Authorization resource SPI
by Corentin Dupont
Hi,
is it possible to implement a resource SPI? The idea would be to let an
external database manage Keycloak resources.
I currently manage my resources in two databases: Keycloak for properties
such as owner and visibility; and a regular Mongo for the rest of
properties relative to my business (think location, sensor values etc.).
However, having resources split over two databases becomes more and more
awkward.
I have to keep them always in sync, for example creating and deleting the
resource in both locations. It becomes even more complicated when something
fails on one database (such as 409 Conflict): I have to undo what was done
on the other DB.
So it would be best to avoid duplication of data and manage everything in
the Mongo external database. Is it possible?
Cheers
6 years, 6 months
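The create-then-undo problem described in the post, as an added example (not code from the thread): the Keycloak write is made first, because Keycloak issues the resource id, and a failure on the Mongo side triggers a compensating delete so the two stores never disagree. `FakeKeycloak` and `FakeMongo` are stand-ins (assumptions) for a Keycloak Protection API client and a pymongo collection, so the flow runs offline.

```python
"""Two-store resource creation with a compensating action on failure.

Added example, not code from the original thread. FakeKeycloak and FakeMongo
are assumed stand-ins for the real Keycloak Protection API client and the
Mongo collection described in the post.
"""


class ConflictError(Exception):
    """Stand-in for an HTTP 409 Conflict (or duplicate key) from either store."""


class FakeKeycloak:
    """Holds only the fields Keycloak owns: name, owner, visibility."""

    def __init__(self):
        self.resources = {}
        self._seq = 0

    def create_resource(self, name, owner, visibility):
        if any(r["name"] == name for r in self.resources.values()):
            raise ConflictError(f"409: resource {name!r} already exists")
        self._seq += 1
        rid = f"kc-{self._seq}"
        self.resources[rid] = {"name": name, "owner": owner, "visibility": visibility}
        return rid

    def delete_resource(self, rid):
        # idempotent: deleting an unknown id is not an error
        self.resources.pop(rid, None)


class FakeMongo:
    """Holds the business fields; fail_ids simulates an insert that errors."""

    def __init__(self, fail_ids=()):
        self.docs = {}
        self.fail_ids = set(fail_ids)

    def insert_one(self, doc):
        if doc["_id"] in self.fail_ids or doc["_id"] in self.docs:
            raise ConflictError(f"duplicate key {doc['_id']!r}")
        self.docs[doc["_id"]] = doc

    def delete_one(self, rid):
        self.docs.pop(rid, None)


def create_resource(keycloak, mongo, name, owner, visibility, business):
    """Create in Keycloak first (it issues the id), then in Mongo.

    If the Mongo write fails, the Keycloak write is undone before the error
    is re-raised, so the caller never sees a half-created resource.
    """
    rid = keycloak.create_resource(name, owner, visibility)
    try:
        mongo.insert_one({"_id": rid, "name": name, **business})
    except Exception:
        keycloak.delete_resource(rid)  # compensating action
        raise
    return rid


def delete_resource(keycloak, mongo, rid):
    """Delete from both stores; both deletes are idempotent, so a failure in
    the second step is fixed by simply retrying the whole call."""
    mongo.delete_one(rid)
    keycloak.delete_resource(rid)


def consistent(keycloak, mongo):
    """Reconciliation check: both stores must know exactly the same ids."""
    return set(keycloak.resources) == set(mongo.docs)
```

`consistent()` is the check to run periodically: with compensation in place it should always return true, and a false result points at a crash between the two writes that the retry-on-delete path did not cover.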
update keycloak realm
by Pierre-Arnaud Galiana
Following on an old thread (
http://lists.jboss.org/pipermail/keycloak-user/2016-May/006230.html), I
want to mention a pragmatic startup strategy I'm currently implementing in
a project:
To upgrade an existing realm (containing users) with a new realm.json
configuration (prepared in dev), we go through these steps:
- start a one-off "export instance", that exports realms and their users
(one json per realm, and realm users in "chunked files")
- once export complete, we kill that "export instance"
- prepare files to be imported: realm.json from our dev build, and users
json files that were just exported in the first step
- start the "real" keycloak with import flag, and mode OVERWRITE_EXISTING:
realms are deleted and recreated, then users re-imported
Still a few things to improve, such as environment-specific values (e.g.
redirect URLs), and of course that requires to shut down your instance.
Also the whole thing is mostly our docker entrypoint, so a bit
heavy-handed approach for docker...
Call to the keycloak team: this seems to be working, but is there some kind
of flaw that I didn't see yet?
Hope this can help someone too.
Pierre
6 years, 6 months
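The four steps above, as an added example that is not the poster's own entrypoint: `migration_args()` builds the `-Dkeycloak.migration.*` system properties for the one-off export instance and for the real import (these properties and the `dir` provider's file layout, `<realm>-realm.json` plus `<realm>-users-<n>.json`, are the documented ones of the WildFly-based Keycloak export/import feature), and `prepare_import_dir()` performs step 3, patching environment-specific redirect URIs into the dev `realm.json` on the way. `overrides` (clientId to redirect URIs) is an assumption about how those values are handled; the export directory in `demo()` is constructed.

```python
"""Helpers for the export / prepare / import realm upgrade procedure.

Added example, not the thread's docker entrypoint. The keycloak.migration.*
properties are the documented export/import settings of the WildFly-based
Keycloak; the file names follow the dir provider's layout.
"""
import json
import shutil
import tempfile
from pathlib import Path


def migration_args(action, migration_dir, users_per_file=500,
                   strategy="OVERWRITE_EXISTING"):
    """System properties for the one-off export instance or the real import."""
    args = [
        f"-Dkeycloak.migration.action={action}",
        "-Dkeycloak.migration.provider=dir",
        f"-Dkeycloak.migration.dir={migration_dir}",
    ]
    if action == "export":
        # users go into chunked files next to each realm file
        args += [
            "-Dkeycloak.migration.usersExportStrategy=DIFFERENT_FILES",
            f"-Dkeycloak.migration.usersPerFile={users_per_file}",
        ]
    elif action == "import":
        # OVERWRITE_EXISTING: realms are deleted and recreated, users re-imported
        args.append(f"-Dkeycloak.migration.strategy={strategy}")
    else:
        raise ValueError(f"unknown action {action!r}")
    return args


def prepare_import_dir(export_dir, dev_realm_json, import_dir, overrides):
    """Step 3: the dev realm.json (with environment-specific redirect URIs
    patched in) plus the user chunk files exported in step 1.
    Returns the file names written to import_dir, realm file first."""
    realm = json.loads(Path(dev_realm_json).read_text())
    name = realm["realm"]
    for client in realm.get("clients", []):
        if client.get("clientId") in overrides:
            client["redirectUris"] = list(overrides[client["clientId"]])
    out = Path(import_dir)
    out.mkdir(parents=True, exist_ok=True)
    realm_file = out / f"{name}-realm.json"
    realm_file.write_text(json.dumps(realm, indent=2))
    written = [realm_file.name]
    # numeric sort so demo-users-10.json does not land before demo-users-2.json
    chunks = sorted(Path(export_dir).glob(f"{name}-users-*.json"),
                    key=lambda p: int(p.stem.rsplit("-", 1)[1]))
    for users_file in chunks:
        shutil.copy(users_file, out / users_file.name)
        written.append(users_file.name)
    return written


def demo():
    """Constructed export directory and dev realm file, run end to end."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        export = tmp / "export"
        export.mkdir()
        # what the one-off export instance leaves behind (constructed sample)
        (export / "demo-realm.json").write_text(json.dumps({"realm": "demo"}))
        for i in range(2):
            (export / f"demo-users-{i}.json").write_text(
                json.dumps({"realm": "demo", "users": [{"username": f"user{i}"}]}))
        # the realm.json from the dev build, still carrying dev redirect URIs
        dev = tmp / "realm.json"
        dev.write_text(json.dumps({"realm": "demo", "clients": [
            {"clientId": "web", "redirectUris": ["http://localhost:8080/*"]}]}))
        files = prepare_import_dir(export, dev, tmp / "import",
                                   {"web": ["https://app.example.com/*"]})
        patched = json.loads((tmp / "import" / "demo-realm.json").read_text())
        return files, patched["clients"][0]["redirectUris"]
```

The entrypoint would run `standalone.sh` once with `migration_args("export", ...)`, stop it, call `prepare_import_dir()`, and start the real instance with `migration_args("import", ...)`; as the post notes, the instance is down for the whole sequence.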
Introspection of RPT fails
by stefan.wachter
Hi,
I have difficulties in determining the cause why introspection of an RPT
fails. The RPT can be introspected a couple of times before it fails. In
the log shown below I grepped for "task-26" that seems to have handled
the failed introspection request.
I have the impression that the problem is related to token refreshments.
If the "Access Token Lifespan" is set to a smaller value (e.g. 1
minute), then the failure happens earlier. In particular, it seems that
after the SECOND set of token refreshments the introspection fails. In
detail:
There are 3 tokens (together with their refresh tokens) involved:
1. An IdToken that is used for logging into the web application. The
IdToken is used when a Ticket is exchanged for an RPT (the IdToken is
set as the "claim_token" parameter in the token request).
2. An RPT.
3. A PAT
When a request hits the application after the tokens have expired the
first time, all tokens are refreshed in turn and the introspection
succeeds. Yet, if a request hits the application after the tokens have
expired the second time, then all tokens are refreshed again (using the
refresh tokens that were returned on the first refreshment). The
following RPT introspection, however, fails.
Has anyone experienced the same failure?
Thanks for your attention
Stefan
06:46:12,779 DEBUG
[org.keycloak.authorization.protection.introspect.RPTIntrospectionProvider]
(default task-26) Introspecting requesting party token
06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default
task-26) Active key found: realm=device
kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256
06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default
task-26) Active key found: realm=device
kid=ae1f030a-b3a5-4c9a-875a-a0802119fa2a algorithm=HS256
06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default
task-26) Active key found: realm=device
kid=2aefcc15-33cf-45f6-a4bf-88535501712c algorithm=AES
06:46:12,779 TRACE [org.keycloak.keys.DefaultKeyManager] (default
task-26) Active key realm=device
kid=t00ewHrCADcXjvvIFBWQrZnOWiBTVBoyt0-UOzBP7w0 algorithm=RS256
06:46:12,780 TRACE
[org.infinispan.interceptors.InvocationContextInterceptor] (default
task-26) Invoked with command GetKeyValueCommand
{key=device.client.query.by.clientId.web-gui, flags=null} and
InvocationContext
[org.infinispan.context.SingleKeyNonTxInvocationContext@6cb8a247]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Retrieved from container
ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui, value=0}
(ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Wrap device.client.query.by.clientId.web-gui for read.
Entry=ImmortalCacheEntry{key=device.client.query.by.clientId.web-gui,
value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor]
(default task-26) Executing command: GetKeyValueCommand
{key=device.client.query.by.clientId.web-gui, flags=null}.
06:46:12,780 TRACE
[org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default
task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-26) client by name cache hit: web-gui
06:46:12,780 TRACE
[org.infinispan.interceptors.InvocationContextInterceptor] (default
task-26) Invoked with command GetKeyValueCommand
{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and
InvocationContext
[org.infinispan.context.SingleKeyNonTxInvocationContext@3a2141a6]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Retrieved from container
ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0}
(ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read.
Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor]
(default task-26) Executing command: GetKeyValueCommand
{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}.
06:46:12,780 TRACE
[org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default
task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-26) client by id cache hit: web-gui
06:46:12,780 TRACE
[org.infinispan.interceptors.InvocationContextInterceptor] (default
task-26) Invoked with command GetKeyValueCommand {key=device,
flags=null} and InvocationContext
[org.infinispan.context.SingleKeyNonTxInvocationContext@2f9442f3]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Retrieved from container ImmortalCacheEntry{key=device,
value=0} (ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Wrap device for read. Entry=ImmortalCacheEntry{key=device, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor]
(default task-26) Executing command: GetKeyValueCommand {key=device,
flags=null}.
06:46:12,780 TRACE
[org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default
task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-26) by id cache hit: device
06:46:12,780 TRACE
[org.infinispan.interceptors.InvocationContextInterceptor] (default
task-26) Invoked with command GetKeyValueCommand
{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null} and
InvocationContext
[org.infinispan.context.SingleKeyNonTxInvocationContext@30227841]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Retrieved from container
ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0}
(ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Wrap b5f94341-0d4c-4280-94e1-10b6771cd66c for read.
Entry=ImmortalCacheEntry{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor]
(default task-26) Executing command: GetKeyValueCommand
{key=b5f94341-0d4c-4280-94e1-10b6771cd66c, flags=null}.
06:46:12,780 TRACE
[org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default
task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-26) client by id cache hit: web-gui
06:46:12,780 TRACE
[org.infinispan.interceptors.InvocationContextInterceptor] (default
task-26) Invoked with command GetKeyValueCommand {key=device,
flags=null} and InvocationContext
[org.infinispan.context.SingleKeyNonTxInvocationContext@19214e98]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Retrieved from container ImmortalCacheEntry{key=device,
value=0} (ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Wrap device for read. Entry=ImmortalCacheEntry{key=device, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor]
(default task-26) Executing command: GetKeyValueCommand {key=device,
flags=null}.
06:46:12,780 TRACE
[org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default
task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE
[org.keycloak.models.cache.infinispan.RealmCacheSession] (default
task-26) by id cache hit: device
06:46:12,780 DEBUG
[org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider]
(default task-26)
getUserSessionWithPredicate(a3320548-da14-4e0c-adc1-5616c9d0c23b): found
in local cache
06:46:12,780 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default
task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c
06:46:12,780 TRACE
[org.infinispan.interceptors.InvocationContextInterceptor] (default
task-26) Invoked with command GetKeyValueCommand
{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null} and
InvocationContext
[org.infinispan.context.SingleKeyNonTxInvocationContext@29bd006b]
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Exists in context? null
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Retrieved from container
ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, value=0}
(ignoreOwnership=false, isLocal=true)
06:46:12,780 TRACE [org.infinispan.container.EntryFactoryImpl] (default
task-26) Wrap d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c for read.
Entry=ImmortalCacheEntry{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, value=0}
06:46:12,780 TRACE [org.infinispan.interceptors.CallInterceptor]
(default task-26) Executing command: GetKeyValueCommand
{key=d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c, flags=null}.
06:46:12,780 TRACE
[org.infinispan.util.concurrent.locks.impl.DefaultLockManager] (default
task-26) Release locks for keys=[]. owner=null
06:46:12,780 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default
task-26) getuserById d22c43c4-04fb-4756-82d6-fc9fe3bd9e8c
06:46:12,780 TRACE
[org.keycloak.models.cache.infinispan.UserCacheSession] (default
task-26) return managedusers
06:46:12,781 TRACE [org.keycloak.events] (default task-26)
type=INTROSPECT_TOKEN_ERROR, realmId=device, clientId=resource-server,
userId=null, ipAddress=139.15.216.71, error=invalid_request,
detail='Failed to introspect token.', client_auth_method=client-secret,
requestUri=https://keycloak.apps.de1.bosch-iot-cloud.com/auth/realms/devi...,
cookies=[]
--
Best regards,
Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK
6 years, 6 months
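Grepping for the worker thread is the manual way to find the failing request; an added example (not part of the post) that parses `org.keycloak.events` lines into fields and tallies introspection outcomes per client, so a run of INTROSPECT_TOKEN_ERROR after a token-lifespan boundary shows up in monitoring rather than in a trace dump. The sample lines are constructed in the shape of the event line at the end of the log above (placeholder IP and host); this does not explain the refresh problem itself, it only makes the failures countable.

```python
"""Parse Keycloak event log lines and summarise introspection outcomes.

Added example, not from the thread. SAMPLE_LOG is constructed to match the
format of the org.keycloak.events line in the post (placeholder addresses).
"""
import re

# key=value pairs; a value is 'quoted', a [list], or bare text up to the next comma
PAIR_RE = re.compile(r"(\w+)=('[^']*'|\[[^\]]*\]|[^,]*)")
EVENT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"\[org\.keycloak\.events\] \((?P<thread>[^)]*)\) (?P<fields>.*)$"
)

SAMPLE_LOG = """\
06:40:01,102 TRACE [org.keycloak.events] (default task-12) type=INTROSPECT_TOKEN, realmId=device, clientId=resource-server, userId=null, ipAddress=192.0.2.10, client_auth_method=client-secret
06:43:07,450 TRACE [org.keycloak.events] (default task-19) type=INTROSPECT_TOKEN, realmId=device, clientId=resource-server, userId=null, ipAddress=192.0.2.10, client_auth_method=client-secret
06:46:12,780 TRACE [org.keycloak.models.cache.infinispan.UserCacheSession] (default task-26) return managedusers
06:46:12,781 TRACE [org.keycloak.events] (default task-26) type=INTROSPECT_TOKEN_ERROR, realmId=device, clientId=resource-server, userId=null, ipAddress=192.0.2.10, error=invalid_request, detail='Failed to introspect token.', client_auth_method=client-secret, requestUri=https://keycloak.example.com/auth/realms/device/protocol/openid-connect/token/introspect, cookies=[]
"""


def parse_event(line):
    """Return {'time', 'thread', <event fields>} or None for non-event lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, value in PAIR_RE.findall(m.group("fields")):
        value = value.strip()
        if value.startswith("'") and value.endswith("'"):
            value = value[1:-1]
        fields[key] = None if value == "null" else value
    return {"time": m.group("time"), "thread": m.group("thread"), **fields}


def introspection_summary(lines):
    """Map clientId -> {'ok': n, 'error': n, 'first_error': time or None}.

    Only INTROSPECT_TOKEN / INTROSPECT_TOKEN_ERROR events are counted; other
    event types and non-event lines are skipped.
    """
    summary = {}
    for line in lines:
        ev = parse_event(line)
        if not ev or not (ev.get("type") or "").startswith("INTROSPECT_TOKEN"):
            continue
        entry = summary.setdefault(
            ev["clientId"], {"ok": 0, "error": 0, "first_error": None})
        if ev["type"] == "INTROSPECT_TOKEN_ERROR":
            entry["error"] += 1
            entry["first_error"] = entry["first_error"] or ev["time"]
        else:
            entry["ok"] += 1
    return summary
```

The `first_error` timestamp is the value to line up against the "Access Token Lifespan" setting: if the first failure consistently lands one or two lifespans after login, that supports the refresh-related explanation in the post.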
Global "reporting" role like admin but with read-only access to everything?
by pkboucher801@gmail.com
According to
https://www.keycloak.org/docs/latest/server_admin/index.html#global-roles
there are two global roles, admin and create-realm, but we would like to add
a third one, call it reporting, that has read-only access to all settings in
every realm (so all of the view- and query- permissions).
We can create the role as a composite with permissions over every realm, but
if a new realm is added later, the reporting role has no access unless we
explicitly grant it.
Is it possible for us to add a global role by creating a new realm role in
the master realm, and giving it a particular configuration and/or set of
permissions?
Thanks!
Regards,
Peter K. Boucher
6 years, 6 months
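The drift the post worries about (a realm created after the composite was built) can at least be detected. Added example, not from the thread: in the master realm each realm's admin roles live on a client named `<realm>-realm`, so read-only access everywhere means holding every `view-*` and `query-*` role of every such client. `realms` and `role_names` stand in for what the admin REST API would return (assumed shapes); `ROLE_NAMES` is a constructed subset of the real admin role names, and the `check_composite()` logic is the added part.

```python
"""Drift check for a read-only "reporting" composite role in the master realm.

Added example, not from the thread. ROLE_NAMES is a constructed subset of the
admin roles carried by each <realm>-realm client; in practice the realm list
and role names would come from the admin REST API.
"""

READ_ONLY_PREFIXES = ("view-", "query-")

# Roles a <realm>-realm client carries (constructed subset for the demo).
ROLE_NAMES = [
    "view-realm", "view-users", "view-clients", "view-events",
    "view-identity-providers", "view-authorization",
    "query-users", "query-clients", "query-groups", "query-realms",
    "manage-realm", "manage-users", "manage-clients", "impersonation",
]


def expected_grants(realms, role_names=ROLE_NAMES):
    """All (client, role) pairs the reporting composite should contain."""
    return {
        (f"{realm}-realm", role)
        for realm in realms
        for role in role_names
        if role.startswith(READ_ONLY_PREFIXES)
    }


def check_composite(current, realms, role_names=ROLE_NAMES):
    """Compare the composite's associated roles with what it should hold.

    Returns (missing, excessive): missing are read-only grants still to add
    (typically a realm created after the composite), excessive are grants
    that give more than read access and do not belong in a reporting role.
    """
    current = set(current)
    expected = expected_grants(realms, role_names)
    missing = sorted(expected - current)
    excessive = sorted(g for g in current
                       if not g[1].startswith(READ_ONLY_PREFIXES))
    return missing, excessive
```

Run against the live realm list on a schedule (or from a realm-creation hook) and treat a non-empty `missing` as the signal to extend the composite; a non-empty `excessive` means someone widened the reporting role beyond read-only.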
Customizing account change password to send an email
by Ori Doolman
Hello,
In the Account management page, I have an option to change the user's password.
Is there any way (SPI) to customize the change password function, and add the ability to send an email after the password is changed?
I think the current implementation code is under
/keycloak-services/src/main/java/org/keycloak/forms/account/freemarker/FreeMarkerAccountProvider.java
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
6 years, 6 months
hard time with keycloak
by vandana thota
Any other SAML 2.0 module ( other than keycloak for wildfly server)
which talks to External SAML 2.0 Identity provider ?
Because with keycloak it is not possible to have a single sign-on configuration for
the wildfly server.
6 years, 6 months
Need Wildfly Technical person
by vandana thota
Hello
Is there any contact number to reach a wildfly technical person from the
wildfly organization?
Thanks.
6 years, 6 months
ERROR [org.keycloak.services.resources.IdentityBrokerService
by vandana thota
Hello
Can anyone look into this and please show the solution to this:
realmId=master, clientId=null, userId=null,
ipAddress=10.9.7.2,=invalidRequestMessage14:11:30,568 ERROR
[org.keycloak.services.resources.IdentityBrokerService] (default task-1)
invalidRequestMessage
Thanks,
Vandana
6 years, 6 months