Migrating custom user database to Keycloak
by Anton Hughes
Hello
I'm currently investigating using Keycloak as a solution to manage users, as
well as authentication and authorization.
Currently, we have a jboss Errai application, and have a relational
database of users and their encrypted password.
Are there any tutorials, or advice, on how we would migrate our users to the
Keycloak IDM?
Thanks and regards
Anton
9 years, 8 months
Re: [keycloak-user] Application Management
by Thiago Presa
Hi there,
I'm Alex's coworker and I'll be working on this too.
We were just discussing your idea, and it seems to fit our requirements.
As far as we have seen, keycloak already has a realm-admin concept.
Whenever a realm "R" is created, it creates a R-realm application with
a bunch of default roles (manage-users, manage-roles, etc.) into the
realm master.
We are currently thinking if we could mimic this structure for
applications. What do you think?
> I had an idea a while back that is a simple way to achieve what you're asking for. The idea would be to only allow an admin to grant roles that the admin has access to.
> Basically:
> * A user with admin (super user) role can grant any roles (we would need to add a per-realm super user role)
> * A user with the role manage-users and some roles on app1 can only grant other users the roles on app1
> * A user with the role manage-users and some roles on app2 can only grant other users the roles on app2
>
> This is something we should add in either case (to prevent users granting
> themselves more access). Would it solve your problems?
9 years, 8 months
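The grant rule quoted in the message above, as an added example that is not part of the thread and not Keycloak code. The User and Role types, the super user role name "admin" and the same_app_is_enough switch are assumptions; by default a manage-users holder may grant only roles they hold themselves, and the switch selects the looser per-application reading of the bullets.

```python
from dataclasses import dataclass, field

SUPER_USER = "admin"           # per-realm super user role (name assumed)
MANAGE_USERS = "manage-users"  # role name taken from the quoted proposal

@dataclass(frozen=True)
class Role:
    app: str   # application the role belongs to, e.g. "app1"
    name: str

@dataclass
class User:
    name: str
    realm_roles: set = field(default_factory=set)
    app_roles: set = field(default_factory=set)  # set of Role

def can_grant(granter, role, same_app_is_enough=False):
    """Decide whether granter may assign role to another user."""
    if SUPER_USER in granter.realm_roles:
        return True                      # super user grants anything
    if MANAGE_USERS not in granter.realm_roles:
        return False                     # holding a role is not enough to hand it out
    if same_app_is_enough:
        # Looser reading: any role on the application unlocks all of its roles.
        return any(r.app == role.app for r in granter.app_roles)
    # Strict reading: only roles the granter already holds.
    return role in granter.app_roles

def grant(granter, target, role, **kw):
    """Apply the grant, or raise if it would exceed the granter's own access."""
    if not can_grant(granter, role, **kw):
        raise PermissionError(f"{granter.name} may not grant {role.app}/{role.name}")
    target.app_roles.add(role)
    return target

if __name__ == "__main__":
    # Constructed sample users.
    alice = User("alice", {MANAGE_USERS}, {Role("app1", "viewer")})
    bob = User("bob")
    grant(alice, bob, Role("app1", "viewer"))
    print(sorted(r.name for r in bob.app_roles))
    print(can_grant(alice, Role("app2", "viewer")))
```

Under the strict reading the granter cannot raise their own access either, because granter and target go through the same check.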
Re: [keycloak-user] Help troubleshooting config
by Thomas LaPorte
Thanks to a list member for some debug setup help, I'm getting much more
information.
Now I can see (and confirm my suspicion), that something is not right and
my resource is unprotected.
For the example customer-portal app, I see that after the "callback-uri:
..." message, I get a "Sending redirect to login page:..." message.
For my app, it goes directly to "AuthenticatedActionsValve.invoke"
-- Tom
On Tue, Mar 31, 2015 at 2:49 PM, Guy Davis <guydavis.ca(a)gmail.com> wrote:
> Hi Thomas,
>
> To dial up logging, try adding this to your standalone.xml file in the
> logging subsystem and re-starting your Wildfly instance:
>
> <logger category="org.keycloak">
>     <level name="DEBUG"/>
> </logger>
>
> Then, be sure you have the right configuration in your web.xml of your
> test WAR file. See the docs here
> <http://docs.jboss.org/keycloak/docs/1.1.0.Final/userguide/html_single/#d4...>
> for details.
>
> Hope this helps,
> Guy
>
>
> On Tue, Mar 31, 2015 at 3:30 PM, Thomas LaPorte <
> Thomas.LaPorte(a)dreamworks.com> wrote:
>
>> Apologies for cutting off by hitting send prematurely.
>>
>>
>>
>> On Tue, Mar 31, 2015 at 2:26 PM, Thomas LaPorte <
>> Thomas.LaPorte(a)dreamworks.com> wrote:
>>
>>> Greetings. I'm a first-time user of Keycloak, trying to set up a simple
>>> demonstration after the examples, however, I'm having 0% success in getting
>>> my configuration correct enough such that my web resource is protected.
>>>
>>> I have reduced my setup all the way down to a basic "HelloWorld.jsp" in
>>> a WAR file that is deployed into the standalone Wildfly server that is also
>>> hosting the Keycloak server.
>>>
>>> I am convinced that it is a configuration step being missed somewhere,
>>> as I can always access my URL without intervention from the Keycloak server.
>>>
>>> My WAR file consists of the following:
>>>
>>> 0 Tue Mar 31 14:20:20 PDT 2015 META-INF/
>>> 68 Tue Mar 31 14:20:20 PDT 2015 META-INF/MANIFEST.MF
>>> 0 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/
>>> 1584 Tue Mar 31 09:47:52 PDT 2015 WEB-INF/web.xml
>>> 491 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/keycloak.json
>>> 308 Tue Mar 31 14:20:18 PDT 2015 index.jsp
>>>
>>
>> I have added my application to the demo realm by copying the
>> customer-portal application stanza, and replacing the "customer-portal"
>> with my app name:
>>
>> {
>>     "name": "goalkeepers",
>>     "enabled": true,
>>     "adminUrl": "/goalkeepers",
>>     "baseUrl": "/goalkeepers",
>>     "redirectUris": [
>>         "/goalkeepers/*"
>>     ],
>>     "secret": "password"
>> }
>>
>> At this stage I am just looking for suggestions on how best to
>> troubleshoot my configuration? What logging properties can I set to enable
>> more debugging? Or where else can I look for some clues as to the errors in
>> my configuration?
>>
>> I fear I am missing something extremely fundamental, but I can't for the
>> life of me see what it is.
>>
>> - Tom
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
9 years, 9 months
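A check for the web.xml configuration mentioned in the reply above, as an added example that is not part of the thread or of Keycloak. It assumes the adapter is enabled per WAR through a login-config with auth-method KEYCLOAK and that protection comes from a standard servlet security-constraint; both sample descriptors and the role name "user" are constructed.

```python
import xml.etree.ElementTree as ET

def _all(node, name):
    # Match on the local tag name so any Java EE namespace is accepted.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _texts(nodes):
    return {(n.text or "").strip() for n in nodes}

def audit_web_xml(xml_text):
    """Return reasons why a WAR's URLs would be served without a login."""
    root = ET.fromstring(xml_text)
    findings, used_roles = [], set()
    constraints = _all(root, "security-constraint")
    if not constraints:
        findings.append("no <security-constraint>: every URL is public")
    for c in constraints:
        if not any(_texts(_all(c, "url-pattern"))):
            findings.append("<security-constraint> has no <url-pattern>")
        auth = _all(c, "auth-constraint")
        if not auth:
            findings.append("<security-constraint> has no <auth-constraint>: no login required")
        for a in auth:
            used_roles |= _texts(_all(a, "role-name"))
    if "KEYCLOAK" not in _texts(_all(root, "auth-method")):
        findings.append("<login-config> <auth-method> is not KEYCLOAK")
    declared = set()
    for sr in _all(root, "security-role"):
        declared |= _texts(_all(sr, "role-name"))
    for role in sorted(used_roles - declared - {"*", ""}):
        findings.append(f"role '{role}' is used but not declared in <security-role>")
    return findings

# Constructed sample: a web.xml with no security elements at all.
UNPROTECTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
</web-app>"""

# Constructed sample: the same app with a constraint, login-config and role.
PROTECTED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>KEYCLOAK</auth-method></login-config>
  <security-role><role-name>user</role-name></security-role>
</web-app>"""
```

An empty list from audit_web_xml means the descriptor itself requests authentication; it says nothing about whether keycloak.json or the realm's application entry is correct.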
Help troubleshooting config
by Thomas LaPorte
Greetings. I'm a first-time user of Keycloak, trying to set up a simple
demonstration after the examples, however, I'm having 0% success in getting
my configuration correct enough such that my web resource is protected.
I have reduced my setup all the way down to a basic "HelloWorld.jsp" in a
WAR file that is deployed into the standalone Wildfly server that is also
hosting the Keycloak server.
I am convinced that it is a configuration step being missed somewhere, as I
can always access my URL without intervention from the Keycloak server.
My WAR file consists of the following:
0 Tue Mar 31 14:20:20 PDT 2015 META-INF/
68 Tue Mar 31 14:20:20 PDT 2015 META-INF/MANIFEST.MF
0 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/
1584 Tue Mar 31 09:47:52 PDT 2015 WEB-INF/web.xml
491 Tue Mar 31 14:08:34 PDT 2015 WEB-INF/keycloak.json
308 Tue Mar 31 14:20:18 PDT 2015 index.jsp
9 years, 9 months
keycloak tomcat 7 adapter
by Henk Laracker
Hi,
I'm using the Keycloak Tomcat 7 adapter. I created a sample application, which works fine with Keycloak. I created a JSP page with the following code:
<% String username = request.getRemoteUser(); %>
<tr><td>User</td><td><%= username %></td></tr>
I have logged in with the username: supervisor
So I expect the username to be: supervisor
But the result is: 3d5bfb0c-9495-48b8-a11c-2e83097b2f39
What am I doing wrong?
Met vriendelijke groet / Yours sincerely / Mit freundlichen Grüßen / Très cordialement,
Henk Laracker
9 years, 9 months
API Based Authentication and Access Token Retrieval
by Lohitha Chiranjeewa
Hi,
Due to the nature of our set of applications that are authenticated against
KeyCloak, we have a requirement to access KeyCloak APIs outside of SSO
session(s). So the questions are:
1. Seems that all admin APIs are authenticated with the provided
access_token (Bearer). Are there any other authentication mechanisms?
2. If not, is there a way for us to get the access_token without going
through the browser based login flow? (like a single token provider API
which doesn't expect an authorization_code)
Thanks!
9 years, 9 months
Keycloak session attribute
by Chen Keong Yap
Hi,
I was trying to set a session attribute using a custom filter and retrieve it
from login.ftl, with no success: the session attribute value is null. Any
advice?
9 years, 9 months