Kerberos & login, multiple environments with multiple users
by Dominik Guhr
Hi everyone,
I've built a custom Kerberos authenticator which should, depending on
a query string, not log in automatically. So, when I add &login=manual to
the URL, the Kerberos authenticator starts, checks, and stops.
Now everything is fine when I use this authenticator under normal
conditions, in one tab, but:
- As a dev, I sometimes have different tabs with different environments
open, e.g. http://myapp-local, http://myapp-dev - these apps are
different clients in Keycloak as well, e.g. my-webapp-local, my-webapp-dev.
Now I get logged in via Kerberos in myapp-local, log out in myapp-test
and try to log in with different credentials manually in myapp-test.
Then the AuthenticationProcessor raises the following exception when
doing this with Kerberos-login-enabled browsers (Chrome, IE):
=====================
2018-02-28 09:57:12,236 WARN [org.keycloak.events] (default task-2)
type=LOGIN_ERROR, realmId=myrealm, clientId=my-webapp-dev, userId=null,
ipAddress=10.242.50.137, error=different_user_authenticated,
auth_method=openid-connect, auth_type=code, response_type=code,
redirect_uri=https://myurl/my-webapp-dev/, consent=no_consent_required,
previous_user=f:1661b7a5-933a-4bda-8bb9-6822c7f40211:412997,
code_id=eb950380-511d-41a0-b816-d06b2331569c, response_mode=query
2018-02-28 09:57:12,236 WARN [org.keycloak.services] (default task-2)
KC-SERVICES0013: Failed authentication:
org.keycloak.services.ErrorPageException: HTTP 500 Internal Server Error
    at org.keycloak.authentication.AuthenticationProcessor.attachSession(AuthenticationProcessor.java:898)
    at org.keycloak.services.managers.AuthenticationManager.finishedRequiredActions(AuthenticationManager.java:796)
    at org.keycloak.authentication.AuthenticationProcessor.authenticationComplete(AuthenticationProcessor.java:951)
    at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:724)
    at org.keycloak.protocol.AuthorizationEndpointBase.handleBrowserAuthenticationRequest(AuthorizationEndpointBase.java:145)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.buildAuthorizationCodeAuthorizationResponse(AuthorizationEndpoint.java:395)
    at org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint.build(AuthorizationEndpoint.java:139)
    at sun.reflect.GeneratedMethodAccessor513.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
=================
and in the browser I get an "unexpected error when handling request to
identity provider" error message.
When doing the same thing in Firefox (no Kerberos, manual login, open 2
tabs in 2 different environments and log in with different users), I at
least get the error message "You are already authenticated as different user
[name] in this session. Please logout first."
So, my questions are:
- Why is this not possible?
- Is there anything I can do (having a custom authenticator for
Kerberos/AD and a custom UserStorageProvider for the application DB) to make
it possible to have different users logged in in different tabs for
different KC clients in the same realm?
- More specifically: is there a possibility to use the
AuthenticationProcessor in an SPI without having to make a custom
Keycloak build and remove the check in line 246/setAuthenticatedUser, or
does this mess up the whole authentication session?
Would be great to get a hint here.
Thanks!
Best regards,
Dominik
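The two-tab collision described in the post comes down to cookie scope, and the following added example (editor's illustration, not code from the post or from Keycloak) models it with the standard-library cookie jar standing in for the browser. Keycloak issues its SSO cookies (KEYCLOAK_IDENTITY, KEYCLOAK_SESSION) with Path=/auth/realms/<realm>/, so every client of a realm shares one browser session; the client_id is only a query parameter of the authorization request and plays no part in the browser's cookie matching. The host sso.example.test, the token values and the use of a single KEYCLOAK_IDENTITY cookie are assumptions made for the example; the realm name and client names are taken from the log line above.

```python
"""Added example: why two Keycloak clients in one realm cannot hold two
different browser logins at once.  Not code from the post or from Keycloak."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

KC_BASE = "https://sso.example.test"       # assumed Keycloak host
REALM_PATH = "/auth/realms/myrealm/"        # realm from the LOGIN_ERROR event in the post
AUTH_ENDPOINT = "protocol/openid-connect/auth"


class _Response:
    """Minimal response object: CookieJar.extract_cookies only needs .info()."""
    def __init__(self, set_cookie: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self) -> Message:
        return self._headers


def login_response(identity_token: str) -> _Response:
    """Constructed stand-in for the Set-Cookie Keycloak sends after a login:
    realm-scoped path, no client in sight."""
    return _Response(
        f"KEYCLOAK_IDENTITY={identity_token}; Path={REALM_PATH}; Secure; HttpOnly")


def auth_request(client_id: str, realm_path: str = REALM_PATH) -> Request:
    """Authorization request as a tab for the given client would issue it."""
    return Request(f"{KC_BASE}{realm_path}{AUTH_ENDPOINT}"
                   f"?client_id={client_id}&response_type=code")


def cookie_header_for(jar: CookieJar, client_id: str, realm_path: str = REALM_PATH):
    """Cookie header the browser would attach when this client starts a login;
    None if no stored cookie matches the request path."""
    req = auth_request(client_id, realm_path)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def two_tabs_same_realm() -> dict:
    jar = CookieJar()
    # Tab 1: alice logs in through my-webapp-local (Kerberos or form, same cookie).
    jar.extract_cookies(login_response("alice-id-token"), auth_request("my-webapp-local"))
    dev_tab_before = cookie_header_for(jar, "my-webapp-dev")
    # Tab 2: bob logs in through my-webapp-dev.  Same name, domain and path,
    # so the jar (like a browser) replaces alice's cookie instead of adding one.
    jar.extract_cookies(login_response("bob-id-token"), auth_request("my-webapp-dev"))
    local_tab_after = cookie_header_for(jar, "my-webapp-local")
    # A client in another realm lives under another path and sees neither cookie.
    other_realm = cookie_header_for(jar, "my-webapp-dev", "/auth/realms/otherrealm/")
    return {"dev_tab_before": dev_tab_before,
            "local_tab_after": local_tab_after,
            "other_realm": other_realm}


if __name__ == "__main__":
    for key, value in two_tabs_same_realm().items():
        print(f"{key}: {value}")
```

The dev tab already carries alice's identity before bob ever logs in, and after bob's login the local tab carries bob's; that is the state in which Keycloak's "already authenticated as different user" check fires. Only a different realm (different cookie path), a different browser profile or a private window gives a second, independent session.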
Identity broker and token refresh
by Łukasz Dywicki
Hi all,
During my tests I ran into a situation where the Keycloak identity broker returned me an expired access token.
Is there a way to let Keycloak refresh tokens automatically?
Kind regards,
Łukasz Dywicki
Re: [keycloak-user] [keycloak-dev] Running Keycloak in a clustered mode
by Marek Posolda
On 28/02/18 11:15, Shankar_Bhaskaran wrote:
> Hi ,
>
> We are running 2 standalone instances of Keycloak with a shared database (later on a clustered database) in active-passive mode using HAProxy as the load balancer. I had tested some REST services by running the request again with the same bearer token with the active Keycloak server down, so that the passive server becomes the active one, and it still works.
> Can we run 2 instances of Keycloak in standalone mode behind a proxy with a shared database? Or should we cluster them first using the standalone-ha.xml configuration?
> What features will be disabled if we use the former way of load-balancing Keycloak?
I suggest always using clustered Keycloak with standalone-ha.xml
and, since you want failover support, increasing the number of owners to 2 for
the distributed caches.
One of the things which won't work for the former setup (with
standalone instances) is the replication of user sessions. In other
words, a userSession created on node1 won't be visible on node2. The
scenario you mentioned may work (e.g. the REST endpoint triggered on
node2 will be able to successfully verify an accessToken created on node1).
However, access tokens are usually short-lived and it is assumed that you
periodically "refresh" them (our adapters do refresh automatically). And
refreshing the token requires the userSession to be present, so with the
former setup it will fail, as the userSession created on node1 won't be
available on node2.
The user session is one example. There are some other things which won't
work. We never tried to test such a setup and I wouldn't do it.
Marek
>
> Regards.
> Shankar
Getting SSLPeerUnverifiedException
by Chandran Soundrapandian
Hi,
When we moved the working QA setup to production, we are getting the
following error when a user uses the Google identity provider:
I do see the CN name doesn't match the name in the certificate. But I am
not sure if that is the problem.
We are using Keycloak version keycloak-3.2.0.Final
2018-02-27 03:16:50,531 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (default task-63) Failed to make identity provider oauth callback: javax.net.ssl.SSLPeerUnverifiedException: Host name 'www.googleapis.com' does not match the certificate subject provided by the peer (CN=gateway.***.***.org, OU=PositiveSSL, OU=Domain Control Validated)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.keycloak.broker.provider.util.SimpleHttp.makeRequest(SimpleHttp.java:142)
    at org.keycloak.broker.provider.util.SimpleHttp.asString(SimpleHttp.java:90)
    at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:230)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:395)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:202)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:221)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
Please let me know when we get this error. I really appreciate your
help.
Thanks,
-Chandran
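The exception above is the hostname-verification step of the TLS handshake refusing to proceed, and the following added example (editor's illustration, not code from the post, from Keycloak or from Apache HttpClient) reproduces that decision so the log line can be read precisely. The client compares the host it intended to reach (www.googleapis.com) with the names the presented certificate is valid for: its subjectAltName dNSName entries, falling back to the subject CN only when the certificate has no SAN. The subject string used below is a constructed stand-in for the redacted CN=gateway.***.***.org in the log, the SAN lists are constructed, and probe() is a live check that assumes network access from the host being diagnosed.

```python
"""Added example: the hostname check behind 'Host name ... does not match the
certificate subject provided by the peer'.  Not code from the post, Keycloak
or Apache HttpClient."""
import re
import socket
import ssl

# Constructed stand-in for the redacted "CN=gateway.***.***.org" in the log.
GATEWAY_SUBJECT = ("CN=gateway.redacted.example.org, OU=PositiveSSL, "
                   "OU=Domain Control Validated")


def dns_names(subject: str, san: list) -> list:
    """Names a certificate is valid for.  SAN dNSNames take precedence; the
    subject CN is only a legacy fallback used when no SAN is present."""
    if san:
        return [n.lower().rstrip(".") for n in san]
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", subject)
    return [m.group(1).strip().lower()] if m else []


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a single leading '*.' covers exactly one leftmost
    label, so *.example.com matches www.example.com but not example.com,
    a.b.example.com, or a bare top-level domain."""
    if pattern.startswith("*."):
        suffix = pattern[2:]
        parts = host.split(".", 1)
        return (len(parts) == 2 and parts[1] == suffix
                and "*" not in suffix and "." in suffix)
    return pattern == host


def hostname_matches(host: str, subject: str, san=()) -> bool:
    """True if a certificate with this subject and SAN list is valid for host."""
    host = host.lower().rstrip(".")
    return any(name_matches(n, host) for n in dns_names(subject, list(san)))


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (needs network): connect with full verification, the way
    Keycloak's HttpClient did, and report the verified subject or the
    verifier's complaint.  Run it from the production box, not your laptop."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"ok: {tls.getpeercert()['subject']}"
    except ssl.SSLCertVerificationError as e:      # subclass of OSError, check first
        return f"verification failed: {e.verify_message}"
    except OSError as e:
        return f"connection failed: {e}"


if __name__ == "__main__":
    print(hostname_matches("www.googleapis.com", GATEWAY_SUBJECT))                    # False
    print(hostname_matches("www.googleapis.com", "CN=ignored", ["*.googleapis.com"]))  # True
    print(probe("www.googleapis.com"))
```

A certificate naming your own gateway when the request was addressed to www.googleapis.com typically means something between Keycloak and Google is terminating TLS with its own certificate (a TLS-intercepting proxy, a transparent gateway, or DNS or routing that sends the request to the wrong box), and probe() run from the production host will show which subject is actually presented. The right fix is on the network side, or, if interception is intentional, to trust that gateway's CA and have it present a certificate valid for the target name; relaxing hostname verification in the client would let any such middlebox impersonate the identity provider.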
Re: [keycloak-user] Authorization Services (2.4. Build, Deploy, and Test Your Application)
by hmidi slim
Thank you for your answer, Jonathan. Now when I run the command mvn
-DskipTests clean wildfly:deploy I get this error:
[INFO]
------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO]
------------------------------------------------------------------------
[INFO] Total time: 2.793 s
[INFO] Finished at: 2018-02-27T19:46:09+01:00
[INFO] Final Memory: 46M/382M
[INFO]
------------------------------------------------------------------------
[ERROR] Failed to execute goal
org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli)
on project keycloak-app-authz-jee-vanilla: Failed to execute goal deploy.:
java.net.ConnectException: WFLYPRT0053: Could not connect to
http-remoting://localhost:9990. The connection failed: Connection refused
-> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e
switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions,
please read the following articles:
[ERROR] [Help 1]
http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
And the server is running.
Authorization Services (2.4. Build, Deploy, and Test Your Application)
by hmidi slim
Hi,
I'm trying to test the tutorial concerning the Authorization Services (2.4.
Build, Deploy, and Test Your Application).
I followed all the instructions mentioned:
I ran this command
.../bin/standalone.sh -Djboss.socket.binding.port-offset=100
then I created a realm and a user as mentioned in section
*2.2 Creating a Realm and a User.*
After that I enabled the authorization services as mentioned in *2.3 Enabling
Authorization Services*.
Then I installed Maven v3.5.0 and JDK 8, installed the
keycloak-quickstarts repo and followed the instructions.
First of all, in the doc in the section *2.4.2 Building and Deploying the
Application* it's mentioned
*cd redhat-sso-quickstarts/app-authz-jee-vanilla*
I didn't find redhat-sso-quickstarts; maybe it is a mistake. I ran:
cd keycloak-quickstarts/app-authz-jee-vanilla
mvn clean package wildfly:deploy
I got this error:
-------------------------------------------------------
T E S T S
-------------------------------------------------------
Running org.keycloak.quickstart.ArquillianJeeAuthzVanillaTest
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.436
sec <<< FAILURE!
org.keycloak.quickstart.ArquillianJeeAuthzVanillaTest Time elapsed:
0.435 sec <<< ERROR!
java.lang.RuntimeException: Could not create new instance of class
org.jboss.arquillian.test.impl.EventTestRunnerAdaptor
at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166)
at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103)
at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52)
at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114)
at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252)
at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141)
at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189)
at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165)
at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85)
at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115)
at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162)
... 15 more
Caused by: org.jboss.arquillian.container.impl.ContainerCreationException:
Could not create Container jboss
at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85)
at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265)
at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74)
at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96)
at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99)
at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145)
at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116)
at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290)
at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.<init>(EventTestRunnerAdaptor.java:63)
... 20 more
Caused by: java.lang.IllegalArgumentException: DeployableContainer
must be specified
at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44)
at org.jboss.arquillian.container.impl.ContainerImpl.<init>(ContainerImpl.java:71)
at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80)
... 44 more
Results :
Tests in error:
org.keycloak.quickstart.ArquillianJeeAuthzVanillaTest: Could not
create new instance of class
org.jboss.arquillian.test.impl.EventTestRunnerAdaptor
Tests run: 1, Failures: 0, Errors: 1, Skipped: 0
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.144 s
[INFO] Finished at: 2018-02-27T18:57:34+01:00
[INFO] Final Memory: 37M/389M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-surefire-plugin:2.12.4:test
(default-test) on project keycloak-app-authz-jee-vanilla: There are
test failures.
[ERROR]
[ERROR] Please refer to
/home/user1/Downloads/keycloak-quickstarts-latest/app-authz-jee-vanilla/target/surefire-reports
for the individual test results.
[ERROR] -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with
the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions,
please read the following articles:
[ERROR] [Help 1]
http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException
I don't know what the problem is; how can I fix it?
Authorization returning less scopes than requested
by luke@code-house.org
Hey,
At the beginning, I would like to say thank you for delivering such great software, and also to the people who read this message for handling community support. :-)
I came to Keycloak because I need two of its functionalities: OIDC provider and identity broker. I integrate with services which have a predefined set of scopes. My application can request multiple scopes such as "patient/*.write" (write data related to a patient); however, the user or the system where authentication takes place may decide to grant lower access than requested.
For example, the above patient write scope request might be constrained to "patient/*.read" or even a subset of that, "patient/Patient.read" (patient demographics). The reason why it might happen depends on a few things: the user may unmark these on the consent page, or it might not be allowed by the system. In the second case the user will not even be asked about giving such permission to his data.
From a logical point of view, as long as the authorisation request ends up with a token grant, these are still proper tokens which the application must handle. The question is: is such a use case supported by Keycloak?
Also, how should I map such wildcard scopes in Keycloak?
The second use case which I have is similar to the first one. The main difference is that it must be implemented on the Keycloak authorisation part: when the user application requests an access token, it sends two scopes, let's call them "user" and "patient". Because the application doesn't know the actual permissions of the user, it cannot decide which scopes should be used. We theoretically could work around that with two login pages resulting in different scope requests. However, our intention is to implement this on the Keycloak side: based on our own logic we will know what the role of a given user is and which scope is permitted. Biggest question: which extension point, if any is available, could we use for that?
Kind regards,
Łukasz