Dear Keycloak developers,

What is the appropriate authorisation flow for mobile (Swift, Kotlin) applications? I used the code grant flow before for a SPA app (React JS). To use the same strong flow, I'm having trouble with the redirect URI to personalise the webview, but the end users keep making remarks about the webview. I'm thinking of using resource owner user credentials (passwords), but after a lot of searching I find a lot of bad recommendations, precisely about trusting the end user app (mobile). Can you advise or help me adopt the best approach?

Best regards.

Sent from my Samsung Galaxy smartphone.
-------- Original message --------
From: keycloak-dev-request(a)lists.jboss.org
Date: 13/05/2019 22:20 (GMT+00:00)
To: keycloak-dev(a)lists.jboss.org
Subject: keycloak-dev Digest, Vol 71, Issue 7

Send keycloak-dev mailing list submissions to
	keycloak-dev(a)lists.jboss.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.jboss.org/mailman/listinfo/keycloak-dev
or, via email, send a message with subject or body 'help' to
	keycloak-dev-request(a)lists.jboss.org

You can reach the person managing the list at
	keycloak-dev-owner(a)lists.jboss.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of keycloak-dev digest..."

Today's Topics:

   1. Re: Proposal: REST Endpoint for creating TOTP (Stian Thorgersen)
   2. Not properly closed connections in org.keycloak.adapters.ServerRequest (Maksym Gendin)
   3. Re: Cannot get UMA photoz example working (keycloak quickstart 6.0.1) (Olivier Rivat)
   4. How to enable logging on console for dev environment (Shiva Prasad Thagadur Prakash)
   5. Re: How to enable logging on console for dev environment (Michal Hajas)
   6. Re: How to enable logging on console for dev environment (Shiva Prasad Thagadur Prakash)
   7. Re: Typescript support for Node.js adapter (Bruno Oliveira)

----------------------------------------------------------------------
Message: 1
Date: Mon, 13 May 2019 10:57:50 +0200
From: Stian Thorgersen <sthorger(a)redhat.com>
Subject: Re: [keycloak-dev] Proposal: REST Endpoint for creating TOTP
To: Roland Werner <contributing.to.keycloak(a)gmail.com>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>
Message-ID: <CAJgngAdRCZvrH+Wa13rGi93=0J1ZuN+dWW0NmELW36gDn1U2gw(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Having an admin create OTP codes in this way and printing them out means
there are more people with access to confidential secrets than needed. This
is also a harder way for users to configure/enable OTP. Further, it is not very
future proof. Software OTP tokens are already pretty much legacy, so your
company will at some point want to move to something more secure like
WebAuthn Security Keys, in which case your approach of printing QR codes on
paper won't work and you will need to change your process.

A better approach, which is what Keycloak already supports, is requiring
users to enable OTP on first login. That way the secret is only exposed to
Keycloak and the user, not to other systems and people. Further, this can
easily be changed in the future to require users to register a WebAuthn
security key, for instance.

With regards to the proposed endpoint, we do not want specific OTP endpoints
like this as we are working towards making Keycloak less hard-coded around
the concept of software OTP and allowing flexibility to support any credential
types.

On Mon, 13 May 2019 at 10:42, Roland Werner <contributing.to.keycloak(a)gmail.com> wrote:

> Hi,
>
> I noticed that the REST API
> (https://www.keycloak.org/docs-api/6.0/rest-api/index.html) does contain an
> endpoint "Remove TOTP from the user", but none that allows to create a TOTP
> for a user in the first place.
>
> I'm proposing to add this "create-totp" endpoint and would also contribute
> it. The call would look like this:
>
> curl -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer
> <token>' -i http://<keycloak-url>:<port>/auth/admin/realms/myrealm/users/<user-id>/create-totp
>
> and the reply as follows:
> {
>   "totpSecret": "aA3mIuIzvxTmC5gqUqpl",
>   "qrCode": "iVBORw0KGgoAAA...AAABJRU5ErkJggg=="
> }
>
> I would check the existence of TOTP on the requested user and would reply
> with 400-Bad-Request and the message
> {
>   "errorMessage": "User already has totp. Remove first."
> }
> in that case (just to make sure that this doesn't happen by accident).
> One question in that respect: the JavaDocs of
> org.keycloak.representations.idm.UserRepresentation say that isTotp is
> deprecated, but don't say what to use instead. Can someone point me in
> the right direction here?
>
> I am aware that the current practice in Keycloak when adding a TOTP to a
> user is to instantly request a generated OTP and only if that is correct
> add the credential-type to the user. Obviously this would not apply for the
> REST endpoint. However, as the endpoint is only reachable for an admin I
> don't think this would result in a significant security loss, especially as
> the "remove-totp" endpoint can also be used without the need to enter an
> OTP.
>
> I suggest aligning the code with the behavior of the remove-totp endpoint,
> such that
> - it uses PUT
> - it is called on a given user
> - it requires the same admin rights
>
> The reason for my approach is that we want to introduce a process in our
> organisation where every user in the given realm is forced to use an OTP to
> login and there is no self-registration, but instead the users are handed
> the QR-Code outside of Keycloak (on paper or digitally). In the
> meantime we use a custom plugin, but I would love to see this also make its
> way into the standard Keycloak.
>
> What do you think?
>
> Thanks and Regards,
> Roland
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
------------------------------

Message: 2
Date: Mon, 13 May 2019 13:36:30 +0200
From: Maksym Gendin <maksym.gendin(a)gmail.com>
Subject: [keycloak-dev] Not properly closed connections in org.keycloak.adapters.ServerRequest
To: keycloak-dev(a)lists.jboss.org
Message-ID: <CAKm1Xe+3EzfY-_gbLsfHJhbN474O9ift3FLtfFCCFv_yhwbgXA(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Dear Keycloak developers,

I have noticed a potential problem with closing the connections in the
org.keycloak.adapters.ServerRequest#invokeClientManagementRequest method.

I'm facing problems with the number of open files on a Linux machine and am
trying to identify the source... Querying the open connections with netstat,
I see a couple of connections in CLOSE_WAIT status from my microservice
instances towards Keycloak...

Can someone confirm to me that the ServerRequest class closes the connections
in a proper way?

Best regards
Maksym

------------------------------

Message: 3
Date: Mon, 13 May 2019 14:16:06 +0200
From: Olivier Rivat <orivat(a)janua.fr>
Subject: Re: [keycloak-dev] Cannot get UMA photoz example working (keycloak quickstart 6.0.1)
To: Sebastien Blanc <sblanc(a)redhat.com>
Cc: keycloak-dev <keycloak-dev(a)lists.jboss.org>, keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <646ae16a-96a3-1f24-2b31-62642dd7134e(a)janua.fr>
Content-Type: text/plain; charset=utf-8; format=flowed

The discrepancy is:

1) I was using the import command of the master realm to upload photoz-realm.json
   (it was my mistake)
2) you should do as follows:
   a) select "Add realm"
   b) select "Select File" and upload photoz-realm.json
   ---> the quickstart realm and everything are created successfully

It is the following text which confused me quite a lot, and which should be
documented more clearly (indicating to use the "Add realm" button, for
example):
https://github.com/keycloak/keycloak-quickstarts/tree/latest/app...

  "Create the Example Realm and a Resource Server

  Considering that your Keycloak Server is up and running, log in to the
  Keycloak Administration Console.

  Now, create a new realm based on the following configuration file:

      keycloak-quickstarts/app-authz-photoz/photoz-realm.json

  That will import a pre-configured realm with everything you need to run
  this quickstart. For more details about how to import a realm into
  Keycloak, check the Keycloak's reference documentation.

  After importing that file, you'll have a new realm called photoz."

Regards,
Olivier

On 12/05/2019 at 07:56, Sebastien Blanc wrote:
> I have used the import command, whereas one should use the "add
> realm"/select file and the doc should mention to upload the file here.
> I think the keycloak quickstart guide doc example clarity could be improved
> with the above comment to avoid any further confusion

-- 
Olivier Rivat
CTO
orivat(a)janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr
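Going back to message 2 above: a socket sitting in CLOSE_WAIT means the peer (here Keycloak) has already sent its FIN and the local process has not yet called close() on its own socket, so every such entry is a file descriptor the microservice is still holding. The quickest way to tell a leak in one HTTP client from background noise is to count CLOSE_WAIT sockets per remote endpoint. The following is an added example, not code from the digest or from the Keycloak project: a small Python script that parses `netstat -tan` output (Linux column layout) and reports the peers with the most CLOSE_WAIT sockets. The netstat lines, the Keycloak address 10.0.0.5:8080 and the threshold are all constructed for the example.

```python
"""Count CLOSE_WAIT sockets per remote endpoint from `netstat -tan` output."""
from collections import Counter

# Constructed sample of `netstat -tan` output (Linux layout), not real data.
# 10.0.0.5:8080 stands in for the Keycloak server, 10.0.0.9:5432 for a database.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.12:51234         10.0.0.5:8080           CLOSE_WAIT
tcp        0      0 10.0.0.12:51240         10.0.0.5:8080           CLOSE_WAIT
tcp        0      0 10.0.0.12:51250         10.0.0.5:8080           ESTABLISHED
tcp        0      0 10.0.0.12:51300         10.0.0.5:8080           CLOSE_WAIT
tcp        0      0 10.0.0.12:40022         10.0.0.9:5432           CLOSE_WAIT
tcp6       0      0 :::8081                 :::*                    LISTEN
"""


def parse_netstat(text):
    """Yield (proto, local, foreign, state) for every tcp/tcp6 line.

    Header and banner lines are skipped because their first field is not
    a protocol name; the State column is the sixth whitespace-separated field.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        yield parts[0], parts[3], parts[4], parts[5]


def close_wait_by_peer(text):
    """Map foreign endpoint (ip:port) -> number of sockets stuck in CLOSE_WAIT."""
    counts = Counter()
    for _proto, _local, foreign, state in parse_netstat(text):
        if state == "CLOSE_WAIT":
            counts[foreign] += 1
    return counts


def suspected_leaks(text, threshold=2):
    """Peers with at least `threshold` CLOSE_WAIT sockets, most affected first.

    A single CLOSE_WAIT entry is normal while a close() is in flight; a pile
    of them towards one peer points at a client that never releases its
    responses. The threshold is a constructed tuning value.
    """
    counts = close_wait_by_peer(text)
    return [(peer, n) for peer, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # On a real host: netstat -tan | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for peer, n in suspected_leaks(data):
        print(f"{n:4d} CLOSE_WAIT sockets towards {peer}")
```

Run it over the constructed sample and the Keycloak peer shows three CLOSE_WAIT sockets while the database peer, with only one, stays under the threshold. If the count towards Keycloak keeps growing across repeated runs while the microservice is idle, the leak is on the client side (the response or its entity is never closed), not in Keycloak, which is exactly what message 2 is asking the list to confirm.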
------------------------------

Message: 4
Date: Mon, 13 May 2019 12:42:26 +0000
From: Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash(a)ericsson.com>
Subject: [keycloak-dev] How to enable logging on console for dev environment
To: "keycloak-dev(a)lists.jboss.org" <keycloak-dev(a)lists.jboss.org>
Message-ID: <1557751346.22248.3.camel(a)ericsson.com>
Content-Type: text/plain; charset="utf-8"

Hi Guys,

How to enable logging on console in development environment? I am not
able to see logs on console when I start keycloak server using "mvn -f
testsuite/utils/pom.xml exec:java -Pkeycloak-server".

Thanks,
Shiva

------------------------------

Message: 5
Date: Mon, 13 May 2019 15:07:53 +0200
From: Michal Hajas <mhajas(a)redhat.com>
Subject: Re: [keycloak-dev] How to enable logging on console for dev environment
To: Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash(a)ericsson.com>
Cc: "keycloak-dev(a)lists.jboss.org" <keycloak-dev(a)lists.jboss.org>
Message-ID: <CACv4bCQL996OqNq1C08SGD=X02F9cUpyB5vP=2sUf1p30qOfuw(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi,

you need to add property -Dkeycloak.logging.level=debug. See:
https://github.com/keycloak/keycloak/blob/master/testsuite/utils/src/main/resources/log4j.properties#L26

Regards,
Michal Hajas

On Mon, May 13, 2019 at 2:44 PM Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash(a)ericsson.com> wrote:

> Hi Guys,
> How to enable logging on console in development environment? I am not
> able to see logs on console when I start keycloak server using "mvn -f
> testsuite/utils/pom.xml exec:java -Pkeycloak-server".
>
> Thanks,
> Shiva
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
------------------------------

Message: 6
Date: Mon, 13 May 2019 13:29:53 +0000
From: Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash(a)ericsson.com>
Subject: Re: [keycloak-dev] How to enable logging on console for dev environment
To: "mhajas(a)redhat.com" <mhajas(a)redhat.com>
Cc: "keycloak-dev(a)lists.jboss.org" <keycloak-dev(a)lists.jboss.org>
Message-ID: <1557754193.22248.6.camel(a)ericsson.com>
Content-Type: text/plain; charset="utf-8"

Hi Michal Hajas,

Thank you very much.

Best regards,
Shiva

On Mon, 2019-05-13 at 15:07 +0200, Michal Hajas wrote:
> Hi,
>
> you need to add property -Dkeycloak.logging.level=debug. See: https:/
> /github.com/keycloak/keycloak/blob/master/testsuite/utils/src/main/re
> sources/log4j.properties#L26
>
> Regards,
> Michal Hajas
>
> On Mon, May 13, 2019 at 2:44 PM Shiva Prasad Thagadur Prakash <shiva.
> prasad.thagadur.prakash(a)ericsson.com> wrote:
> > Hi Guys,
> > How to enable logging on console in development environment? I am
> > not
> > able to see logs on console when I start keycloak server using "mvn
> > -f
> > testsuite/utils/pom.xml exec:java -Pkeycloak-server".
> >
> > Thanks,
> > Shiva
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev(a)lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev
------------------------------

Message: 7
Date: Mon, 13 May 2019 19:17:09 -0300
From: Bruno Oliveira <bruno(a)abstractj.org>
Subject: Re: [keycloak-dev] Typescript support for Node.js adapter
To: Stan Silvert <ssilvert(a)redhat.com>
Cc: evanshortiss(a)gmail.com, keycloak-dev(a)lists.jboss.org
Message-ID: <20190513221709.GC1516(a)abstractj.org>
Content-Type: text/plain; charset=utf-8

Thanks Stan, I'm adding Evan so he can provide his thoughts on it.

On 2019-05-10, Stan Silvert wrote:
> On 5/10/2019 8:15 AM, Bruno Oliveira wrote:
> > If you ask me, I'm not crazy about the idea of providing Typescript
> > definitions inside the Node.js adapter. And there's a single request
> > from the community about it.
> >
> > At the same time, it's hard to ignore some numbers. The weekly NPM
> > downloads for Typescript are almost 5 million[1] and for ts-node[2]
> > almost 2 million.
> >
> > The goal of that PR is to provide only the Typescript definitions for
> > the Node.js adapter, so that projects using the adapter can benefit from
> > it. If we agree to move forward with this, I believe some automated way
> > to generate it has to be provided.
> >
> > Thoughts?
> Yes, you should provide it. These days, every serious javascript
> library is expected to have a definition file.
>
> I don't think there would be any way to automate creation of the file
> unless you write your code in TypeScript.
> >
> > [1] - https://www.npmjs.com/package/typescript
> > [2] - https://www.npmjs.com/package/ts-node
> >
> > On 2019-05-10, Stian Thorgersen wrote:
> >> Is Typescript commonly used in the Node.js community? From what
> >> I understand it is very popular with client-side js these days.
> >>
> >> On Thu, 9 May 2019 at 20:59, Bruno Oliveira <bruno(a)abstractj.org> wrote:
> >>
> >>> Good morning, we have this PR opened a long time ago:
> >>> https://github.com/keycloak/keycloak-nodejs-connect/pull/123/files.
> >>> Before reviewing it and probably updating it I would like to ask.
> >>>
> >>> Is Typescript something that we would like to support in the Node.js
> >>> adapter? If your answer is yes, why?
> >>>
> >>> --
> >>> - abstractj
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
abstractj

------------------------------

_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

End of keycloak-dev Digest, Vol 71, Issue 7
*******************************************