Terms and Conditions
by Bruno Palermo
Hi,
Is it possible to link directly to the terms and conditions page? What's the URL?
In case there's an update to the terms, is it possible to add the required action to accept the terms again to all users?
Thanks,
Bruno
8 years, 7 months
keycloak openid connect session management
by Jannik Hüls
Hi guys,
I am using Keycloak together with mod_auth_openidc and ran into some trouble. I want to use the login-status-iframe endpoint but it does not seem to be working (at least for my configuration).
The aim is to use a federated logout:
1. Login via an app protected by mod_auth_openidc
2. Open keycloak admin
3. Destroy the session
4. Refresh the app -> User is still logged in.
So mod_auth_openidc supports OpenID Connect Session Management via iframe, and as I saw in Keycloak's code an iframe endpoint is available. So:
- Is the OpenID Connect session management via iframe already working in Keycloak? I was wondering why the endpoint is not mentioned in the OpenID Connect well-known configuration.
- What is the correct origin value that should be presented when calling the iframe endpoint?
I call:
<keycloak url>/protocol/openid-connect/login-status-iframe.html?client_id=<client>&origin=<origin>
- Is there any documentation available regarding the iframe endpoint? I suggested that I have to include the above link in the iframe src attribute. Is this correct?
Best,
Jannik
8 years, 7 months
Keycloak 1.9.5.Final Released
by Stian Thorgersen
Keycloak 1.9.5.Final has just been released. There's one change worth highlighting in this release. We've increased the default password hashing intervals to 20000. Yes, you read that right. We've actually recommended using 20000 for a while now, but the default was only 1. This is a clear trade-off between performance and how secure passwords are stored. With 1 password hashing interval it takes less than 1 ms to hash a password, while with 20000 it takes tens of ms.
For the full list of resolved issues check out JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> and to download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>.
8 years, 7 months
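To make the trade-off in the announcement concrete, here is an added example (not Keycloak code) that derives and verifies a PBKDF2 credential at the old default of 1 iteration and the new default of 20000, times both, and flags stored hashes that predate the new policy. It assumes Keycloak's pbkdf2 provider parameters (HMAC-SHA1, 16-byte salt, 512-bit derived key); the announcement itself does not state them.

```python
import hashlib
import hmac
import os
import time

# Assumptions (not stated in the announcement): Keycloak's pbkdf2 provider
# uses PBKDF2 with HMAC-SHA1, a 16-byte random salt and a 512-bit derived key.
PRF = "sha1"
SALT_BYTES = 16
DERIVED_KEY_BYTES = 64

# The two settings the announcement compares: the old default and the new one.
OLD_DEFAULT_ITERATIONS = 1
NEW_DEFAULT_ITERATIONS = 20000


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the stored credential value for password under the given salt and iteration count."""
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, DERIVED_KEY_BYTES)


def new_credential(password: str, iterations: int) -> dict:
    """Build a credential record of the kind a server stores: salt, iteration count, derived key."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt, "iterations": iterations, "value": hash_password(password, salt, iterations)}


def verify_password(password: str, credential: dict) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    candidate = hash_password(password, credential["salt"], credential["iterations"])
    return hmac.compare_digest(candidate, credential["value"])


def needs_rehash(credential: dict, required_iterations: int) -> bool:
    """True when a stored credential was hashed with fewer iterations than the current policy.
    Raising the default does not change existing hashes; a credential can only be re-hashed
    when the plaintext is available again, i.e. at the user's next successful login."""
    return credential["iterations"] < required_iterations


def ms_per_hash(iterations: int, rounds: int = 5) -> float:
    """Average wall-clock cost of one hash at this iteration count, in milliseconds."""
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    for _ in range(rounds):
        hash_password("correct horse battery staple", salt, iterations)
    return (time.perf_counter() - start) / rounds * 1000.0


if __name__ == "__main__":
    for n in (OLD_DEFAULT_ITERATIONS, NEW_DEFAULT_ITERATIONS):
        cost = max(ms_per_hash(n), 1e-6)
        # The same per-hash cost bounds how many guesses per second an offline attacker gets.
        print(f"{n:>6} iterations: {cost:8.3f} ms/hash, ~{1000.0 / cost:,.0f} guesses/s/core")
    legacy = new_credential("hunter2", OLD_DEFAULT_ITERATIONS)
    print("legacy hash needs upgrade:", needs_rehash(legacy, NEW_DEFAULT_ITERATIONS))
```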
Keycloak 1.5 HA clustering failure
by Moon S.Yim
Hello keycloak users,
Not sure this is the correct way to ask a question in the user forum.
We're using Keycloak 1.5 in production as a single node, and it works well.
We're trying to set up HA clustering with 2 nodes, but it doesn't work.
I'm just following the Keycloak user guide (http://keycloak.github.io/docs/userguide/keycloak-server/pdf/keycloak-ref...) Chapter 29. Clustering.
This is how I start it:
/opt/keycloak-1.5.0.Final/keycloak/bin/standalone.sh --server-config=standalone-keycloak-ha.xml -Djboss.bind.address=`hostname -i` &
or
/opt/keycloak-1.5.0.Final/keycloak/bin/standalone.sh --server-config=standalone-keycloak-ha.xml -Djboss.bind.address=`hostname -i` -bpublic=`hostname -i` -bprivate=`hostname -i` &
standalone-keycloak-ha.xml or standalone-ha.xml, same results.
The Keycloak process is up and running on both nodes, but there is no clustering log output when it starts up,
and admin console login fails.
18:02:59,625 WARN [org.keycloak.events] (default task-21) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=10.x.x.113, error=invalid_code, code_id=c4f010be-9747-4b8a-a7be-e44f9bc1e3bf, client_auth_method=client-secret
18:03:51,482 WARN [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=master, clientId=null, userId=null, ipAddress=10.x.x.113, error=invalid_code
My questions on HA clustering are:
1) How do the 2 nodes recognize each other? There is no configuration for that except the sessions cache of the Infinispan/Keycloak container.
2) Is there any good example of standalone-keycloak-ha.xml for 2-node clustering?
Thanks
Best Regards, MoonY
8 years, 7 months
Using dependencies for an SPI provider
by Sarp Kaya
Hi,
I am trying to extend an event listener and the example one works fine, which just prints out every event.
However, I want to do something more complicated than that. So I added two more dependencies on top of the Keycloak dependencies:
com.codahale.metrics:metrics-core and com.readytalk:metrics3-statsd
In my IDE I was able to develop fine, and then Maven packages it fine. I package it by including all the dependencies (so the JAR file is about 6 MB), otherwise it won't have the dependencies (I have tried that and it complained at runtime that it doesn't have the class).
Then I start the Keycloak service and it starts fine. I get an exception thrown like the one below when I first use the service (which is when the first event trigger happens):
07:10:01,453 ERROR [io.undertow.request] (default task-6) UT005023: Exception handling request to /auth/realms/master/protocol/openid-connect/auth: org.jboss.resteasy.spi.UnhandledException: java.lang.NoClassDefFoundError: sun/misc/Unsafe
at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:76)
at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:212)
at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:168)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:411)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:88)
at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:284)
at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:263)
at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:174)
at io.undertow.server.Connectors.executeRootHandler(Connectors.java:202)
at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:793)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NoClassDefFoundError: sun/misc/Unsafe
at com.codahale.metrics.Striped64.getUnsafe(Striped64.java:330)
at com.codahale.metrics.Striped64.<clinit>(Striped64.java:311)
at com.codahale.metrics.EWMA.<init>(EWMA.java:29)
at com.codahale.metrics.EWMA.oneMinuteEWMA(EWMA.java:39)
at com.codahale.metrics.Meter.<init>(Meter.java:15)
at com.codahale.metrics.Meter.<init>(Meter.java:28)
at com.codahale.metrics.MetricRegistry$MetricBuilder$3.newMetric(MetricRegistry.java:426)
at com.codahale.metrics.MetricRegistry$MetricBuilder$3.newMetric(MetricRegistry.java:423)
at com.codahale.metrics.MetricRegistry.getOrAdd(MetricRegistry.java:313)
at com.codahale.metrics.MetricRegistry.meter(MetricRegistry.java:134)
at com.expedia.keycloak.spi.providers.events.SysoutEventListenerProvider.<init>(SysoutEventListenerProvider.java:22)
at com.expedia.keycloak.spi.providers.events.SysoutEventListenerProviderFactory.create(SysoutEventListenerProviderFactory.java:23)
at com.expedia.keycloak.spi.providers.events.SysoutEventListenerProviderFactory.create(SysoutEventListenerProviderFactory.java:16)
at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:115)
at sun.reflect.GeneratedMethodAccessor27.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.ContextParameterInjector$GenericDelegatingProxy.invoke(ContextParameterInjector.java:56)
at com.sun.proxy.$Proxy81.getProvider(Unknown Source)
at org.keycloak.events.EventBuilder.<init>(EventBuilder.java:62)
at org.keycloak.services.resources.RealmsResource.getProtocol(RealmsResource.java:98)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:79)
at org.jboss.resteasy.core.ResourceLocatorInvoker.createResource(ResourceLocatorInvoker.java:58)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:100)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
... 37 more
Caused by: java.lang.ClassNotFoundException: sun.misc.Unsafe
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
... 66 more
I don't know what could be wrong. When I googled the java.lang.NoClassDefFoundError with Keycloak I found that there was an error with Facebook integration. So I am wondering whether this is something similar and a bug in Keycloak? If not, what have I missed?
Kind Regards,
Sarp Kaya
8 years, 7 months
How to apply updates to keycloak instances
by Jesse Chahal
Following some of the best practices for continuous integration and continuous delivery, there need to be environments for build, test, and production. This means that following these practices requires you to have multiple versions of Keycloak at different stages of the development cycle. Some of these environments might not have important persistent data while others might. In order to have builds transition from one environment to another there may be configuration changes required for a build to be valid. This is especially true when new services (OpenID clients) or "default" accounts are being added.
I'm trying to come up with a scripted way of updating Keycloak instances that are backed by an RDBMS. This may include adding new clients, adding new users, updating realm config, etc. Originally I was planning on simply exporting the realm config and importing it every time Keycloak starts. If I enabled the OVERWRITE option I might overwrite things that I do not want overridden. This is especially true if there is some config that differs based on whether it is a build, test, or production instance. If I don't enable it then it is only useful for new/blank Keycloak environments. I considered using Liquibase, but since I do not have control of schema changes created by the Keycloak team I might run into issues with my Liquibase file not being valid after a migration/Liquibase update by the Keycloak team, as my Liquibase file would run after Keycloak's does. There might also be some other unknown issues with our Liquibase changes conflicting somehow with Keycloak's Liquibase changes. I've also considered writing my own updater tool using a scripting language (Python/Ruby) that calls Keycloak's REST API. The issue with this mechanism is that it feels like I am reinventing the wheel, as well as not being able to find good documentation on Keycloak's OpenID endpoints/URLs used for the different OAuth2 flows. Even if I did find this documentation it would also require me to find a good OpenID client for the scripting language. This doesn't matter for our normal clients as they simply use the Keycloak subsystems and adapters instead. I've also looked at commonly used server configuration software such as Chef, Puppet, and Ansible. I don't see a good solution using any of those tools yet either. What have other people done for cases like this? Please don't tell me there is someone who is doing this all manually, because that doesn't work in modern software development.
- doesn't accidentally delete users
- doesn't accidentally delete clients
- doesn't invalidate sessions (optional)
- works to bring up new, correctly configured Keycloak instances
- handles applying updates to existing Keycloak instances
- can handle minor differences between Keycloak instances (build, test, production) when updating
- preferably can work well in rolling deployment scenarios
-- I hope the Keycloak team is taking these into consideration when doing database migration between 1-2 releases. It would be nice if they set some specific rules for rolling updates between versions (aka backwards-breaking changes).
8 years, 7 months
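One way to script the non-destructive updater the post asks for, as an added example (not code from the poster or the Keycloak project): it computes a create/update plan for clients from a baseline export plus per-environment overrides, never emits a delete, keeps server-side fields such as the client secret, and applies the plan through the admin REST API. The admin-cli password grant and the /admin/realms/{realm}/clients endpoints are real Keycloak endpoints; the sample client representations and environment names are constructed.

```python
"""Idempotent, non-destructive client sync against the Keycloak admin REST API."""
import json
import urllib.parse
import urllib.request


def admin_token(base_url: str, username: str, password: str) -> str:
    """Password grant against the built-in admin-cli client of the master realm."""
    body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                   "username": username, "password": password}).encode()
    req = urllib.request.Request(f"{base_url}/realms/master/protocol/openid-connect/token", data=body)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _call(base_url: str, token: str, method: str, path: str, payload=None):
    """Minimal JSON call helper for the admin API."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(base_url + path, data=data, method=method, headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


def plan_changes(existing: list, desired: list, overrides: dict) -> list:
    """Decide create/update per desired client; never emit a delete.

    existing:  client representations currently on the server (GET .../clients)
    desired:   baseline representations, e.g. from a realm export of the build environment
    overrides: {clientId: {field: value}} differences for this environment (test, production)
    Returns [(action, server_id_or_None, representation), ...].
    """
    by_client_id = {c["clientId"]: c for c in existing}
    plan = []
    for base in desired:
        wanted = dict(base)
        wanted.pop("id", None)  # an exported id belongs to another instance; never carry it over
        wanted.update(overrides.get(base["clientId"], {}))
        current = by_client_id.get(base["clientId"])
        if current is None:
            plan.append(("create", None, wanted))
            continue
        merged = dict(current)  # fields only the server knows (id, secret) stay untouched
        merged.update(wanted)
        if merged != current:    # unchanged clients produce no call, so re-runs are idempotent
            plan.append(("update", current["id"], merged))
    return plan  # clients on the server that are absent from desired are deliberately left alone


def apply_plan(base_url: str, token: str, realm: str, plan: list) -> int:
    """POST new clients and PUT changed ones; returns the number of API calls made."""
    clients_path = f"/admin/realms/{realm}/clients"
    for action, server_id, rep in plan:
        if action == "create":
            _call(base_url, token, "POST", clients_path, rep)
        else:
            _call(base_url, token, "PUT", f"{clients_path}/{server_id}", rep)
    return len(plan)


if __name__ == "__main__":
    # Constructed sample: one client already on the server, one new one, one env-specific override.
    existing = [{"id": "11111111-aaaa", "clientId": "store-web", "enabled": True,
                 "secret": "keep-me", "redirectUris": ["https://build.example/*"]}]
    desired = [{"id": "export-id", "clientId": "store-web", "enabled": True,
                "redirectUris": ["https://placeholder.example/*"]},
               {"clientId": "reports-api", "enabled": True, "bearerOnly": True}]
    overrides = {"store-web": {"redirectUris": ["https://test.example/*"]}}
    for action, server_id, rep in plan_changes(existing, desired, overrides):
        print(action, server_id, rep["clientId"])
```

Fetch the current list with GET on the same clients path before planning; the override map is the only per-environment input, so the baseline export can be the same artifact for build, test and production.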
Non Browser based TOTP setup
by Fabricio Milone
Hi all,
I am trying to find a way to set up an (optional) TOTP for a specific user using an endpoint, but I couldn't find anything like that in the documentation. Is that even possible? Is it something that you will include at some point in your roadmap?
The scenario is a native mobile app using keycloak through endpoints
(registration, login, logout, etc). I know that's not the way you
recommend, but sadly I cannot change that.
TOTP is currently working if I set it up using the account management console and I'm trying to reuse those calls, but they use cookies included in the requests and that model just doesn't fit my requirements.
I'd really appreciate a little guidance on whether it is possible to create an SPI (I have some already) to do such a task.
Thanks in advance,
Regards,
Fab
--
*Fabricio Milone*
Developer
*Shine Consulting *
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com *a* passion for excellence
8 years, 7 months
Is KC a good fit for your business case?
by Hristo Stoyanov
Hi all,
I wanted to share my thought process of fitting KC against a very common use case.
Perhaps this would lead to better docs (so others can avoid this process or asking the same questions in this forum).
Use case:
Build a fictitious "Ultimate Produce Store Web App" SaaS application for produce store management. Basically, a produce store owner wants to register his/her store, link it to a credit card/bank account, and add other staffers under the store registration. It boils down to two roles per store registration:
1. admins - can add/delete staffers, store credit cards and everything a staffer can do.
2. staffers - limited store management activities.
Here is how I look at KC for utilizing it for this kind of SaaS app:
1. Map each produce store to a separate Realm. Register store admin users with the "manage users" realm-level built-in role.
==================
A. pros
a1 Leverage almost all of the UI of KC
a2 there is some "multi-tenancy" section of the documentation, but it is not clear if one can dynamically assign/remove a realm to a WAR app.
B. cons
b1 Nothing in KC suggests that realms can be created dynamically. There are lots of xml/json configurations that go into specific places, and with each realm
b2 WAR app files need to have the realm hard-coded in the web.xml
b3 No attributes for realms? There are attributes for users and groups, but not for clients, roles, realms. (Someone explain the thought process here...)
b4 How does KC scale with 1000s of realms?
b5 Realms can not share users (A store staffer can work at two stores, I suppose, and a manager can have several stores)
b6 Produce store managers will see "user federation" in the menu, which would confuse them a lot!
2. Map each produce store to a KC client. All under the same realm "Ultimate Produce Store Web App"
===================
A. pros
a1. It looks like clients can be created dynamically without json/xml configuration.
a2. There are "client templates" which can make the process even simpler.
a3. The admin console has search for clients, which suggests that this approach may scale - e.g. having 1000s of clients
a4. Via the KC Events, one can detect when a new user registers under the realm and automatically create a client (produce store) for him/her.
a5. A user can work in one or more stores (clients)
B. cons
b1. There is no admin console at the client level in KC to be leveraged. This would need to be developed from scratch.
b2. Clients do not have attributes. A workaround is to create a surrogate group in each client, solely for the purpose of storing produce store attributes (e.g. credit card)
b3. UI for adding/removing people to a store registration needs to be developed from scratch. Nothing out-of-the-box.
3. Map each produce store to a group. Have a single client "Ultimate Produce Store Web App" under a bogus realm.
====================
A. pros
a1. Groups have attributes. There can even be a hierarchy of them for more sophisticated arrangements.
a2. Each store can have a specific group hierarchy.
a3. A user can work in one or more stores (clients)
B. cons
b1. Virtually no useful KC out-of-the-box UI for managing groups on a per-group basis. You can't really give store owners realm-level privileges
b2. The realm admin console does not look optimized for search/management of a large number of groups
I do not know if I am on the right track and would have to spend significant time reading KC docs and Java sources to figure out A/ if KC is a good choice, and B/ if so, which approach is best for such a common SaaS business case.
The point here is that the KC documentation should discuss such business scenarios a lot more and help solution architects decide quickly the 2 most important questions:
- Is KC right for my web/mobile app needs?
- If so, how do I map KC concepts to my business domain without making costly mistakes?
/Hristo Stoyanov
8 years, 7 months
SAML Mappers
by robinfernandes .
Hi All,
I am trying to connect Shibboleth IdP as an external IdP with Keycloak acting as an SP.
I get the email of the user with friendly name "mail" back in the SAML assertions. I want to set this as the username for this user in Keycloak.
I am attaching a screenshot of my configuration for the mappers, which is not working. Maybe someone has resolved this already or knows how to solve it?
Thanks,
Robin
8 years, 7 months