Keycloak 1.7.0.CR1 Released
by Stian Thorgersen
I'm pleased to announce the release of Keycloak 1.7.0.CR1. Recently we've
gone straight to Final, but we'd like to give everyone a chance to try a
release out first. Unless there are major issues reported we will release
Final next week.
As usual we've been far from idle and have a number of highlights in this
release, including:
- *Groups* - users can belong to one or more groups and inherit role
mappings and attributes from the group.
- *First Broker Login Flow* - we've introduced a number of improvements
to first login with identity brokers as well as the ability to customize
the flow used.
- *Client Registration* - clients can now dynamically register
themselves with a Keycloak server. This supports Keycloak client
representations, OpenID Connect Dynamic Client Registration and SAML Entity
Descriptors. Client registration is done through simple REST endpoints; there's
also a Java library, and a CLI is coming soon.
- *OpenID Connect Implicit and Hybrid flows* - we've added support for
the Implicit and Hybrid flows. It's also possible to select what flows are
available for a specific client.
- *Add User script* - as a first step to not having a default admin user
we've added a script that allows creating an initial admin account.
- *Cache fixes* - there's a number of fixes related to caching, which
should improve performance especially in clusters.
- *Email Sender SPI* - previously we had one SPI that created email
content from FreeMarker and also sent emails. We've now split this into two
separate SPIs.
- *SAML SP WildFly subsystem* - there's now a WildFly subsystem for the
SAML SP adapter, which makes it easier to use the SAML SP adapter on
WildFly.
- *WildFly 10 adapter support* - the WildFly adapter, including adapter
subsystem, now supports WildFly 10.
For the full list of issues resolved, check out JIRA
<https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...>,
and to download the release go to the Keycloak homepage
<http://keycloak.org/downloads>.
Apply group membership filter on ldap login
by internet media
I am using Keycloak 1.6.1.Final with Active Directory/LDAP. I have not
seen any examples of authenticating users within a group membership
(memberOf). I also looked at the tests but no luck. Any help will be
appreciated. I just need to be able to set up a user federation using
LDAP/AD and restrict it to users of a certain group.
Thanks.
Config cascading services
by Dirk Franssen
Hi,
how would one configure Keycloak to obtain the following scenarios?
Scenario 1:
client A: public (angular app)
client B: bearer-only (microservice)
client C: bearer-only (microservice)
- microservice B is allowed to call microservice C, but an authenticated
user in the js app A should be forbidden to call microservice C directly.
Scenario 2:
client A: public (angular app)
client B: confidential (1 war with a REST service AND a JSF application,
both using the same EJB business layer which is accessing microservice C)
client C: bearer-only (microservice)
- a user authenticated in the angular app can use the REST service of app B
and will see the results of microservice C, but the user may not call
microservice C directly
- a user authenticated in the JSF application will see the results of
microservice C when using the JSF application, but should not be able to
use microservice C directly (if the user would reuse the same access_token)
- should there be different roles for the REST part and the JSF part of app
B (for accessing microservice C)?
Kind regards,
Dirk
Keycloak 1.6.1 fails to start in WF 9.0.2
by Hristo Stoyanov
Hi all. I want to run KC 1.6.1 against a PostgreSQL 9.4 server. The
WF 9.0.2 logs show no error, yet KC is not available at http://localhost:8080
- I get 404 Page not found. Also, none of the KC tables are created, as one
would expect upon first run. Below is the log; the standalone.xml
and keycloak-server.json are also attached. Any clue? Thanks.
========================================================================
2015-12-08 09:15:29,324 DEBUG [org.jboss.as.config] (MSC service thread
1-8) VM Arguments: -D[Standalone] -XX:+UseCompressedOops
-XX:+UseCompressedOops -Xmx1024m
-Dorg.jboss.boot.log.file=/opt/wildfly-9.0.2.Final/standalone/log/server.log
-Dlogging.configuration=file:/opt/wildfly-9.0.2.Final/standalone/configuration/
logging.properties
2015-12-08 09:15:30,726 INFO
[org.jboss.as.controller.management-deprecated] (ServerService Thread Pool
-- 15) WFLYCTL0028: Attribute 'job-repository-type' in the resource at
address '/subsystem=batch' is deprecated, and may be removed in future
version. See the attribute description in the output of the
read-resource-description operation to learn more about the deprecation.
2015-12-08 09:15:30,729 INFO
[org.jboss.as.controller.management-deprecated] (ServerService Thread Pool
-- 2) WFLYCTL0028: Attribute 'enabled' in the resource at address
'/subsystem=datasources/data-source=ExampleDS' is deprecated, and may be
removed in future version. See the attribute description in the output of
the read-resource-description operation to learn more about the deprecation.
2015-12-08 09:15:30,789 INFO [org.jboss.as.server] (Controller Boot
Thread) WFLYSRV0039: Creating http management service using socket-binding
(management-http)
2015-12-08 09:15:30,812 INFO [org.xnio] (MSC service thread 1-7) XNIO
version 3.3.1.Final
2015-12-08 09:15:30,825 INFO [org.xnio.nio] (MSC service thread 1-7) XNIO
NIO Implementation Version 3.3.1.Final
2015-12-08 09:15:30,891 INFO [org.wildfly.extension.io] (ServerService
Thread Pool -- 43) WFLYIO001: Worker 'default' has auto-configured to 8
core threads with 64 task threads based on your 4 available processors
2015-12-08 09:15:30,897 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 44) WFLYCLINF0001: Activating Infinispan
subsystem.
2015-12-08 09:15:30,900 INFO [org.wildfly.iiop.openjdk] (ServerService
Thread Pool -- 45) WFLYIIOP0001: Activating IIOP Subsystem
2015-12-08 09:15:30,912 INFO
[org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool
-- 39) WFLYJCA0004: Deploying JDBC-compliant driver class org.h2.Driver
(version 1.3)
2015-12-08 09:15:30,934 INFO
[org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool
-- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class
org.mariadb.jdbc.Driver (version 1.2)
2015-12-08 09:15:30,962 INFO
[org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool
-- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class
org.postgresql.Driver (version 9.4)
2015-12-08 09:15:30,964 INFO [org.jboss.remoting] (MSC service thread 1-7)
JBoss Remoting version 4.0.9.Final
2015-12-08 09:15:31,093 WARN [org.jboss.as.txn] (ServerService Thread Pool
-- 63) WFLYTX0013: Node identifier property is set to the default value.
Please make sure it is unique.
2015-12-08 09:15:31,113 INFO [org.jboss.as.security] (ServerService Thread
Pool -- 62) WFLYSEC0002: Activating Security Subsystem
2015-12-08 09:15:31,126 INFO [org.jboss.as.security] (MSC service thread
1-5) WFLYSEC0001: Current PicketBox version=4.9.2.Final
2015-12-08 09:15:31,140 INFO [org.jboss.as.jsf] (ServerService Thread Pool
-- 51) WFLYJSF0007: Activated the following JSF Implementations: [main]
2015-12-08 09:15:31,153 INFO
[org.jboss.as.connector.subsystems.datasources] (ServerService Thread Pool
-- 39) WFLYJCA0005: Deploying non-JDBC-compliant driver class
com.mysql.jdbc.Driver (version 5.1)
2015-12-08 09:15:31,155 INFO [org.jboss.as.connector] (MSC service thread
1-7) WFLYJCA0009: Starting JCA Subsystem (IronJacamar 1.2.5.Final)
2015-12-08 09:15:31,168 INFO [org.jboss.as.naming] (ServerService Thread
Pool -- 55) WFLYNAM0001: Activating Naming Subsystem
2015-12-08 09:15:31,181 INFO [org.jboss.as.webservices] (ServerService
Thread Pool -- 65) WFLYWS0002: Activating WebServices Extension
2015-12-08 09:15:31,188 INFO [org.jboss.as.connector.deployers.jdbc] (MSC
service thread 1-5) WFLYJCA0018: Started Driver service with driver-name =
h2
2015-12-08 09:15:31,188 INFO [org.jboss.as.connector.deployers.jdbc] (MSC
service thread 1-6) WFLYJCA0018: Started Driver service with driver-name =
postgres
2015-12-08 09:15:31,189 INFO [org.jboss.as.connector.deployers.jdbc] (MSC
service thread 1-5) WFLYJCA0018: Started Driver service with driver-name =
mysql
2015-12-08 09:15:31,189 INFO [org.jboss.as.connector.deployers.jdbc] (MSC
service thread 1-2) WFLYJCA0018: Started Driver service with driver-name =
mariadb
2015-12-08 09:15:31,198 INFO [org.wildfly.extension.undertow] (MSC service
thread 1-8) WFLYUT0003: Undertow 1.2.9.Final starting
2015-12-08 09:15:31,198 INFO [org.wildfly.extension.undertow]
(ServerService Thread Pool -- 64) WFLYUT0003: Undertow 1.2.9.Final starting
2015-12-08 09:15:31,300 INFO [org.jboss.as.naming] (MSC service thread
1-6) WFLYNAM0003: Starting Naming Service
2015-12-08 09:15:31,300 INFO [org.jboss.as.mail.extension] (MSC service
thread 1-8) WFLYMAIL0001: Bound mail session [java:jboss/mail/Default]
2015-12-08 09:15:31,459 INFO [org.wildfly.extension.undertow]
(ServerService Thread Pool -- 64) WFLYUT0014: Creating file handler for
path /opt/wildfly-9.0.2.Final/welcome-content
2015-12-08 09:15:31,488 INFO [org.wildfly.extension.undertow] (MSC service
thread 1-4) WFLYUT0012: Started server default-server.
2015-12-08 09:15:31,496 INFO [org.wildfly.extension.undertow] (MSC service
thread 1-4) WFLYUT0018: Host default-host starting
2015-12-08 09:15:31,595 INFO [org.wildfly.extension.undertow] (MSC service
thread 1-1) WFLYUT0006: Undertow HTTP listener default listening on
/0:0:0:0:0:0:0:0:8080
2015-12-08 09:15:31,786 INFO [org.wildfly.iiop.openjdk] (MSC service
thread 1-7) WFLYIIOP0009: CORBA ORB Service started
2015-12-08 09:15:31,799 INFO
[org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2)
WFLYJCA0001: Bound data source [java:jboss/datasources/ExampleDS]
2015-12-08 09:15:31,818 INFO
[org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-4)
WFLYJCA0001: Bound data source [java:jboss/datasources/KeycloakDS]
2015-12-08 09:15:31,820 INFO
[org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1)
WFLYJCA0001: Bound data source [java:jboss/datasources/S4GDS]
2015-12-08 09:15:32,005 WARN [org.jboss.as.messaging] (MSC service thread
1-6) WFLYMSG0075: AIO wasn't located on this platform, it will fall back to
using pure Java NIO. Your platform is Linux, install LibAIO to enable the
AIO journal.
2015-12-08 09:15:32,026 INFO [org.jboss.as.server.deployment.scanner] (MSC
service thread 1-2) WFLYDS0013: Started FileSystemDeploymentService for
directory /opt/wildfly-9.0.2.Final/standalone/deployments
2015-12-08 09:15:32,028 INFO [org.jboss.as.server.deployment] (MSC service
thread 1-4) WFLYSRV0027: Starting deployment of "keycloak-server.war"
(runtime-name: "keycloak-server.war")
2015-12-08 09:15:32,147 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221000: live server is starting with configuration
HornetQ Configuration
(clustered=false,backup=false,sharedStore=true,journalDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingjournal,bindingsDirectory=/opt/wildfly-
9.0.2.Final/standalone/data/messagingbindings,largeMessagesDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messaginglargemessages,pagingDirectory=/opt/wildfly-9.0.2.Final/standalone/data/messagingpaging)
2015-12-08 09:15:32,157 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221006: Waiting to obtain live lock
2015-12-08 09:15:32,405 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221013: Using NIO Journal
2015-12-08 09:15:32,471 INFO [org.jboss.ws.common.management] (MSC service
thread 1-3) JBWS022052: Starting JBoss Web Services - Stack CXF Server
5.0.0.Final
2015-12-08 09:15:32,494 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221043: Adding protocol support CORE
2015-12-08 09:15:32,502 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221043: Adding protocol support AMQP
2015-12-08 09:15:32,514 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221043: Adding protocol support STOMP
2015-12-08 09:15:32,647 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221034: Waiting to obtain live lock
2015-12-08 09:15:32,647 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221035: Live Server Obtained live lock
2015-12-08 09:15:32,780 INFO
[org.infinispan.factories.GlobalComponentRegistry] (ServerService Thread
Pool -- 72) ISPN000128: Infinispan version: Infinispan 'Insanely Bad Elf'
7.2.3.Final
2015-12-08 09:15:33,038 INFO [org.jboss.messaging] (MSC service thread
1-5) WFLYMSG0016: Registered HTTP upgrade for hornetq-remoting protocol
handled by http-acceptor-throughput acceptor
2015-12-08 09:15:33,038 INFO [org.jboss.messaging] (MSC service thread
1-1) WFLYMSG0016: Registered HTTP upgrade for hornetq-remoting protocol
handled by http-acceptor acceptor
2015-12-08 09:15:33,143 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221007: Server is now live
2015-12-08 09:15:33,144 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221001: HornetQ Server version 2.4.7.Final
(2.4.7.Final, 124) [e4688d93-96cc-11e5-b241-fb4ba7767374]
2015-12-08 09:15:33,149 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 73) HQ221003: trying to deploy queue jms.queue.DLQ
2015-12-08 09:15:33,194 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 72) WFLYCLINF0002: Started users cache from
keycloak container
2015-12-08 09:15:33,195 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 74) WFLYCLINF0002: Started sessions cache
from keycloak container
2015-12-08 09:15:33,197 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 71) WFLYCLINF0002: Started loginFailures
cache from keycloak container
2015-12-08 09:15:33,208 INFO [org.jboss.as.clustering.infinispan]
(ServerService Thread Pool -- 75) WFLYCLINF0002: Started realms cache from
keycloak container
2015-12-08 09:15:33,227 INFO [org.jboss.as.messaging] (ServerService
Thread Pool -- 77) WFLYMSG0002: Bound messaging object to jndi name
java:/ConnectionFactory
2015-12-08 09:15:33,235 INFO [org.jboss.as.messaging] (ServerService
Thread Pool -- 76) WFLYMSG0002: Bound messaging object to jndi name
java:jboss/exported/jms/RemoteConnectionFactory
2015-12-08 09:15:33,237 INFO [org.hornetq.core.server] (ServerService
Thread Pool -- 70) HQ221003: trying to deploy queue jms.queue.ExpiryQueue
2015-12-08 09:15:33,301 INFO [org.jboss.as.connector.deployment] (MSC
service thread 1-7) WFLYJCA0007: Registered connection factory java:/JmsXA
2015-12-08 09:15:33,377 INFO [org.hornetq.ra] (MSC service thread 1-7)
HornetQ resource adaptor started
2015-12-08 09:15:33,377 INFO
[org.jboss.as.connector.services.resourceadapters.ResourceAdapterActivatorService$ResourceAdapterActivator]
(MSC service thread 1-7) IJ020002: Deployed: file://RaActivatorhornetq-ra
2015-12-08 09:15:33,379 INFO [org.jboss.as.connector.deployment] (MSC
service thread 1-8) WFLYJCA0002: Bound JCA ConnectionFactory [java:/JmsXA]
2015-12-08 09:15:33,379 INFO [org.jboss.as.messaging] (MSC service thread
1-6) WFLYMSG0002: Bound messaging object to jndi name
java:jboss/DefaultJMSConnectionFactory
2015-12-08 09:15:33,554 INFO [org.jboss.as.server] (ServerService Thread
Pool -- 67) WFLYSRV0010: *Deployed "keycloak-server.war" (runtime-name :
"keycloak-server.war")*
2015-12-08 09:15:33,761 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0060: Http management interface listening on http://
[0:0:0:0:0:0:0:0]:9990/management
2015-12-08 09:15:33,762 INFO [org.jboss.as] (Controller Boot Thread)
WFLYSRV0051: Admin console listening on http://[0:0:0:0:0:0:0:0]:9990
2015-12-08 09:15:33,762 ERROR [org.jboss.as] (Controller Boot Thread)
WFLYSRV0026: WildFly Full 9.0.2.Final (WildFly Core 1.0.2.Final) started
(with errors) in 4942ms - Started 365 of 618 services (3 services failed or
missing dependencies, 319 services are lazy, passive or on-demand)
Getting currently logged in user -Angular JS
by Rushil Agarwal
Hi Team,
I am using Keycloak for authenticating my Angular web-based application.
I am trying to get the currently logged-in user, which I am not able to do.
All I know is that I may get it through KeycloakSecurityContext, but I am
not sure how to use it.
Kindly help.
Thanks in advance!
*With best regards :-*
Rushil Agarwal
Mobile: +91 78298 86000
TOMCAT exclude protection for endpoint
by Christopher Wallace
We are using Apache Tomcat v8.0.18. We have a JavaScript application for
which we would like to configure web.xml using Keycloak to protect all root
URIs under '/' except '/tracking'. Is there a way to exclude '/tracking' from
being protected, either in the Keycloak admin console or in the web.xml
itself? Some additional information: for the tracking URL we will use both
the HTTP and WebSocket protocols. Our current approach was to specifically
protect all URIs except for '/tracking', but that doesn't seem to be working
as a solution.
We have attached our example web.xml attempting to specifically protect
URLs:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <module-name>ROOT</module-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>APP</web-resource-name>
      <url-pattern>/app/*</url-pattern>
    </web-resource-collection>
    <!--API-->
    <web-resource-collection>
      <web-resource-name>API</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <!--HTML-->
    <web-resource-collection>
      <web-resource-name>HTML</web-resource-name>
      <url-pattern>*.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>worktrac</realm-name>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
We appreciate your feedback and thoughts on a solution.
- Chris
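One way to express the exclusion the post asks for, as an added example that is neither the poster's web.xml nor Keycloak project code: a single `/*` constraint protects the whole context, and a more specific constraint for `/tracking` that carries no `<auth-constraint>` makes that path reachable without authentication, which is what the Servlet specification defines for a constraint that omits `auth-constraint`. The WebSocket handshake is an HTTP GET on the same path, so the same decision covers it. The realm name `worktrac` and the role `user` are carried over from the posted web.xml.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">
  <module-name>ROOT</module-name>

  <!-- Default rule: everything under the root context requires the 'user' role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Exclusion: a more specific path pattern with NO auth-constraint element.
       Omitting auth-constraint means "no authentication required"; Tomcat
       evaluates exact matches first and then the longest matching path
       prefix, so these patterns take precedence over /* for /tracking and
       everything below it. Do NOT write an empty <auth-constraint/> here:
       that means the opposite (no role may access the resource). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Tracking endpoint (anonymous)</web-resource-name>
      <url-pattern>/tracking</url-pattern>
      <url-pattern>/tracking/*</url-pattern>
    </web-resource-collection>
  </security-constraint>

  <!-- Keycloak adapter as the authenticator; realm name as in the posted web.xml. -->
  <login-config>
    <auth-method>KEYCLOAK</auth-method>
    <realm-name>worktrac</realm-name>
  </login-config>

  <security-role>
    <role-name>user</role-name>
  </security-role>
</web-app>
```

Everything under `/tracking` is then served to anonymous callers, so the handler behind it must not assume a Keycloak principal is present and should be reviewed for what it exposes without a session.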
info about brute force detection
by Notarnicola, Mara
Dear all,
I have enabled brute force detection on my Keycloak application server.
I am using Keycloak 1.5.0.Final.
After several trials I saw that the number of failures for each user is saved in the session, so if the server is restarted the counter starts from 0 again.
Why don't you save it into the DB?
Mara