How do I get just keycloak.js
by Steven Pousty
Hey all:
Where is the keycloak.js file? I have looked through the WAR download
and cannot find it.
Why is the JS adapter not included with the WAR file?
Is it on a CDN?
Thanks
Steve
10 years, 7 months
Migration from Beta-2 to Beta-4
by Rodrigo Sasaki
Is there a step-by-step guide on how I should proceed when migrating keycloak
versions?
I tried to simply deploy the beta-4, but I had some weird symptoms. Even
though I had the same datasource configuration, keycloak acted as though I
didn't have any data, asking me for a new password for the admin account.
I checked my mysql and everything is there, and the datasource is the same,
since the standalone.xml is the same.
I'm using the wildfly bundled on the appliance distribution.
Is there something specific I should be careful with? Or a different
procedure I should have tried?
Thanks
--
Rodrigo Sasaki
10 years, 7 months
How to validate LDAP connection?
by Aaron Held
I'm setting up keycloak to test it out and having trouble setting up and
testing the LDAP input.
Is there a way to explicitly test that the LDAP is set up correctly? No
matter what I enter into the settings page, I don't see anything in the logs
and I don't see any new users on the users page.
What I am looking for is a way to use our ActiveDirectory (via LDAP) as the
source. I'm not sure if it will support roles from AD yet, but that would
be my next step.
thanks,
-Aaron
10 years, 7 months
Re: [keycloak-user] Bearer Only Application access with token
by Rodrigo Sasaki
Oh, that was it. The client needs to have the roles from the application, I
didn't think of that.
Thank you again
copying back the mailing-list because I didn't reply to it by mistake
On Wed, Aug 6, 2014 at 11:18 AM, Bill Burke <bburke(a)redhat.com> wrote:
> The security-admin-console has a limited scope, so the access token
> doesn't get populated with the roles you desire. A quick workaround is to
> go to the Scope page on the security-admin-console and click "Full scope
> allowed".
>
> IMO, instead, you should create an oauth client and assign the scope you
> want for that client_id. This allows you to:
>
> * Reduce the size of the access token created for that client_id
> * Limit the roles that tokens created for that client_id can obtain.
>
> Scope is really an extra security measure. For example, with scope, you
> can enforce that only the security-console-application can ever get
> tokens that have admin roles within it.
>
> On 8/6/2014 10:10 AM, Rodrigo Sasaki wrote:
>
>> I get the token sending a POST using *security-admin-console* as
>> *client_id*.
>>
>>
>> The application I'm trying to access is bearer only, so I can't generate
>> a token directly for it
>>
>>
>> On Wed, Aug 6, 2014 at 11:06 AM, Bill Burke <bburke(a)redhat.com> wrote:
>>
>> How do you obtain the token? Access tokens are created specifically for
>> the application/oauth client that initiated the token protocol. So the
>> access token will be stuffed with only the role mappings for that
>> application/oauth client. A bearer-only application doesn't need a
>> scope configured because it never initiates a login.
>>
>> I changed things in beta 4 to hopefully mitigate the confusion around
>> "scope". Applications have a full scope enabled by default now.
>>
>> On 8/6/2014 9:58 AM, Rodrigo Sasaki wrote:
>> > Is there any news on this? I tried it on beta-4 on wildfly and I still
>> > get the same response.
>> >
>> > On Tue, Jul 29, 2014 at 5:56 PM, Rodrigo Sasaki <rodrigopsasaki(a)gmail.com> wrote:
>> >
>> > I made sure of all that, I just recreated everything using realm
>> > roles just for the sake of completeness, but I'm still getting a 403
>> >
>> >
>> > On Tue, Jul 29, 2014 at 4:09 PM, Vivek Srivastav (vivsriva) <vivsriva(a)cisco.com> wrote:
>> >
>> > Make sure you have the following settings configured for your
>> > database service:
>> >
>> > In the web.xml, make sure you have the security setup with the
>> > appropriate user role:
>> > <?xml version="1.0" encoding="UTF-8"?>
>> > <web-app xmlns="http://java.sun.com/xml/ns/javaee"
>> >          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> >          xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
>> >                              http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
>> >          version="3.0">
>> >
>> >     <module-name>database</module-name>
>> >     <security-constraint>
>> >         <web-resource-collection>
>> >             <!-- web-resource-name is required by the web-app_3_0 schema -->
>> >             <web-resource-name>database-service</web-resource-name>
>> >             <url-pattern>/*</url-pattern>
>> >         </web-resource-collection>
>> >         <!-- <user-data-constraint>
>> >             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>> >         </user-data-constraint> -->
>> >         <auth-constraint>
>> >             <role-name>user</role-name>
>> >         </auth-constraint>
>> >     </security-constraint>
>> >
>> >     <login-config>
>> >         <auth-method>KEYCLOAK</auth-method>
>> >         <realm-name>demo</realm-name>
>> >     </login-config>
>> >
>> >     <security-role>
>> >         <role-name>user</role-name>
>> >     </security-role>
>> > </web-app>
>> >
>> >
>> >
>> > From: Rodrigo Sasaki <rodrigopsasaki(a)gmail.com>
>> > Date: Tuesday, July 29, 2014 at 12:51 PM
>> > To: Bill Burke <bburke(a)redhat.com>
>> > Cc: keycloak-user(a)lists.jboss.org
>> > Subject: Re: [keycloak-user] Bearer Only Application access with token
>> >
>> > It is defined under the application itself, so it's under the
>> > scope. This should be working, right?
>> >
>> >
>> > On Tue, Jul 29, 2014 at 11:59 AM, Bill Burke <bburke(a)redhat.com> wrote:
>> >
>> > What kind of role is it? Is the new role defined under the
>> > "database-service" application? If not, then you must add this role to
>> > the "database-service"'s scope in the admin console.
>> >
>> > On 7/29/2014 10:51 AM, Rodrigo Sasaki wrote:
>> > > Hi,
>> > >
>> > > I'm trying to secure a bearer-only application with keycloak, to access
>> > > it with access tokens, but I think I'm missing something.
>> > >
>> > > I tried it with the database-service of the unconfigured demo.
>> > >
>> > > 1. I created the user role in the application.
>> > > 2. I assigned that role to my user
>> > > 3. I copied the contents of the installation json to
>> > > *webapp/META-INF/keycloak.json*
>> > >
>> > > {
>> > >   "realm": "demo",
>> > >   "realm-public-key": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
>> > >   "bearer-only": true,
>> > >   "ssl-not-required": true,
>> > >   "resource": "database-service",
>> > >   "use-resource-role-mappings": true
>> > > }
>> > >
>> > > 4. Set the auth-method to *KEYCLOAK* on web.xml
>> > > 5. Started the server deploying the *database-service*
>> > > 6. Generated a token using *security-admin-console* client_id and my user
>> > > 7. Submitted a GET request to localhost:8080/database/customers/
>> > >
>> > > After these steps I get a 403 error, saying that I'm not authorized to
>> > > access the resource, wasn't this supposed to work?
>> > >
>> > > --
>> > > Rodrigo Sasaki
>> > >
>> > > _______________________________________________
>> > > keycloak-user mailing list
>> > > keycloak-user(a)lists.jboss.org
>> > > https://lists.jboss.org/mailman/listinfo/keycloak-user
>> >
>> >
>> > --
>> > Bill Burke
>> > JBoss, a division of Red Hat
>> > http://bill.burkecentral.com
>> > --
>> > Rodrigo Sasaki
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> --
>> Rodrigo Sasaki
>>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
>
--
Rodrigo Sasaki
10 years, 7 months
Bearer Only Application access with token
by Rodrigo Sasaki
Hi,
I'm trying to secure a bearer-only application with keycloak, to access it
with access tokens, but I think I'm missing something.
I tried it with the database-service of the unconfigured demo.
1. I created the user role in the application.
2. I assigned that role to my user
3. I copied the contents of the installation json to
*webapp/META-INF/keycloak.json*
{
"realm": "demo",
"realm-public-key":
"MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCwRayjzh7W+EfPaeSdyXWLyXof7c3fwD7vb0AEtG+ogLHtMkYiTdX9y/JXOmXwWDzGhx7NM3Q6vkCG0F3lZqOVsSlYH56c5+Ev4QmSGK/+6e+WcZMcgmscoz1OoXKom4+pzqMey42hqdwwMhkvCq/jxJSmUGnZJQuqEKVH00NZ1wIDAQAB",
"bearer-only": true,
"ssl-not-required": true,
"resource": "database-service",
"use-resource-role-mappings": true
}
4. Set the auth-method to *KEYCLOAK* on web.xml
5. Started the server deploying the *database-service*
6. Generated a token using *security-admin-console* client_id and my user
7. Submitted a GET request to *localhost:8080/database/customers*
After these steps I get a 403 error, saying that I'm not authorized to
access the resource, wasn't this supposed to work?
--
Rodrigo Sasaki
10 years, 7 months
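As an added illustration (not code from this thread or from Keycloak itself), the Python below mirrors the role lookup the adapter applies with the keycloak.json above and explains the 403 discussed in the reply thread: with use-resource-role-mappings set to true the adapter looks in resource_access["database-service"].roles rather than realm_access.roles, and a token minted through the limited scope of security-admin-console carries no roles for database-service. The claim names resource_access and realm_access are assumed to match the adapter's behaviour, and the sample tokens are constructed here.

```python
import base64
import json


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    # Inverse of the above, used only to build the constructed sample tokens.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token):
    """Return the payload claims of a compact JWS (header.payload.signature).

    The signature is deliberately NOT verified here: the Keycloak adapter does
    that against realm-public-key. This helper only explains why a token that
    passed the signature check still produced a 403."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def effective_roles(claims, resource, use_resource_role_mappings=True):
    """Role set the adapter consults (assumed claim layout): true selects
    resource_access[<resource>].roles, false selects realm_access.roles."""
    if use_resource_role_mappings:
        return set(claims.get("resource_access", {}).get(resource, {}).get("roles", []))
    return set(claims.get("realm_access", {}).get("roles", []))


def diagnose_403(token, resource, required_role, use_resource_role_mappings=True):
    """Return 'ok' when the token carries required_role for resource, else why not."""
    roles = effective_roles(decode_claims(token), resource, use_resource_role_mappings)
    if required_role in roles:
        return "ok"
    return ("403 expected: token carries roles %s for %s; the client_id that "
            "obtained it needs %r in its scope" % (sorted(roles), resource, required_role))


def make_sample_token(claims):
    """Constructed, offline-only sample token; the signature segment is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return "%s.%s.%s" % (header, _b64url_encode(json.dumps(claims).encode()),
                         _b64url_encode(b"placeholder-signature"))


# Constructed claims: a token minted via security-admin-console's limited scope has
# the realm role but no database-service entry, which is the situation behind the 403.
ADMIN_CONSOLE_TOKEN = make_sample_token({"realm_access": {"roles": ["user"]}, "resource_access": {}})
# The same user once the requesting client's scope includes database-service's "user" role.
SCOPED_TOKEN = make_sample_token({"resource_access": {"database-service": {"roles": ["user"]}}})
```

Running diagnose_403(ADMIN_CONSOLE_TOKEN, "database-service", "user") reports the missing resource role, while the same call on SCOPED_TOKEN returns "ok".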
How can I customize the New User Registration workflow?
by Christina Lau
Is it possible to add a call to my own code before a new user is added to the system using the New User Registration form? I need to call some other services when onboarding a new user. Thx.
Christina
10 years, 7 months
User Image
by Dean Peterson
It would be great if Keycloak had a built in mechanism for uploading and
storing a user profile image. That way, I could just make a call to a
Keycloak REST service to get the image stored in the centrally located
keycloak server where all the other user attributes are stored. Has
anything like that been discussed?
10 years, 7 months
Datasource configuration on keycloak-server.json
by Rodrigo Sasaki
Hi,
I noticed that now there is no persistence.xml file in
*server/src/main/resources/META-INF*
There is only a keycloak-server.json, that according to the github commit
comments, is to be used now to configure the datasources.
I'm trying to deploy it with *JBoss 7.1.1.Final* and I'm getting this error
message:
"JBAS014771: Services with missing/unavailable dependencies" =>
["jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#keycloak-default\"
*Missing[jboss.deployment.unit.\"auth-server.war\".WeldServicejboss.persistenceunit.\"auth-server.war#keycloak-default\"]*
"]
The datasource defined in the connectionsJpa section of the JSON file
exists; I'm using the ExampleDS.
Am I missing something, or is this expected?
--
Rodrigo Sasaki
10 years, 7 months