From my understanding Realms allow Keycloak itself to be Multi Tenant, with completely isolated Tenants.
Adding Groups (or Teams/Organisations) would make it easier for Applications leveraging Keycloak to be Multi Tenanted themselves (within a Realm). While some people seem to be using Composite roles with great effect, it is probably not what they were intended for.
The biggest benefit of Groups I see is being able to link groups of users to specific data so that their role only applies to that data and not to everything in the system/application (e.g. a Group Admin role allows a user permission to administer only data created/owned by users in that group).
Cheers,
Nic
>Date: Wed, 14 Oct 2015 11:35:38 -0400
>From: Bill Burke <bburke(a)redhat.com>
>Subject: Re: [keycloak-user] Keycloak to set up Teams and
> Organizations
>To: keycloak-user(a)lists.jboss.org
>Message-ID: <561E764A.4030706(a)redhat.com>
>Content-Type: text/plain; charset=windows-1252; format=flowed
>
>That's just not how keycloak was designed.
>
>Realms contain users, applications/clients, roles, groups etc. Realms
>were meant to be completely isolated from one another.
>
>On 10/14/2015 10:53 AM, Tim Dudgeon wrote:
>> The use case for me is to use multiple realms for authentication (e.g.
>> one realm for each organisation) that can access a single application
>> using a common set of roles.
>> It's sort of discussed from a different perspective on the apiman list here:
>> http://lists.jboss.org/pipermail/apiman-user/2015-October/000361.html
>>
>> Tim
>>
>> On 14/10/2015 15:34, Bill Burke wrote:
>>> No, we are not creating "global" groups and roles. Use case please?
>>> We're trying to keep realms isolated from one another.
>>>
>>> On 10/14/2015 7:29 AM, Tim Dudgeon wrote:
>>>> The scope of this is presumably groups within an individual realm?
>>>> Is there any possibility for "global" groups and roles that can span
>>>> multiple realms?
>>>>
>>>> Tim
>>>>
>>>> On 13/10/2015 17:18, Bill Burke wrote:
>>>>> You just want something like github groups? List your requirements.
Hi all,
I am writing a federation provider that accesses Oracle using MyBatis.
I get the following error when MyBatis is trying to read its xml configuration:
### Cause: java.lang.RuntimeException: XPathFactory#newInstance() failed to create an XPathFactory for the default object model: http://java.sun.com/jaxp/xpath/dom with the XPathFactoryConfigurationException: javax.xml.xpath.XPathFactoryConfigurationException: No XPathFactory implementation found for the object model: http://java.sun.com/jaxp/xpath/dom
at org.apache.ibatis.exceptions.ExceptionFactory.wrapException(ExceptionFactory.java:26)
at org.apache.ibatis.session.SqlSessionFactoryBuilder.build(SqlSessionFactoryBuilder.java:54)
The federation provider jar is a big fat jar that includes all its dependencies.
Any ideas?
Thank you
Maria
Hi guys,
is there any way to configure different password policies for different kind of users in one realm?
We're dealing with the following use case: Two different types of users: one represents human users, who are able to login via a login page. The second represents other applications which do a system to system communication without login via a login page. For human users we want to specify the policy that they have to change their password at least every 90 days. Users that are used by other applications (machine to machine communication) are not able to change their password. So we want to define that this policy applies only to human users.
I can't find a possibility to distinguish between user types, so our idea was to use two separate realms. I can add users of type A to Realm 1 and users of type B to Realm 2 and with that, I'm able to configure different password policies for both groups. But at the end if both user types have access to the same client, I have to configure the same client with all its roles in both realms identically to add roles of this client to users within this realm.
What would be your recommendation to fulfil the requirement described in the use case?
Thanks for your help,
Sebastian
Hi all,
I am setting up an SSO server and I'm evaluating both CAS and Keycloak. One
of my main requirements is letting users have multiple teams and be a part
of multiple organizations. I'm trying to wrap my head around how to do this
in Keycloak. Something on the lines of what Github does:
https://github.com/blog/674-introducing-organizations. As an evaluation
process, I've already created a POC using CAS.
I would really appreciate any pointers on how to do this with Keycloak.
Best,
Kunal
--
KUNAL KERKAR | PRODUCT ENGINEER
Plivo, Inc. 340 Pine St, San Francisco - 94104, USA
Web: www.plivo.com | Twitter: @plivo <http://twitter.com/plivo>, @tsudot
<http://twitter.com/tsudot>
Hello,
I'm building a secret store application that will sit in front of
Hawkular and will be responsible for replacing API keys into actual
Keycloak authentication data.
Based on the suggestions from Stian, the current code does the following:
- User logs in Hawkular via Keycloak
- Once the user wants to create a new application key/secret, the user
is redirected to /secret-store/tokens/create , which takes the KC
authentication data and stores the refresh_token into the database,
creating a new key/secret
- User configures an external application (like a monitoring agent in
a server), adding this key/secret to its configuration
- The agent makes a call to the Hawkular backend, sending this key/secret
- An undertow filter gets this key/secret from the request, fetches
the refresh_token from the database, gets a bearer token from Keycloak
based on this refresh_token and sets it to the request's context (i.e.
replacing the Authorization header)
- Keycloak uses this bearer token to perform what it needs to do
- Request reaches the Hawkular backend
It all works, but the session from the *user* (second step) eventually
expires, causing the refresh_token to be invalid[1].
So, the question is whether this token is indeed supposed to be
attached to a user session, or if it's a bug. If the behavior I'm
seeing is the correct one, what could be a proper way to store a token
so that it can be replaced at a later time?
1 - http://git.io/vLAtF
Best,
Juca.
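The key-exchange filter Juca describes, written out as an added example (not Hawkular's, Keycloak's or the poster's code). It keeps only a hash of each application secret, compares it in constant time, exchanges the stored refresh_token for a bearer token, and, on the failure mode from the post (refresh token dead because the user session expired), rejects the request with 401 instead of forwarding it. The header names X-Api-Key/X-Api-Secret, the FakeTokenEndpoint standing in for Keycloak's token endpoint, and the session-bound refresh behaviour it models are all assumptions made for this example.

```python
"""Constructed model of an API-key -> bearer-token exchange filter (example code)."""
import hashlib
import hmac
import secrets
import time


def _digest(secret: str) -> str:
    # Store a hash of the application secret, not the secret itself.
    return hashlib.sha256(secret.encode()).hexdigest()


class SecretStore:
    """Maps application key -> (hashed secret, refresh_token captured at creation)."""

    def __init__(self):
        self._rows = {}

    def create(self, refresh_token: str):
        key = secrets.token_hex(8)
        secret = secrets.token_urlsafe(24)
        self._rows[key] = (_digest(secret), refresh_token)
        return key, secret  # the secret is shown to the user once and never stored

    def lookup(self, key: str, secret: str):
        row = self._rows.get(key)
        if row is None:
            return None
        stored_digest, refresh_token = row
        if not hmac.compare_digest(stored_digest, _digest(secret)):  # constant-time compare
            return None
        return refresh_token

    def revoke(self, key: str):
        self._rows.pop(key, None)


class FakeTokenEndpoint:
    """Assumed stand-in for Keycloak's token endpoint: a refresh token works only while
    the user session that issued it is still active (the behaviour the post reports)."""

    def __init__(self, session_ttl: int):
        self.session_ttl = session_ttl
        self._sessions = {}        # refresh_token -> session start time
        self.clock = time.time     # injectable clock so tests can fast-forward

    def login(self) -> str:
        refresh_token = "rt-" + secrets.token_hex(8)
        self._sessions[refresh_token] = self.clock()
        return refresh_token

    def refresh(self, refresh_token: str) -> dict:
        started = self._sessions.get(refresh_token)
        if started is None or self.clock() - started > self.session_ttl:
            return {"error": "invalid_grant", "error_description": "Session not active"}
        return {"access_token": "at-" + secrets.token_hex(8),
                "token_type": "bearer", "expires_in": 300}


def exchange(headers: dict, store: SecretStore, endpoint: FakeTokenEndpoint) -> tuple:
    """The filter step: replace X-Api-Key/X-Api-Secret with an Authorization: Bearer header.

    Returns (status, headers_to_forward). Any failure yields 401 and nothing is forwarded,
    so a stale or unknown key never reaches the backend without authentication.
    """
    key = headers.get("X-Api-Key")
    secret = headers.get("X-Api-Secret")
    if not key or not secret:
        return 401, {}
    refresh_token = store.lookup(key, secret)
    if refresh_token is None:
        return 401, {}
    resp = endpoint.refresh(refresh_token)
    if "error" in resp:
        # The user session behind the stored refresh_token is gone; surface the OAuth error.
        return 401, {"WWW-Authenticate": 'Bearer error="%s"' % resp["error"]}
    forwarded = {k: v for k, v in headers.items() if k not in ("X-Api-Key", "X-Api-Secret")}
    forwarded["Authorization"] = "Bearer " + resp["access_token"]
    return 200, forwarded


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint(session_ttl=60)
    store = SecretStore()
    key, secret = store.create(endpoint.login())
    print(exchange({"X-Api-Key": key, "X-Api-Secret": secret}, store, endpoint))
```

Because the filter never forwards a request whose refresh fails, an agent whose key went stale gets a clear 401 and can be re-registered, rather than reaching the backend with the old Authorization header intact.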
Hi Bill,
For the most part, I liked how PicketLink IDM relationships were structured. If I recall correctly, it was something like this:
Users could be assigned to 0..n Groups
Groups could have subgroups
Roles could be assigned to 0..n Groups
Roles could be assigned to 0..n Users
So, we could manage security within a hierarchical group structure but also add additional roles on per-user basis when needed. If it could all also optionally be done with composite roles, all the better.
Some relevant documentation:
https://docs.jboss.org/picketlink/2/latest/reference/html-single/#chap-Id...
https://docs.jboss.org/picketlink/2/latest/reference/html-single/#sect-Ma...
https://docs.jboss.org/picketlink/2/latest/reference/html-single/#Realms_...
John
-----Original Message-----
From: Bill Burke <bburke(a)redhat.com>
Subject: Re: [keycloak-user] Keycloak to set up Teams and
Organizations
To: keycloak-user(a)lists.jboss.org
Message-ID: <561D2EBC.50509(a)redhat.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
You just want something like github groups? List your requirements.
I am starting on Groups next week after 1.6 goes out.
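The two models discussed in this thread, John's PicketLink-style relationships (users in 0..n groups, subgroups, roles on groups and on users) and Nic's point that a Group Admin role should apply only to data owned by users in that group, as one added example. This is illustrative code written for this page, not Keycloak's or PicketLink's; the rule that a group-admin role placed anywhere in a group tree scopes to that tree's top-level group, and the sample users and groups, are assumptions of the example.

```python
"""Constructed group/role model with data-scoped admin checks (example code)."""
from dataclasses import dataclass, field


@dataclass(eq=False)  # identity hashing, so groups and users can be set members
class Group:
    name: str
    parent: "Group | None" = None
    roles: set = field(default_factory=set)   # roles granted to every member

    def ancestors(self):
        """Yield this group, then its parent, and so on up to the top-level group."""
        g = self
        while g is not None:
            yield g
            g = g.parent

    def organization(self):
        """The top-level group; assumed scope of any group-admin role in its tree."""
        return list(self.ancestors())[-1]


@dataclass(eq=False)
class User:
    name: str
    groups: set = field(default_factory=set)  # 0..n groups
    roles: set = field(default_factory=set)   # 0..n direct, per-user roles


@dataclass(eq=False)
class Record:
    id: str
    owner: User


def effective_roles(user: User) -> set:
    """Direct roles plus roles inherited through every group and its parents."""
    roles = set(user.roles)
    for g in user.groups:
        for anc in g.ancestors():
            roles |= anc.roles
    return roles


def admin_scopes(user: User) -> set:
    """Organizations the user may administer: one per group (or ancestor) carrying
    'group-admin'. A per-user 'group-admin' role with no group gives no data scope."""
    return {anc.organization()
            for g in user.groups
            for anc in g.ancestors()
            if "group-admin" in anc.roles}


def can_administer(user: User, record: Record) -> bool:
    """Group-scoped rule: the admin role applies only to data owned by users in the
    same organization, never to everything in the application."""
    owner_orgs = {g.organization() for g in record.owner.groups}
    return bool(admin_scopes(user) & owner_orgs)


def build_sample() -> dict:
    """Constructed sample: two organizations, one with an admins and a dev subgroup."""
    acme = Group("acme", roles={"member"})
    acme_admins = Group("acme/admins", parent=acme, roles={"group-admin"})
    acme_dev = Group("acme/dev", parent=acme, roles={"developer"})
    globex = Group("globex", roles={"member"})
    alice = User("alice", groups={acme_admins})
    bob = User("bob", groups={acme_dev})
    carol = User("carol", groups={globex})
    dave = User("dave", roles={"group-admin"})   # role without any group: no data scope
    return {"alice": alice, "bob": bob, "carol": carol, "dave": dave,
            "bob_record": Record("r1", bob), "carol_record": Record("r2", carol)}


if __name__ == "__main__":
    s = build_sample()
    print(sorted(effective_roles(s["bob"])))
    print(can_administer(s["alice"], s["bob_record"]), can_administer(s["alice"], s["carol_record"]))
```

The check deliberately ignores a bare per-user "group-admin" role: without a group to scope it, the role confers no authority over anyone's data, which is the least-privilege property Nic is after.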
Hi guys,
It seems the size of an attribute is limited to 255 characters.
That is quite small considering one might want to store JSON into attributes.
Would simply changing the hibernate config file to use TEXT vs VARYING(255) be enough?
Any reason for that artificial limitation?
Cheers!
________________________________
REMI CARTIER
B.O.S.S. (Business & Operation Support Systems) P.O (Product Owner)
IMETRIK GLOBAL INC.
T : +1 514 448-6407 x2009
T : +1 866 276-5382 (toll free)
F : +1 514 904-0611
740 Notre Dame St. West, Suite 1575
Montreal, Quebec, Canada H3C 3X6
imetrik.com<http://www.imetrik.com/>
We've just released Keycloak 1.5.1. This release contains a moderate impact
security fix and we recommend everyone who is currently using 1.5.0 to
upgrade as soon as possible. The security issue does not affect older
releases.
I'm having problems generating an access token.
$ curl -X POST \
    http://192.168.59.103:8080/auth/realms/Customer1/protocol/openid-connect/... \
    -H "Content-Type: application/x-www-form-urlencoded" -d 'username=user2' \
    -d 'password=user2' -d 'grant_type=password' -d 'client_id=app1'
{"error":"unauthorized_client"}
From what I can see everything is set up correctly and looks the same
as another realm/client/user that does work:
- realm exists and works
- user exists and can log in to console
- client has been created in realm
But I'm getting "unauthorized_client" error.
What should I look at?
Tim