Keycloak Server -swarm.jar
by Bob McWhirter
For those of you not familiar with WildFly Swarm, it’s a project that
intends to support microservices by taking your application components,
along with just-enough WildFly, and bundling them all into a standalone
uberjar.
Keycloak counts as “part of WildFly” since it’s implemented mostly as a
WildFly subsystem.
Therefore, WildFly Swarm now supports adding Keycloak Server to your
microservice (we’ve supported the client-adapter for a while now, already).
To that end, we are also producing a handy, all-in-one uberjar for
Keycloak Server.
http://repository-projectodd.forge.cloudbees.com/snapshot/org/wildfly/swa...
Just download that .jar, and `java -jar` it and visit
http://localhost:8080/auth/
It still uses the H2 database, and by default creates or uses a database
located at $PWD/keycloak.db, but you can also use the
-Dwildfly.swarm.keycloak.server.db=/path/to/keycloakdatabase property to
change that.
Please feel free to give it a test, and for more information about WildFly
Swarm, we hang out in #wildfly-swarm on FreeNode IRC.
Thanks!
-Bob
9 years
Get the user of the current request from the KeycloakSession?
by Erik Mulder
Seems like a simple scenario, but I can't figure it out: I have an
instance of the KeycloakSession and I want to get the UserModel for the
current request. Is this possible?
Context: I'm creating a custom REST service that runs inside keycloak
and needs to get some data that is related to the current authenticated
user. For instance the realm and client I can get through the
session.getContext().getClient/Realm(). I would expect a getUser() there
too, but I can't find it anywhere 'in' the session.
If this isn't possible, shouldn't it be? Or if not, why not?
9 years
Automated testing for keycloak secured applications
by Orestis Tsakiridis
Hello,
I try to build automated tests for a keycloak secured REST application. I
plan to use Arquillian as a test platform.
Do I need to have a working keycloak server to be used in the tests? Or
is it possible to embed keycloak in the temporary deployment created by
Arquillian?
Btw, my endpoints don't use web.xml based security rules. I instead use
RSATokenVerifier.verifyToken() to manually verify the token.
Thus, I suppose that being able to manually create auth tokens from my test
cases (and not relying on a keycloak server) would also work.
Regards
Orestis
9 years
[Authorization] Get user roles from token
by Pavel Maslov
Hi everyone,
Do Keycloak adapters support user authorization? I mean, of course they do
:) For example, the API I have secured with Keycloak receives a Keycloak
access token from the client. How can I validate the token (check user
roles) in my code? I am interested in the Java (wildfly) and JavaScript
adapters.
Manually I am using jwt.io to check the token. I am just curious if the
Keycloak adapters support smth similar out of the box.
Thank you for your answers.
Regards,
Pavel Maslov, MS
9 years
Token Validation
by Brian Thai
Hi All,
I have just started to work with keycloak 1.7.0 and I have a PHP rest
service that I want to write an adapter for. I have read the docs and the
code but I don't understand how the token is validated from the rest
service.
I understand that with a js client they would be redirected to keycloak to
obtain an access token which will be passed to my rest api. At that point I
should validate the token, and I see that keycloak provides a rest endpoint
for validation:
http://docs.jboss.org/keycloak/docs/1.0-rc-1/rest-api/realms/%7Brealm%7D/...
I get held up by CORS because the realm itself does not have configuration
for setting the 'Access-Control-Allow-Origin' header. Can anyone point me
in the right direction?
Thanks,
-Brian
9 years
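The three questions above (Orestis's test-minted tokens, Pavel's role check, Brian's validation from a REST service) share one core: verify the RS256 signature with the realm's public key plus the standard claims, and only then read realm_access.roles. The Go below is an added example, not code from any of the posts or from Keycloak; it assumes the realm public key is obtained out of band and that the realm URL is the token issuer, and MintToken stands in for a live server only in a test suite that owns the key pair.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

// Claims is the subset of a Keycloak access token an API needs for a role check.
type Claims struct {
	Iss         string                                   `json:"iss"`
	Exp         int64                                    `json:"exp"`
	RealmAccess struct{ Roles []string `json:"roles"` } `json:"realm_access"`
}

// MintToken signs claims with RS256 (PKCS#1 v1.5 over SHA-256) using a key pair the test suite owns (assumed fixture).
func MintToken(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig), err
}

// VerifyToken checks alg, signature, issuer and expiry; only claims that pass all four may drive a role check.
func VerifyToken(tok string, pub *rsa.PublicKey, realmURL string, now int64) (*Claims, error) {
	p := strings.Split(tok, ".")
	c, hdr := Claims{}, struct{ Alg string }{}
	if raw, err := b64.DecodeString(p[0]); len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg") // also rejects alg=none and HMAC downgrades
	}
	digest := sha256.Sum256([]byte(p[0] + "." + p[1])) // the signature covers the encoded header.payload
	if sig, err := b64.DecodeString(p[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	if raw, err := b64.DecodeString(p[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("bad payload")
	}
	if c.Iss != realmURL || now >= c.Exp {
		return nil, errors.New("wrong issuer or expired token")
	}
	return &c, nil
}
```

A service reads roles only from the *Claims returned by VerifyToken; decoding the payload without the signature check (as jwt.io does for display) is fine for inspection but not for authorization.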
Direct access to Send reset password email
by Fabricio Milone
Hi all,
I’ve been working on adding custom endpoints under the realm level to
perform some new functions like user registration and send password reset
email without going through the keycloak’s default web view. I’ve read the
discussion regarding adding custom REST paths, but I wouldn’t like to go off
topic there.
Why am I doing this?
This is needed because I have to hit the keycloak server directly from the
native Android UI, without going through the Keycloak default login/reset
creds screen, and get a user registered or an email to reset the password
(among other possible future use cases).
What have I got so far?
I’ve added a custom endpoint class (ForgotPasswordEndpoint) to
org.keycloak.protocol.oidc.endpoints package in order to add a new path
/auth/realms/{realm}/forgotten-password-email that sends an email to the
specified user in a form attribute without going through the web view. I am
also generating a key to be able to execute a client session required
action of UPDATE_PASSWORD, so when the user clicks the link they will be
asked to update their password.
What I’m not sure is about the approach I used to get this done. Let’s
clear that up:
- Created a new endpoint class similar to TokenEndpoint.java which sends
an email with a link to update the user password.
- The link is generated using the UriBuilder for the base path and the
ClientSessionCode class for the access code, using the given realm, session
and any other necessary data.
- I am adding a required action to the clientSession
(ClientSessionModel, created with the given UserModel) of the type
UserModel.RequiredAction.UPDATE_PASSWORD.
- Once the user clicks on the link, the normal updated account starts,
without any modification.
That’s the least invasive way I’ve found so far. However, today I have been
trying to implement an SPI to achieve this (still trying to understand how
to do that).
Is there a clean/proper way to generate a valid code/execution id as it is
generated on the normal forgotten password email?
What is the right way to make a direct call to get a reset password email?
Thank you in advance.
Regards,
Fabricio
9 years