Domain-extension example is not working for 4.x
by Yegui Cai
Hi.
The Domain-extension example is not fully working. The authorized REST API
is not working. With a proper token, the client gets a 403 instead of a 2XX.
Please kindly let me know how to make it work.
Thanks,
Yegui
6 years, 6 months
facing issue while having the single sign on flow
by vandana thota
ERROR [org.keycloak.services.resources.IdentityBrokerService] (default
task-25) invalidRequestMessage
We are configuring Single Sign-On for the application deployed on the
WildFly instance using Keycloak, an external IdP and the SAML 2.0 standard.
Below is the flow.
There was an error in the flow while we were trying it. PFA; it has a
pictorial representation of the flow.
Wildfly app or servlet container -> (SP) SAML request to IdP -> Keycloak ->
(identify Okta IdP... may or may not need a username) -> (SP SAML Request
to Okta) -> Okta IdP (may or may not need the user to log in, depending on whether they
have an active Okta session or not) -> IdP SAML Response -> Keycloak -> IdP
SAML Response -> Wildfly app / servlet container
6 years, 6 months
WildFly adapter - dynamically added roles missing in access token
by Torsten Roemer
Following the "Example User Storage Provider with EJB and JPA" I've created a custom user storage provider.
In UserAdapter#getRoleMappings, I am returning the roles retrieved via JPA entity like this:
@Override
public Set<RoleModel> getRoleMappings() {
    // start from the roles the federated storage already knows about
    final Set<RoleModel> roles = super.getRoleMappings();
    // add one RoleModel per JPA group entity, keyed by the group's object ID
    for (final GroupBean group : groups) {
        roles.add(new RoleAdapter(this, String.valueOf(group.getObjectID()), group.getName()));
    }
    return roles;
}
RoleAdapter is my own (possibly incomplete!) implementation of RoleModel, which I am using since I did not find a way to create an instance of, e.g., org.keycloak.models.cache.infinispan.RoleAdapter so far.
In the Admin Console, the dynamically added roles are listed as "Assigned Roles" for a particular user but not as "Effective Roles"; maybe that is already a problem.
When I request an access token for the user via the OIDC REST endpoint "/realms/{realm-name}/protocol/openid-connect/token", all roles are included in realm_access.roles.
However, when I log in to a Webapp deployed to WildFly secured with the KEYCLOAK auth-method using the WildFly adapter and have a look at the token obtained from the RefreshableKeycloakSecurityContext in the servlet session, the dynamically added roles are not included in the access token.
What could I be missing?
6 years, 6 months
Rest API for creating token exchange permission
by Madhu
Hi, is there an API for creating policies and binding policies to client permissions? E.g. I want to create token exchange permissions for an existing client. How do I go about it through the REST API?
Madhu
6 years, 6 months
Sync Issues
by Aaron Echols
Hello All,
I've successfully setup a cluster with 2 nodes. Everything is working
great, except for one issue I can't figure out. I'm starting to pull my
hair out and wanted to see if anyone else has seen the issue and how to
correct it.
I've setup a user federation using Active Directory (Server 2016) using
Keycloak 3.4.3. They are load balanced behind Netscaler 12.0.x. Infinispan
seems to be working correctly. It's backed by a MariaDB 10.1.x, 3 node
cluster. Things I've noted:
- I can create a local user and it syncs instantly between the KC 3.4.3
nodes
- Password syncs work, all changes to attributes sync, etc.
- I change settings for the user federation I created and they DON'T
sync, so creating a mapper, changing a sync setting, etc., have to be
changed manually on each node.
- Same with Role and realm-management. I can apply a permission to a
group or user and it doesn't sync.
- If I restart the WildFly server, the changes do propagate to the
opposite node every time.
I deleted a custom role in the realm-management client, and it deleted it
from the database. On the secondary node, I saw the file was still listed,
even with hard refreshes of the browser. I clicked to delete the custom
role and got the following in the server.log:
ERROR [org.keycloak.services.error.KeycloakErrorHandler] (default task-26) Uncaught server error: java.lang.IllegalStateException: Not found in database
    at org.keycloak.models.cache.infinispan.RoleAdapter.isUpdated(RoleAdapter.java:66)
    at org.keycloak.models.cache.infinispan.RoleAdapter.getId(RoleAdapter.java:105)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.removeRole(RealmCacheSession.java:736)
    at org.keycloak.models.cache.infinispan.ClientAdapter.removeRole(ClientAdapter.java:587)
    at org.keycloak.services.resources.admin.RoleResource.deleteRole(RoleResource.java:53)
    at org.keycloak.services.resources.admin.RoleByIdResource.deleteRole(RoleByIdResource.java:115)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:107)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:133)
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
I'm not sure if there is an issue with Infinispan or an SQL connection
issue. I've included my SQL connection string as well:
<datasource jndi-name="java:jboss/datasources/KeycloakDS" pool-name="KeycloakDS" enabled="true" use-java-context="true">
    <connection-url>jdbc:mariadb://10.5.30.202:3306/keycloak?useUnicode=yes;characterEncoding=UTF-8;sessionVariables=wait_timeout=180;autoReconnect=true</connection-url>
    <driver>mariadb</driver>
    <pool>
        <max-pool-size>20</max-pool-size>
    </pool>
    <security>
        <user-name>keycloak_user</user-name>
        <password><some-passphrase></password>
    </security>
    <validation>
        <check-valid-connection-sql>select 1</check-valid-connection-sql>
        <validate-on-match>true</validate-on-match>
        <background-validation>true</background-validation>
        <background-validation-millis>10000</background-validation-millis>
    </validation>
</datasource>
<drivers>
    <!-- driver declaration -->
    <driver name="mariadb" module="org.mariadb">
        <xa-datasource-class>org.mariadb.jdbc.Driver</xa-datasource-class>
    </driver>
    <driver name="h2" module="com.h2database.h2">
        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
    </driver>
</drivers>
</datasources>
I'm using the mariadb-java-client-2.2.3 driver.
<?xml version="1.0" ?>
<module xmlns="urn:jboss:module:1.3" name="org.mariadb">
    <resources>
        <resource-root path="mariadb-java-client-2.2.3.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
    </dependencies>
</module>
Any assistance would be appreciated. I'll grab whatever information is
needed. Thank you in advance. :)
--
Aaron Echols
6 years, 6 months
Programmatical users authentication
by Leonid Rozenblyum
Thanks to the REST API we can authenticate admin users who can work on behalf of
the 'admin-cli' account.
Can we authenticate usual users programmatically?
6 years, 6 months
secret import/export
by Brandon Philips
Hello-
I want to automate setup/teardown of keycloak on top of Kubernetes.
However, I was surprised that when I got the export JSON that all of the
secrets were replaced with "*******".
Is there a way to export the actual secrets in an automated fashion? And if
exported does the importer read them?
Sorry for the naive questions.
Thank You,
Brandon
6 years, 6 months
RPT can not be issued to resource owner
by stefan.wachter
Hi,
I have a user managed resource without any permissions.
If a user different from the resource owner tries to get an RPT the
request fails with error "request_submitted" and a corresponding "need
for approval" entry is displayed on the Account Management UI where the
resource owner can approve the request. After approval the RPT is issued.
If the resource owner herself tries to acquire an RPT the request also
fails with error "request_submitted". However, no "need for approval"
entry is created.
Either the issuance of an RPT should succeed if the requesting party is
the resource owner herself (preferred) or an approval entry should be
created.
--
Best regards,
Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK
6 years, 6 months
Policy-API - How to Set a User Policy
by stefan.wachter
Hi,
how can one set a user policy (i.e. a set of users) on a user-managed
resource? Looking at the class
org.keycloak.representations.idm.authorization.UmaPermissionRepresentation
I do not see a field that could be used for specifying a set of user ids.
public class UmaPermissionRepresentation extends AbstractPolicyRepresentation {
    private String id;
    private String description;
    private Set<String> roles;
    private Set<String> groups;
    private Set<String> clients;
    private String condition;
    ...
}

public class AbstractPolicyRepresentation {
    private String id;
    private String name;
    private String description;
    private String type;
    private Set<String> policies;
    private Set<String> resources;
    private Set<String> scopes;
    private Logic logic = Logic.POSITIVE;
    private DecisionStrategy decisionStrategy = DecisionStrategy.UNANIMOUS;
    private String owner;
    ...
}
BTW: Why does the derived UmaPermissionRepresentation class have an id
and description field of its own? I think these fields are inherited
from its base class AbstractPolicyRepresentation.
--
Best regards,
Stefan Wachter
INST-ICM/BSV-BS
Tel. +49(711)811-58477
BeQIK
6 years, 6 months
ABAC policy, attributes not available
by Nicolas Gillet
Hello
I am trying to write a JavaScript Attribute Based Access Control (ABAC) policy.
I want to control access to a group resource using the authenticated user's attributes and the attributes configured on the group.
So I configured the policy via Groups > myGroup > Permissions > view-members and selected my JavaScript policy.
Problem: in the script, neither my identity attributes nor my group attributes are available.
Here is my script:
var context = $evaluation.getContext();
var resourcePermission = $evaluation.getPermission();
var identity = context.getIdentity();
var idAttributes = identity.getAttributes();
var ctxAttributes = context.getAttributes();
var resource = resourcePermission.getResource();
print('idAttributes.CUSTOM_PROP: ' + idAttributes.getValue('CUSTOM_PROP'));
print('ctxAttributes.CUSTOM_PROP: ' + ctxAttributes.getValue('CUSTOM_PROP'));
// getAttributes is a method and has to be invoked; the line as originally
// posted referenced it without the parentheses
print('resource.getAttributes: ' + resource.getAttributes());
$evaluation.grant();
When I use the API endpoint as follows:
http://keycloak.dev.local/auth/admin/realms/ngp/groups/myGroup/members/
It triggers the script and prints the following in the WildFly console:
15:36:13,000 INFO [stdout] (default task-3) idAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) ctxAttributes.CUSTOM_PROP: null
15:36:13,011 INFO [stdout] (default task-3) resource.getAttributes: undefined
So my custom attribute is null. And worse, the resource does not even seem to have a getAttributes() method at all?!
I triple-checked: my user has the custom attribute "CUSTOM_PROP" defined with value "test", and my group has attributes as well.
The documentation says the resource I retrieve that way should be an instance of org.keycloak.authorization.model.Resource
which, according to the Javadoc, must define a getAttributes() method. However it's ... undefined?!
The Keycloak version I use is 4.0.0.
Can anyone help me find what's wrong with my script?
Many thanks,
Nicolas GILLET
6 years, 6 months
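As an added example (not code from the post or from Keycloak), here is the same policy shape written deny-by-default, so a missing identity or resource attribute refuses access rather than falling through to $evaluation.grant(). The method names used on $evaluation follow the policy evaluation API the post calls (getContext().getIdentity().getAttributes().getValue(), getPermission().getResource().getAttributes()); the stand-in objects, the CUSTOM_PROP attribute and the sample values are constructed here so it can run under Node.

```javascript
// Deny-by-default ABAC policy in the shape of the post's script, plus constructed
// stand-ins for the server-side $evaluation object so it can run under Node.
function policy($evaluation) {
  var identity = $evaluation.getContext().getIdentity();
  var resource = $evaluation.getPermission().getResource();
  // Attributes.getValue(name) returns null when the user has no such attribute.
  var entry = identity.getAttributes().getValue('CUSTOM_PROP');
  if (entry === null || entry.isEmpty()) {
    $evaluation.deny();          // missing attribute: refuse instead of falling through
    return;
  }
  var userValue = entry.asString(0);
  // getAttributes is a method on the Resource and must be invoked with ().
  var required = resource.getAttributes().get('CUSTOM_PROP'); // Java List or null
  if (required === null || required.size() === 0) {
    $evaluation.deny();          // resource carries no expected value: refuse
    return;
  }
  if (required.contains(userValue)) { $evaluation.grant(); } else { $evaluation.deny(); }
}
// ---- constructed stand-ins (not Keycloak code) mimicking the Java objects ----
function javaList(arr) {
  return { size: function () { return arr.length; },
           contains: function (v) { return arr.indexOf(v) >= 0; } };
}
function attributes(map) {   // mimics Identity.getAttributes(): getValue() -> Entry or null
  return { getValue: function (name) {
    if (!(name in map)) { return null; }
    var vals = map[name];
    return { isEmpty: function () { return vals.length === 0; },
             asString: function (i) { return vals[i]; } };
  } };
}
function javaMap(obj) {      // mimics the Map<String, List<String>> from Resource.getAttributes()
  return { get: function (k) { return (k in obj) ? javaList(obj[k]) : null; } };
}
function makeEvaluation(userAttrs, resourceAttrs) {
  var decision = 'none';     // 'none' means the policy never voted
  return {
    getContext: function () { return { getIdentity: function () {
      return { getAttributes: function () { return attributes(userAttrs); } }; } }; },
    getPermission: function () { return { getResource: function () {
      return { getAttributes: function () { return javaMap(resourceAttrs); } }; } }; },
    grant: function () { decision = 'grant'; },
    deny: function () { decision = 'deny'; },
    decision: function () { return decision; }
  };
}
// Runs the policy against constructed user and resource attributes; returns the decision.
function evaluate(userAttrs, resourceAttrs) {
  var ev = makeEvaluation(userAttrs, resourceAttrs);
  policy(ev);
  return ev.decision();
}
```

On a real server only the policy function body runs, with $evaluation supplied by Keycloak; the stand-ins exist so the deny paths can be exercised locally before the script is deployed.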