Returned mail: Data format error
by MAILER-DAEMON
The original message was received at Thu, 25 Aug 2016 18:47:21 +0530
from lists.jboss.org [182.180.48.197]
----- The following addresses had permanent fatal errors -----
<keycloak-user(a)lists.jboss.org>
8 years, 4 months
Review Japanese translations
by Stian Thorgersen
We have a PR for Japanese translations, but I would like someone to review
it prior to merging it. Are there any Japanese speakers out there who could
review it for me?
8 years, 4 months
How can I access org.keycloak.KeycloakPrincipal without javax.servlet.http.HttpServletRequest
by Stephen More
I am familiar with the Apereo CAS Client, that project has an
AssertionThreadLocalFilter that allows one to access the principal without
having direct access to the web tier session.
org.jasig.cas.client.validation.Assertion assertion =
org.jasig.cas.client.util.AssertionHolder.getAssertion();
org.jasig.cas.client.authentication.AttributePrincipal principal =
assertion.getPrincipal();
Does keycloak have a similar function to access the
org.keycloak.KeycloakPrincipal without access to the HttpServletRequest ?
-Thanks
8 years, 4 months
OAuth scopes in Keycloak
by Adrian Gonzalez
Hello,
I'm using Keycloak for the first time, so sorry if this is a newbie question.
When I use keycloak, oauth scope attribute is never present in keycloak tokenEndpoint responses and in introspect responses.
From the specs, the scope attribute should be present when calling the token and token introspection endpoints, but it's never returned by keycloak endpoints:
* token endpoint response - see [2] for a sample
from https://tools.ietf.org/html/rfc6749#section-5.1
<quote>scope OPTIONAL, if identical to the scope requested by the client; otherwise, REQUIRED</quote>
* token introspection - see [3] for a sample
from https://tools.ietf.org/html/rfc7662#section-2.2
<quote>scope OPTIONAL. A JSON string containing a space-separated list of scopes associated with this token, in the format described in Section 3.3 of OAuth 2.0 [RFC6749].</quote>
Oops... optional in the spec ??? what's the introspection use then ???
I know I can key roles from keycloak JWT AT (in realm_access.roles for instance), but it's not in OAuth specs and I would like to stick with the standard.
Am I doing something wrong ?
I'm using Keycloak with a Spring Boot application (using the Spring OAuth library - I know there's a Spring Keycloak adapter, but since my application uses other OIDC / OAuth providers I would like to stick with Spring OAuth), and since no scope attribute is present in the responses, I receive no scope in my application.
I've tested with a sample role hello.say. I created a realm role of the same name, and assigned it to my test user. I've made sure my application requests this scope during the authorization request.
Here's my spring configuration (requesting a hello.say scope), more exactly:
spring:
  profiles: keycloak
security:
  oidc:
    client:
      expectedIssuer: http://localhost:8180/auth/realms/demo
      keyUri: http://localhost:8180/auth/realms/demo/protocol/openid-connect/certs
  oauth2:
    client:
      clientId: sample-resource-server
      clientSecret: 55175ff5-23d4-487c-a572-67d9715ea765
      scope: openid refreshToken hello.say
      access-token-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token
      user-authorization-uri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/auth
    resource:
      serviceId: ${PREFIX:}resource
      tokenInfoUri: http://localhost:8181/auth/realms/demo/protocol/openid-connect/token/intr...
Really sorry for the long mail.
Thanks for the help!
Adrian
[1] Sample token request:
grant_type=authorization_code&code=Av9RoU-sonFW989gBicCwmXSNDLKX5bIGxUKjT4NTH8.dd753cf2-e1df-47ff-84e0-7cbb74a8f928&redirect_uri=http%3A%2F%2Flocalhost%3A9999%2Flogin
[2] Sample token response (no scope attribute - whether my user has the hello.say role or not):
[3] Sample token introspection response - there's no scope here:
{
  "jti":"7bb3c749-c32a-4d88-9688-78e8bcd0ff45",
  "exp":1471969404,
  "nbf":0,
  "iat":1471969104,
  "iss":"http://localhost:8180/auth/realms/demo",
  "aud":"sample-application-client",
  "sub":"368d8948-86db-437a-8669-19ab8b07a816",
  "typ":"Bearer",
  "azp":"sample-application-client",
  "auth_time":1471969104,
  "session_state":"7e6e9a76-bec4-4ded-8b49-f72809e03d67",
  "name":"test test",
  "given_name":"test",
  "family_name":"test",
  "preferred_username":"test",
  "email":"adr_gonzalez(a)yahoo.fr",
  "acr":"1",
  "client_session":"dd753cf2-e1df-47ff-84e0-7cbb74a8f928",
  "allowed-origins":[
    "http://localhost:9999"
  ],
  "realm_access":{
    "roles":[
      "uma_authorization",
      "hello.say"
    ]
  },
  "resource_access":{
    "account":{
      "roles":[
        "manage-account",
        "view-profile"
      ]
    }
  },
  "client_id":"sample-application-client",
  "username":"test",
  "active":true
}
8 years, 4 months
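As an added example (not code from the post, from Spring or from Keycloak), this shows how a resource server can consume an introspection response like the one above strictly per RFC 7662: the standard `scope` claim is the only source of scopes, a missing claim is treated as "no scope granted" (fail closed), and the Keycloak-specific realm_access.roles mapping the poster mentions is kept as a separate, opt-in fallback. The trimmed sample response, the `authorize` function and its parameters are constructed for this illustration.

```python
import json

# Constructed sample, cut down from the introspection response quoted in the post:
# "active" is true and the realm roles are present, but there is no "scope" member.
SAMPLE_INTROSPECTION = json.loads("""{
  "exp": 1471969404, "nbf": 0, "iat": 1471969104,
  "iss": "http://localhost:8180/auth/realms/demo",
  "aud": "sample-application-client",
  "client_id": "sample-application-client",
  "realm_access": {"roles": ["uma_authorization", "hello.say"]},
  "active": true
}""")


def standard_scopes(resp):
    """RFC 7662 section 2.2: 'scope' is a space-separated string. When it is
    absent no scope was asserted, so return an empty set (fail closed)."""
    value = resp.get("scope")
    if not isinstance(value, str):
        return set()
    return set(value.split())


def keycloak_roles_as_scopes(resp):
    """Non-standard fallback: Keycloak lists realm roles under realm_access.roles.
    This is not an OAuth 2.0 scope; enable it only for a trusted Keycloak issuer."""
    roles = resp.get("realm_access", {}).get("roles", [])
    return set(roles) if isinstance(roles, list) else set()


def authorize(resp, required_scope, issuer, client_id, now, allow_keycloak_roles=False):
    """True only if the token is active, inside its validity window, from the
    expected issuer and client, and carries required_scope."""
    if resp.get("active") is not True:
        return False
    if resp.get("iss") != issuer or resp.get("client_id") != client_id:
        return False
    exp, nbf = resp.get("exp"), resp.get("nbf", 0)
    if not isinstance(exp, int) or now >= exp or now < nbf:
        return False
    scopes = standard_scopes(resp)
    if allow_keycloak_roles:
        scopes |= keycloak_roles_as_scopes(resp)
    return required_scope in scopes
```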
SAML IdP automatically link account
by Glenn Campbell
I have a SAML IdP that is used only for authentication and a separate
database that contains information about the users, including roles. I've
set up the database in User Federation and the SAML IdP in Identity
Providers.
The problem I have is that when users log in they are prompted to link to
an existing account. This is confusing for them because from their
perspective the only account they know about is the one on the SAML IdP.
Is it possible to configure this Identity Provider to be "trusted" so that
the accounts are linked automatically? I started looking into creating a
custom authenticator based on the documentation and the custom
authenticator in the example code but I don't see what the necessary steps
are to cause the automatic account linking.
Any suggestions would be greatly appreciated.
8 years, 4 months
Signed JWT issue
by abhishek raghav
Hi Team,
Recently I ran into an issue where I am using signed JWT tokens as the client
authentication mechanism instead of client id/secret.
My keycloak.json looks like this:
{
  "realm": "nginx",
  "realm-public-key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzb6ecdzvU+RoI0Qu6Psh1NFKLUoSuSfoAdW/nD5sr0M1FDpLOrsRIzIRScS9DJ28n1+Kdvrad9aS/UMsr+NXHRoSPeZuabAtfDCYx49+NhtR+LW97rB4lBNnXf148mkhikyZ0B08naQlhgkAqBXR5oxOo/FqWCObhZxBPsU9BcL4Qb5JO1we8k+7kIHTFyhHbZvEAk292eIG+GyrUDh+ZyE8T8Myde0GM1Korg9ZsdYxbb3U78bmxgvBmeye+Dq89EbyNDE3K/7giq7Gmh4Gu6fVcJG9tCjl1pS7CiDH1gTuITJxSJO3bPRf58SVoId8S26/5YMIq7pqwXe/pyvAewIDAQAB",
  "auth-server-url": "http://192.168.99.100:31048/auth",
  "ssl-required": "external",
  "resource": "product-portal",
  "enable-cors": false,
  "credentials": {
    "jwt": {
      "client-key-password": "changeit",
      "client-keystore-file": "/keystore/keystore.jks",
      "client-keystore-password": "changeit",
      "client-key-alias": "product-portal",
      "token-timeout": 10,
      "client-keystore-type": "jks"
    }
  }
}
But when I try to deploy this app in my local Tomcat, the app doesn't
deploy and fails. My catalina.log file tells this:
12-Aug-2016 07:13:09.400 SEVERE [localhost-startStop-1] org.apache.catalina.startup.HostConfig.deployWAR Error deploying web application archive /usr/local/tomcat/webapps/product-portal.war
java.lang.RuntimeException: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of java.lang.String out of START_OBJECT token
 at [Source: java.io.FileInputStream@7d33dbab; line: 9, column: 5] (through reference chain: org.keycloak.representations.adapters.config.AdapterConfig["credentials"])
    at org.keycloak.adapters.KeycloakDeploymentBuilder.loadAdapterConfig(KeycloakDeploymentBuilder.java:104)
    at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:93)
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.keycloakInit(AbstractKeycloakAuthenticatorValve.java:116)
    at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.lifecycleEvent(AbstractKeycloakAuthenticatorValve.java:65)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:394)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:165)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:701)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
    at org.apache.catalina.startup.HostConfig.deployWAR(HostConfig.java:940)
    at org.apache.catalina.startup.HostConfig$DeployWar.run(HostConfig.java:1816)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
    at java.util.concurrent.FutureTask.run(FutureTask.java:262)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
Caused by: org.codehaus.jackson.map.JsonMappingException: Can not deserialize instance of java.lang.String out of START_OBJECT token
 at [Source: java.io.FileInputStream@7d33dbab; line: 9, column: 5] (through reference chain: org.keycloak.representations.adapters.config.AdapterConfig["credentials"])
    at org.codehaus.jackson.map.JsonMappingException.from(JsonMappingException.java:163)
    at org.codehaus.jackson.map.deser.StdDeserializationContext.mappingException(StdDeserializationContext.java:219)
    at org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:44)
    at org.codehaus.jackson.map.deser.std.StringDeserializer.deserialize(StringDeserializer.java:13)
    at org.codehaus.jackson.map.deser.std.MapDeserializer._readAndBind(MapDeserializer.java:319)
    at org.codehaus.jackson.map.deser.std.MapDeserializer.deserialize(MapDeserializer.java:249)
    at org.codehaus.jackson.map.deser.std.MapDeserializer.deserialize(MapDeserializer.java:33)
    at org.codehaus.jackson.map.deser.SettableBeanProperty.deserialize(SettableBeanProperty.java:299)
    at org.codehaus.jackson.map.deser.SettableBeanProperty$MethodProperty.deserializeAndSet(SettableBeanProperty.java:414)
    at org.codehaus.jackson.map.deser.BeanDeserializer.deserializeFromObject(BeanDeserializer.java:697)
    ......
It shows a problem deserializing the "credentials" property.
I am using Keycloak 2.0.0.Final and Tomcat 8.0.36.
For Keycloak I am using the Tomcat adapter for my app.
Please help.
- Best Regards
Abhishek Raghav
8 years, 4 months
Login app not deployed on Keycloak?
by Zhaohua Meng
Hello gurus here,
We are testing Keycloak 2.1.0 and want to know if it’s possible to use a browser login (including 2FA) app that’s not deployed on Keycloak?
Thanks,
Z.M
8 years, 4 months
Infinispan problems upgrading 1.7.0.Final to 2.0.0.Final
by Kevin Thorpe
Hi,
I'm having problems upgrading from 1.7.0.Final to 2.0.0.Final. I'm
using the Docker images on which we build our own images to add https with
our certs, our theme and a small patch to match our LDAP configuration. The
new image of 2.0.0 works fine with a brand new database but doesn't start
up with the existing database. Do I need to upgrade via an earlier release
to modify the db?
I've attached the startup logs. I don't know enough to see what's wrong.
Kevin Thorpe
8 years, 4 months