keycloak 3.4.0 - Missing relation
by Kevin Hirschmann
Hello everybody,
I am setting up a new keycloak instance (3.4.0) resulting in the following error (Relation does not exist):
INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 78) Updating database. Using changelog META-INF/jpa-changelog-master.xml
ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 78) Change Set META-INF/jpa-changelog-authz-3.4.0.CR1.xml::authz-3.4.0.CR1-resource-server-pk-change-part2::glavoie@gmail.com failed. Error: FEHLER: Relation "resource_server_policy" existiert nicht
Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]: liquibase.exception.DatabaseException: FEHLER: Relation "resource_server_policy" existiert nicht
Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]
The problem only occurs if I do NOT use the default schema. If I use the default schema everything is great.
How can I work around this problem?
Thx for your help
Kevin Hirschmann
HUEBINET Informationsmanagement GmbH & Co. KG
7 years, 1 month
Re: [keycloak-user] Authorization transfer
by Corentin Dupont
I see, so I need to create "mydomain" as a resource.
But what should be the type for both "mydomain" and "myhouse"? Should it be
something like "domain:mydomain"?
What I would like is to grant different access to users to that domain.
For example: user Bob can only view resources in domain "mydomain".
User Alice can view and delete resources in "mydomain".
Should I create a "User Policy" with the list of users that have access?
If I understand, I need to use the "resource-based" permission. However it
does not seem to let me select the scopes (as in my example: Bob can only
view, but Alice can delete).
Another question: how to invoke the API for typed resources?
I have:
curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{
  "permissions" : [
    {
      "resource_set_name" : "Sensors",
      "scopes" : [
        "view"
      ]
    }
  ]
}' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup"
But this uses the name of the resource, so I am not sure. Is there a
reference for this API?
Thanks a lot
PS. I found some minor bugs related to the API, should I report them here
or create a JIRA?
On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote:
> Resources have a *type* field that can be used to group resources.
> Permissions granted to a "typed resource" (which is created with the
> resource server itself as the owner) apply to any other resource with the
> same type and owned by a user. Think about a "typed resource" as a
> general/parent resource.
>
> If you have a "mydomain" typed resource and a "myhouse" resource, sharing
> the same type, any permission you apply to "mydomain" is going to be
> applied to "myhouse".
>
> Does it make sense?
>
> On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont <
> corentin.dupont(a)gmail.com> wrote:
>
>> Thanks for the answer.
>> My plan is to make authorizations based on groups of resources, that we
>> call "domains".
>> Basically, when a user creates a resource, he can decide to put it in an
>> existing domain.
>> The URL reflects that domain:
>>
>> http://www.example.com/api/v1/domains/mydomain/houses/myhouse
>>
>> The user can also create domains with the domains endpoint:
>>
>> POST http://www.example.com/api/v1/domains/
>>
>> What is not clear for me is how users can get access to domains.
>> Probably users can have an attribute "domains", with the list of domains
>> they have access to?
>> Or should a domain be represented in Keycloak as a resource?
>> In this case, should we create roles to access that domain?
>> For example, the role "admin-mydomain" ?
>>
>> Or should it be implemented with user groups in Keycloak? Or with User
>> policies?
>>
>>
>>
>> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva(a)redhat.com>
>> wrote:
>>
>>> Right now you can't do it. This is all about the work we are doing to
>>> better support the UMA protocol. Soon you'll be able to let your users
>>> manage their resources (and their policies) from the Keycloak Account Service,
>>> grant and revoke access to other users, authorization flows. We are really
>>> missing this.
>>>
>>> However, I think you can try to use the Policy Management API. It
>>> provides a RESTful API that you can use to manage permissions and policies.
>>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/client/authorization/UserPolicyManagementTest.java.
>>> There are other tests in the same package for other permission and policy types.
>>>
>>> Please, let me know about your achievements if you start doing something
>>> with the Policy Management API. Any feedback is welcome and will probably
>>> help with the work I mentioned before around UMA.
>>>
>>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont <
>>> corentin.dupont(a)gmail.com> wrote:
>>>
>>>> Hi guys,
>>>> is it possible for an application user to grant some authorizations to
>>>> another user?
>>>> For example in the photoz example, how can I give access to my albums
>>>> to another user?
>>>> What would be the mechanism?
>>>>
>>>> Thanks a lot
>>>> Corentin
>>>>
>>>
>>>
>>
>
7 years, 1 month
Unable to use Implicit Flow in Spring Security
by HALLEGUEN, Roderic
Hi,
I followed the two articles on the blog (https://developers.redhat.com/video/youtube/O5ePCWON08Y/) to make Keycloak work with Spring Security. It works nicely, but I'm only able to use the standard flow. Is there something to configure in Spring Security to make it work with the Implicit flow? I didn't find anything about this in the documentation.
Thanks for your help!
7 years, 1 month
UMA Authorization
by Damian Czaja
Hello guys,
AFAIK Keycloak currently does not have full UMA support and, e.g., it's
not possible for users to manage resources they own. There is already a PR for
KEYCLOAK-3169 on that.
First question:
How is the "owner" of the resource set when using the Resource Registration
Endpoint (
https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html)?
Is it set to the "subject" of the PAT token used to register the resource
or is it always the Resource Server, who registered it?
Second question:
From what I know, in UMA to get the Permission Ticket you need to use the
PAT of the Resource Owner. In case the Resource Owner is an End-User, does
it mean the Resource Server will need to perform OAuth2 with the End-User
and store the PAT somewhere to be able to issue Permission Tickets to
Requesting Parties anytime, without the active presence of the End-User?
Best regards,
Damian
7 years, 1 month
org.hibernate.LazyInitializationException (could not initialize proxy - no Session) when getting user attributes
by Ilya Korol
Hi. I've written an implementation of org.keycloak.timer.ScheduledTask
that should periodically and conditionally delete some users, depending on
their attribute values:
import java.util.concurrent.TimeUnit;

import org.keycloak.common.util.Time;
import org.keycloak.models.GroupModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.timer.ScheduledTask;

public class ClearExpiredOnboardingUsers implements ScheduledTask {

    private long expirationTimeout; // seconds; set elsewhere

    @Override
    public void run(KeycloakSession session) {
        long currentTime = TimeUnit.MILLISECONDS.toSeconds(Time.currentTimeMillis());
        RealmModel realm = null; // appropriate realm was set
        GroupModel group = null; // appropriate group was set
        session.userLocalStorage()
                .getGroupMembers(realm, group).stream()
                .filter(user -> isNotVerified(user) && isExpired(user, currentTime))
                .forEach(user -> session.userLocalStorage().removeUser(realm, user));
    }

    private boolean isNotVerified(UserModel user) {
        // read the attribute once; this is the call that fails for users without attributes
        String status = user.getFirstAttribute(UserAttributes.STATUS);
        return status != null && status.equals(UserStatuses.NOT_VERIFIED);
    }

    private boolean isExpired(UserModel user, long currentTime) {
        return TimeUnit.MILLISECONDS.toSeconds(user.getCreatedTimestamp()) + expirationTimeout < currentTime;
    }
}
When it runs I get the following exception in method isNotVerified(UserModel
user) for users that don't have any attributes. (For users with any
attributes this works.)
2017-11-21 14:51:31,030 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredOnboardingUsers: org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: org.keycloak.models.jpa.entities.UserEntity.attributes, could not initialize proxy - no Session
    at org.hibernate.collection.internal.AbstractPersistentCollection.throwLazyInitializationException(AbstractPersistentCollection.java:567)
    at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:205)
    at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:546)
    at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:133)
    at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:277)
    at org.keycloak.models.jpa.UserAdapter.getFirstAttribute(UserAdapter.java:176)
    at company.utils.ClearExpiredOnboardingUsers.isNotVerified(ClearExpiredOnboardingUsers.java:50)
    at company.utils.ClearExpiredOnboardingUsers.lambda$run$0(ClearExpiredOnboardingUsers.java:41)
    at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
    at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1380)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471)
    at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151)
    at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174)
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418)
    at company.utils.ClearExpiredOnboardingUsers.run(ClearExpiredOnboardingUsers.java:42)
    at org.keycloak.services.scheduled.ScheduledTaskRunner.runTask(ScheduledTaskRunner.java:61)
    at org.keycloak.services.scheduled.ScheduledTaskRunner.run(ScheduledTaskRunner.java:45)
    at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:51)
    at java.util.TimerThread.mainLoop(Timer.java:555)
    at java.util.TimerThread.run(Timer.java:505)
I found a workaround by surrounding the attribute verification with
try/catch RuntimeException. In the debugger I checked that
session.getTransactionManager().isActive() returns true. So I'm
interested in possible problems here. Do I have any mistakes in my code,
or is there some kind of bug? Should it be moved to Jira?
7 years, 1 month
User registration outside of Keycloak login form
by Ilya Korol
You should use your custom Authenticator (see docs for Server
Development -> Authentication SPI). So the idea is to put this
authenticator (Optional requirement) inside the browser flow right after
Cookie. It will check whether the user is authenticated or not (if the user was
authenticated it means that Cookie worked). Then it will show the form that
you described via its challenge() method, and process the user's reaction in
its action() method. If you don't fully understand what I've written, check the
docs and you should definitely get the idea. Cheers.
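One way to implement the authenticator described above, as an added example that is neither Ilya's code nor Keycloak's own. It targets the 3.x Authenticator SPI and assumes a hypothetical FreeMarker template named external-registration.ftl with "username" and "email" fields; the AuthenticatorFactory and META-INF/services registration needed to deploy it are not shown.

```java
import javax.ws.rs.core.MultivaluedMap;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.services.messages.Messages;

// OPTIONAL execution placed right after "Cookie" in the browser flow (added example).
public class ExternalRegistrationAuthenticator implements Authenticator {
    // Hypothetical template name; form fields "username" and "email" are assumed.
    private static final String FORM = "external-registration.ftl";

    @Override
    public void authenticate(AuthenticationFlowContext context) {
        // A user is present here only if the Cookie authenticator already succeeded.
        if (context.getUser() != null) {
            context.attempted();
            return;
        }
        // No session yet: render the custom registration form as a challenge.
        context.challenge(context.form().createForm(FORM));
    }

    @Override
    public void action(AuthenticationFlowContext context) {
        MultivaluedMap<String, String> form = context.getHttpRequest().getDecodedFormParameters();
        String username = form.getFirst("username");
        String email = form.getFirst("email");
        RealmModel realm = context.getRealm();
        KeycloakSession session = context.getSession();
        // Reject empty input and duplicates before touching user storage.
        if (username == null || username.trim().isEmpty()) {
            context.challenge(context.form().setError(Messages.MISSING_USERNAME).createForm(FORM));
            return;
        }
        if (session.users().getUserByUsername(username.trim(), realm) != null) {
            context.challenge(context.form().setError(Messages.USERNAME_EXISTS).createForm(FORM));
            return;
        }
        UserModel user = session.users().addUser(realm, username.trim());
        user.setEnabled(true);
        user.setEmail(email);
        context.setUser(user); // the newly registered user becomes the flow's authenticated user
        context.success();
    }

    @Override public boolean requiresUser() { return false; }
    @Override public boolean configuredFor(KeycloakSession s, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession s, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

Because the execution is Optional and requiresUser() returns false, the step is simply skipped when Cookie has already authenticated the browser, which is the behaviour the reply describes.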
7 years, 1 month
Integrating Login With Facebook
by Madhan Kumar S P
Hello,
I am trying to integrate the Keycloak with Facebook social plugin.
I had gone through the examples and documentation. This works fine if I use
the Keycloak hosted Login Page.
What I need is that we want to host our own login page and use the
Keycloak APIs to register the user and login.
I mean, I want to host our Sign Up/Login Page. When the user clicks
on the Login with Facebook, we want to redirect the user to FB and get the
approval and collect the details, create the user details that we need for
our application. Then register the user on the Keycloak.
I don’t see any documentation for this. I would be really grateful
if you can shed some light on this and point to the documentation that
would help me in achieving this.
Thanks & Regards,
Madhan Kumar S P
7 years, 1 month