Keycloak-js adapter ES6/Promise
by Alexander Philippi
Hi,
I started using the JavaScript adapter this week. The documentation https://www.keycloak.org/docs/4.6/securing_apps/#_javascript_adapter "says" that the init(...) function should return a Promise.
After installing the official(?) JavaScript adapter with "npm install keycloak-js" I only get the old "success" function as the return value.
I don't understand what I am doing wrong here. Shouldn't I get a keycloak.js file with a Promise in it? Also I wonder if the keycloak-js adapter should be on ES6 so I am able to do an 'import Keycloak from "keycloak-js"'. I can't find any information about it on https://github.com/keycloak/keycloak-js-bower. Since 4.0.0-beta nothing has changed here.
Best Regards
Alex
6 years
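As an added illustration for the question above (my code, not from the original post or from keycloak-js): in keycloak-js 4.x, init() and updateToken() return a callback-style object with success()/error() rather than a native Promise, while newer adapter versions do return a native Promise. The wrapper below accepts either so application code can use async/await; LegacyPromise and fakeKeycloak are constructed stand-ins for the adapter's objects, not the adapter itself.

```javascript
// Added example (not code from keycloak-js or the original post). keycloak-js 4.x
// returns a callback-style object from init()/updateToken() (.success(cb)/.error(cb));
// newer versions return a native Promise. toNativePromise() accepts either.
function toNativePromise(result) {
  if (result && typeof result.then === 'function') {
    return Promise.resolve(result);            // already a native Promise
  }
  if (!result || typeof result.success !== 'function' || typeof result.error !== 'function') {
    return Promise.reject(new TypeError('not a keycloak-js promise-like object'));
  }
  return new Promise((resolve, reject) => result.success(resolve).error(reject));
}

// Constructed stand-in for the adapter's legacy object (not the real one):
// callbacks registered after settlement fire immediately, earlier ones on settle.
class LegacyPromise {
  constructor() { this.state = 'pending'; this.value = undefined; this.cbs = {}; }
  success(cb) { if (this.state === 'fulfilled') cb(this.value); else this.cbs.success = cb; return this; }
  error(cb) { if (this.state === 'rejected') cb(this.value); else this.cbs.error = cb; return this; }
  settle(state, value) {
    if (this.state !== 'pending') return;
    this.state = state; this.value = value;
    const cb = state === 'fulfilled' ? this.cbs.success : this.cbs.error;
    if (cb) cb(value);
  }
  setSuccess(v) { this.settle('fulfilled', v); }
  setError(e) { this.settle('rejected', e); }
}

// Constructed stand-in for a Keycloak instance built from the legacy adapter;
// it settles asynchronously, as the real adapter does after its HTTP round trips.
function fakeKeycloak({ authenticated, refreshFails = false }) {
  const later = (fn) => { const p = new LegacyPromise(); setTimeout(() => fn(p), 0); return p; };
  return {
    init: () => later(p => p.setSuccess(authenticated)),
    updateToken: () => later(p => refreshFails ? p.setError(new Error('refresh failed')) : p.setSuccess(true)),
  };
}

// Start-up logic written once, independent of which promise style the adapter uses.
async function startApp(keycloak) {
  const authenticated = await toNativePromise(keycloak.init({ onLoad: 'check-sso' }));
  if (!authenticated) return { authenticated: false, refreshed: false };
  try {
    return { authenticated: true, refreshed: await toNativePromise(keycloak.updateToken(30)) };
  } catch (e) {
    return { authenticated: true, refreshed: false, error: e.message };
  }
}
```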
Logging not working properly
by So Be
I see this in keycloak log:
LogManager error of type FORMAT_FAILURE: Formatting error
java.util.IllegalFormatConversionException: d != java.util.UUID
...
Does anyone know the cause of this issue?
Sofiane.
6 years
Updating user attributes within an Authenticator
by marco.scheuermann@daimler.com
Hi community,
Is there a way to update custom user attributes within an Authenticator?
I currently cannot find any API which allows updating an existing user.
I only can find this for credentials:
UserCredentialModel userCredentialModel = new UserCredentialModel();
userCredentialModel.setType(UserCredentialModel.PASSWORD);
userCredentialModel.setValue("password");
session.userCredentialManager().updateCredential(realmModel, userModel, userCredentialModel);
How can I update custom user attributes?
Thank you,
Marco
6 years
How to add Authorization (policies) for public clients in keycloak
by Shubham Akodiya
Hi,
I've one public client 'react' which uses the implicit grant for authentication. Now I want to secure this app's back-end APIs, thus I need to apply the authorization (policy, resource) settings. Is there any way to use the Authorization settings for the public client?
As per my understanding, Authorization (policy, resource, scope) settings do not apply to a Public (Client Protocol) client; they apply only to a Credential (Client Protocol) client. Now the problem here is that when a user tries to log in using a credential-keycloak-client, in that case we need to use the client_secret key in the front-end, which would make the application more vulnerable.
Let me know if my understanding is incorrect and feel free to share another approach to resolve this issue.
Thanks,
Shubham Akodiya
6 years
Theoretical max number of clients Keycloak can handle
by Daniel Fernandez Rodriguez
Hi All,
What's the theoretical max number of clients Keycloak can handle efficiently?
I'm doing some tests where I created around 10000 clients (SAML & OpenID, all under the same realm) and now every operation that has to do with clients (list them, create a new one, get one by ID, etc.) became extremely slow and sometimes they even time out. The other API endpoints seem to perform just fine.
I'm using 4.6.0.Final and a MySQL DB as the data store.
Are there some options I can tweak to improve the performance with a few thousand clients (ideally around 50K)? Will Postgres perform better?
Thanks a lot,
Daniel.
6 years
SPI with a third party database. Could not find any META-INF/persistence.xml file in the classpath
by Luis Rodríguez Fernández
Hello there,
I am using the standalone server distribution [1].
We need to extend the keycloak server [2] and we need to access a third party database to get some data.
I developed a sample domain extension based on the keycloak example domain extension [3]. The deployment of this example works on the first try, thanks!!!
My sample domain extension accesses a third party database (mysql), so in wildfly...
- I install the mysql driver
- I create a datasource
... and in my sample I create a META-INF/persistence.xml
<persistence version="2.1">
  <persistence-unit name="JavaHelps" transaction-type="RESOURCE_LOCAL">
    <non-jta-data-source>java:/MySqlDS</non-jta-data-source>
    <class>my.entity.Class</class>
    <properties>
      <property name="hibernate.dialect" value="org.hibernate.dialect.MySQLDialect"/>
    </properties>
  </persistence-unit>
</persistence>
I add my sample with $KEYCLOAK_HOME/bin/jboss-cli.sh --command="module add --name=...
And it seems that wildfly likes everything (from standard output); you can see below part of the wildfly output at startup time. However when I run it I get:
Uncaught server error: java.lang.ExceptionInInitializerError.... Caused by: javax.persistence.PersistenceException: No Persistence provider for EntityManager named JavaHelps
I found a workaround: having a deeper look at the standard output I saw this message...
parse checking if "$KEYCLOAK_HOME/modules/system/layers/keycloak/org/keycloak/keycloak-server-subsystem/main/server-war/WEB-INF/classes/META-INF/persistence.xml" exists, result = false
10:59:55,279 TRACE [org.jboss.as.jpa] (MSC service thread 1-1) parsed persistence unit definitions for war server-war
... so if I copy my persistence.xml to that location my domain extension sample WORKS! My question is WHY???
Any thoughts on this?
Thanks in advance,
Luis
[1]
https://downloads.jboss.org/keycloak/4.6.0.Final/keycloak-4.6.0.Final.zip
[2]
https://www.keycloak.org/docs/latest/server_development/index.html#_exten...
[3]
https://github.com/keycloak/keycloak/tree/master/examples/providers/domai...
10:59:54,575 INFO [org.jboss.as.connector.subsystems.datasources]
(ServerService Thread Pool -- 28) WFLYJCA0005: Deploying non-JDBC-compliant
driver class com.mysql.jdbc.Driver (version 5.1)
10:59:55,071 INFO [org.jboss.as.connector.subsystems.datasources] (MSC
service thread 1-8) WFLYJCA0001: Bound data source [java:/MySqlDS]
10:59:55,158 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse
checking if
"/content/domain-extension-example.jar/META-INF/persistence.xml" exists,
result = true
10:59:55,163 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse
persistence.xml: attribute value(0) = JavaHelps
10:59:55,163 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse
persistence.xml: attribute value(1) = RESOURCE_LOCAL
10:59:55,164 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse
persistence.xml: element=non-jta-data-source
10:59:55,164 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse
persistence.xml: element=class
10:59:55,164 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse
persistence.xml: element=properties
10:59:55,165 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parse
persistence.xml: reached ending persistence-unit tag
10:59:55,165 INFO [org.jboss.as.jpa] (MSC service thread 1-7) WFLYJPA0002:
Read persistence.xml for JavaHelps
10:59:55,166 TRACE [org.jboss.as.jpa] (MSC service thread 1-7)
PersistenceUnitMetadataImpl(version=2.1) [
name: JavaHelps
jtaDataSource: null
nonJtaDataSource: java:/MySqlDS
transactionType: RESOURCE_LOCAL
provider: org.hibernate.jpa.HibernatePersistenceProvider
classes[
com.javahelps.jpa.Student ]
packages[
]
mappingFiles[
]
jarFiles[
]
validation-mode: AUTO
shared-cache-mode: UNSPECIFIED
properties[
hibernate.dialect: org.hibernate.dialect.MySQLDialect
]]
10:59:55,167 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) parsed
persistence unit definitions for jar domain-extension-example.jar
10:59:55,168 TRACE [org.jboss.as.jpa] (MSC service thread 1-7) incrementing
PU count for domain-extension-example.jar by 1
10:59:55,174 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added
javax.persistence.api dependency to domain-extension-example.jar
10:59:55,174 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added
org.hibernate.bytecodetransformer dependency to domain-extension-example.jar
10:59:55,175 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added
org.jboss.as.jpa dependency to domain-extension-example.jar
10:59:55,175 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added
org.jboss.as.jpa.spi dependency to domain-extension-example.jar
10:59:55,175 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added
(default provider) org.hibernate dependency to domain-extension-example.jar
(since 1 PU(s) didn't specify jboss.as.jpa.providerModule)
10:59:55,175 DEBUG [org.jboss.as.jpa] (MSC service thread 1-3) added
org.hibernate dependency to domain-extension-example.jar
10:59:55,196 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) install
persistence unit definition for jar domain-extension-example.jar
10:59:55,196 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) adding
'vfs:/content/domain-extension-example.jar/' to annotation index map
10:59:55,196 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) returning
global (module) Persistence Provider
org.hibernate.jpa.HibernatePersistenceProvider
10:59:55,199 DEBUG [org.jboss.as.jpa] (MSC service thread 1-8) loaded
persistence provider adapter
org.jboss.as.jpa.hibernate5.HibernatePersistenceProviderAdaptor from
classloader ModuleClassLoader for Module "org.hibernate" version
5.3.6.Final from local module loader @400cff1a (finder: local module finder
@275710fc (roots:
/media/hdd/keycloak-4.6.0.Final/modules,/media/hdd/keycloak-4.6.0.Final/modules/system/layers/keycloak,/media/hdd/keycloak-4.6.0.Final/modules/system/layers/base))
10:59:55,202 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) add second
level cache dependencies with properties '{caches=entity,
container=hibernate}'
10:59:55,203 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) added
PersistenceUnitService (phase 1 of 2) for 'service
jboss.persistenceunit."domain-extension-example.jar#JavaHelps".__FIRST_PHASE__'.
PU is ready for injector action.
10:59:55,204 TRACE [org.jboss.as.jpa] (MSC service thread 1-8) returning
global (module) Persistence Provider
org.hibernate.jpa.HibernatePersistenceProvider
10:59:55,206 INFO
[org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor]
(MSC service thread 1-4) Deploying Keycloak provider:
domain-extension-example.jar
10:59:55,234 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) install
persistence unit definition for jar domain-extension-example.jar
10:59:55,234 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) adding
'vfs:/content/domain-extension-example.jar/' to annotation index map
10:59:55,234 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) returning
global (module) Persistence Provider
org.hibernate.jpa.HibernatePersistenceProvider
10:59:55,235 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) add second
level cache dependencies with properties '{caches=entity,
container=hibernate}'
10:59:55,235 TRACE [org.jboss.as.jpa] (MSC service thread 1-6) added
PersistenceUnitService (phase 2 of 2) for 'service
jboss.persistenceunit."domain-extension-example.jar#JavaHelps"'. PU is
ready for injector action.
10:59:55,645 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 57)
WFLYJPA0010: Starting Persistence Unit (phase 1 of 2) Service
'domain-extension-example.jar#JavaHelps'
10:59:55,695 INFO [org.hibernate.jpa.internal.util.LogHelper]
(ServerService Thread Pool -- 57) HHH000204: Processing PersistenceUnitInfo
[
name: JavaHelps
...]
10:59:56,038 INFO [org.jboss.as.jpa] (ServerService Thread Pool -- 57)
WFLYJPA0010: Starting Persistence Unit (phase 2 of 2) Service
'domain-extension-example.jar#JavaHelps'
6 years
Keycloak Hash Algorithm
by Dimitris Charlaftis
Hello,
I use Keycloak 4.5 and I have set up a user federation to an LDAP directory that uses SHA-1 password encoding.
In order to log in to a realm that is connected to that LDAP, I use the LDAP username and the SHA-1 encoded password in the login form for the time being.
This is not good for common users!
All I want is this:
The user puts his username / password in plain text and keycloak transforms that plain-text password from the login form to the SHA-1 equivalent (that's how our LDAP directory works..), so that the LDAP authorization succeeds.
In your password policy docs you state "See the Server Developer Guide <https://keycloak.gitbooks.io/server-developer-guide/content/> on how to plug in your own algorithm". The Server dev guide does not have that information; where is it?
Thanks in advance,
Dimitris
6 years
Keycloak javascript client iframe policy
by Lukasz Lech
Hello,
I hadn't looked into the internals of how the JavaScript Keycloak client speaks with the Keycloak server until the token refresh stopped working in one of our installations, which was because a firewall was adding the HTTP header X-Frame-Options: sameorigin by default. Then I found out the Keycloak client is creating and manipulating an iframe.
Is this solution really safe against CSRF attacks? I'm not an expert in that domain, but I've read recommendations to use Authorization: Bearer headers and call the API directly, so I don't understand why this iframe is needed.
I have a bit of a problem now explaining WHY we need to use iframes and how (un)safe it is...
Best regards,
Lukasz Lech
6 years
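Added diagnostic for the failure described in this post (example code, not from Keycloak or keycloak-js): the adapter's session-status iframe loads a page from the Keycloak server origin inside the application's page, so X-Frame-Options: sameorigin added by an intermediary blocks it whenever the application runs on a different origin. The function below evaluates captured response headers as a browser would, with a Content-Security-Policy frame-ancestors directive taking precedence over X-Frame-Options, and reports whether the application origin may frame the page; the header samples and origins are constructed.

```javascript
// Added example, not code from Keycloak or keycloak-js: decide whether a page served by
// the Keycloak server (keycloakOrigin) may be framed by the application page (appOrigin),
// given the response headers captured for that page, the way a browser decides it.
function matchesSource(source, appOrigin, keycloakOrigin) {
  const src = source.toLowerCase();
  if (src === '*') return true;
  if (src === "'self'") return appOrigin === keycloakOrigin;
  if (src === "'none'") return false;
  const app = new URL(appOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return app.protocol === src;   // scheme-only, e.g. https:
  // host source with optional scheme, wildcard subdomain and port, e.g. https://*.example.com:8443
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^\/:]+)(?::(\d+))?$/.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && app.protocol !== scheme + ':') return false;
  const appPort = app.port || (app.protocol === 'https:' ? '443' : '80');
  if (port && appPort !== port) return false;
  return wildcard ? app.hostname.endsWith('.' + host) : app.hostname === host;
}

function frameAllowed(headers, keycloakOrigin, appOrigin) {
  const kc = new URL(keycloakOrigin).origin, app = new URL(appOrigin).origin;
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  // CSP frame-ancestors, when present, governs and X-Frame-Options is ignored.
  const directive = (h['content-security-policy'] || '').split(';')
    .map(d => d.trim()).find(d => /^frame-ancestors(\s|$)/i.test(d));
  if (directive !== undefined) {
    const sources = directive.split(/\s+/).slice(1);          // empty list means 'none'
    const allowed = sources.some(s => matchesSource(s, app, kc));
    return { allowed, reason: `CSP frame-ancestors ${sources.join(' ') || '(empty)'}` };
  }
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'sameorigin') {
    const same = app === kc;
    return { allowed: same, reason: `X-Frame-Options: SAMEORIGIN, app origin ${same ? 'matches' : 'differs from'} Keycloak origin` };
  }
  // No restriction; an unrecognised value (including the obsolete ALLOW-FROM) is ignored by current browsers.
  return { allowed: true, reason: xfo ? `unrecognised X-Frame-Options value ignored: ${xfo}` : 'no framing restriction' };
}

// Constructed samples: the post's failure (an intermediary adding SAMEORIGIN to the Keycloak
// responses while the app is on another origin) and a configuration that permits the app origin.
const KEYCLOAK = 'https://sso.example.com', APP = 'https://app.example.com';
const broken = frameAllowed({ 'X-Frame-Options': 'sameorigin' }, KEYCLOAK, APP);   // allowed: false
const fixed = frameAllowed({ 'Content-Security-Policy': 'frame-ancestors https://app.example.com' }, KEYCLOAK, APP); // allowed: true
```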
Library for external HTTP calls.
by marco.scheuermann@daimler.com
Hi community,
I wrote a keycloak extension based on Authenticator SPI.
What is currently the preferred way to do HTTP calls to an external system within a provider module?
Which library should I use for that purpose?
Should I use an external one, like e.g. Apache HTTP Client, or a lib already packaged with keycloak?
Thank you,
Marco
6 years