Keycloak and OAuth 2.0 Resource Owner Password Credentials Grant
by Nils Preusker
Hi all,
first of all, congrats on the first alpha release of Keycloak!
We're looking for a simple and lean way to add the OAuth 2.0 Resource Owner
Password Credentials Grant to a web application written in JavaScript with
a Java/REST backend (JBoss AS 7, planning to switch to WildFly, JAX-RS
etc.).
Since I didn't find any references in the code or the docs, I'm wondering:
does Keycloak provide an implementation of the Resource Owner Password
Credentials Grant as described in the OAuth Spec (
http://tools.ietf.org/html/rfc6749#section-4.3)? In other words, is there a
way to simply send a username and password to the auth server in exchange
for an access token (and optionally a refresh token - from previous posts I
gather this will be added soon...)?
Cheers,
Nils
10 years, 10 months
Multi Tenancy
by Travis De Silva
I was initially under the impression that I can configure realms as
tenants and use KeyCloak for applications that are designed for multi
tenancy.
But now I have discovered that this is not possible, at least not possible
to do it on demand. I hope I am wrong and someone can correct me.
Basically what I was trying to do was, when someone signs up to my
application platform, I was going to create a realm programmatically via
the API. Hence the feature request I raised to have a realm level admin
https://issues.jboss.org/browse/KEYCLOAK-292
But that means, I will then have to either configure my Wildfly
standalone.xml config with the new realm or add the installation json to my
war and redeploy it. This is obviously not ideal for an on-demand multi
tenant application.
Maybe by using Roles and creating unique roles per tenant, which hopefully I can
do programmatically via the API. I think I might be able to get something
going like this but it just feels very hacky and not elegant.
Is there any other elegant way? Is Keycloak designed for multi-tenancy
environments?
Cheers
Travis
10 years, 10 months
keycloak and open id connect
by J Coder
After spending some time reading about keycloak and the open id connect specification (seems that it was just finalized yesterday), I am getting the impression that keycloak and open id connect are competing technologies. They seem very similar in implementation since they are both built on top of OAuth 2 and JWT, while solving a similar problem, which is that OAuth 2 on its own is an authorization framework and not an authentication mechanism.
My assumptions could very well be incorrect, as I haven't spent enough time digging into both offerings to assert the above with any sort of certainty.
Bill (et al), would you kindly address my concerns as outlined above and perhaps explain why they are or aren't competing technologies, how they may complement each other or how they could be used together in either an enterprise (closed environment) or web (open social environment) setting?
Thanks a lot for your time.
J
10 years, 10 months
NPE when deploying EAR using Wildfly Submodule
by Michael Irwin
I’ve got an EAR file that has an embedded WAR. I’ve configured the security-deployment in wildfly to match the ear’s name. During deploy, I get an NPE. I’ve created an issue on JIRA about it, but for documentation purposes, I assume this is how this should be configured? Is EAR support just not in place yet? Using Keycloak Alpha 2.
https://issues.jboss.org/browse/KEYCLOAK-331
Thanks!
Michael Irwin
10 years, 10 months
@RolesAllowed on @Stateless
by Juraci Paixão Kröhling
Hello,
I'm playing with Keycloak on a pet project, and I'm really impressed
with it. It looks really nice and it's easy to get it working fast.
I have one question, though. I know it's early and it's alpha, but I
wonder if this is a bug or a non-implemented feature :-)
Basically, I wanted to annotate a REST method with
@RolesAllowed("admin") for a DELETE request, and @RolesAllowed("user")
for a @GET, something that works with the usual scenario.
With Keycloak, however, it seems that it's not being properly
propagated to the EJB layer, so I get an execution denied on the GET,
even if the user has the "user" role.
I've done a quick experiment, and it's available here:
https://github.com/jpkrohling/sample-ejb-roles-basic
On the master branch is the implementation with Keycloak. At the
"Endpoint" class, I've added the output from Wildfly 8 as a comment:
https://github.com/jpkrohling/sample-ejb-roles-basic/blob/master/src/main...
On the "QuickStartCode" branch, I've done the same:
https://github.com/jpkrohling/sample-ejb-roles-basic/blob/QuickstartCode/...
So, is this scenario supposed to work already, or is it planned for a
future release?
Thanks!
Juca.
10 years, 10 months
Securing WARs within EARs using Keycloak subsystem (JBoss 7.1.3)
by Derek Mortimer
I was asked in IRC to e-mail this in to the list:
Does securing WARs within EARs through the Keycloak subsystem work?
If so, what format would the name attribute take in the '<secure-deployment
name="???">' tag?
Moreover, is there somewhere in the JBoss admin console where I could find
what the value of that name attribute would be (e.g., from a list of
current deployments)?
Cheers,
Derek
10 years, 10 months
RealmEntity still not converted to UUID
by Dean Peterson
Hello,
I realize you are still in development for the alpha2 release. Thank you
for making the change to UUID rather than Identity String columns. I
noticed I can now deploy to a PostgreSQL database but I still fail on MSSQL
because the RealmEntity class has not been converted to use the new
identity mechanism. I am sure this would have been updated before alpha2
was released but I wanted to bring some attention to it just in case.
Thanks,
Dean
10 years, 10 months
Realm Level Admin
by Travis De Silva
I have not been able to figure out if we can have Realm level admins. My
use case is:
We have keycloak application wide super admins. They can create new realms,
go into any realm and create users, applications etc. Just how the default
admin user operates now.
Then within a Realm, for example let's say the Demo realm, can we have a
different admin user (e.g. demo realm admin) who can perform all the tasks
but only within that Realm? That user will not be able to view the other
realms (i.e. it should not display the realm selection drop-down and should
also not be able to create new realms).
Thoughts? I am happy to raise a feature request in Jira if this is
currently not possible and doable in a future release as I believe this
feature will increase user adoption, especially for applications that are
built with multi-tenancy functionality.
10 years, 10 months
User registration link/button not showing, with exception on console
by Edem Morny
I logged in as the admin user and enabled User Registration. However,
when I logged out, I realised there seems to be no link/button for
self-registration. The login screen only shows "New User?", but it seems an
exception is thrown on the console whenever I enable User Registration and
attempt to try it out. Any pointers on what's going on? Find the exception
stack trace below.
Template processing error: "get(registrationUrl) failed on instance of org.keycloak.forms.UrlBean": freemarker.template.TemplateModelException: get(registrationUrl) failed on instance of org.keycloak.forms.UrlBean
    at freemarker.ext.beans.BeanModel.get(BeanModel.java:224) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Dot._getAsTemplateModel(Dot.java:76) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Expression.getAsTemplateModel(Expression.java:89) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Expression.getStringValue(Expression.java:93) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.DollarVariable.accept(DollarVariable.java:76) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:221) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.MixedContent.accept(MixedContent.java:92) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:221) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.ConditionalBlock.accept(ConditionalBlock.java:79) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:221) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.MixedContent.accept(MixedContent.java:92) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:221) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.IfBlock.accept(IfBlock.java:82) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:221) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:406) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.BodyInstruction.accept(BodyInstruction.java:93) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:221) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.MixedContent.accept(MixedContent.java:92) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:221) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Macro$Context.runMacro(Macro.java:172) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:614) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.UnifiedCall.accept(UnifiedCall.java:106) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:221) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.MixedContent.accept(MixedContent.java:92) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.visit(Environment.java:221) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.core.Environment.process(Environment.java:199) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.template.Template.process(Template.java:259) [freemarker-2.3.19.jar:2.3.19]
    at org.keycloak.service.FormServiceImpl.processFmTemplate(FormServiceImpl.java:111) [keycloak-forms-1.0-alpha-1.jar:]
    at org.keycloak.service.FormServiceImpl.process(FormServiceImpl.java:99) [keycloak-forms-1.0-alpha-1.jar:]
    at org.keycloak.services.resources.flows.FormFlows.forwardToForm(FormFlows.java:143) [keycloak-services-1.0-alpha-1.jar:]
    at org.keycloak.services.resources.flows.FormFlows.forwardToForm(FormFlows.java:154) [keycloak-services-1.0-alpha-1.jar:]
    at org.keycloak.services.resources.flows.FormFlows.forwardToLogin(FormFlows.java:178) [keycloak-services-1.0-alpha-1.jar:]
    at org.keycloak.services.resources.TokenService.loginPage(TokenService.java:521) [keycloak-services-1.0-alpha-1.jar:]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
    at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.6.Final.jar:]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:87) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:36) [keycloak-services-1.0-alpha-1.jar:]
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:56) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:70)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.security.handlers.AuthenticationCallHandler.handleRequest(AuthenticationCallHandler.java:52) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:51) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:56) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:67) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:70) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:164) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:654) [undertow-core-1.0.0.Beta30.jar:1.0.0.Beta30]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_45]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_45]
    at java.lang.Thread.run(Thread.java:744) [rt.jar:1.7.0_45]
Caused by: java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_45]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_45]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_45]
    at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_45]
    at freemarker.ext.beans.BeansWrapper.invokeMethod(BeansWrapper.java:866) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.ext.beans.BeanModel.invokeThroughDescriptor(BeanModel.java:277) [freemarker-2.3.19.jar:2.3.19]
    at freemarker.ext.beans.BeanModel.get(BeanModel.java:184) [freemarker-2.3.19.jar:2.3.19]
    ... 78 more
Caused by: java.lang.IllegalArgumentException: No @Path annotated method for org.keycloak.services.resources.admin.AdminService.registerPage
    at org.jboss.resteasy.specimpl.ResteasyUriBuilder.path(ResteasyUriBuilder.java:394) [resteasy-jaxrs-3.0.6.Final.jar:]
    at org.keycloak.services.resources.flows.Urls.saasRegisterPage(Urls.java:152) [keycloak-services-1.0-alpha-1.jar:]
    at org.keycloak.forms.UrlBean.getRegistrationUrl(UrlBean.java:92) [keycloak-forms-1.0-alpha-1.jar:]
    ... 85 more
--
Edem Morny
====================
http://edemmorny.wordpress.com
10 years, 11 months