OpenID Connect and SAML application intercommunication
by Pulkit Gupta
Hi Team,
I have a scenario where I have one application which is using the SAML adapter
and another application which is using OpenID Connect. Both of these
applications are built using different technologies. The first one uses
Java and is hosted on JBoss. The second one uses AngularJS.
The point which I would like to check is:
Is it possible for these two applications to
intercommunicate? For example, if I log in to the SAML-based application and then
I switch to the OpenID Connect-based application, will it ask me to log in
again, or will it get the token/assertion from the Keycloak server without
asking me to enter my credentials again?
--
Thanks,
Pulkit
AMS
7 years, 3 months
Testing secured EJB with Arquillian (using Keycloak adapter as SecurityDomain)
by Jordan Conner
Hello,
I am getting EJBAccessException (method invocation is not allowed) when
using Arquillian to test secured EJBs. I expect to get this exception
because I have not logged in at all. My project works great outside of the
test suite when redirecting to my keycloak server and then serving up my
web applications protected resource. Before securing my EJBs, Arquillian
was working fine.
I've looked all over and the only example that comes remotely close is this
link... https://samaxes.com/2014/11/test-javaee-security-with-arquillian/
In it the author uses @RunAs. I would also like to use this annotation. I
have set up my project exactly like the author's, however I still cannot
access my secured EJB.
The author's project does not use @SecurityDomain("keycloak") and I'm
having a hard time finding any examples that do.
Can my test suite use @RunAs when configured with the
keycloak-wildfly-adapter?
The only other option I can think of (and would rather not go this route)
is writing a custom module (because I don't see how to do it via the
adapter) to obtain an access token with Resource Owner Password Grant. But
then I do not see any examples of how to use keycloak-wildfly-adapter and
programmatically login with a raw access token, so is this even possible?
Thanks for your time,
Jordan
7 years, 3 months
What is resource owner with the Spring Boot adapter?
by uğur kolip
Hi,
I am using the Spring Boot adapter.
Is the owner of a resource just an attribute like the others (name, type) to use?
*The resource owner filters all requests if the request's owner is not the same. I expect
it not to filter.*
When I make a request to the server with the admin user, resources whose owner is not
admin are not shown.
I tried to add some logic to a JS policy, but the JS policy does not work because it
doesn't even reach that level.
What should I do if a group of users uses the same resource?
I think that the photoz example works differently (both admin and owner can
access the album).
Should I do something to not filter those who are not the owner?
Thank you for helping
7 years, 3 months
Migrate data between realms by the startup command
by marcelo.miura
Hi,
Is there a way to import data from a realm to another by the startup
command?
I could do it by the admin console option, but it does not keep the user
ids and I would need that.
I also tried using the option -Dkeycloak.migration.realmName for importing
the data, but it did not work either.
Thanks in advance.
7 years, 3 months
Updating resources via adapter client
by Richard van Duijn
Hi,
Referring to ticket: https://issues.jboss.org/browse/KEYCLOAK-4136
I'm puzzled. I was investigating the possibility of updating a given resource
(for instance updating the name of the resource). I read the documentation (
here
<https://keycloak.gitbooks.io/authorization-services-guide/content/v/2.4/t...>)
stating that there is a PUT endpoint with the path set to: *Update resource
set description: PUT /resource_set/{_id}*
I use the AuthzClient to manage resources from my client using the line:
*ProtectedResource resourceClient =
this.authzClient.protection().resource()*;
The ProtectedResource class does not implement the updateResource method.
(I hope this will be fixed soon.)
BUT, I attempted to implement the logic myself and kept receiving a *405*
response from Keycloak. Details on the call can be found here
<https://issues.jboss.org/browse/KEYCLOAK-4136?focusedCommentId=13341799&p...>
In the debug mode I get the following data:
"PUT
/auth/realms/photoz/authz/protection/resource_set/98800456-37d5-4ebe-9a63-c007e7bdd70b
HTTP/1.1[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >>
"Authorization: Bearer [BEARER-TOKEN-HERE][\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >>
"Content-Type: application/json[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >>
"Content-Length: 206[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host:
127.0.0.1:8080[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >>
"Connection: Keep-Alive[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >>
"User-Agent: Apache-HttpClient/4.5.2 (Java/1.8.0_112)[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >>
"Accept-Encoding: gzip,deflate[\r][\n]"
14:17:52.612 [main] DEBUG org.apache.http.wire - http-outgoing-0 >>
"[\r][\n]"
14:17:52.612 [main] DEBUG org.apache.http.wire - http-outgoing-0 >>
"{"name":"my-resource-2","uri":"/test/1","type":"urn:nl.company:type:testresource","scopes":[{"name":"urn:
nl.company
:scope:testscope"}],"owner":"admin","_id":"98800456-37d5-4ebe-9a63-c007e7bdd70b"}"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 <<
"HTTP/1.1 405 Method Not Allowed[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Allow:
HEAD, DELETE, GET, OPTIONS[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 <<
"Connection: keep-alive[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 <<
"X-Powered-By: Undertow/1[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 <<
"Server: WildFly/10[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 <<
"Content-Length: 0[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Date:
Wed, 28 Dec 2016 13:17:52 GMT[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 <<
"[\r][\n]"
Is the endpoint correctly configured, or is there something else I'm doing
incorrectly?
7 years, 3 months
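A way to read the wire log in the post above mechanically, as an added example (not the poster's or Keycloak's code): it splits the org.apache.http.wire DEBUG lines into the request and the response, then checks the requested method against the server's Allow header, which is what explains the 405. The log excerpt is reconstructed from the post, with a few headers dropped.

```python
import re
from dataclasses import dataclass, field

# Wire-log excerpt reconstructed from the post above (one log line per HTTP line;
# the bearer token is already a placeholder in the original).
WIRE_LOG = r"""
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "PUT /auth/realms/photoz/authz/protection/resource_set/98800456-37d5-4ebe-9a63-c007e7bdd70b HTTP/1.1[\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Authorization: Bearer [BEARER-TOKEN-HERE][\r][\n]"
14:17:52.610 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Content-Type: application/json[\r][\n]"
14:17:52.612 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]"
14:17:52.612 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "{"name":"my-resource-2","uri":"/test/1","owner":"admin","_id":"98800456-37d5-4ebe-9a63-c007e7bdd70b"}"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 405 Method Not Allowed[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Allow: HEAD, DELETE, GET, OPTIONS[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "Content-Length: 0[\r][\n]"
14:17:52.620 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[\r][\n]"
"""

LINE_RE = re.compile(r'http-outgoing-\d+ (>>|<<) "(.*)"$')
CRLF = r"[\r][\n]"  # how org.apache.http.wire renders a line terminator

@dataclass
class Message:
    start_line: str = ""
    headers: dict = field(default_factory=dict)
    body: str = ""
    in_body: bool = False

def parse_wire_log(text):
    """Split an org.apache.http.wire DEBUG dump into the request (>>) and response (<<)."""
    msgs = {">>": Message(), "<<": Message()}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        msg, chunk = msgs[m.group(1)], m.group(2)
        if msg.in_body:
            msg.body += chunk
        elif not msg.start_line:
            msg.start_line = chunk.replace(CRLF, "")
        elif chunk == CRLF:  # empty line: end of the header block
            msg.in_body = True
        else:
            name, _, value = chunk.replace(CRLF, "").partition(":")
            msg.headers[name.strip().lower()] = value.strip()
    return msgs[">>"], msgs["<<"]

def diagnose(request, response):
    """Return (status, requested method, methods the server allows, whether it is allowed)."""
    method = request.start_line.split(" ", 1)[0]
    status = int(response.start_line.split(" ")[1])
    allowed = [a.strip() for a in response.headers.get("allow", "").split(",") if a.strip()]
    return status, method, allowed, method in allowed
```

Run against the excerpt, `diagnose` reports status 405 for method PUT with Allow listing only HEAD, DELETE, GET and OPTIONS, so the 405 comes from the endpoint not exposing PUT rather than from the request body or headers.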
Understanding the photoz example
by Avinash Kundaliya
I have been going through the photoz example and I am curious how
the Drools application knows the resource owner [1] or gets details about
the resource in general. Can this be done with a JavaScript-based policy?
Is there a post/description about how the photoz example works and how
information flows in this example? I am trying to understand via the
code as of now; the Readme is a good introduction to what it does, but
not enough to understand what's really happening.
I am having a hard time understanding how to set up Keycloak
authorization and am also missing documentation/explanation on how to do
things. If there's a resource that someone could refer me to, that would be
great.
[1]
https://github.com/keycloak/keycloak/blob/master/examples/authz/photoz/ph...
Regards,
Avinash
7 years, 3 months
Performance lag in client role creation and retrieval
by Padmaka Wijaygoonawardena
Hi,
I'm currently using Keycloak 2.2.1 with a MySQL database. The setup I'm
using has 2 Keycloak nodes and around 4000 client roles for one client. The
process I go through for adding is as follows:
1. GET call to check whether the role already exists. (takes around
2000ms)
2. POST call to create the new client role. (takes around 10000ms)
3. GET call to get the newly created client role (since the create role
call doesn't send the full client role in the response body). (takes around
10000ms)
The Keycloak version I used earlier was 1.9.0; with that version this
process worked fine, with one call taking around 700ms on average.
So as shown above this is a huge performance lag. With further
investigation I found the following points:
1. When using only one Keycloak node this problem doesn't appear.
Therefore it should be some issue with the Infinispan cache.
2. When I remove the GET calls and only send the create calls, the
calls return in 2000ms on average.
3. This lag only appears when executing a get role call soon after
creating a client role.
I double-checked the changes for 2.3.0 [1]; since there is nothing said
about cache or related issues, I raised this issue.
Any advice or fix would be highly appreciated. Thanks in advance.
[1] - http://blog.keycloak.org/2016/10/keycloak-230cr1-released.html
Cheers,
Padmaka.
7 years, 3 months
Spring security adapter best practices
by Haim Vana
Hi,
We were wondering what is the best practice for the use of spring security adapter:
I notice that the security context is an instance of RefreshableKeycloakSecurityContext, which means (correct me if I'm wrong) that whenever a token is about to be revoked, a refresh is issued.
I used all the XML beans that are in the documentation <https://emea01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fkeyclo...>, but still, when I put a breakpoint on RefreshableKeycloakSecurityContext -> refreshExpiredToken, it stops only once: on logout (which is another mystery to me). I also noticed that this method is public, yet no other class uses it.
Do I need to invoke it explicitly? Where?
Thanks,
Dekel.
The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.
7 years, 4 months
After keycloak upgrade offline tokens are revoked
by Haim Vana
Hi,
We would like to upgrade our Keycloak version to the latest; currently we use 1.9.3.
After upgrading to version 2.3 we noticed that the offline tokens that were created before the upgrade are revoked; the response below is received.
Is it a known defect? Is there any workaround?
{
"error": "invalid_grant",
"error_description": "Invalid refresh token"
}
Thanks,
Haim.
7 years, 4 months
Policy enforcer without context path
by uğur kolip
Hi
I use Keycloak 4.5.0.Final with the Spring Boot adapter.
When there isn't a context path, I get a 403 Forbidden error. (message: "Could
not find a configuration for path [/getRoles/alice]."
path: "/admin/getRoles/alice")
Do we have to add a contextPath? Am I doing something wrong? Or is it a bug?
If we don't, the path will be wrong.
My opinion is based on these lines:
In the AbstractPolicyEnforcer class (keycloak-adapter-core), there is:
String pathInfo = URI.create(request.getURI()).getPath().substring(1);
String path = pathInfo.substring(pathInfo.indexOf('/'), pathInfo.length());
Thank you for helping
7 years, 4 months
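To make the effect of the two quoted lines concrete, here is an added example (Python for illustration, not Keycloak's code) that mirrors that path logic, puts a context-path-aware variant next to it, and runs both through a simplified path lookup. The configured policy path, the glob matching and the fixed variant are assumptions; the request path and error shape are the ones in the post.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def enforcer_path_as_quoted(request_uri):
    """Python mirror of the two Java lines quoted above: drop the leading '/' and
    then treat everything up to the next '/' as the servlet context path."""
    path_info = urlsplit(request_uri).path[1:]       # getPath().substring(1)
    cut = path_info.find("/")                        # pathInfo.indexOf('/')
    if cut < 0:                                      # Java would throw: substring(-1, ...)
        raise ValueError("no second '/' in %r" % path_info)
    return path_info[cut:]                           # substring(indexOf('/'), length())

def enforcer_path_with_context(request_uri, context_path=""):
    """Assumed fix, not Keycloak's code: strip only a context path that is actually
    configured, so an application deployed at the root keeps its full path."""
    path = urlsplit(request_uri).path
    ctx = context_path.strip("/")
    if ctx and (path == "/" + ctx or path.startswith("/" + ctx + "/")):
        path = path[len(ctx) + 1:] or "/"
    return path

def find_path_config(path, configured_paths):
    """Simplified stand-in for the enforcer's path lookup (glob match, an assumption).
    Returns the matching configured path, or None, which is what becomes the 403."""
    for pattern in configured_paths:
        if fnmatchcase(path, pattern):
            return pattern
    return None

if __name__ == "__main__":
    # Constructed case matching the error in the post: no context path, the app
    # protects /admin/getRoles/*, but the enforcer evaluates /getRoles/alice.
    url = "http://127.0.0.1:8080/admin/getRoles/alice"
    policies = ["/admin/getRoles/*"]
    quoted = enforcer_path_as_quoted(url)
    fixed = enforcer_path_with_context(url, context_path="")
    print("quoted logic:", quoted, "->", find_path_config(quoted, policies))
    print("with context:", fixed, "->", find_path_config(fixed, policies))
```

With the quoted logic the lookup is done for /getRoles/alice and finds nothing, while the context-aware variant keeps /admin/getRoles/alice and matches; when a real context path such as /admin is configured, both variants agree.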