E-mail verification required action issues
by Viliam Rockai
Hey all,
I got a couple of problems with the e-mail verification required action.
1. If it's turned on in the realm settings ("login tab") and I change
the account e-mail (in "manage account"), I can't get back to the app.
2. While the (?) tooltip text in the realm settings clearly says
"Require the user to verify their email address the first time they
login.", the feature includes verification with each e-mail change
(not only the first login). If that's expected behavior, it would be
nice to have it more clear in the (?) tooltip text.
For 1., the steps to reproduce are:
1. Download latest KC, unzip it, start it.
2. Configure logged-in user (admin) e-mail (in "manage account") and
the Email realm settings. Make sure e-mail sending works.
3. Go to "manage account" and change your email.
4. Click "Back to Security Admin Console"
5. You should see the "EMAIL VERIFICATION" page
6. Click on the verification link in the e-mail
7. You should see the "YOU ARE ALREADY LOGGED IN" page, click on the
"« Back to Application" link. This brings you back to step 5. instead
of the admin console.
And this is the error itself, you will find yourself in an endless
loop defined by steps 5 - 7.
I can create a JIRA for that, just wanted to make sure this is a bug,
not a feature.
Thanks!
Viliam
6 years, 10 months
Keycloak Unable to Handle Heavy Load
by Scott Finlay
Hi,
We've been doing some load tests of our services, and we've found that when we raise the traffic rate to about 50 logins per second (with a roughly similar rate of logouts) we kill our Keycloak instances after just a few minutes. What are the normal recommended specs for a Keycloak instance to be able to handle such a load?
We're running three instances of Keycloak in AWS (c4.large instances) with a db.t2.medium database. The CPU is Intel Xeon E5-2666 v3 dual core and the instances have 4GB memory with 2GB allocated to Keycloak.
Regards,
Scott
6 years, 10 months
Roles without "Full Scope Allowed"?
by Michael Poettgen
All,
I've got Keycloak 3.4.3 configured to return client roles in a "role" claim to an OpenID Connect client. (The client has a list of roles; these are assigned to the user, and I've got a User Client Role token mapper that maps the roles of that client into the "role" claim.) Everything works until I turn "Full Scope Allowed" off. Then all roles disappear, and trying to request the roles via the "scope" (with or without the client ID prefix) doesn't seem to work.
Am I doing something stupid or is there something that does not work as (I) expected?
Thanks for your help!
Michael
This message may contain confidential information. If you are not the intended recipient, do not disseminate, distribute, or copy this e-mail or its attachments. Please notify the sender of the error immediately by e-mail or at the telephone number listed below, and delete this e-mail and any attachments from your system. Receipt by anyone other than the intended recipient(s) is not a waiver of any trade secrets, proprietary interests, or other applicable rights. E-mail transmission is not necessarily secure or error-free, as information could be intercepted, corrupted, lost, destroyed, delayed, incomplete, or may contain viruses. The sender disclaims all liability for any errors or omissions arising as a result of the e-mail transmission.
OEConnection LLC, (888) 776-5792, www.oeconnection.com
6 years, 10 months
Authorization Services and UMA 2.0 changes
by Pedro Igor Silva
Hi All,
We are about to finish the initial round of changes to make Keycloak
Authorization Services compliant with UMA 2.0.
One of the main changes is related to the new OAuth2 grant type introduced
by UMA 2.0 [1] and how it will be used as a replacement for both the
Entitlement and Authorization APIs. In UMA 2.0 there is no Authorization
API anymore, so it will be removed in future versions of Keycloak.
The Entitlement API will also be removed in favor of the new grant type,
but in this case we are using some extensions to the UMA grant type to
provide the same functionality. One of the objectives of this change in
particular is to have a single endpoint from which permissions can be
obtained.
Another important change is also related to UMA: end users should now be
able to manage their own resources and permissions via the Account
Management Console. Users will be able to access a "Resource" page from
where they can:
* See the resources they own
* Check for pending permission requests (waiting for the owner's approval),
  as well as options to grant/deny the request
* Check all "shared resources" / granted permissions, as well as options
  to revoke permissions
* Select a user they want to grant access to a resource and/or scope
Other changes are related to the Policy Enforcer, the Authorization Client
Java API and configuration. In these areas the changes are minimal,
especially regarding policy enforcer configuration.
These changes are targeted at Keycloak v4, and we'll be updating the docs
accordingly, especially on how to migrate to the new version.
Regards.
Pedro Igor
[1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html
6 years, 10 months
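The grant exchange the announcement describes, as an added example (my code, not Keycloak's and not part of Pedro's message): the form body a client POSTs to the token endpoint for the UMA grant type, in both the pure UMA shape (replaying a permission ticket) and the Keycloak extension that stands in for the Entitlement API (naming resources and scopes directly), plus the resource-server side that reads the granted permissions back out of the returned RPT. Assumed, not stated on this page: the `audience` and `permission=<resource>#<scope>` form parameters, the `authorization.permissions` claim layout in the RPT, and that the RPT's signature has already been verified by your JWT library before `rpt_permissions()` is called. The sample RPT is constructed and unsigned.

```python
"""Added example: request for the UMA 2.0 grant type and reading the RPT.

Not Keycloak code. Assumptions: the grant type URN from the linked spec,
Keycloak's 'audience' and 'permission' form parameters (one 'permission'
value per resource#scope), the 'authorization.permissions' RPT claim, and
that signature verification has already happened before rpt_permissions().
"""
import base64
import json
import time
import urllib.parse

UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def uma_token_request(audience, permissions=None, ticket=None):
    """Form body for POST {base}/realms/{realm}/protocol/openid-connect/token.

    Pure UMA: the client replays the 'ticket' it got from the resource
    server's 401. Keycloak extension (replaces the Entitlement API): the
    client names the (resource, scopes) pairs it wants; an empty scope list
    asks for every scope of that resource.
    """
    if (ticket is None) == (permissions is None):
        raise ValueError("supply exactly one of ticket or permissions")
    fields = [("grant_type", UMA_GRANT), ("audience", audience)]
    if ticket is not None:
        fields.append(("ticket", ticket))
    else:
        for resource, scopes in permissions:
            if scopes:
                fields.extend(("permission", f"{resource}#{s}") for s in scopes)
            else:
                fields.append(("permission", resource))
    return urllib.parse.urlencode(fields)


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def rpt_permissions(rpt, now=None):
    """[(rsid, rsname, sorted scopes)] from an already-verified RPT.

    Rejects an expired token; everything else is the caller's JWT library.
    """
    _header, payload, _sig = rpt.split(".")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("RPT expired")
    perms = claims.get("authorization", {}).get("permissions", [])
    return [(p.get("rsid"), p.get("rsname"), sorted(p.get("scopes", [])))
            for p in perms]


def has_permission(perms, resource_name, scope):
    """Resource-server check: is <scope> granted on <resource_name>?"""
    return any(name == resource_name and scope in scopes
               for _rsid, name, scopes in perms)


def sample_rpt(exp):
    """Constructed, unsigned stand-in for a Keycloak RPT, for offline runs."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    claims = {"exp": exp, "authorization": {"permissions": [
        {"rsid": "0c6a", "rsname": "Album A", "scopes": ["album:view"]}]}}
    return seg({"alg": "RS256", "typ": "JWT"}) + "." + seg(claims) + ".unsigned"


if __name__ == "__main__":
    print(uma_token_request("photoz-app", permissions=[("Album A", ["album:view"])]))
    perms = rpt_permissions(sample_rpt(exp=time.time() + 300))
    print(perms, has_permission(perms, "Album A", "album:view"))
```

The `exp` check is deliberately the only validation here: an RPT is a bearer token, so the resource server must verify its signature against the realm key and its `aud` before `has_permission()` is allowed to decide anything.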
Downloading docker compose certs using cli
by Rehman, Abdur
Hi
I am able to download the docker compose bundle by navigating the web UI as follows:
Clients -> {client id} -> Installation -> Format Option -> Docker Compose YAML -> Download
Is there a programmatic way to do the same? I am able to authenticate by calling auth/admin rest api from curl. But I am not sure how to proceed with downloading the yaml archive. I am only interested in the certs directory inside the archive. Can I get these certificates/key from some other method?
I do not have graphical access to the machine I am running keycloak on, so I am limited to using command line.
Best Regards
Abdur
6 years, 10 months
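One command-line route to the same archive, as an added example (my code, not Keycloak's and not from Abdur's post): authenticate with the password grant that kcadm.sh uses, resolve the client's internal UUID, fetch the installation archive from the admin REST API, and unpack only its `certs/` directory. Assumed: the `/auth` base path of the Keycloak version in this thread and the installation provider id `docker-v2-compose-yaml` (check it against `GET {base}/admin/serverinfo` if your version lists a different id). The archive layout in `build_sample_archive()` is constructed for offline runs and is not a claim about the real archive's file names.

```python
"""Added example: fetch a client's installation archive via the admin REST
API and keep only its certs/ directory.

Not Keycloak code. Assumptions: /auth base path, master/admin-cli password
grant, provider id 'docker-v2-compose-yaml'. The sample archive is
constructed; the real one comes from the installation endpoint.
"""
import io
import json
import os
import tempfile
import urllib.parse
import urllib.request
import zipfile

DOCKER_COMPOSE_PROVIDER = "docker-v2-compose-yaml"  # assumed provider id


def admin_token(base, username, password):
    form = urllib.parse.urlencode({
        "grant_type": "password", "client_id": "admin-cli",
        "username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{base}/realms/master/protocol/openid-connect/token", data=form)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def _get(url, token):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def client_uuid(base, token, realm, client_id):
    """The installation endpoint takes the internal UUID, not the clientId."""
    query = urllib.parse.urlencode({"clientId": client_id})
    clients = json.loads(_get(f"{base}/admin/realms/{realm}/clients?{query}", token))
    if not clients:
        raise LookupError(f"no client {client_id!r} in realm {realm!r}")
    return clients[0]["id"]


def installation_url(base, realm, uuid, provider=DOCKER_COMPOSE_PROVIDER):
    return (f"{base}/admin/realms/{realm}/clients/{uuid}"
            f"/installation/providers/{provider}")


def extract_certs(archive_bytes, dest):
    """Write only the certs/ entries into dest.

    The realpath check stops a hostile entry such as 'certs/../../x' from
    escaping dest (zip slip); everything outside certs/ is ignored.
    """
    dest = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.startswith("certs/") or name.endswith("/"):
                continue
            target = os.path.realpath(os.path.join(dest, name[len("certs/"):]))
            if not target.startswith(dest + os.sep):
                raise ValueError(f"refusing to write outside {dest}: {name}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as out:
                out.write(zf.read(info))
            written.append(os.path.relpath(target, dest))
    return sorted(written)


def build_sample_archive(hostile=False):
    """Constructed stand-in for the real download (not Keycloak's layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docker-compose.yaml", "version: '3'\n")
        zf.writestr("README.md", "constructed sample\n")
        zf.writestr("certs/localhost.crt", "-----BEGIN CERTIFICATE-----\n")
        zf.writestr("certs/localhost.key", "-----BEGIN PRIVATE KEY-----\n")
        if hostile:
            zf.writestr("certs/../../escaped.txt", "should never be written\n")
    return buf.getvalue()


def demo(hostile=False):
    """Offline run: extract the constructed archive into a fresh temp dir."""
    try:
        return extract_certs(build_sample_archive(hostile), tempfile.mkdtemp())
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    base = os.environ.get("KC_BASE", "http://localhost:8080/auth")
    token = admin_token(base, os.environ["KC_USER"], os.environ["KC_PASS"])
    uuid = client_uuid(base, token, os.environ["KC_REALM"], os.environ["KC_CLIENT"])
    archive = _get(installation_url(base, os.environ["KC_REALM"], uuid), token)
    print(extract_certs(archive, "./certs"))
```

Run it with `KC_USER`, `KC_PASS`, `KC_REALM` and `KC_CLIENT` set (and `KC_BASE` if Keycloak is not on localhost). The archive is written by a server you administer, but the extraction guard costs nothing and keeps the script safe to reuse on archives from elsewhere.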
status
by Mail Delivery Subsystem
This message was not delivered due to the following reason:
Your message was not delivered because the destination computer was
unreachable within the allowed queue period. The amount of time
a message is queued before it is returned depends on local
configuration parameters.
Most likely there is a network problem that prevented delivery, but
it is also possible that the computer is turned off, or does not
have a mail system running right now.
Your message could not be delivered within 6 days:
Host 66.110.37.223 is not responding.
The following recipients could not receive this message:
<keycloak-user(a)lists.jboss.org>
Please reply to postmaster(a)lists.jboss.org
if you feel this message to be in error.
6 years, 10 months
Group Id not available in storage provider
by Subodh Joshi
[root@server tmp]# GROUP_ID=`/opt/keycloak/bin/kcadm.sh create groups -r master -s name=Admin_UserGroup`
But when i am checking
echo $GROUP_ID
Nothing displaying
What is wrong with the approach?
While when i tried
USER_ID=`/opt/keycloak/bin/kcadm.sh create users -s username=admin -s enabled=true -s realm=myrealm`
and then
echo $USER_ID
It is displaying generated userid.
--
Subodh Chandra Joshi
<subodh1_joshi82(a)yahoo.co.in>
http://www.questioninmind.com
6 years, 10 months
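Capturing the id of a freshly created object from a provisioning script, as an added example (my code, not Keycloak's and not from Subodh's post). It relies on two things I am treating as assumptions to check against your kcadm.sh version: the `-i` option, which prints only the new id on stdout, and the `Created new <type> with id '<id>'` line that kcadm.sh otherwise writes to stderr, which a plain backtick or `$(...)` capture of stdout never sees. The kcadm.sh path is the one used in the thread.

```python
"""Added example: create objects with kcadm.sh from a script and get the
new id back reliably.

Not Keycloak code. Assumptions: kcadm.sh's '-i' option (id only, on
stdout) and the "Created new <type> with id '<id>'" stderr message used as
a fallback; 'kcadm.sh config credentials' has been run beforehand.
"""
import re
import subprocess

KCADM = "/opt/keycloak/bin/kcadm.sh"
CREATED_RE = re.compile(r"Created new \w+ with id '([^']+)'")


def build_create_command(resource, realm, attrs, kcadm=KCADM):
    """kcadm.sh create <resource> -r <realm> -i -s k=v ..."""
    cmd = [kcadm, "create", resource, "-r", realm, "-i"]
    for key, value in attrs.items():
        cmd += ["-s", f"{key}={value}"]
    return cmd


def id_from_stderr(stderr_text):
    """Fallback: parse the id out of the message kcadm.sh prints to stderr.

    That message going to stderr is why capturing stdout alone can come
    back empty when '-i' is not given.
    """
    match = CREATED_RE.search(stderr_text)
    return match.group(1) if match else None


def kcadm_create(resource, realm, attrs, run=subprocess.run):
    """Return the new object's id, or raise with kcadm.sh's own error text."""
    proc = run(build_create_command(resource, realm, attrs),
               capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(proc.stderr.strip() or f"kcadm.sh exited {proc.returncode}")
    return proc.stdout.strip() or id_from_stderr(proc.stderr)


if __name__ == "__main__":
    group_id = kcadm_create("groups", "master", {"name": "Admin_UserGroup"})
    user_id = kcadm_create("users", "myrealm", {"username": "admin", "enabled": "true"})
    print(group_id, user_id)
```

Passing the argument list to `subprocess.run` rather than a shell string keeps attribute values such as display names with spaces or quotes from being re-parsed by a shell.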
Keycloak AJAX authentication flow
by moritz.becker@gmx.at
Hi,
I am trying to implement a Keycloak registration theme using the Aurelia JS
Framework.
The problem is that there is currently no possibility to submit the
registration form via AJAX and get back a reduced response that just
contains validation errors etc. instead of reloading the whole page. Page
reload is problematic in this scenario since it causes a reload of the
Aurelia-App which takes too long.
As far as I can see, I would need to customize
org.keycloak.authentication.FormAuthenticationFlow, but there is no SPI to
do so at the moment.
Do you have any recommendations for me?
Thanks,
Moritz
6 years, 10 months