Question on microservices and keycloak
by Steven Pousty
Hey all:
I was thinking about using Keycloak to provide authentication in an
application I am building. I am building this app to evaluate how
microservices REALLY work rather than all the hype.
I am building a single page app & mobile UI, talking to different REST
services, each of which is a separate application.
Here is a rough picture of all the services.
https://github.com/thesteve0/flatfluffy/blob/master/Services.png
Reading the doc I see how I can use Keycloak to authenticate if all my
REST endpoints are in the same App Server. Unfortunately, I do not want
to make that assumption for my architecture. Can I still use Keycloak?
Thanks
Steve
10 years, 4 months
Securing subpaths with specific roles
by Edem Morny
Hi,
I'm currently using beta2 of keycloak, and we are building a new
application with keycloak as our security platform.
In our web module, all pages are located under the path
src/main/webapps/views. Navigation to the index.xhtml file under this path
triggers keycloak login, as expected. We've enabled self-registration and
assigned the default realm role to be "user", so a new user automatically
obtains the "user" role. Here is a snippet of our web.xml file.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Users</web-resource-name>
        <url-pattern>/views/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>user</role-name>
    </auth-constraint>
</security-constraint>
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Supervisor</web-resource-name>
        <url-pattern>/views/supervisor/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>supervisor</role-name>
    </auth-constraint>
</security-constraint>
...
In effect any person with "user" role can view any content directly under
/views/*. However, the newly enrolled user is able to navigate to other
subpaths under the /views like the /views/supervisor/* which should
normally require the user to have the additional "supervisor" role in
addition to being "user".
So I have 2 questions.
1. Am I doing something wrong with regards to this setup? Does each
registered application also need to have roles specified, or should the
realm roles be enough? Or is my understanding wrong?
2. Is there a means to obtain the roles that a user has after logging
in? The IDToken doesn't seem to contain any such information so I can use
that with some other security implementation like DeltaSpike's security
support in case the above is not supported.
Looking forward to your response. Cheers.
10 years, 5 months
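Added example (editor's illustration for this thread, not code from the posts or from the Keycloak project): a stdlib-only Python model of what a Keycloak-secured resource server does with a bearer token once the adapter has verified its signature. It reads realm roles (realm_access.roles) and application roles (resource_access.<client>.roles) out of the access token, which is why the ID token mentioned in question 2 carries none of them, and it applies the two security-constraint entries from the web.xml above with the servlet rule that only the best-matching url-pattern (exact match, otherwise the longest path prefix) is enforced. The same per-request check is what lets the separate REST services in Steven Pousty's post above validate tokens independently, with no shared app server. Assumed, not from the thread: the client id "webapp", the sample payload values, the use_resource_role_mappings switch (mirroring the adapter's use-resource-role-mappings setting behind the "use realm role mappings" log lines further down this page), and that signature checking has already happened.

```python
import base64
import json

# web.xml constraints from the post: (url-pattern, roles allowed by the auth-constraint).
CONSTRAINTS = [
    ("/views/*", {"user"}),
    ("/views/supervisor/*", {"supervisor"}),
]


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    """Constructed sample token in compact JWS layout (header.payload.signature).
    The signature is a placeholder: this example starts *after* the adapter has
    verified the real signature against the realm public key."""
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.placeholder"


def token_payload(jwt: str) -> dict:
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[1]))


def roles_from_token(payload: dict, client_id: str,
                     use_resource_role_mappings: bool = False) -> set:
    """Keycloak puts realm roles under realm_access.roles and application
    (client) roles under resource_access.<client>.roles. Which set backs the
    role-name entries in web.xml is an adapter setting (assumed name here);
    realm roles are the default."""
    if use_resource_role_mappings:
        return set(payload.get("resource_access", {}).get(client_id, {}).get("roles", []))
    return set(payload.get("realm_access", {}).get("roles", []))


def matching_constraint(path: str, constraints=CONSTRAINTS):
    """Servlet-style selection: an exact pattern wins, otherwise the longest
    matching '/prefix/*' pattern; only that one constraint is applied."""
    best, best_len = None, -1
    for pattern, roles in constraints:
        if pattern == path:
            return pattern, roles
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if (path == prefix or path.startswith(prefix + "/")) and len(prefix) > best_len:
                best, best_len = (pattern, roles), len(prefix)
    return best


def authorize(path: str, payload, client_id: str = "webapp",
              use_resource_role_mappings: bool = False, constraints=CONSTRAINTS) -> int:
    """200 = allowed, 401 = no token, 403 = token accepted but required role missing."""
    match = matching_constraint(path, constraints)
    if match is None:
        return 200                      # unconstrained path
    if payload is None:
        return 401
    granted = roles_from_token(payload, client_id, use_resource_role_mappings)
    return 200 if match[1] & granted else 403   # any role listed in auth-constraint suffices


# Constructed sample payloads (shape follows Keycloak access tokens; values are made up).
USER_PAYLOAD = token_payload(make_unsigned_token({
    "sub": "user-1",
    "realm_access": {"roles": ["user"]},
    "resource_access": {"webapp": {"roles": []}},
}))
SUPERVISOR_PAYLOAD = token_payload(make_unsigned_token({
    "sub": "user-2",
    "realm_access": {"roles": ["user", "supervisor"]},
    "resource_access": {"webapp": {"roles": ["supervisor"]}},
}))
ID_TOKEN_PAYLOAD = {"sub": "user-1"}    # an ID token: identity only, no role claims

if __name__ == "__main__":
    for who, p in (("user", USER_PAYLOAD), ("supervisor", SUPERVISOR_PAYLOAD)):
        print(who, authorize("/views/index.xhtml", p),
              authorize("/views/supervisor/report.xhtml", p))
```

The 403 for a user-only token on /views/supervisor/... is the outcome the two constraints are meant to produce. If a deployment returns 200 there, compare the roles actually present in the access token (not the ID token) with the role-name entries in web.xml under the mapping the adapter is configured to use; the last assertion style below shows how an empty application-role list turns into a 403 when application roles are the configured source.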
Logging
by Chris Stier
Hi all,
Just a quick question... I have a spring app that I'm deploying into the
KeyCloak appliance 1.0 beta 3 and for some reason none of my logging
statements are making it out to the console or to my file. The file gets
created but nothing gets appended to it. I'm using logback and it was
working previously on beta 2. I'm kind of perplexed here :) Is anyone
else seeing this?
Thanks for your time,
Chris
PS- I apologize if this email is redundant. I had previously sent this
email but I guess I wasn't a member of the group. So sorry about that.
10 years, 5 months
Is it possible to use a non Keycloak client to call a Keycloak secured Rest services?
by Christina Lau
Hi Bill, further to my last comment, i.e. although I can get the token, when I use it to call the same Rest service, I am getting 403 instead.
I don’t know if this helps or not, but I have also noticed that the console produced different output:
Using non-keycloak client (Did not work - get 403)
15:05:28,228 INFO [org.keycloak.services.resources.TokenService] (default task-1) no authorization header
15:05:28,345 INFO [org.keycloak.audit] (default task-1) event=LOGIN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=admin-client, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, username=roger@mailinator.com, response_type=token, auth_method=oauth_credentials, refresh_token_id=3730424f-a718-4be8-a9fc-a090e5932564, token_id=dd1bfeaa-54b1-4824-a6fe-d14eb1ae6f97
15:05:28,547 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-2) --> authenticate()
15:05:28,548 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-2) try bearer
15:05:28,566 INFO [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-2) checking whether to refresh.
15:05:28,566 INFO [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-2) use realm role mappings
15:05:28,571 INFO [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-2) propagate security context to wildfly
15:05:28,571 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-2) Bearer AUTHENTICATED
Using keycloak app (similar to customer-cli sample) - works
15:06:30,254 INFO [org.keycloak.services.resources.TokenService] (default task-1) createLogin() now...
15:06:39,965 INFO [org.keycloak.audit] (default task-2) event=LOGIN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, username=roger@mailinator.com, response_type=code, redirect_uri=http://localhost:59999, auth_method=form, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946
15:06:39,966 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-2) createLoginCookie
15:06:39,966 INFO [org.keycloak.services.managers.AuthenticationManager] (default task-2) createIdentityToken
15:06:40,092 INFO [org.keycloak.services.resources.TokenService] (default task-3) no authorization header
15:06:40,119 INFO [org.keycloak.audit] (default task-3) event=CODE_TO_TOKEN, realmId=ab9527ff-1dbe-4ce1-934c-ee2e1057d8b7, clientId=hellokeycloak, userId=58cfb6e9-9ff8-45a8-98bb-3a26b341b783, ipAddress=127.0.0.1, refresh_token_id=476b2f86-3df4-4cf6-8d51-55aa70264346, code_id=bd10d4cc-9f99-42df-b984-b92093f5a6af1405451199946, token_id=be0358ab-2c28-4bdc-a95c-681b63095217
15:06:46,567 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-4) --> authenticate()
15:06:46,568 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-4) try bearer
15:06:46,584 INFO [org.keycloak.adapters.RefreshableKeycloakSecurityContext] (default task-4) checking whether to refresh.
15:06:46,584 INFO [org.keycloak.adapters.undertow.KeycloakUndertowAccount] (default task-4) use realm role mappings
15:06:46,589 INFO [org.keycloak.adapters.wildfly.WildflyRequestAuthenticator] (default task-4) propagate security context to wildfly
15:06:46,590 INFO [org.keycloak.adapters.RequestAuthenticator] (default task-4) Bearer AUTHENTICATED
10 years, 5 months
Re: [keycloak-user] Is it possible to use a non Keycloak client to call a Keycloak secured Rest services?
by Christina Lau
Thanks Bill, it works. However I noticed that it is using the admin-client as the OAuth client for granting access to all users in the same realm. i.e. after I created my own realm, I have to add admin-client to my own realm in order for this to work.
New Question: Do you recommend we use admin-client as a generic OAuth client for getting the access token, or should each user have their own OAuth client app like what you show in Keycloak tutorial 3? I am not yet understanding their differences. Using the admin-client OAuth client seems more straightforward without the extra grant page and without the need to create more OAuth clients. I just want to make sure that it is intended to be used this way for clients making Restful service calls secured by Keycloak. The Keycloak notion still seems to be exposed a little bit, but it is not too bad.
Thanks for your help.
Christina
10 years, 5 months
Is it possible to use a non Keycloak client to call a Keycloak secured Rest services?
by Christina Lau
Hi, I finally got some basic code to work. I have a WAR file that contains RestEasy services, and I updated the web.xml and added keycloak.json to secure it.
I then added an application similar to customer-app-cli to my KeyCloak realm. I am able to call my Rest services from this program.
However this cli program needs to use KeycloakInstalled().getTokenString() in order to get the bearer token to add to the HTTP header.
Is it possible to have different non-keycloak clients, i.e. is there a way for other clients to obtain this token string to add to the header, or is this a step that is required, i.e. the client app must be registered to the Keycloak server as well.
I may be missing something obvious completely...
Christina
10 years, 5 months
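Added example (editor's illustration, not code from the thread or from the Keycloak project): how a client that is not built on a Keycloak adapter can obtain the bearer token that the customer-app-cli program gets from KeycloakInstalled.getTokenString(), and then call the secured REST service. It uses the OAuth2 password grant (Keycloak's direct access grant), which is the shape behind the LOGIN log line with response_type=token, auth_method=oauth_credentials in Christina Lau's follow-up above. Assumed, not stated on the page: the token-endpoint path /realms/<realm>/protocol/openid-connect/token used by current Keycloak releases (the beta-era server in the thread used a different path), the host names, the client id "my-cli", the password, and the in-memory stub standing in for the server so the file runs offline. The client_id in the request names the OAuth client the token is issued to, so a dedicated client per application keeps that attribution intact rather than routing every application through one shared client.

```python
import io
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_PATH = "/protocol/openid-connect/token"   # assumed: current Keycloak token endpoint


def token_request(base_url, realm, client_id, username, password, client_secret=None):
    """Build the password-grant (direct access grant) request.
    Returns (url, headers, body) without sending anything."""
    url = base_url.rstrip("/") + "/realms/" + urllib.parse.quote(realm, safe="") + TOKEN_PATH
    form = {"grant_type": "password", "client_id": client_id,
            "username": username, "password": password}
    if client_secret is not None:            # only for confidential clients
        form["client_secret"] = client_secret
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return url, headers, urllib.parse.urlencode(form).encode("utf-8")


def bearer_header(token_response):
    """Turn the token endpoint's JSON into the header the REST service expects."""
    if token_response.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % token_response.get("token_type"))
    return {"Authorization": "Bearer " + token_response["access_token"]}


def fetch_token(base_url, realm, client_id, username, password,
                client_secret=None, opener=urllib.request.urlopen):
    url, headers, body = token_request(base_url, realm, client_id, username, password, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read())


def call_service(url, token_response, opener=urllib.request.urlopen):
    """GET a Keycloak-secured resource with the bearer token.
    401 means the token itself was rejected (missing, expired, bad signature);
    403 means the token was accepted but the user lacks the required role."""
    req = urllib.request.Request(url, headers=bearer_header(token_response))
    try:
        with opener(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# ---- constructed stand-ins so the file runs offline; these are not real endpoints ----
class _StubResponse:
    def __init__(self, status, body):
        self.status, self._body = status, body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def _http_error(req, code, reason):
    return urllib.error.HTTPError(req.full_url, code, reason, {}, io.BytesIO(b""))


STUB_TOKEN = "constructed.access.token"


def stub_opener(req):
    """Fake token endpoint plus fake REST service: accepts one password and one
    bearer token, grants /customers, and forbids /admin (missing role -> 403)."""
    if req.full_url.endswith(TOKEN_PATH):
        form = urllib.parse.parse_qs(req.data.decode("utf-8"))
        if form.get("grant_type") == ["password"] and form.get("password") == ["s3cret"]:
            body = {"access_token": STUB_TOKEN, "token_type": "Bearer", "expires_in": 300}
            return _StubResponse(200, json.dumps(body).encode("utf-8"))
        raise _http_error(req, 401, "Unauthorized")
    if req.get_header("Authorization") != "Bearer " + STUB_TOKEN:
        raise _http_error(req, 401, "Unauthorized")
    if req.full_url.endswith("/customers"):
        return _StubResponse(200, b'["acme"]')
    raise _http_error(req, 403, "Forbidden")


def demo(opener=stub_opener):
    """Full flow against the stubs; pass opener=urllib.request.urlopen for a real server."""
    tok = fetch_token("https://sso.example.test/auth", "demo", "my-cli", "roger", "s3cret",
                      opener=opener)
    allowed, _ = call_service("https://api.example.test/customers", tok, opener=opener)
    forbidden, _ = call_service("https://api.example.test/admin", tok, opener=opener)
    return allowed, forbidden


if __name__ == "__main__":
    print(demo())   # (200, 403)
```

The 200/403 pair from demo() is the distinction worth keeping in mind when reading the adapter log in the follow-up above: "Bearer AUTHENTICATED" followed by a 403 means the token passed verification and the failure is a missing role, not a bad token. Nothing in this block needs a Keycloak library on the client; the only thing the client must know is which client id the realm has registered for it.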
Duplicate user when logging in with social link
by Rodrigo Sasaki
I created a keycloak user, and then I created social links for it on
facebook and google, on the account manager at /auth/realms/{realm}/account
After that I tried logging in with the user via the social link (google),
and it logged in but had no roles associated with it.
When I looked into it, I saw that another user was created, and I wasn't
logged in with the user I wanted. I have now 2 users with the same social
link.
When I try to login again with the social link, I get this exception:
java.lang.IllegalStateException: More results found for
socialProvider=google, socialUserId=108513709823832858822,
results=[org.keycloak.models.jpa.entities.UserEntity@2a8bbbe,
org.keycloak.models.jpa.entities.UserEntity@13bdb84f]
I am using the beta-2 version here, is this a known problem?
--
Rodrigo Sasaki
10 years, 5 months