Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant
by Nils Preusker
Hi all,
first of all, congrats on the first alpha release of Keycloak!
We're looking for a simple and lean way to add the OAuth 2.0 Resource Owner
Password Credentials Grant to a web application written in JavaScript with
a Java/REST backend (JBoss AS 7, planning to switch to WildFly, JAX-RS
etc.).
Since I didn't find any references in the code or the docs, I'm wondering:
does Keycloak provide an implementation of the Resource Owner Password
Credentials Grant as described in the OAuth Spec (
http://tools.ietf.org/html/rfc6749#section-4.3)? In other words, is there a
way to simply send a username and password to the auth server in exchange
for an access token (and optionally a refresh token - from previous posts I
gather this will be added soon...)?
Cheers,
Nils
10 years, 10 months
Multi Tenancy
by Travis De Silva
I was initially under the impression that I can configure realms as
tenants and use KeyCloak for applications that are designed for multi
tenancy.
But now I have discovered that this is not possible, at least not possible
to do it on demand. I hope I am wrong and someone can correct me.
Basically what I was trying to do was, when someone signs up to my
application platform, I was going to create a realm programmatically via
the API. Hence the feature request I raised to have a realm level admin
https://issues.jboss.org/browse/KEYCLOAK-292
But that means, I will then have to either configure my Wildfly
standalone.xml config with the new realm or add the installation json to my
war and redeploy it. This is obviously not ideal for an on-demand
multi-tenant application.
Maybe use roles and create unique roles per tenant, which hopefully I can
do programmatically via the API. I think I might be able to get something
going like this but it just feels very hacky and not elegant.
Is there any other elegant way? Is Keycloak designed for multi tenancy
environments?
Cheers
Travis
10 years, 10 months
How to access realms/{realm}/users/{user} with Application
by Dean Peterson
Hello,
I am trying to find the best way to access the UsersResource.java Rest
services outside the keycloak admin application to get a user's
information. How do I make a request using just the client's credentials?
I currently use something like this but I get a 401 because I am using a
user's oauth token and they only have user privileges:
SkeletonKeySession session = (SkeletonKeySession) request
        .getAttribute(SkeletonKeySession.class.getName());
ResteasyClient client = new ResteasyClientBuilder()
        .trustStore(session.getMetadata().getTruststore())
        // ANY disables hostname verification of the server certificate
        .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
        .build();
String username = request.getRemoteUser();
Profile profile = null;
try {
    // Calls the admin users resource with the logged-in user's own token
    Response response = client
            .target("http://server:8080/auth/rest/admin/realms/myrealm/users/")
            .path(username)
            .request()
            .header(HttpHeaders.AUTHORIZATION, "Bearer " + session.getTokenString())
            .get();
    // Get the existing entry if there is one. Otherwise, just return
    // the regular entity retrieved from the remote system.
    try {
        profile = profileRepository.findByRegistrationId(member.getId());
    } catch (NoResultException e) {
        // ignore
    }
} finally {
    client.close();
}
Is there a way for the application to make a request directly as an admin
without giving the user admin privileges?
10 years, 10 months
Re: [keycloak-user] keycloak-user Digest, Vol 3, Issue 2
by Dean Peterson
I just saw Bill Burke's response. I will try one of your two approaches.
Yes, I just need the basic info so what you suggested will work for me.
Thanks!
On Wed, Mar 5, 2014 at 2:29 PM, <keycloak-user-request(a)lists.jboss.org>wrote:
> Message: 3
> Date: Tue, 04 Mar 2014 15:46:04 -0500
> From: Bill Burke <bburke(a)redhat.com>
> Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
> with Application
> To: keycloak-user(a)lists.jboss.org
> Message-ID: <53163B8C.3060605(a)redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>
>
> On 3/4/2014 2:15 PM, Dean Peterson wrote:
> > Hello,
> >
> > I am trying to find the best way to access the UsersResource.java Rest
> > services outside the keycloak admin application to get a user's
> > information. How do I make a request using just the client's
> credentials?
> >
>
> You just want basic information right? name, email, etc.? Next release
> (March 13th) we'll have OpenID Connect support. SkeletonKeySession
> (renamed to KeycloakSecurityContext) will have a reference to an IDToken
> which can be populated with various user information (claims). Allowed
> claims are specified per application/oauth client.
>
> You can build and use this right now. View the
> preconfigured/customer-portal examples to see how it's being done right
>
> If you don't want to build/run from master you can do a POST to
> /auth/rest/realms/keycloak-admin/tokens/grants/access
>
> URL form encoded parameters of:
>
> username=admin
> password=admin-password
>
> This will return an access token which you can use to invoke on the
> admin REST API. *NOTE* we're changing this particular REST API next
> release too :(
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 5 Mar 2014 04:09:35 -0500 (EST)
> From: Stian Thorgersen <stian(a)redhat.com>
> Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
> with Application
> To: Dean Peterson <peterson.dean(a)gmail.com>
> Cc: keycloak-user(a)lists.jboss.org
> Message-ID:
> <1739218212.20951754.1394010575408.JavaMail.zimbra(a)redhat.com>
> Content-Type: text/plain; charset=utf-8
>
> There's also a Keycloak specific mechanism for accessing the account of
> the user associated with the token.
>
> To do this open the scope mappings for your app/client, and select
> 'account' in the application roles, select 'view-profile' and click the
> right-arrow. This will allow your app/client to view the profile of the
> current user.
>
> Then you can make a request (with bearer token) to:
>
> /auth/rest/realms/myrealm/account
>
> In the future we'll add support to do all account specific things through
> these REST endpoints to support all operations provided by the account
> management application.
>
>
> ------------------------------
>
> Message: 5
> Date: Wed, 5 Mar 2014 14:28:53 -0600
> From: Dean Peterson <peterson.dean(a)gmail.com>
> Subject: Re: [keycloak-user] How to access realms/{realm}/users/{user}
> with Application
> To: Stian Thorgersen <stian(a)redhat.com>
> Cc: keycloak-user(a)lists.jboss.org
> Message-ID:
> <CAFGzvPkYz5ZVwzJ+WmDoirWn=
> W3fW3kGV7GRvQxCCpeVC2ULAw(a)mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Thank you. I tried what you said. I am able to access that REST service on
> the Keycloak server but it returns an AccountService object. Actually, I
> get a 406 error response on my end. I think it is because I did not have
> the keycloak-services dependency in my application's pom. However, when I
> add it and I try to start the server, I get the error: Could not find
> constructor for class: org.keycloak.services.resources.RealmsResource.
> Should I make my own local version of AccountService and not add
> keycloak-services to my application? What is the best approach? Any ideas
> why I might be getting a 406 error?
>
> SkeletonKeySession session = (SkeletonKeySession) request
>         .getAttribute(SkeletonKeySession.class.getName());
> ResteasyClient client = new ResteasyClientBuilder()
>         .trustStore(session.getMetadata().getTruststore())
>         // ANY disables hostname verification of the server certificate
>         .hostnameVerification(ResteasyClientBuilder.HostnameVerificationPolicy.ANY)
>         .build();
>
> String username = request.getRemoteUser();
>
> Profile profile = null;
>
> try {
>     Response response = client
>             .target("http://server:8080/auth/rest/realms/myrealm/account")
>             .request()
>             .header(HttpHeaders.AUTHORIZATION, "Bearer " + session.getTokenString())
>             .get();
>
> .
> .
> .
>
> ------------------------------
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
>
> End of keycloak-user Digest, Vol 3, Issue 2
> *******************************************
>
10 years, 10 months
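Added example (not code from this thread, and not Keycloak's own code): the two routes the replies above describe, as a runnable Python client. obtain_access_token performs the grant Nils asks about in the first post and that Bill names here: a form-encoded username and password POSTed to /auth/rest/realms/keycloak-admin/tokens/grants/access in exchange for an access token, which the application then presents as a Bearer token to the admin users resource, so the end user never needs admin privileges. get_own_account takes Stian's route instead: the user's own token against /auth/rest/realms/myrealm/account. The endpoint paths and realm names are the ones quoted in the thread; the host https://server:8443, the token strings, the user record, the scope model and fake_server itself are constructed for an offline run and stand in for no real Keycloak behaviour. The client refuses non-https URLs and sends an explicit Accept: application/json, because a JAX-RS resource answers 406 when none of the media types it produces matches the request's Accept header.

```python
import json
import urllib.parse
from typing import Callable, Dict, Tuple

# A transport is (method, url, headers, body) -> (status, headers, body). In
# production pass a function that performs the HTTPS request; the offline demo
# below passes fake_server, a constructed stand-in that is not Keycloak.
Response = Tuple[int, Dict[str, str], bytes]
Sender = Callable[[str, str, Dict[str, str], bytes], Response]


class GrantError(Exception):
    """The token endpoint or a REST resource answered with something unusable."""


def _require_https(url: str) -> None:
    # Passwords and bearer tokens must not travel in the clear.
    if urllib.parse.urlsplit(url).scheme != "https":
        raise GrantError("refusing to send credentials over a non-https URL")


def obtain_access_token(send: Sender, base: str, realm: str, username: str, password: str) -> str:
    """Direct grant as in the thread: form-encoded username/password POSTed to
    /auth/rest/realms/{realm}/tokens/grants/access; returns the access token."""
    url = f"{base}/auth/rest/realms/{realm}/tokens/grants/access"
    _require_https(url)
    body = urllib.parse.urlencode({"username": username, "password": password}).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded", "Accept": "application/json"}
    status, _, payload = send("POST", url, headers, body)
    if status != 200:
        # Keep the response body out of the error: it may echo the credentials.
        raise GrantError(f"direct grant rejected with HTTP {status}")
    token = json.loads(payload.decode()).get("access_token")
    if not token:
        raise GrantError("token response carried no access_token")
    return token


def _get_json(send: Sender, url: str, token: str) -> dict:
    _require_https(url)
    # Explicit Accept: a JAX-RS resource answers 406 when none of its
    # @Produces types matches what the client says it accepts.
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    status, _, payload = send("GET", url, headers, b"")
    if status in (401, 403):
        raise PermissionError(f"bearer token not accepted for {url} (HTTP {status})")
    if status != 200:
        raise GrantError(f"{url} returned HTTP {status}")
    return json.loads(payload.decode())


def get_user_as_admin(send: Sender, base: str, realm: str, admin_token: str, username: str) -> dict:
    """Bill's route: the application itself holds an admin-realm token."""
    path = f"/auth/rest/admin/realms/{realm}/users/" + urllib.parse.quote(username, safe="")
    return _get_json(send, base + path, admin_token)


def get_own_account(send: Sender, base: str, realm: str, user_token: str) -> dict:
    """Stian's route: the user's own token with account/view-profile in scope."""
    return _get_json(send, f"{base}/auth/rest/realms/{realm}/account", user_token)


# Constructed server stand-in. Token values and the scope model are assumptions.
ADMIN_TOKEN = "constructed-admin-token"   # minted by the keycloak-admin realm
USER_TOKEN = "constructed-user-token"     # an ordinary myrealm user
USER_TOKEN_SCOPES = {"account:view-profile"}
USERS = {"dean": {"username": "dean", "email": "dean@example.test"}}


def fake_server(method: str, url: str, headers: Dict[str, str], body: bytes) -> Response:
    path = urllib.parse.urlsplit(url).path
    auth = headers.get("Authorization", "")
    if method == "POST" and path == "/auth/rest/realms/keycloak-admin/tokens/grants/access":
        form = dict(urllib.parse.parse_qsl(body.decode()))
        ok = form.get("username") == "admin" and form.get("password") == "admin-password"
        return (200, {}, json.dumps({"access_token": ADMIN_TOKEN}).encode()) if ok else (401, {}, b"")
    if "application/json" not in headers.get("Accept", ""):
        return 406, {}, b""
    if method == "GET" and path.startswith("/auth/rest/admin/realms/myrealm/users/"):
        if auth != f"Bearer {ADMIN_TOKEN}":
            return 401, {}, b""               # a plain user's token lands here
        user = USERS.get(path.rsplit("/", 1)[-1])
        return (200, {}, json.dumps(user).encode()) if user else (404, {}, b"")
    if method == "GET" and path == "/auth/rest/realms/myrealm/account":
        if auth == f"Bearer {USER_TOKEN}" and "account:view-profile" in USER_TOKEN_SCOPES:
            return 200, {}, json.dumps(USERS["dean"]).encode()
        return 403, {}, b""
    return 404, {}, b""


BASE = "https://server:8443"   # assumption: a TLS-terminated Keycloak host


def lookup_with_app_credentials(username: str) -> dict:
    """The application, not the end user, authenticates to the admin API."""
    token = obtain_access_token(fake_server, BASE, "keycloak-admin", "admin", "admin-password")
    return get_user_as_admin(fake_server, BASE, "myrealm", token, username)


def lookup_own_profile() -> dict:
    """The end user's own token reads the account endpoint instead."""
    return get_own_account(fake_server, BASE, "myrealm", USER_TOKEN)
```

Treat the admin-realm password as a server-side secret of the application (configuration, not anything stored in the user's session), and never hand the resulting admin token to the browser: it carries the admin realm's privileges, not the logged-in user's. When only the current user's own profile is needed, the account route keeps the application free of admin credentials altogether.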
Openshift installation
by Davide Ungari
At the end I got it!
I followed the instructions of section 4.1 "Create Keycloak instance with the
web tool" instead of the command-line tool.
Davide Ungari, Founder
www.billdrawer.com | davide(a)billdrawer.com
Milan, IT
10 years, 10 months