthn by leveraging webauthn4j library [1].
Any takers? It shouldn't be hard ;)
[1] https://clicktime.symantec.com/3DJdi8ZVRTPPRjKw5d1qT287Vc?u=https%3A%2F%2...
_______________________________________________
keycloak-dev mailing list
mailto:mailto:keycloak-dev@lists.jboss.org
https://clicktime.symantec.com/35NVx3Bd41ZVjjssocqwjpK7Vc?u=https%3A%2F%2...
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://clicktime.symantec.com/3K7AmDtC5f54UYS4NNrH1wo7Vc?u=https%3A%2F%2...
5 years, 6 months
Override "native" Keycloak providers
by Jerry Saravia
Hello,
We’ve been using version 3.4.3 for a while now and are attempting to upgrade to 4.8 and we’ve run into some issues.
Summary: We have created our own providers with the same PROVIDER_ID as some of the built in providers. For example, PasswordCredentialProvider has a provider id of “keycloak-password” and we created our own with the same id that gets loaded after the native one. This worked because in 3.4.3 providers that were using the same id would still have their factories added to the factory map.
See this link here for 3.4.3 changes:
https://github.com/keycloak/keycloak/blob/3.4.3.Final/services/src/main/j...
These are the 4.8 changes
https://github.com/keycloak/keycloak/blob/4.8.3.Final/services/src/main/j...
In 4.8, the fully qualified class name (FQCN) is not longer used. Instead it uses the provider id and the spi name. I can no longer use the same PROVIDER_ID as the native providers to ‘override’ them, but sometimes there is code that gets the provider specifically by id. For example, in the UpdatePassword required action we have this:
PasswordCredentialProvider passwordProvider = (PasswordCredentialProvider)context.getSession().getProvider(CredentialProvider.class, PasswordCredentialProviderFactory.PROVIDER_ID);
In 3.4.3 because our provider was loaded we were able to inject into code that normally isn’t overridable. We did the same for the OIDCLoginProtocolFactory to alter some token endpoint behavior even the UpdatePassword required action itself rather than making a brand new required action that is a “second rate” because it isn’t native to Keycloak.
Is there a solution for this in 4.8.3? I see this change was made in 4.0.0.Beta1 according to some of the history.
J
Jerry Saravia
Software Engineer
T(516) 603-6914
M516-603-6914
virginpulse.com
|virginpulse.com/global-challenge
492 Old Connecticut Path, Framingham, MA 01701, USA
Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA
Confidentiality Notice: The information contained in this e-mail, including any attachment(s), is intended solely for use by the designated recipient(s). Unauthorized use, dissemination, distribution, or reproduction of this message by anyone other than the intended recipient(s), or a person designated as responsible for delivering such messages to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may contain proprietary, confidential or privileged information. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Virgin Pulse, Inc. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message.
v2.48
5 years, 6 months
mvn install fails
by Chris Smith
A fresh clone from Github and mvn install fails to complete.
Any reason why?
Tests run: 2860, Failures: 0, Errors: 22, Skipped: 211
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary for Keycloak 7.0.0-SNAPSHOT:
[INFO]
[INFO] Keycloak BOM Parent ................................ SUCCESS [ 11.402 s]
[INFO] Keycloak BOM for adapters .......................... SUCCESS [ 0.111 s]
[INFO] Keycloak BOM for server extensions ................. SUCCESS [ 0.105 s]
[INFO] Keycloak BOM utilities for the quickstarts ......... SUCCESS [ 0.098 s]
[INFO] Keycloak ........................................... SUCCESS [ 1.655 s]
[INFO] Keycloak Common .................................... SUCCESS [ 15.064 s]
[INFO] Keycloak Core ...................................... SUCCESS [ 12.195 s]
[INFO] Keycloak Dependencies Parent ....................... SUCCESS [ 0.130 s]
[INFO] Keycloak Drools BOM ................................ SUCCESS [ 0.129 s]
[INFO] Keycloak Server SPI ................................ SUCCESS [ 3.287 s]
[INFO] Keycloak Server Private SPI ........................ SUCCESS [ 8.419 s]
[INFO] Keycloak Kerberos Federation ....................... SUCCESS [ 0.910 s]
[INFO] Keycloak LDAP UserStoreProvider .................... SUCCESS [ 7.065 s]
[INFO] Keycloak SAML Core Public API ...................... SUCCESS [ 2.849 s]
[INFO] Keycloak SAML Core ................................. SUCCESS [ 9.528 s]
[INFO] Keycloak REST Services ............................. SUCCESS [ 25.199 s]
[INFO] Keycloak JS Integration ............................ SUCCESS [ 5.176 s]
[INFO] Keycloak Themes .................................... SUCCESS [ 9.625 s]
[INFO] Keycloak Dependencies Server Min ................... SUCCESS [ 0.139 s]
[INFO] Keycloak Model Parent .............................. SUCCESS [ 0.139 s]
[INFO] Keycloak Model JPA ................................. SUCCESS [ 7.185 s]
[INFO] Keycloak Model Infinispan .......................... SUCCESS [ 13.296 s]
[INFO] Keycloak SSSD Federation ........................... SUCCESS [ 5.565 s]
[INFO] KeyCloak Authz: Parent ............................. SUCCESS [ 0.222 s]
[INFO] KeyCloak AuthZ: Provider Parent .................... SUCCESS [ 0.182 s]
[INFO] KeyCloak AuthZ: Common Policy Providers ............ SUCCESS [ 2.537 s]
[INFO] KeyCloak AuthZ: Drools Policy Provider ............. SUCCESS [ 1.934 s]
[INFO] Keycloak Dependencies Server All ................... SUCCESS [ 0.195 s]
[INFO] Keycloak Federation ................................ SUCCESS [ 0.220 s]
[INFO] Keycloak Util Embedded LDAP ........................ SUCCESS [ 3.089 s]
[INFO] Keycloak Util Parent ............................... SUCCESS [ 0.209 s]
[INFO] Keycloak WildFly Integration ....................... SUCCESS [ 0.184 s]
[INFO] Keycloak WildFly Add User Script ................... SUCCESS [ 1.151 s]
[INFO] Keycloak WildFly Extensions ........................ SUCCESS [ 1.184 s]
[INFO] Keycloak WildFly Server Subsystem .................. SUCCESS [ 8.763 s]
[INFO] Keycloak Integration ............................... SUCCESS [ 0.133 s]
[INFO] Keycloak Admin REST Client ......................... SUCCESS [ 1.111 s]
[INFO] Keycloak Client Registration API ................... SUCCESS [ 0.736 s]
[INFO] Keycloak Client CLI ................................ SUCCESS [ 0.133 s]
[INFO] Keycloak Client Registration CLI ................... SUCCESS [ 6.737 s]
[INFO] Keycloak Admin CLI ................................. SUCCESS [ 5.972 s]
[INFO] Keycloak Client CLI Distribution ................... SUCCESS [ 3.475 s]
[INFO] Keycloak Adapter SPI ............................... SUCCESS [ 0.939 s]
[INFO] Keycloak Tomcat Adapter SPI ........................ SUCCESS [ 0.822 s]
[INFO] Keycloak Undertow Integration SPI .................. SUCCESS [ 1.166 s]
[INFO] Keycloak Servlet Integration ....................... SUCCESS [ 0.828 s]
[INFO] Common JBoss/Wildfly Core Classes .................. SUCCESS [ 0.591 s]
[INFO] Keycloak Jetty Adapter SPI ......................... SUCCESS [ 0.928 s]
[INFO] Keycloak Client Adapter SPI Modules ................ SUCCESS [ 0.163 s]
[INFO] Keycloak SAML Client Adapter Public API ............ SUCCESS [ 0.621 s]
[INFO] Keycloak SAML Client Adapter Core .................. SUCCESS [ 5.196 s]
[INFO] Keycloak Undertow SAML Adapter ..................... SUCCESS [ 1.009 s]
[INFO] Keycloak SAML Tomcat Integration ................... SUCCESS [ 0.165 s]
[INFO] Keycloak Tomcat Core SAML Integration .............. SUCCESS [ 0.839 s]
[INFO] Keycloak Tomcat 8 SAML Integration ................. SUCCESS [ 0.743 s]
[INFO] Keycloak Tomcat 6 Saml Integration ................. SUCCESS [ 0.617 s]
[INFO] Keycloak Tomcat 7 SAML Integration ................. SUCCESS [ 0.625 s]
[INFO] Keycloak Wildfly SAML Adapter ...................... SUCCESS [ 0.999 s]
[INFO] KeyCloak Authz: Client API ......................... SUCCESS [ 1.963 s]
[INFO] Keycloak Adapter Core .............................. SUCCESS [ 6.558 s]
[INFO] Keycloak WildFly Elytron SAML Adapter .............. SUCCESS [ 1.130 s]
[INFO] Keycloak Wildfly SAML Adapter Subsystem ............ SUCCESS [ 7.527 s]
[INFO] Keycloak SAML Wildfly Integration .................. SUCCESS [ 0.146 s]
[INFO] Keycloak AS7 / JBoss EAP 6 Integration ............. SUCCESS [ 0.183 s]
[INFO] Keycloak AS7 SPI ................................... SUCCESS [ 3.170 s]
[INFO] Keycloak SAML EAP Integration ...................... SUCCESS [ 0.130 s]
[INFO] Keycloak SAML AS7 Integration ...................... SUCCESS [ 1.062 s]
[INFO] Keycloak SAML AS7 Subsystem ........................ SUCCESS [ 5.323 s]
[INFO] Keycloak SAML Servlet Filter ....................... SUCCESS [ 0.804 s]
[INFO] Keycloak Jetty Core SAML Integration ............... SUCCESS [ 0.865 s]
[INFO] Keycloak Jetty 9.2.x SAML Integration .............. SUCCESS [ 0.820 s]
[INFO] Keycloak Jetty 9.3.x SAML Integration .............. SUCCESS [ 0.894 s]
[INFO] Keycloak Jetty 9.4.x SAML Integration .............. SUCCESS [ 1.066 s]
[INFO] Keycloak SAML Jetty Integration .................... SUCCESS [ 0.144 s]
[INFO] Keycloak SAML Client Adapter Modules ............... SUCCESS [ 0.132 s]
[INFO] Keycloak Tomcat Integration ........................ SUCCESS [ 0.140 s]
[INFO] Keycloak Tomcat Core Integration ................... SUCCESS [ 0.758 s]
[INFO] Keycloak AS7 Integration ........................... SUCCESS [ 0.906 s]
[INFO] Keycloak AS7 Subsystem ............................. SUCCESS [ 4.368 s]
[INFO] Keycloak Installed Application ..................... SUCCESS [ 1.609 s]
[INFO] Keycloak Undertow Integration ...................... SUCCESS [ 2.295 s]
[INFO] Keycloak Fuse 7.0 Integration ...................... SUCCESS [ 0.161 s]
[INFO] Keycloak Fuse 7.0 Adapter - Camel + Undertow ....... SUCCESS [ 1.773 s]
[INFO] Keycloak OSGI Adapter .............................. SUCCESS [ 3.531 s]
[INFO] Keycloak Fuse 7.0 Adapter - Undertow ............... SUCCESS [ 1.514 s]
[INFO] Keycloak Jetty Core Integration .................... SUCCESS [ 1.175 s]
[INFO] Keycloak Jetty 9.4.x Integration ................... SUCCESS [ 0.945 s]
[INFO] Keycloak Fuse 7.0 Adapter - Jetty 9.4 .............. SUCCESS [ 1.345 s]
[INFO] Keycloak Tomcat 8 Integration ...................... SUCCESS [ 0.767 s]
[INFO] Keycloak Fuse 7.0 Adapter - Tomcat 8 ............... SUCCESS [ 1.105 s]
[INFO] Keycloak CLI SSO Framework ......................... SUCCESS [ 4.620 s]
[INFO] Keycloak JAX-RS OAuth Client ....................... SUCCESS [ 1.314 s]
[INFO] Keycloak Jetty 9.2.x Integration ................... SUCCESS [ 1.142 s]
[INFO] Keycloak Jetty 9.3.x Integration ................... SUCCESS [ 1.144 s]
[INFO] Keycloak Jetty Integration ......................... SUCCESS [ 0.173 s]
[INFO] Keycloak Servlet Filter Adapter Integration ........ SUCCESS [ 1.061 s]
[INFO] Keycloak Servlet OAuth Client ...................... SUCCESS [ 4.150 s]
[INFO] spring-boot-container-bundle ....................... SUCCESS [ 1.761 s]
[INFO] Keycloak Spring Security Integration ............... SUCCESS [ 8.449 s]
[INFO] Keycloak Spring Boot Adapter Core .................. SUCCESS [ 1.759 s]
[INFO] Keycloak Spring Boot Integration ................... SUCCESS [ 4.437 s]
[INFO] Keycloak Spring Boot 2 Integration ................. SUCCESS [ 4.172 s]
[INFO] Keycloak Tomcat 6 Integration ...................... SUCCESS [ 0.689 s]
[INFO] Keycloak Tomcat 7 Integration ...................... SUCCESS [ 0.761 s]
[INFO] Keycloak Wildfly Integration ....................... SUCCESS [ 0.998 s]
[INFO] Keycloak Wildfly Elytron OIDC Adapter .............. SUCCESS [ 1.763 s]
[INFO] Keycloak Wildfly Adapter Subsystem ................. SUCCESS [ 8.862 s]
[INFO] Keycloak Wildfly 8 Adapter Subsystem ............... SUCCESS [ 5.703 s]
[INFO] Keycloak WildFly Integration ....................... SUCCESS [ 0.138 s]
[INFO] Keycloak OIDC Client Adapter Modules ............... SUCCESS [ 0.124 s]
[INFO] Keycloak Adapters .................................. SUCCESS [ 0.130 s]
[INFO] Keycloak Misc ...................................... SUCCESS [ 0.138 s]
[INFO] Keycloak :: Spring :: Boot ......................... SUCCESS [ 0.148 s]
[INFO] Keycloak :: Spring :: Boot :: Default :: Starter .. SUCCESS [ 0.371 s]
[INFO] Keycloak :: Spring :: Boot ......................... SUCCESS [ 0.139 s]
[INFO] Keycloak :: Legacy :: Spring :: Boot :: Default :: Starter SUCCESS [ 0.388 s]
[INFO] keycloak-test-helper ............................... SUCCESS [ 0.937 s]
[INFO] Keycloak TestSuite ................................. SUCCESS [ 0.128 s]
[INFO] DB Allocator Plugin ................................ SUCCESS [ 14.444 s]
[INFO] Keycloak Arquillian Integration TestSuite .......... SUCCESS [ 0.212 s]
[INFO] Test apps .......................................... SUCCESS [ 0.144 s]
[INFO] Test apps distribution ............................. SUCCESS [ 7.201 s]
[INFO] Keycloak Authz: PhotoZ Test Parent ................ SUCCESS [ 0.145 s]
[INFO] Keycloak Authz Test: Photoz RESTful API ............ SUCCESS [ 1.871 s]
[INFO] Keycloak Authz Tests: Photoz HTML5 Client .......... SUCCESS [ 1.330 s]
[INFO] Keycloak Authz Tests: Photoz Authz Rule-based Policy SUCCESS [ 0.442 s]
[INFO] Keycloak Authz Tests: Hello World Example .......... SUCCESS [ 0.406 s]
[INFO] Keycloak Authz: Servlet Authorization Test ......... SUCCESS [ 0.577 s]
[INFO] Keycloak Authz: Simple Servlet App with Policy Enforcer SUCCESS [ 0.393 s]
[INFO] integration-arquillian-test-apps-servlets .......... SUCCESS [ 1.327 s]
[INFO] Keycloak Test App Profile JEE ...................... SUCCESS [ 0.638 s]
[INFO] integration-arquillian-test-apps-cors-parent ....... SUCCESS [ 0.144 s]
[INFO] Angular Product Portal JS .......................... SUCCESS [ 2.995 s]
[INFO] JAX-RS Database Service Using OAuth Bearer Tokens .. SUCCESS [ 0.728 s]
[INFO] Fuse Test Applications ............................. SUCCESS [ 0.139 s]
[INFO] Customer Portal - Secured in Karaf/Fuse ............ SUCCESS [ 1.778 s]
[INFO] CXF JAXRS Example - Secured in Karaf/Fuse .......... SUCCESS [ 2.099 s]
[INFO] CXF JAXRS Example - Secured in Karaf/Fuse 7.0 on Undertow SUCCESS [ 0.798 s]
[INFO] CXF JAXWS Example - Secured in Karaf/Fuse .......... SUCCESS [ 1.012 s]
[INFO] CXF JAXWS Example - Secured in Karaf/Fuse 7.0 on Undertow SUCCESS [ 0.830 s]
[INFO] Product Portal - Secured in Karaf/Fuse ............. SUCCESS [ 0.960 s]
[INFO] Product Portal - Secured in Karaf/Fuse 7.0 on Undertow SUCCESS [ 1.012 s]
[INFO] Camel endpoint example - Secured in Karaf/Fuse ..... SUCCESS [ 0.779 s]
[INFO] Camel endpoint example - Secured in Karaf/Fuse 7.0 on Undertow SUCCESS [ 0.879 s]
[INFO] Keycloak Fuse Example - Features ................... SUCCESS [ 0.670 s]
[INFO] Keycloak Examples - External Config ................ SUCCESS [ 0.776 s]
[INFO] spring-boot-adapter ................................ SUCCESS [ 1.358 s]
[INFO] spring-boot-adapter-2 .............................. SUCCESS [ 1.571 s]
[INFO] spring-boot-adapter-21 ............................. SUCCESS [ 1.435 s]
[INFO] Servers ............................................ SUCCESS [ 0.152 s]
[INFO] Auth Server ........................................ SUCCESS [ 0.127 s]
[INFO] Auth Server Services ............................... SUCCESS [ 0.129 s]
[INFO] Auth Server Services - Testsuite Providers ......... SUCCESS [ 5.076 s]
[INFO] Auth Server - JBoss ................................ SUCCESS [ 0.131 s]
[INFO] Keycloak TestSuite Utils ........................... SUCCESS [ 2.794 s]
[INFO] Test Util .......................................... SUCCESS [ 1.798 s]
[INFO] Auth Server - Undertow ............................. SUCCESS [ 2.305 s]
[INFO] App Server ......................................... SUCCESS [ 0.137 s]
[INFO] App Server - SPI ................................... SUCCESS [ 0.541 s]
[INFO] App Server - JBoss ................................. SUCCESS [ 0.132 s]
[INFO] App Server - Karaf ................................. SUCCESS [ 0.127 s]
[INFO] App Server - Tomcat ................................ SUCCESS [ 0.130 s]
[INFO] App Server - Undertow .............................. SUCCESS [ 1.122 s]
[INFO] App Server - Jetty Parent .......................... SUCCESS [ 0.151 s]
[INFO] Cache Server ....................................... SUCCESS [ 0.119 s]
[INFO] Cache Server - JBoss Family ........................ SUCCESS [ 0.124 s]
[INFO] Tests .............................................. SUCCESS [ 0.493 s]
[INFO] Base TestSuite ..................................... FAILURE [ 01:45 h]
[INFO] Other Tests Modules ................................ SKIPPED
[INFO] Adapter Tests ...................................... SKIPPED
[INFO] Adapter Tests - JBoss .............................. SKIPPED
[INFO] Adapter Tests - Karaf .............................. SKIPPED
[INFO] Adapter Tests - WAS ................................ SKIPPED
[INFO] Adapter Tests - WLS ................................ SKIPPED
[INFO] SSSD tests ......................................... SKIPPED
[INFO] integration-arquillian-tests-springboot ............ SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 01:51 h
[INFO] Finished at: 2019-04-23T19:51:55+08:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.19.1:test (default-test) on project integration-arquillian-tests-base: There are test failures.
[ERROR]
[ERROR] Please refer to C:\Users\christopher.smith\Documents\keycloak\workspace\keycloak-parent\testsuite\integration-arquillian\tests\base\target\surefire-reports for the individual test results.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn <goals> -rf :integration-arquillian-tests-base
C:\Users\christopher.smith\Documents\keycloak\workspace\keycloak-parent>
5 years, 7 months
Proposal: Improvements to IdpUsernamePasswordForm
by Dmitry Telegin
Hi,
I'm currently working to implement the following requirements:
- users are managed externally via LDAP, self-registrations disabled;
- there is an external IdP;
- generally, there is no way to automatically match IdP identity with Keycloak's one, so IdP linking will always be performed by the user manually;
- in order to do that, the user should click the IdP icon in the login screen, authenticate with the IdP, get back to Keycloak and "claim" his/her Keycloak account by entering correct username and password.
Currently, the closest thing in Keycloak is o.k.authentication.authenticators.broker.IdpUsernamePasswordForm (aka "idp-username-password-form", aka "Username Password Form for identity provider reauthentication").
However, it 1) prefills username field and makes it non-editable, 2) depends on the preceding IdpCreateUserIfUniqueAuthenticator execution to provide existing user model (EXISTING_USER_INFO auth note).
My proposal is to improve IdpUsernamePasswordForm by allowing its execution even without the preceding IdpCreateUserIfUniqueAuthenticator. In the absence of EXISTING_USER_INFO, IdpUsernamePasswordForm should allow the user to manually enter username.
Please let me know if you think it's worth having this in Keycloak. Regards,
Dmitry
5 years, 7 months
HA mode with JDBC_PING shows warning in the logs after migration to 4.8.3 from 3.4.3
by abhishek raghav
Hi
After the migration of keycloak HA configurations from 3.4.3.Final to
4.8.3.Final, I am seeing some WARNINGS on one of the nodes of keycloak
immediately after the keycloak is started with 2 nodes. This occurs after
every time when the cluster is scaled up or whenever infinispan is trying
to update the cluster member list.
I am using JDBC_PING to achieve clustering in keycloak.
Below is the stacktrace -
2019-04-24 12:20:43,687 WARN
>> [org.infinispan.topology.ClusterTopologyManagerImpl]
>> (transport-thread--p18-t2) [dcidqdcosagent08] KEYCLOAK DEV 1.5.RC
>> ISPN000197: Error updating cluster member list:
>> org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out
>> waiting for responses for request 1 from dcidqdcosagent02
>
> at
>> org.infinispan.remoting.transport.impl.MultiTargetRequest.onTimeout(MultiTargetRequest.java:167)
>
> at
>> org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:87)
>
> at
>> org.infinispan.remoting.transport.AbstractRequest.call(AbstractRequest.java:22)
>
> at
>> java.util.concurrent.FutureTask.run(FutureTask.java:266)
>
> at
>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180)
>
> at
>> java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293)
>
> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
>
> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
>
> at java.lang.Thread.run(Thread.java:748)
>
> Suppressed: org.infinispan.util.logging.TraceException
>
> at
>> org.infinispan.remoting.transport.Transport.invokeRemotely(Transport.java:75)
>
> at
>> org.infinispan.topology.ClusterTopologyManagerImpl.confirmMembersAvailable(ClusterTopologyManagerImpl.java:525)
>
> at
>> org.infinispan.topology.ClusterTopologyManagerImpl.updateCacheMembers(ClusterTopologyManagerImpl.java:508)
>
>
Now after I searched, I really did not see anyone reported such error on
keycloak but there is similar bug reported in WILDLFY 14 and is categorized
as a blocker in WILDLFY 14.This bug is already fixed in WILDLFY 15.
https://issues.jboss.org/browse/WFLY-10736?attachmentViewMode=list
Now since keycloak 4.8 is also based on WILDLFY 14, these WARNINGS could be
because of this blocker in WILDFLY 14.
What should I do to get rid this error. Is this really a problem in
keycloak 4.8.3.Final. Did anyone notice any such issue while running
keycloak 4.8.3 in HA mode.
Is there a workaround to fix this.
One more thing we noticed is - It is regarding a property in JDBC_PING
protocol we are using in our 3.4.3 setup i.e. "clear_table_on_view_change"
but it is no more supported in 4.8 version. and thus the JGROUPSPING table
is filled up with lot of stale entries. Is there a workaround to clear the
table after view change in 4.8 also.
Thanks
Abhishek
5 years, 7 months
docker quickstart example compilation is failing (keycloak 6.0.1) in photoz example
by Olivier Rivat
Hi,
Keyclaok 6.01 docker quickstart compilation is failing with error
java.lang.RuntimeException: Could not obtain configuration from server
[http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration
The instructions are taken from
https://hub.docker.com/r/abstractj/keycloak-quickstarts?ref=login
The endpoint
http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration
deos not exist.
The (real) endpoint is
http://localhost:8180/auth/realms/photoz/.well-known/uma2-configuration
This has to be fixed in the docker quickstart example
Regards,
Olivier Rivat
--------------------------------------------------------------------------------------------------------------------
DEBUG] No <id> element was found in the POM - Getting credentials from
CLI entry
[DEBUG] No <id> element was found in the POM - Getting credentials from
CLI entry
[DEBUG] Executing deployment
[INFO]
------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO]
------------------------------------------------------------------------
[INFO] Total time: 3.474 s
[INFO] Finished at: 2019-04-25T15:49:30+00:00
[INFO] Final Memory: 30M/366M
[INFO]
------------------------------------------------------------------------
[ERROR] Failed to execute goal
org.wildfly.plugins:wildfly-maven-plugin:1.2.0.Final:deploy
(default-cli) on project photoz-uma-restful-api: Failed to execute goal
deploy: {"WFLYCTL0062: Composite operatio
n failed and was rolled back. Steps that failed:" => {"Operation step-1"
=> {"WFLYCTL0080: Failed services" =>
{"jboss.deployment.unit.\"photoz-uma-restful-api.war\".undertow-deployment"
=> "java.lang.Run
timeException: Could not obtain configuration from server
[http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration].
[ERROR] Caused by: java.lang.RuntimeException: Could not obtain
configuration from server
[http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration].
[ERROR] Caused by: java.lang.RuntimeException: Error executing http
method [org.apache.http.client.methods.RequestBuilder@2c0b0edc].
Response : null
[ERROR] Caused by: java.net.ConnectException: Connection refused
(Connection refused)"}}}}
[ERROR] -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to
execute goal org.wildfly.plugins:wildfly-maven-plugin:1.2.0.Final:deploy
(default-cli) on project photoz-uma-restful-api: Failed to execut
e goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled
back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080:
Failed services" => {"jboss.deployment.unit.\"photoz-uma-restful-
api.war\".undertow-deployment" => "java.lang.RuntimeException: Could not
obtain configuration from server
[http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration].
Caused by: java.lang.RuntimeException: Could not obtain
configuration from server
[http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration].
Caused by: java.lang.RuntimeException: Error executing http method
[org.apache.http.client.methods.RequestBuilder@2c0b0edc]. Response : null
Caused by: java.net.ConnectException: Connection refused
(Connection refused)"}}}}
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
at
org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
at
org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
at
org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
at
org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
------------------------------------------------------------------------------------------------------------------
5 years, 7 months
Proposal: more flexible brokered identity with SAML IdP
by Dmitry Telegin
Background
==========
Consider the problem: we are preparing a Keycloak deployment with the
following properties:
- users come from LDAP/AD, self-registration disabled;
- vast majority of the users will be authenticating via a 3rd party
SAML IdP that shares user DB with our Keycloak.
To make onboarding easier, we want to free the users from the need to
manually link their accounts with the IdP, by mass pre-creating the
links programmatically using Admin REST API.
In theory, this should be doable by issuing a POST to
users/{id}/federated-identity/saml, passing IdP's userId and userName,
which should create and persist a FederatedIdentity instance.
In practice, we're hitting a roadblock because of how SAML brokered
identities are implemented in Keycloak.
Problem
=======
Currently, it is hardcoded [1] that FederatedIdentity's userId and
userName should be taken verbatim from SAML assertion's NameID value
(via intermediary BrokeredIdentityContext). The problem is that most
SAML IdPs provide meaningless NameIDs, like hashes or purely random
strings. In general, SAML NameID is not predictable. To make things
worse, NameID can be different for SPs, so we can't simply peek it in
another application already integrated with the IdP.
OTOH, incoming assertion is guaranteed to contain other attributes that
are well-known to us and uniquely identify the user, like e.g. mobile
phone number.
[1] https://github.com/keycloak/keycloak/blob/master/services/src/main/
java/org/keycloak/broker/saml/SAMLEndpoint.java#L398
Solution
========
The problem could be solved by introducing a configurable (and thus
more flexible) mechanism to map SAML assertions to FederatedIdentities.
With that, we could instruct Keycloak to take userId and userName from
arbitrary assertion attributes, or even complex expression, similar to
what we have in UsernameTemplateMapper.
Questions are:
1. From what I've learned, this should be doable with the help of a
custom IdP mapper, using preprocessFederatedIdentity() method. Is that
correct?
2. Regardless of the answer to 1, would Keycloak team welcome this
contribution?
Some thoughts not directly related to this particular problem; from my
3+ years experience with Keycloak and its corporate users, I can surely
tell that SAML under no circumstances should be considered either
legacy or obsolete. It is *very* actively used in the areas like
fintech, education and healthcare. I'd myself be happy to see Keycloak
become 1st class SAML IdP/broker, and going to do my best to make it
happen. I'm particularly interested in improving SAML/OIDC
interoperability in terms of IdP-initiated SSO and token exchange.
Best regards,
Dmitry
5 years, 7 months