June 2019 - keycloak-dev - Jboss List Archives

by Stian Thorgersen

Can someone from the community please review a short update to the Turkish translation? The PR is: https://github.com/keycloak/keycloak/pull/6124

5 years, 1 month

1
0
0 / 0

Using keycloak token as secret key for Des to encrypt banking transaction

by anis khai

In order to share secret key for Des as symetric algorithm To encrypt transaction data shared between mobile device and backend microservices I m thinking to use keycloak token (code grant flow selected) Because it have timetolive infinispan and regrouped information container in scope mappers Is it right choice or there is a vulnérabilités WE will consider refresh token in m'y flow Any advice or proposition is weclome. @Stian Best regards thanks in avance.

5 years, 1 month

1
0
0 / 0

Spring Security and KeycloakRole (GrantedAuthority) Implementation

by Pedro Igor Silva

Hello All, I would like to know from those using the Spring Security Adapter if we can do a very simple change to the KeycloakRole type which is used to represent roles granted by Keycloak. The change [1] is all about changing the equals method to support any instance of GrantedAuthority (parent) instead of KeycloakRole instances only. The reason I'm asking is that in GrantedAuthority docs there is a comment [2] that made me wonder if we could potentially break any existing deployment relying on the current implementation of equals, where an exact match of KeycloakRole instance is expected. Please, let me know your feedback. I'm OK with the proposed changes but I would like to hear more feedback before we accept the changes. [1] https://github.com/keycloak/keycloak/pull/6113 [2] https://github.com/spring-projects/spring-security/blob/master/core/src/m... Regards. Pedro Igor

5 years, 1 month

1
0
0 / 0

Customizing usernames

by Paolo Tedesco

Hi all, I'm looking for a way to customize the unique identifiers used by Keycloak in its internal user database, to avoid possible email or username clashes. For example, I would like to be able to change the username of someone logging in through github to "login(a)github.com", so that if someone has the same login in the CERN LDAP the user is not offered the possibility to merge the accounts. Our problems come from the fact that we allow people to change their mail addresses, and also to use external non-CERN addresses as their email, so we cannot rely on email much. We would also like to avoid people to merge accounts at all as we think this might be confusing for users on some occasions, and generate support tickets for us. Is there a supported way to do this, or would we need to code something ourselves? If we need to code something, should we write a plugin of some kind (e.g. custom mappers) or would we need to modify directly the code that manages the login from the identity provider? In case someone else requested something similar, we might make our development available. Thanks, Paolo Tedesco

5 years, 1 month

4
6
0 / 0

Non blocking KeycloakInstalled loginDesktop() and logout()

by Dimitry Polivaev

Hello folks, currently there are only blocking variants of loginDesktop() and logout() at KeycloakInstalled. It means that if the methods are called they open an URL in browser and wait until they get callback from the Keycloak server. It makes not advisable to call them from the UI thread because they block it. But even if the methods are called from a worker thread so that the application is not blocked, they always open a server socket and start threads and there is no way to close the socket and to kill the associated callback threads from the application code. I would like to contribute non blocking versions which return CompletableFuture<Void>. If the user cancels the returned CompletableFuture, also the opened server socket should be closed. See https://issues.jboss.org/browse/KEYCLOAK-10700 Any objections or opinions? Cheers, Dimitry

5 years, 1 month

1
0
0 / 0

Federated Identity Collisions

by Marc Spehlmann

Hello dev community, I was building a feature on top of keycloak which allows my company’s customers to provision users. While working on this, I realized that I can break a user's federated login by the following procedure: 1. create a User A, add to this user a federation {"identityProvider": "google", "userId":"123", “marc(a)google.com"} 2. create a User B, add to this user a federation {"identityProvider": "google", "userId":"123", “marc(a)google.com"} Now when either user A or B tries to do federated login using the google provider, they receive a 500 error with a phrase like `More results found for identityProvider` being logged on the backend. The code in `getUserByFederatedIdentity` of the JpaUserProvider does not check for uniqueness of the userId/federated_username. Couple questions: - Is there a check I can do prior to adding a user in the admin-api for a duplicate federated_identity? - Is this a known deficiency? Best, Marc

5 years, 1 month

1
0
0 / 0

Client Storage SPI and KEYCLOAK-6408

by Justin Gross

Good afternoon, good evening and good morning everyone! I am Justin and I’d like to start contributing to Keycloak. Is there anyone on the list that is interested in the continuing development of Client Storage SPI? (KEYCLOAK-6408 in JIRA) If you answered yes to the above, what storage systems/software are you interested in using for client storage? Preparing to take on some of the things listed in KEYCLOAK-6408. I am in the middle of a lite refactoring of some useful things which are currently specific to user storage federation such as SynchronizationResult, ImportSynchronization, etc… so they can be used by the yet to be finished Client Storage API. I also plan to refactor some of the LDAP federation stuff so that the user specific stuff is separate from the core LDAP functionality itself. Eventually I want to use LDAP to store client configuration and there’s a lot of useful LDAP functionality stashed away in the user federation stuff. Thank you, Justin Gross

5 years, 1 month

4
8
0 / 0

Re: [keycloak-dev] Dynamic SAML roles to user mapper

by Heger Oliver (INST-IOT/ESB)

Hi all, In the mean time we made some progress by creating an initial implementation of a custom mapper for SAML roles that supports our use case. The mapper extracts a list of role names from a configurable attribute of the SAML response from the IDP. Roles that do not exist in the current realm are created automatically. Then the current user is assigned exactly this list of roles. There are some further configuration options to support a transformation of role names to a certain degree. So it is possible for instance to specify a regular expression to select only a subset of the roles from the SAML response, and a template can be provided for generating role names dynamically. Is there some interest in this mapper implementation? Do you think it could be useful in general? Kind regards Oliver -----Ursprüngliche Nachricht----- Von: keycloak-dev-bounces(a)lists.jboss.org <keycloak-dev-bounces(a)lists.jboss.org> Im Auftrag von Heger Oliver (INST-IOT/ESB) Gesendet: Freitag, 7. Juni 2019 13:35 An: keycloak-dev(a)lists.jboss.org Betreff: [keycloak-dev] Dynamic SAML roles to user mapper Hi all, For an external customer we need to bring together the SAML IDP of the customer as leading system for user data with our services that are only supporting OIDC. We think Keycloak could fit very well as some kind of mediator between the customer's IDP and our OIDC-based services. The services expect JWTs containing basic user data and also a list with all the roles the user has. With the mappers available in Keycloak a JWT can be constructed that contains the desired information. But now it can happen that the roles model is extended in agreement between the IDP and the client services. As we understand it, in order to support the newly added roles, they would have to be added manually into Keycloak before they can be referenced by the existing SAML Attribute to Role mapper. This manual step we would like to avoid. In our ideal scenario, Keycloak would just be an infrastructure component handling the SAML to OIDC conversion. With respect to the roles assigned to users, it should be agnostic and simply copy the information it receives from the SAML IDP verbatim. To achieve this we think about implementing a custom mapper that allows dealing with roles in this way. It would read the roles from a configurable attribute of the SAML response and assign them to the user affected in the Keycloak data model. If a role was encountered that did not exist yet, it would be newly created. That way the roles model used by Keycloak would adapt itself dynamically to the model used by the parties involved, and no manual updates would be required. Do you think there is an easier solution for this problem than writing a custom mapper? If the answer is no, would you be interested in such a mapper implementation? We would be happy to contribute it. In our opinion this feature would strengthen the brokering facilities of Keycloak. Thank you and kind regards Oliver Heger (INST-IOT/ESB) Bosch Software Innovations GmbH | Stuttgarter Straße 130 | 71332 Waiblingen | GERMANY | www.bosch-si.com<http://www.bosch-si.com> Tel. +49 711 811-58473 | Fax +49 711 811-58200 | oliver.heger(a)bosch-si.com<mailto:oliver.heger@bosch-si.com> Sitz: Berlin, Registergericht: Amtsgericht Charlottenburg; HRB 148411 B Aufsichtsratsvorsitzender: Dr.-Ing. Thorsten Lücke; Geschäftsführung: Dr. Stefan Ferber, Michael Hahn, Dr. Aleksandar Mitrovic _______________________________________________ keycloak-dev mailing list keycloak-dev(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev

5 years, 1 month

1
0
0 / 0

10602 small German translation errors - please review

by Brühlmann Andrea

Hi there, I fixed a few German translation errors. See Jira 10602: https://issues.jboss.org/browse/KEYCLOAK-10602 Anyone up for reviewing it? Thanks. Andrea Andrea Brühlmann Anwendungsentwicklerin DV Bern AG | Nussbaumstrasse 21 | Postfach 106 | CH-3000 Bern 22 T +41 31 378 24 24 | D +41 31 378 24 87 www.dvbern.ch Wir suchen Spezialisten, helfen Sie uns! https://www.dvbern.ch/karriere

5 years, 1 month

4
5
0 / 0

Latest documentation not showing on Google

by Stian Thorgersen

For some reason our latest documentation is not showing on Google. This issue started happening when we changed the toolset for our docs. Does anyone have any clue why this is happening and what we can do to resolve this?

5 years, 1 month

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

keycloak-dev June 2019