Multitenancy for WAR

by Nils Preusker

Hi,
first of all, congrats on the beta 1 release!
Here's my question: I have a WAR with a REST API that I'm securing with
Keycloak. Now I'd like to add multitenancy support.
If I understand the concept in keycloak correctly, I would somehow have to
have several realms in the keycloak.json and the web.xml of the war, right?
However there is just one realm-name attribute in the web.xml and the
structure of keycloak.json also looks like it is intended for one realm. Am
I missing something?
Cheers,
Nils
                                
                         
                        
                                
11 years, 2 months

JPA Authentication Provider

by Josh

Hi guys,
Wondering if it would be possible to create a JPA authentication provider?
What I am trying to do is share the hibernate user model between keycloak
authentication provider and my application.  I've got as far as extracting
the models into their own project so they can be used as dependency between
my application / authentication provider.
Still wrapping my head around JavaEE architecture so forgive me if this
next sentence doesn't make any sense... The properties authentication
adapter in beta1 examples is a jar which can't really declare its own data
sources.  So wondering how I would implement a provider that defines its
own datasource?
Thanks,
Josh
                                
                         
                        
                                
11 years, 5 months

Keycloak Docker images

by Juraci Paixão Kröhling
                                    
                                
                                
All,
I've just scratched a pair of Docker images for Keycloak, and I would be
interested in getting some feedback. If you already have Docker
installed, you can start an auth server by running this command:
docker run -it -p 8080:8080 jpkroehling/keycloak-server
Then, it should be available as:
http://localhost:8080/auth (admin/admin)
The second image is built on top of the server, and contains the
examples. To run it, execute this command:
docker run -it -p 8080:8080 jpkroehling/keycloak-examples
Same procedure for the admin:
http://localhost:8080/auth (admin/admin)
And you can log in to the Customer Portal sample application using
bburke(a)redhat.com/password at
http://localhost:8080/customer-portal/customers/view.jsp
If you have questions or comments, I'm also available at #keycloak on
freenode as jpkroehling .
- Juca.
                                
                         
                        
                                
11 years, 5 months

Re: [keycloak-user] Integration of Keycloak with Picketlink

by Marek Posolda

Hi Kamal,
there is an interface, IdentityManagerProvider, which allows you to provide
your own way of retrieving the Picketlink
IdentityManager/PartitionManager. Right now, there is just one
implementation of this interface available, RealmIdentityManagerProvider,
which uses a PartitionManager initialized with LDAP; the configuration of
LDAP is taken from the realm configuration. I was thinking about adding
another implementation, which will be able to use the PartitionManager from
the picketlink subsystem.
So if you want, you can create your own implementation of this interface
and plug it in. See our examples for more details on how to do it:
https://github.com/keycloak/keycloak/tree/master/examples/providers
There is no example for retrieving a custom configuration of picketlink,
but there are other examples, which can point you to how to create
a custom provider...
Marek
On 29.5.2014 15:41, Kamal Jagadevan wrote:
> Hello Marek,
> Thanks for the information, I was wondering if Keycloak can integrate 
> with picketlink that our application already uses.
> Looks like we might have to implement a new authentication provider that
> uses our existing picketlink as per your documentation.
>
> Is that right? Please confirm.
>
> Best
> Kamal
>
> ------------------------------------------------------------------------
> *From:* Marek Posolda <mposolda(a)redhat.com>
> *To:* Kamal Jagadevan <j.kamal(a)ymail.com>; 
> "keycloak-user(a)lists.jboss.org" <keycloak-user(a)lists.jboss.org>
> *Sent:* Wednesday, May 28, 2014 4:49 PM
> *Subject:* Re: [keycloak-user] Integration of Keycloak with Picketlink
>
> Hi,
>
> currently Picketlink IDM is used for LDAP integration and it's used 
> just in Authentication as you pointed. You first need to configure 
> your LDAP server and then you can configure "picketlink" 
> authenticationProvider, which will mean that your LDAP users will be
> able to authenticate through picketlink into your realm.
>
> More info is in the latest documentation, but you will need to build it
> from sources: https://github.com/keycloak/keycloak/tree/master/docbook .
> It should be available in the documentation on the official website
> http://www.keycloak.org in a few days.
>
> Marek
>
>
> On 28.5.2014 18:07, Kamal Jagadevan wrote:
>>
>>
>> Hello,
>>   From the admin console, I noticed that there is a support to use 
>> picketlink with Keycloak.
>> How is that configured as  "Authentication options providers options" 
>> are not displayed in the "Authentication" tab of settings.
>> Is this intentional or am I missing something?
>>
>>
>> Cheers
>> Kamal
>>
>>
>>
>>
>>
                                
                         
                        
                                
11 years, 5 months

Migrating Users Database

by Rodrigo Sasaki

Hi,
I'm trying to replace my current authentication system with Keycloak, but I
have one problem. I already have a database of users, populated with
millions of records, and I wanted to make it work with Keycloak.
What would be the best approach on this scenario? Should I migrate
everything to the Keycloak tables, or try to make Keycloak understand my
current database?
Is there any recommendation on this matter? And if there is, some
explanation or documentation?
Thanks!
-- 
Rodrigo Sasaki
                                
                         
                        
                                
11 years, 5 months

Request to add bindIp setting to pom files referencing embedmongo-maven-plugin

by Patrick V. Madden

Hi,
I recently added building Keycloak as a Jenkins job that runs on a Windows build machine. I noticed that each time a build is done, we get four Firewall popups requesting to grant access to something related to the mongo embedded plugin. I did not see this on my MacBook Pro local build, so it's a Windows-only issue. The problem is it creates a new application name each time it is run, so simply adding the access restriction to Windows firewall once doesn't do the trick.
I tracked it down to pom files that reference the embedmongo-maven-plugin needing to add a <bindIp>127.0.0.1</bindIp> to the plugin configuration. 
There are four pom files that need to be modified: 
audit/mongo/pom.xml 
export-import/export-import-impl/pom.xml 
model/mongo/pom.xml 
testsuite/integration/pom.xml 
There is a very simple pattern. In each pom there is a properties section for keycloak.model.mongo.*
I added a property for bindIp as follows:
<properties>
    <keycloak.model.mongo.host>localhost</keycloak.model.mongo.host>
    <keycloak.model.mongo.port>27018</keycloak.model.mongo.port>
    <keycloak.model.mongo.db>keycloak</keycloak.model.mongo.db>
    <keycloak.model.mongo.clearOnStartup>true</keycloak.model.mongo.clearOnStartup>
    <keycloak.model.mongo.bindIp>127.0.0.1</keycloak.model.mongo.bindIp>
</properties>
Then for surefire I added a system property variable as follows:
<systemPropertyVariables>
    <keycloak.model.mongo.host>${keycloak.model.mongo.host}</keycloak.model.mongo.host>
    <keycloak.model.mongo.port>${keycloak.model.mongo.port}</keycloak.model.mongo.port>
    <keycloak.model.mongo.db>${keycloak.model.mongo.db}</keycloak.model.mongo.db>
    <keycloak.model.mongo.clearOnStartup>${keycloak.model.mongo.clearOnStartup}</keycloak.model.mongo.clearOnStartup>
    <keycloak.model.mongo.bindIp>${keycloak.model.mongo.bindIp}</keycloak.model.mongo.bindIp>
</systemPropertyVariables>
And lastly for the embedmongo-maven-plugin modify the configuration as follows:
<configuration>
    <port>${keycloak.model.mongo.port}</port>
    <logging>file</logging>
    <logFile>${project.build.directory}/mongodb.log</logFile>
    <bindIp>${keycloak.model.mongo.bindIp}</bindIp>
</configuration>
For the audit file replace model with audit.
I'm able to build on Windows now without any popups. 
This will be greatly appreciated if it can be done! 
Patrick Madden 
Principal Design Engineer 
Tom Sawyer Software 
1997 El Dorado Avenue 
Berkeley, CA 94707 
E-mail: pmadden@ tomsawyer.com 
                                
                         
                        
                                
                                11 years, 5 months
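
An added example, not part of the post above or of the Keycloak build: a Python check that a CI job could run over each pom.xml to confirm that every embedmongo-maven-plugin declaration sets bindIp to a loopback address, so the embedded test database does not listen on other interfaces. The function name audit_pom, the status labels and both sample POMs are constructed for illustration; only ${...} references to the POM's top-level <properties> are resolved.

```python
import re
import xml.etree.ElementTree as ET

PLUGIN = "embedmongo-maven-plugin"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: plugin declared without any bindIp (the state before the change).
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <build><plugins><plugin>
    <artifactId>embedmongo-maven-plugin</artifactId>
    <configuration>
      <port>27018</port>
    </configuration>
  </plugin></plugins></build>
</project>"""

# Constructed sample: bindIp supplied through a property, as the post proposes.
POM_AFTER = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <keycloak.model.mongo.port>27018</keycloak.model.mongo.port>
    <keycloak.model.mongo.bindIp>127.0.0.1</keycloak.model.mongo.bindIp>
  </properties>
  <build><plugins><plugin>
    <artifactId>embedmongo-maven-plugin</artifactId>
    <configuration>
      <port>${keycloak.model.mongo.port}</port>
      <bindIp>${keycloak.model.mongo.bindIp}</bindIp>
    </configuration>
  </plugin></plugins></build>
</project>"""

def _resolve(value, props):
    # Expand ${name} from the POM's top-level <properties>; unknown names stay as-is.
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def audit_pom(xml_text):
    """Return one (status, bind_ip) tuple per embedmongo-maven-plugin declaration."""
    root = ET.fromstring(xml_text)
    for el in root.iter():                      # drop the Maven namespace prefix
        el.tag = el.tag.split("}", 1)[-1]
    props = {p.tag: (p.text or "").strip() for p in root.findall("properties/*")}
    findings = []
    for plugin in root.iter("plugin"):
        if (plugin.findtext("artifactId") or "").strip() != PLUGIN:
            continue
        configs = (plugin.findall("configuration")
                   + plugin.findall("executions/execution/configuration"))
        raw = next((c.findtext("bindIp") for c in configs
                    if c.find("bindIp") is not None), None)
        if raw is None:
            findings.append(("missing", None))  # no explicit bind address configured
            continue
        ip = _resolve(raw.strip(), props)
        if "${" in ip:
            findings.append(("unresolved", ip))
        else:
            findings.append(("loopback" if ip in LOOPBACK else "not-loopback", ip))
    return findings

if __name__ == "__main__":
    for name, pom in (("before", POM_BEFORE), ("after", POM_AFTER)):
        print(name, audit_pom(pom))
```
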
                        
                        
                 
         
 
        
            
        
        
        
                
                        
                        
                                
                                
                                        
                                                
                                        
                                        
Integration of Keycloak with Picketlink

by Kamal Jagadevan

Hello,
  From the admin console, I noticed that there is a support to use picketlink with Keycloak.
How is that configured as  "Authentication options providers options" are not displayed in the "Authentication" tab of settings.
Is this intentional or am I missing something?
Cheers
Kamal
                                
                         
                        
                                
11 years, 5 months

Where to Post Keycloak Question Regarding Sign-Off

by Kevin Bailey
                                    
                                
                                
I am not sure if this is the appropriate way to post a Keycloak question. If it is not, I apologize.
I have set up a Wildfly JSP application (confidential) and a Wildfly REST API application (bearer-only) to use Keycloak Alpha 3. The Keycloak, JSP, and REST API applications are each running in a different Wildfly server on the same machine.
Everything seems to work except the sign-off. It appears to work and there is no error, but in actuality the sign-off doesn't work. When the logout URL redirects back to the homepage (not secure) and I click the link to the get Countries JSP page (secured) again, it still shows me the country list without redirecting me to the Keycloak login page.

I set @NoCache on the JAX-RS endpoints in the API application and in the JSP app I put:
<head>
    <%
        response.setHeader("Cache-Control", "no-cache");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);
    %>
    <title>Country List</title>
</head>
I use:
    <%
        String logoutUri = KeycloakUriBuilder.fromUri("http://localhost:6080/auth/rest/realms/MyRealm/tokens/logout")
                .queryParam("redirect_uri", "http://localhost:8080/MyAppJSP").build("MyRealm").toString();
    %>
to create the log-off URL.
Also, if I go into the Keycloak Admin as "admin" and force log-off the user, it doesn't work either.
Is there some setting I am missing in the JSP? I turned off all the caching I know about in Chrome and Wildfly. I am not sure if this is a Keycloak problem or my ignorance of Wildfly and JSP.
Any help is greatly appreciated.
Cheers,
A. Kevin Bailey
                                
                         
                        
                                
11 years, 5 months

KeycloakDS

by Josh

Hi folks,
The latest keycloak/server/src/main/resources/META-INF/persistence.xml
seems to reference ExampleDS, shouldn't it be KeycloakDS instead?
Thanks,
- Josh
                                
                         
                        
                                
                                11 years, 5 months