August 2015 - keycloak-user - Jboss List Archives

How to access entity manager from custom thread

by Libor Krzyžanek

Hi there, within my listener factory's postInit method I’m creating a separate thread that needs to run a sql query by using entity manager from JPA provider. In thread I do KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() { @Override public void run(KeycloakSession session) { … EntityManager em = session.getProvider(JpaConnectionProvider.class).getEntityManager(); TypedQuery<UserEntity> query = em.createQuery( "select u from UserEntity u where u.realmId = :realmId order by u.username", UserEntity.class); Unfortunately I got java.lang.NoClassDefFoundError: javax/persistence/EntityManager I tried to set various class loaders via thread.setContextClassLoader(DefaultJpaConnectionProviderFactory.class.getClassLoader()); but with no success. I’m running this on EAP 6.4. What is the proper way how to retrieve entity manager for running custom queries? Thanks, Libor Krzyžanek jboss.org <http://jboss.org/> Development Team

9 years, 4 months

2
3
0 / 0

Apache https proxy / Set context path of keycloak standalone

by Gerd Aschemann

Hi, I seem to have problems to run keycloak behind an Apache httpd proxy. I would like to run (the Docker version of) keycloak on e.g. http://localhost:xxxx/ and have an Apache httpd proxy configuration which forwards https://my.domain.tld/keycloak/ to this internal server. Very often it is best to have the same web context path on the app server and on the httpd proxy configuration. So which is the best way to set the context path of keycloak standalone? In particular it would be great if I could give the context path to the Docker container as environment setting. Any hints are appreciated as well as other solutions to this problem. Thx, Gerd -- Gerd Aschemann --- Veröffentlichen heißt Verändern (Carmen Thomas) +49/173/3264070 -- gerd(a)aschemann.net -- http://www.aschemann.net

9 years, 4 months

1
0
0 / 0

HMAC and its implementation for a mobile app

by Mohan.Radhakrishnan＠cognizant.com

Hi, This is just a general question about HMAC and its implementation for a mobile app. The backend is a set of layers and one of it is a WebSphere Broker that has to send a message digest of JSON data. In order to ensure both data integrity and authenticity we also need a shared secret. This means that we need to distribute the shared key and store it somewhere. What do keycloak users use for this scenario ? Does the Android mobile app. Request for a shared key which the backend also knows(like what the AWS REST flow does) ? How is this done ? If we want to use digital signatures then the apps. Need one part of a keypair. How can we distribute and share the public keys ? We don't have any requirement for OAuth. Thanks, Mohan This e-mail and any files transmitted with it are for the sole use of the intended recipient(s) and may contain confidential and privileged information. If you are not the intended recipient(s), please reply to the sender and destroy all copies of the original message. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email, and/or any action taken in reliance on the contents of this e-mail is strictly prohibited and may be unlawful. Where permitted by applicable law, this e-mail and other e-mail communications sent to and from Cognizant e-mail addresses may be monitored.

9 years, 4 months

2
3
0 / 0

Exception after changing roles

by Thomas Raehalme

Hi, I have been doing some experiments with Keycloak and encountered a problem: If a user is logged in and her client role mappings are changed in the admin UI, why is an exception thrown "User no long has permission for client role OLD_ROLE" when the token expires and the refresh token is used to acquire a new one? I was expecting the new token to contain the new set of roles, but instead got this error. Thanks for your help! Best regards, Thomas

9 years, 4 months

3
5
0 / 0

Can some one point me in the right direction

by Christopher Davies

First thanks for all the help I have had so far. I currently have a client using direct access to get a grant from KeyCloak via the protocol/openid-connect/token url. The two direct access requests I need that I am having problems tracking down are; 1) Getting a new grant using the refresh_token 2) Getting a grant for a bearer only client using (I assume the access token). Chris

9 years, 4 months

2
2
0 / 0

IP Address Restrictions

by Evan Thompson

Howdy, I was wondering if there was any planned functionality that would allow for IP address based access restriction? I noticed there is an issue for this in the Keycloak JIRA (KEYCLOAK-844), but it has not been updated for some time. Thanks, Evan

9 years, 4 months

1
0
0 / 0

Keycloak is Enterprise ready project ?

by Bhanu Kiran

Hi Team, Please let us know if Keycloak is Enterprise ready application or its still in incubation project. We are planning to evaluate keycloak as SSO solution. Thanks, Bhanu

9 years, 4 months

4
3
0 / 0

Would like to deprecate/remove JPA/Mongo UserSessions

by Bill Burke

Hi all, Keycloak team would like to deprecate and remove the JPA and Mongo stores for UserSessions and just provide an Infinispan one. It is a pain to maintain these, and in our opinion, users really shouldn't be using JPA or Mongo to store User Sessions. Infinispan has a wide variety of configuration options for internal, external, and cloud networks. -- Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com

9 years, 4 months

2
3
0 / 0

Client Credentials grant Question

by Raghu Prabhala

Bill/Stian, Is it possible to use an external system to authenticate a client for the client credentials grant option? In our organization, we have a large number of applications that interact with each other using kerberos accounts. Today, a client application 1 will use its kerberos id and keytab to authenticate against MIT kerberos and get a custom token which is passed to client application 2 which then validates that token and grants access to the first application. Now if we want to use Keycloak's client credentials grant, the client application 1 is expected to have its client_id and secret registered with keycloak. It is not possible for all our existing applications to discard the current Kerberos account and go with this new client_id and secret required by Keycloak. So we are wondering, if there is any way, we can avoid registering a client application with keycloak and use our existing Kerberos infrastructure to do the client authentication and then provide the access token based on the client credentials grant option. If that is not possible, any pointers on how we can use Keycloak without requiring all our thousands of apps to register with keycloak? Thanks in advance,Raghu

9 years, 4 months

3
3
0 / 0

Configuration of Load Balancer with the Keycloak server

by Thomas Connolly

Hi Looking for advise on deploying keycloak behind an F5 load balancer. An F5 has been setup with a pool pointing to two keycloak servers. The browser connection to the F5 is using https, the F5 terminates the SSL and forwards to one of the unencrypted keycloak servers on port 8080. The problem is that when hitting the admin console, https://fqdn/auth/admin, a 302 redirect lands on http://fqdn/auth/realms/master/tokens/login?client_id=... not maintaining the https protocol resulting in the login page not displaying as only https requests are allowed. In the docs there is a section about using a reverse proxy i.e. 3.2.6.2. Enable SSL on a Reverse Proxy http://keycloak.github.io/docs/userguide/html/server-installation.html#d4... It is not clear to me, I have not tried yet, if this configuration terminates ssl at the web server and then handles the 302 redirect back on the https protocol of the web server. I'm asking as I need to find out how to X-Forwarded-For and X-Forwarded-Proto to the fqdn and the protocol https. And then raise tickets which could take time to complete. Essentially I'm verifying that I'm configuring wildfly undertow and sockets correctly and the F5 forwarding headers. Regards Tom Connolly

9 years, 4 months

2
1
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user August 2015