ProviderFactory::postInit + transactions = startup failure
by Dmitry Telegin
Hi,
(TL;DR) if a KeycloakTransaction is opened from
ProviderFactory::postInit, sometimes the transaction is already active
on the underlying
org.jboss.jca.adapters.jdbc.local.LocalManagedConnection, which leads
to errors.
(full version) I think it's essential for the providers to be able to
access realm data in postInit(). For that, a transaction is required;
using KeycloakModelUtils.runJobInTransaction() is a convenient method
to do that:
    @Override
    public void postInit(KeycloakSessionFactory factory) {
        KeycloakModelUtils.runJobInTransaction(factory, (KeycloakSession session) -> {
            List<RealmModel> realms = session.realms().getRealms();
            // do stuff
        });
    }
When such a provider is deployed, in about half of cases Keycloak fails
to start due to the following exception:
java.sql.SQLException: IJ031017: You cannot set autocommit during a
managed transaction
(see full stacktrace here https://pastebin.com/ETtPqXQk)
I've managed to track it down to something that looks like transaction
clash over a single instance of
org.jboss.jca.adapters.jdbc.local.LocalManagedConnection. What happens
is that two threads at the same time begin two KeycloakTransactions
which end up with the same instance of LocalManagedConnection. The
above exception results from the second begin() call.
There's a system property called "ironjacamar.jdbc.ignoreautocommit"
that allows you to ignore the situation, but I think it's dangerous because
it doesn't eliminate the transaction clash, it just suppresses the check.
If I'm not mistaken, this began to happen around Keycloak 2.2.x, which
coincides with the changes to Keycloak transaction management. That
said, do I need now some additional transaction coordination with the
rest of Keycloak, or is it a bug? If the former, how do I do that? If the
latter, how do we fix it?
I hope we'll sort it out, since the ability to access the data at every
phase of provider's lifecycle seems something fundamental to me.
Regards,
Dmitry
7 years, 6 months
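One way to take the realm read out of the startup race described in the post above, as an added example that is not part of Dmitry's message or of Keycloak's own code: instead of opening the transaction inside postInit(), register a ProviderEventListener there and run the job when Keycloak publishes PostMigrationEvent, i.e. after the bootstrap migration and realm import have completed. Assumed: the Keycloak 3.x SPI types named in the imports, a hypothetical MyProvider class, and the package com.example.keycloak.

```java
package com.example.keycloak; // hypothetical package, not from the post

import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.models.utils.PostMigrationEvent;
import org.keycloak.provider.ProviderFactory;

// Hypothetical factory for a hypothetical MyProvider. The Keycloak SPI
// types imported above are assumed to be those of the Keycloak 3.x line.
public class MyProviderFactory implements ProviderFactory<MyProvider> {

    @Override
    public MyProvider create(KeycloakSession session) {
        return new MyProvider(session);
    }

    @Override
    public void init(Config.Scope config) {
        // No KeycloakSessionFactory yet: only static configuration is readable.
    }

    @Override
    public void postInit(KeycloakSessionFactory factory) {
        // Do not open a KeycloakTransaction here. Register a listener and run
        // the realm read once Keycloak publishes PostMigrationEvent, i.e. after
        // bootstrap migration and realm import have finished. publish() calls
        // listeners synchronously, so the job runs on the publishing thread
        // instead of racing the startup threads described in the post.
        factory.register(event -> {
            if (event instanceof PostMigrationEvent) {
                KeycloakModelUtils.runJobInTransaction(factory, this::loadRealmData);
            }
        });
    }

    // Runs inside the KeycloakTransaction opened by runJobInTransaction().
    private void loadRealmData(KeycloakSession session) {
        for (RealmModel realm : session.realms().getRealms()) {
            // read whatever realm data the provider needs, e.g. realm.getName()
        }
    }

    @Override public void close() { }

    @Override public String getId() { return "my-provider"; } // hypothetical id
}
```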
Keycloak offline token
by Sherminator Kasuga
I have a web app (called A) that is using Keycloak to log in.
There is another external web app (called B) that uses its own system for
login.
Now I need to create a link from A to B that automatically logs into web
app B without the keycloak login form (auto-login).
How can I reproduce this behavior?
I have a user and a password for B, and I am thinking that using an offline
token could help me with this objective.
username=bburke&password=geheim&grant_type=password&scope=offline_access
Saving the offline token into the database of A the first time that
I use the link and then using this offline token for the next ones.
Could it be possible?
My idea is something like:
If database.offlinetoken = empty
LINK_TO_GENERATE_OFFLINE_TOKEN --- save this token into db after login in B
else
LINK_USING_OFFLINETOKEN
endif
Do you have any example about how to build above links? Thanks in advance :)
7 years, 6 months
ProviderFactory::postInit not called with hot deployment
by Dmitry Telegin
Hi,
Seems like o.k.provider.ProviderFactory::postInit() is called only upon
server startup, no matter which way the provider has been deployed, as
a module or via the deployments dir. However, if the provider is hot
(re)deployed on the running server, the method is not called.
(ProviderFactory::init() is called always, but it's insufficient for
most init phase tasks since normally a KeycloakSessionFactory instance
is required.)
Indeed, o.k.services.DefaultKeycloakSessionFactory::deploy() doesn't
contain mentions of postInit, contrary to
DefaultKeycloakSessionFactory::init(). Seems like a bug to me; OK to
file a JIRA issue and PR?
Regards,
Dmitry
7 years, 6 months
Okta as IdP, Keycloak as SP, end-app is node.js w/openid-connect
by Eric Malenfant
So, I’m trying to figure this one out, see if it’s possible. Maybe I’m just not using the right re-directs..
Anyways, keycloak is version 3.0.0, on centos 7.3.1611
I’ve got my App able to use Okta from app -> keycloak -> okta – but the customer has a requirement to use the Okta portal, click on the app, and be auto-logged in (after account creation).
What I am not seeing, or understanding perhaps, is which URL I should be using to redirect for SSO from Okta -> go through keycloak then onto my App.
Is this even possible?
Thanks in advance.
Eric
7 years, 6 months
Re: [keycloak-user] Keycloak relations between resources in a system
by Kirill Liubun
Thank you for your answer. Mapping a company to a realm is a good idea; I
thought about this too, but it has a big disadvantage for my case.
I forgot to note that a device can change company, and if I made the company
a realm, it would complicate the way of transferring the device from one
company to another. Also, as far as I know, I can specify only one realm in
the keycloak adapter, thus I would need to create a separate resource server
per company instead of storing all data in one. It makes my architecture more
tangled and harder to implement future features that require executing
operations in more than one company.
What do you suggest to do in such a case?
Also, I want to ask one more question: Can keycloak's javascript-based
policy call the API of a remote service? I need this because relations in my
system can become much more complex (companies' departments and
subdepartments will be added, and a device can be in two or more departments
at the same time). And as far as I know, keycloak doesn't allow implementing
a sophisticated *hierarchical (network) relation model* among a system's
resources. So, I decided to create a separate *mapping server* that would
know all those relations, and keycloak policies would call it to figure out
whether to grant or deny access to the resources.
On Fri, Jun 30, 2017 at 6:46 PM, Kirill Liubun <igneuslynx(a)gmail.com> wrote:
> On Fri, Jun 30, 2017 at 2:27 PM, Pedro Igor Silva <psilva(a)redhat.com>
> wrote:
>
>> Hello ...
>>
>> On Thu, Jun 29, 2017 at 1:26 PM, Kirill Liubun <igneuslynx(a)gmail.com>
>> wrote:
>>
>>> Hi there,
>>>
>>>
>>> I am new to keycloak and try to use it as auth server in my solution.
>>>
>>> I have the following entity model: the *devices* are owned by a particular
>>> *company* to which some *users* belong. A user with the role *admin* can
>>> grant permission for viewing some set of devices to a regular user, but
>>> only those devices that belong to the admin's company. Thus all users
>>> except admins can view only a subset of all devices in the company. Based
>>> on these requirements I decided to make a company a *group* and devices
>>> keycloak's *resources*. To evaluate permissions I chose *rule-based
>>> policy*. The problem is I ran into the following questions about how to
>>> implement other relations and business rules:
>>>
>>> 1.
>>>
>>> Can I set the group as an owner of the resource to check this relation
>>> in policy?
>>>
>>
>> You can't. Right the owner should be a user (or service account). But I
>> think groups should also be included in the list of supported owners
>> though. I think that would help you to address your requirement [1].
>>
>> In fact, maybe we should allow anything as the owner. I think we had some
>> discussions around this on https://issues.jboss.org/browse/KEYCLOAK-3135.
>>
>> [1] https://issues.jboss.org/browse/JBEAP-11377
>>
>>
>>> 2.
>>>
>>> Which mechanism better to use in my case to grant view permission on a
>>> particular device to a regular user?
>>>
>>> If someone is more experienced in keycloak and knows how to better
>>> represent such model, please help.
>>>
>>> Thank you in advance.
>>>
>>> *P.S.*
>>>
>>> For the second question I have two solutions:
>>>
>>> - Create on each device a new role whose name consists of the *device's
>>> name* + the word *view* (This solution has a big disadvantage because if
>>> a user has over 1000 devices the *Permission Ticket* will be very huge)
>>> - Represent the mapping between user and device via a scope -- when an
>>> admin sets a relation between a particular device and a user, a scope
>>> whose name consists of the *user id* plus the word *view* is added to the
>>> resource (device) (I know it is not a good way to use scopes but I have
>>> no idea how to better configure this relation in keycloak)
>>>
>>
>> It seems company and realm have a 1:1 mapping? If so, we end up missing
>> the group issue I mentioned previously.
>>
>> Makes sense?
>>
>>
7 years, 6 months
keycloak.js - access custom claims in token
by java_os
Hi Group
Using keycloak.js, what is the best approach to access any custom claims
(other claims) from the token?
If anyone can share this I would appreciate it.
Thanks
D
7 years, 6 months
Keycloak 3.2.0.CR2 released
by Stian Thorgersen
We've just released Keycloak 3.2.0.CR1.
To download the release go to the Keycloak homepage
<http://www.keycloak.org/downloads>.
Highlights
Fine grained admin permissions
This is something that we've wanted to add for a long time! Through our
authorization services it's now possible to finely tune permissions for
admins. This makes it possible to limit what clients, users, roles, etc.
admins have access to. Documentation is missing for this at the moment, but
will be added in time for 3.2.0.Final.
Docker Registry support
It's not possible to secure a Docker Registry with a standard OAuth or
OpenID Connect provider. For some strange reason they have only partially
followed the specifications and the Docker Registry maintainers refuse to
fix this! Fear not, thanks to cainj13 <https://github.com/cainj13> who
contributed this we now have a special Docker Registry protocol that can be
enabled in Keycloak.
Authentication sessions and access tokens
In the effort to provide support for running Keycloak in multiple data
centers we've done a large amount of work around user sessions. We've
introduced authentication sessions that are special sessions used primarily
during the authentication flows. There are two main reasons for this.
Authentication flows can fairly easily be fixed to a specific node within a
specific data center and there is no need to replicate this to other data
centers. They are also more write heavy than the user sessions. The
introduction of access tokens makes it possible to detach actions (for
example verify email) from a user session, which has a number of benefits.
More will come in future 3.x releases and by the end of the year we aim to
fully support replicating Keycloak cross multiple data centers.
Authorization Service improvements
There's been a lot of work done to the authorization services in this
release. Way too many to list here, so check out JIRA
<https://issues.jboss.org/browse/KEYCLOAK-5072?jql=project%20%3D%20keycloa...>
for details.
QuickStarts
We've introduced new QuickStarts with the aim to make it even simpler for
you to get started securing your applications and services with Keycloak.
The QuickStarts have proper tests as well, which can serve as a reference
on how to tests your own applications and services secured with Keycloak.
Check out the new QuickStarts in the keycloak-quickstarts GitHub repository
<https://github.com/keycloak/keycloak-quickstarts>.
Upgraded AngularJS and JQuery
We've upgraded the versions we use of AngularJS and JQuery as there were a
number of known vulnerabilities. We're fairly certain none of the known
vulnerabilities affect Keycloak, but to be on the safe side we decided to
upgrade.
Updated Password Hashing Algorithms
We're still using PBKDF2, but we've added support for SHA256 and SHA512.
PBKDF2 with SHA256 is now used by default.
Spring Boot QuickStarter
We've added a new Spring Boot QuickStarter that makes it super simple to
get started securing your Spring Boot applications. For more details check
out the blog post about it
<http://blog.keycloak.org/2017/05/easily-secure-your-spring-boot.html>.
Loads more..
- Partial export of realms in the admin console
- Redirect URI rewrite rules for adapters
- Test email settings in the admin console
- Initial access tokens now persisted to the db
The full list of resolved issues is available in JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>
.
Upgrading
Before you upgrade remember to backup your database and check the migration
guide
<https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF...>.
Release candidates are not recommended in production and we do not support
upgrading from release candidates.
7 years, 6 months
Keycloak relations between resources in a system
by Kirill Liubun
Hi there,
I am new to keycloak and try to use it as auth server in my solution.
I have the following entity model: the *devices* are owned by a particular
*company* to which some *users* belong. A user with the role *admin* can grant
permission for viewing some set of devices to a regular user, but only those
devices that belong to the admin's company. Thus all users except admins can
view only a subset of all devices in the company. Based on these requirements I
decided to make a company a *group* and devices keycloak's *resources*.
To evaluate permissions I chose *rule-based policy*. The problem is I ran
into the following questions about how to implement other relations and
business rules:
1.
Can I set the group as an owner of the resource to check this relation
in policy?
2.
Which mechanism better to use in my case to grant view permission on a
particular device to a regular user?
If someone is more experienced in keycloak and knows how to better
represent such model, please help.
Thank you in advance.
*P.S.*
For the second question I have two solutions:
- Create on each device a new role whose name consists of the *device's name* +
the word *view* (This solution has a big disadvantage because if a user has
over 1000 devices the *Permission Ticket* will be very huge)
- Represent the mapping between user and device via a scope -- when an admin
sets a relation between a particular device and a user, a scope whose name
consists of the *user id* plus the word *view* is added to the resource
(device) (I know it is not a good way to use scopes but I have no idea how to
better configure this relation in keycloak)
7 years, 6 months