OAuth Access Token Response in XML
by Aswini Sarathi
Hi,
I am trying to find out if there is a way to get the response from the token endpoint /realms/{realm-name}/protocol/openid-connect/token in XML or JSON format based on the Accept header. If it's not supported out of the box, what other options are available to do this? Should I look at creating a custom endpoint by implementing the SPI to do the mapping?
Thanks!!
8 years, 5 months
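Keycloak's token endpoint only produces JSON (application/json); it does not switch representation on the Accept header, so an XML representation has to be produced by something in front of the endpoint or by a custom resource. What follows is an added example, not code from the original post or from Keycloak: a small translation layer that validates a token response against RFC 6749 section 5.1, honours the caller's Accept header (q-values included) and keeps the no-store caching headers the RFC requires for token responses. The sample token response is constructed (dummy tokens), and the function names are mine.

```python
"""Content negotiation for an OAuth 2.0 token response (added example).

Keycloak's token endpoint returns JSON only; this is a hypothetical
translation layer (reverse proxy or custom SPI resource) that re-serialises
a token response as XML when the client asks for it.
"""
import json
import xml.etree.ElementTree as ET

# Fields a token response must / may carry (RFC 6749 section 5.1),
# plus the extra fields Keycloak adds.
REQUIRED = ("access_token", "token_type")
OPTIONAL = ("expires_in", "refresh_token", "scope", "id_token",
            "refresh_expires_in", "not-before-policy", "session_state")

# Constructed sample in the shape of a Keycloak token response; the tokens
# are dummies, not real JWTs.
SAMPLE_TOKEN_JSON = json.dumps({
    "access_token": "eyJhbGciOiJSUzI1NiJ9.e30.c2lnbmF0dXJl",
    "expires_in": 300,
    "refresh_expires_in": 1800,
    "refresh_token": "eyJhbGciOiJIUzI1NiJ9.e30.c2ln",
    "token_type": "bearer",
    "not-before-policy": 0,
    "session_state": "2f4d2d1a-0000-4000-8000-000000000000",
})


def parse_accept(accept):
    """Return the media types of an Accept header, best q-value first.

    Ties keep header order; entries with q=0 are dropped."""
    prefs = []
    for position, item in enumerate(accept.split(",")):
        parts = [p.strip() for p in item.split(";")]
        if not parts[0]:
            continue
        q = 1.0
        for param in parts[1:]:
            if param.startswith("q="):
                try:
                    q = float(param[2:])
                except ValueError:
                    q = 0.0
        prefs.append((q, -position, parts[0].lower()))
    prefs.sort(reverse=True)
    return [media_type for q, _, media_type in prefs if q > 0]


def choose_format(accept):
    """Pick 'xml' or 'json'; JSON is the default and what Keycloak sends."""
    for media_type in parse_accept(accept or "*/*"):
        if media_type in ("application/xml", "text/xml"):
            return "xml"
        if media_type in ("application/json", "application/*", "*/*"):
            return "json"
    return "json"


def render_token_response(token_json, accept):
    """Validate a token response and re-serialise it per the Accept header.

    Returns (headers, body). Raises ValueError if a required field is absent,
    so a malformed upstream response is never forwarded as-is."""
    data = json.loads(token_json)
    missing = [field for field in REQUIRED if field not in data]
    if missing:
        raise ValueError("token response missing %s" % ", ".join(missing))
    # RFC 6749 5.1: token responses must not be cached by clients or proxies.
    headers = {"Cache-Control": "no-store", "Pragma": "no-cache"}
    if choose_format(accept) == "json":
        headers["Content-Type"] = "application/json"
        return headers, json.dumps(data)
    root = ET.Element("token_response")
    for key in REQUIRED + OPTIONAL:
        if key in data:
            # ElementTree escapes the text, so a hostile value cannot break
            # out of its element.
            ET.SubElement(root, key).text = str(data[key])
    headers["Content-Type"] = "application/xml"
    return headers, ET.tostring(root, encoding="unicode")
```

The translation is done on the response only; the request to Keycloak's token endpoint stays unchanged, and the no-store headers travel with the token in either representation.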
Fwd: functionality questions (Keycloak 2)
by Bradley Beddoes
Hello,
I've been evaluating Keycloak 2 releases recently (documentation and local deployment) to determine if Keycloak might be a suitable fit for a future project we're considering.
A lot of the moving parts we require are present but I see a few incompatibilities when it comes to the model we need vs my interpretation of Keycloak functionality.
To help explain what I'm trying to achieve I've created two small diagrams:
1. https://drive.google.com/file/d/0B9Ye3fFQSfx-YWUtcEF2Z0MxSjA/view
This is the overall goal. On the far right 1 or more OIDC or SAML service instances are grouped together and overseen by 1 or more local administrators. Each group then relies on some central process to handle authentication, sso and identity resolution by some process it doesn't need to care about. In our case this would be mostly by authentication against and identity transfer from multiple SAML 2.x IdP (Shibboleth) from which we'd locally store/update/augment as a single cache of identity data. Groups would have the ability to translate/augment identity data before returning it back to the service instance the end user was attempting to access.
End users would have the ability to:
- Approve release of identity information to a service group (approval would apply to all service instances within a group);
- Review all identity information which is held about them centrally and update if required;
- View a list of previous release approvals across all service groups (and revoke if desired);
- Undertake a range of standard session based actions, such as revoking currently active tokens, determining where active sessions are held etc.
2. https://drive.google.com/file/d/0B9Ye3fFQSfx-amJZVGF5QWZwdmM/view
This is my interpretation of Keycloak functionality. OIDC and SAML service instances belong to realms and administrators are assigned to a realm. Each realm can be configured to offload authentication and identity resolution to a central realm which can be configured to talk to 1 or more SAML 2.x IdP. This realm will cache identity data locally. When an end user approves identity release it applies to all service instances within the owning realm.
From here though I believe the following differences are present:
- Each realm duplicates identity data for every user who authenticates to a service within that realm
- If user identity changes in the master realm those changes are not reflected in all service facing realms
- Any augmentation of identity, such as role membership, is per realm
- Users can only manage identity information, release approvals etc per realm
- Session based actions are only per realm
Based on the above descriptions, any help the community could offer to align my design goals with functionality present in Keycloak would be fantastic.
cheers,
Bradley
--
*Bradley Beddoes*
*Australian Access Federation Inc*
8 years, 5 months
Keycloak and Salesforce IdP identity brokering
by Peter Nalyvayko
Hello,
I am trying to integrate Keycloak and Salesforce using Salesforce as an identity provider. It seems some of the information required to properly set up Salesforce as a SAML IdP is missing in Keycloak's SAML identity provider configuration. For example, "Entity Id", according to the Salesforce documentation, is "This value comes from the service provider. Each entity ID in an organization must be unique. If you're accessing multiple apps from your service provider, you only need to define the service provider once, and then use the RelayState parameter to append the URL values to direct the user to the correct app after signing in." (https://help.salesforce.com/HTViewHelpDoc?id=service_provider_define.htm&...). The SAML identity provider configuration in Keycloak does not have a setting to specify "Entity Id". Another missing attribute is "ACS URL" (The ACS, or assertion consumer service, URL comes from the SAML service provider.).
Has anyone been able to set up Salesforce as IdP and Keycloak as SP using Keycloak's SAML identity provider? Is this even possible given that some required parameters are missing?
Thx
Peter
8 years, 5 months
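The two values Salesforce asks for are supplied by the service provider side, which in this setup is Keycloak's identity broker; they are not entered into Keycloak's identity provider form but read off it. The block below is an added example and is not from the original post or from Keycloak. It assumes what Keycloak 2.x used at the time, to my knowledge: the realm URL `{base}/realms/{realm}` as the SP entity ID, `{base}/realms/{realm}/broker/{alias}/endpoint` as the assertion consumer service (the "Redirect URI" the admin console shows), and an SP metadata descriptor served under `.../broker/{alias}/endpoint/descriptor`. Verify those against the descriptor your own server publishes before handing them to Salesforce. The metadata document in the block is constructed, and the function names are mine.

```python
"""Read the SP-side SAML settings an IdP like Salesforce asks for
(added example, not Keycloak code)."""
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def keycloak_sp_urls(base_url, realm, alias):
    """SP entity ID, ACS URL and descriptor URL that Keycloak 2.x derived
    for identity provider `alias` in `realm` (assumption: check the
    descriptor your server serves)."""
    realm_url = "%s/realms/%s" % (base_url.rstrip("/"), realm)
    endpoint = "%s/broker/%s/endpoint" % (realm_url, alias)
    return {"entity_id": realm_url,
            "acs_url": endpoint,
            "descriptor_url": endpoint + "/descriptor"}


# Constructed sample of an SP metadata descriptor (not captured from a server).
SAMPLE_SP_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sso.example.org/auth/realms/demo">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sso.example.org/auth/realms/demo/broker/salesforce/endpoint"
        index="1" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings_from_metadata(metadata_xml):
    """Return entity ID, POST-binding ACS URL and signing expectations.

    Metadata fetched from a remote party should go through a hardened parser
    (e.g. defusedxml); the stdlib parser is fine for a local file."""
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    spsso = root.find(MD + "SPSSODescriptor")
    if spsso is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")
    acs_by_binding = {}
    for svc in spsso.findall(MD + "AssertionConsumerService"):
        location = svc.get("Location", "")
        # Assertions carry the user's identity; never accept them over http.
        if not location.startswith("https://"):
            raise ValueError("ACS must be https, got %r" % location)
        acs_by_binding[svc.get("Binding")] = location
    if HTTP_POST not in acs_by_binding:
        raise ValueError("no HTTP-POST AssertionConsumerService")
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs_by_binding[HTTP_POST],
        "want_assertions_signed": spsso.get("WantAssertionsSigned") == "true",
        "authn_requests_signed": spsso.get("AuthnRequestsSigned") == "true",
    }


def consistent(metadata_settings, derived):
    """Both values given to the IdP must match what the broker actually
    uses, or the IdP posts assertions to an endpoint that rejects them."""
    return (metadata_settings["entity_id"] == derived["entity_id"]
            and metadata_settings["acs_url"] == derived["acs_url"])
```

When filling in the Salesforce side, `entity_id` goes into its "Entity Id" field and `acs_url` into "ACS URL"; `want_assertions_signed` tells you whether Keycloak will reject unsigned assertions, which is the setting to keep on.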
Mongo and 2.0.0.Final
by John Bartko
Hello all,
I get the following stack trace attempting to use 2.0.0.Final against a MongoDB backend. Following the keycloak-mongo <https://github.com/jboss-dockerfiles/keycloak/tree/master/server-mongo> readme should reproduce the behavior.
21:58:31,802 ERROR [org.jboss.msc.service.fail] (ServerService Thread Pool -- 47) MSC000001: Failed to start service jboss.undertow.deployment.default-server.default-host./auth: org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:85)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    at org.jboss.threads.JBossThread.run(JBossThread.java:320)
Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:162)
    at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2209)
    at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:299)
    at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:240)
    at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:113)
    at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117)
    at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78)
    at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103)
    at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:231)
    at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:132)
    at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:526)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:101)
    at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:82)
    ... 6 more
Caused by: java.lang.RuntimeException: Property 'databaseSchema' needs to be specified in the configuration
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.lazyInit(DefaultJpaConnectionProviderFactory.java:131)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:60)
    at org.keycloak.connections.jpa.DefaultJpaConnectionProviderFactory.create(DefaultJpaConnectionProviderFactory.java:48)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
    at org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.getEntityManager(JPAAuthorizationStoreFactory.java:54)
    at org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.create(JPAAuthorizationStoreFactory.java:35)
    at org.keycloak.authorization.jpa.store.JPAAuthorizationStoreFactory.create(JPAAuthorizationStoreFactory.java:32)
    at org.keycloak.services.DefaultKeycloakSession.getProvider(DefaultKeycloakSession.java:103)
    at org.keycloak.models.authorization.infinispan.CachedPolicyStore.getStoreFactory(CachedPolicyStore.java:193)
    at org.keycloak.models.authorization.infinispan.CachedPolicyStore.getDelegate(CachedPolicyStore.java:201)
    at org.keycloak.models.authorization.infinispan.CachedPolicyStore.findByType(CachedPolicyStore.java:179)
    at org.keycloak.authorization.policy.provider.drools.DroolsPolicyProviderFactory$1.onEvent(DroolsPolicyProviderFactory.java:75)
    at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:64)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:130)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
    at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150)
    ... 19 more
21:58:31,809 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "keycloak-server.war")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.undertow.deployment.default-server.default-host./auth" => "org.jboss.msc.service.StartException in service jboss.undertow.deployment.default-server.default-host./auth: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: RESTEASY003325: Failed to construct public org.keycloak.services.resources.KeycloakApplication(javax.servlet.ServletContext,org.jboss.resteasy.core.Dispatcher)
    Caused by: java.lang.RuntimeException: Property 'databaseSchema' needs to be specified in the configuration"}}
Any thoughts?
Thanks,
-John Bartko
8 years, 5 months
how get info from adapterConfig
by LIEVRE Olivier
Hello,
I've secured a REST server with Keycloak 1.9.7, and I would like to implement a public REST GET method for a non-authenticated user to get the adapterConfig info linked to my war.
My war adapter is configured in my standalone.xml.
Is there an easy way to read the adapterConfig info from standalone in that case?
When a user makes an authenticated request, I can get that info by getting RefreshableKeycloakSecurityContext from the HTTP request.
KR,
Olivier
8 years, 5 months
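Whichever way the adapter configuration is read, an endpoint open to unauthenticated callers should hand out only the fields a browser needs to start a login against the same realm and client. The `secure-deployment` block in standalone.xml for a confidential client also carries the client secret in `<credential name="secret">`, and that value must never reach the public endpoint. The block below is an added example in Python, not the Java adapter API and not code from the original post: it allow-lists the public fields of a constructed standalone.xml fragment (with a dummy secret) and reports what it withheld, so the filtering rule can be reviewed on its own. Field names follow keycloak.json; the function names are mine.

```python
"""Public view of a Keycloak adapter configuration (added example)."""
import json
import xml.etree.ElementTree as ET

# Constructed sample: the adapter subsystem as it appears in standalone.xml;
# the secret is a dummy value.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:4.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:keycloak:1.1">
      <secure-deployment name="my-rest-server.war">
        <realm>demo</realm>
        <auth-server-url>https://sso.example.org/auth</auth-server-url>
        <ssl-required>external</ssl-required>
        <resource>my-rest-server</resource>
        <public-client>false</public-client>
        <credential name="secret">s3cr3t-do-not-leak</credential>
      </secure-deployment>
    </subsystem>
  </profile>
</server>"""

# Fields a browser needs to start a login against the same realm and client
# (keycloak.json names). Anything not listed here stays private.
PUBLIC_FIELDS = ("realm", "auth-server-url", "ssl-required", "resource",
                 "public-client", "realm-public-key")


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def public_adapter_config(standalone_xml, war_name):
    """Return (public_config, withheld) for the secure-deployment `war_name`.

    public_config is safe to serialise for an unauthenticated caller;
    withheld lists the credential elements that were dropped, so a reviewer
    can confirm the secret never left the server."""
    root = ET.fromstring(standalone_xml)
    for deployment in root.iter():
        if (_local(deployment.tag) == "secure-deployment"
                and deployment.get("name") == war_name):
            break
    else:
        raise KeyError("no secure-deployment named %r" % war_name)
    public, withheld = {}, []
    for child in deployment:
        name = _local(child.tag)
        value = (child.text or "").strip()
        if name == "public-client":
            public[name] = value == "true"
        elif name in PUBLIC_FIELDS:
            public[name] = value
        elif name == "credential":
            withheld.append(child.get("name", "credential"))
        # Any other element (including secret-bearing ones added in later
        # adapter versions) is dropped by default rather than passed through.
    return public, withheld


def public_adapter_json(standalone_xml, war_name):
    """Body for the public GET endpoint."""
    public, _ = public_adapter_config(standalone_xml, war_name)
    return json.dumps(public, sort_keys=True)
```

The allow-list is the important part: a deny-list that only strips `credential` would start leaking the moment a new secret-bearing element appears in the subsystem schema.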