Social login Issue
by Tom Pearson
Hi,
I'm currently part of a team implementing a single sign-on solution using OpenID Connect and Keycloak.
We have a number of services which all interact with a central JSON REST API. The API is secured according to the second OpenID Connect use case as described in the Keycloak docs
<https://keycloak.gitbooks.io/securing-client-applications-guide/content/v...>.
That is to say, all API clients must obtain a digitally signed access token from Keycloak and then pass it on every request (in our case, within the Authorization header).
One of the services is a native mobile application. This application
already has social login/registration implemented and the team would prefer
not to redirect to Keycloak as per the standard authorization code flow.
Instead, they would like to obtain a Keycloak access token using the
previously obtained social login credentials.
This seems to pose a problem as the direct grant flow doesn't support
social login. Is there any way to achieve this?
Kind Regards,
Tom Pearson
8 years, 5 months
API Token param
by Harry Trinta
Hi,
When authenticating through the token API ("*/openid-connect/token"), is it possible to send a parameter (key/value) and have this parameter added to the access_token?
Regards,
Harry
8 years, 5 months
JDBC Connection is closed early for Infinispan
by Sarp Kaya
Hello,
For caching, if we are using Infinispan with JDBC_PING, then the JDBC connection is closed before Infinispan stops its caching-related work. This causes an exception to be thrown, and therefore Infinispan is not really shut down gracefully.
Logs:
2016-07-11 00:53:48,330 INFO [org.jboss.as.server] (Thread-2) WFLYSRV0220: Server shutdown has been requested.
2016-07-11 00:53:48,385 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) WFLYJCA0010: Unbound data source [java:/MySQLDS]
2016-07-11 00:53:48,394 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000080: Disconnecting JGroups channel web
2016-07-11 00:53:48,396 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000080: Disconnecting JGroups channel server
2016-07-11 00:53:48,395 INFO [org.wildfly.extension.undertow] (ServerService Thread Pool -- 60) WFLYUT0022: Unregistered web context: /auth
2016-07-11 00:53:48,397 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000082: Stopping the RpcDispatcher for channel web
2016-07-11 00:53:48,398 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000082: Stopping the RpcDispatcher for channel server
2016-07-11 00:53:48,403 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000080: Disconnecting JGroups channel hibernate
2016-07-11 00:53:48,408 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000082: Stopping the RpcDispatcher for channel hibernate
2016-07-11 00:53:48,407 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000080: Disconnecting JGroups channel ejb
2016-07-11 00:53:48,411 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000082: Stopping the RpcDispatcher for channel ejb
2016-07-11 00:53:48,414 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending
2016-07-11 00:53:48,416 WARN [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (ServerService Thread Pool -- 59) IJ000615: Destroying active connection in pool: MySQLDS (org.jboss.jca.adapters.jdbc.local.LocalManagedConnection@57e067d0)
2016-07-11 00:53:48,423 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 0.0.0.0:8443
2016-07-11 00:53:48,429 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0019: Stopped Driver service with driver-name = mysql
2016-07-11 00:53:48,434 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0019: Host default-host stopping
2016-07-11 00:53:48,448 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-1) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS]
2016-07-11 00:53:48,467 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0003: Stopped sessions cache from keycloak container
2016-07-11 00:53:48,472 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0003: Stopped realms cache from keycloak container
2016-07-11 00:53:48,475 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 60) WFLYCLINF0003: Stopped loginFailures cache from keycloak container
2016-07-11 00:53:48,477 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 59) WFLYCLINF0003: Stopped offlineSessions cache from keycloak container
2016-07-11 00:53:48,487 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-1) WFLYJCA0019: Stopped Driver service with driver-name = h2
2016-07-11 00:53:48,489 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 63) WFLYCLINF0003: Stopped users cache from keycloak container
2016-07-11 00:53:48,492 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow AJP listener ajp suspending
2016-07-11 00:53:48,496 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 62) WFLYCLINF0003: Stopped realmVersions cache from keycloak container
2016-07-11 00:53:48,497 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow AJP listener ajp stopped, was bound to 0.0.0.0:8009
2016-07-11 00:53:48,500 INFO [org.jboss.as.clustering.infinispan] (ServerService Thread Pool -- 64) WFLYCLINF0003: Stopped work cache from keycloak container
2016-07-11 00:53:48,499 INFO [org.jboss.modcluster] (ServerService Thread Pool -- 65) MODCLUSTER000002: Initiating mod_cluster shutdown
2016-07-11 00:53:48,506 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0028: Stopped deployment keycloak-server.war (runtime-name: keycloak-server.war) in 138ms
2016-07-11 00:53:48,499 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0008: Undertow HTTP listener default suspending
2016-07-11 00:53:48,508 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 0.0.0.0:8080
2016-07-11 00:53:48,516 INFO [org.jboss.as.clustering.infinispan] (MSC service thread 1-2) WFLYCLINF0003: Stopped authorization cache from keycloak container
2016-07-11 00:53:48,517 INFO [org.wildfly.extension.undertow] (MSC service thread 1-1) WFLYUT0004: Undertow 1.3.15.Final stopping
2016-07-11 00:53:48,542 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000080: Disconnecting JGroups channel keycloak
2016-07-11 00:53:48,543 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000082: Stopping the RpcDispatcher for channel keycloak
2016-07-11 00:53:48,553 ERROR [org.jgroups.protocols.JDBC_PING] (MSC service thread 1-1) Could not open connection to database: java.sql.SQLException: javax.resource.ResourceException: IJ000470: You are trying to use a connection factory that has been shut down: java:/MySQLDS
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:146)
at org.jboss.as.connector.subsystems.datasources.WildFlyDataSource.getConnection(WildFlyDataSource.java:66)
at org.jgroups.protocols.JDBC_PING.getConnection(JDBC_PING.java:348)
at org.jgroups.protocols.JDBC_PING.delete(JDBC_PING.java:379)
at org.jgroups.protocols.JDBC_PING.deleteSelf(JDBC_PING.java:395)
at org.jgroups.protocols.JDBC_PING.stop(JDBC_PING.java:144)
at org.jgroups.stack.ProtocolStack.stopStack(ProtocolStack.java:1015)
at org.jgroups.JChannel.stopStack(JChannel.java:1002)
at org.jgroups.JChannel.disconnect(JChannel.java:373)
at org.wildfly.clustering.jgroups.spi.service.ChannelConnectorBuilder.stop(ChannelConnectorBuilder.java:103)
at org.jboss.msc.service.ServiceControllerImpl$StopTask.stopService(ServiceControllerImpl.java:2056)
at org.jboss.msc.service.ServiceControllerImpl$StopTask.run(ServiceControllerImpl.java:2017)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.resource.ResourceException: IJ000470: You are trying to use a connection factory that has been shut down: java:/MySQLDS
at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:735)
at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:138)
... 14 more
2016-07-11 00:53:48,559 ERROR [org.jgroups.protocols.JDBC_PING] (MSC service thread 1-1) Failed to delete PingData in database
2016-07-11 00:53:51,576 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0050: Keycloak 2.0.0.Final (WildFly Core 2.0.10.Final) stopped in 3208ms
Kind Regards,
Sarp Kaya
8 years, 5 months
Admin user from LDAP server
by Fabricio Milone
Hi,
We would like to be able to create the admin user using LDAP, so the credentials are not stored in Keycloak's database at all.
I think there is no way to achieve this at the moment; do you think this is possible?
I'd like to create a feature request if you don't mind.
Regards
--
*Fabricio Milone*
Developer
*Shine Consulting *
30/600 Bourke Street
Melbourne VIC 3000
T: 03 8488 9939
M: 04 3200 4006
www.shinetech.com *a* passion for excellence
8 years, 5 months
Keycloak behind Apache with SSL - read certificate from body
by Filipe Lautert
Hello
Short story: is there a way to get the request body sent from the client inside an Authenticator (my class implements Authenticator, using the method @Override authenticate(context))? I'm trying with
context.getHttpRequest().getInputStream()
but it is empty.
Full story:
I'm trying to build a Keycloak authenticator that reads a client certificate and uses it to validate the user, using the SecretQuestionAuthenticator example as a base. The client certificate is a hard token that is read by Firefox. To handle the certificate reading part I'm using Apache mod_ssl, with the relevant configuration below:
SSLEngine on
SSLProxyEngine on
<LocationMatch "/auth">
ProxyPass ajp://localhost:8010/auth
ProxyPassReverse ajp://localhost:8010/auth
</LocationMatch>
SSLOptions +StdEnvVars +ExportCertData
... etc
Looking at a tcpdump/wireshark capture on port 8010, I can see that the client certificate is sent in the request body to Keycloak.
So far fine: Apache validates the certificate, extracts it and sends it to Keycloak. The problem is that I'm unable to read the request body inside my authenticator class, as context.getHttpRequest().getInputStream() is empty, and as the body is the raw certificate the method
context.getHttpRequest().getFormParameters()
won't return me anything.
public class SecretQuestionAuthenticator implements Authenticator {
    @Override
    public void authenticate(AuthenticationFlowContext context) {
        System.out.println(context.getHttpRequest().getInputStream().available());
        // prints 0
        System.out.println(getStringFromInputStream(context.getHttpRequest().getInputStream()));
        // empty :(
    }
    // remaining Authenticator methods omitted here
}
Any ideas of how I can get it to work?
Thanks
filipe
--
filipe lautert
8 years, 5 months
User federation provider taking care of ID provider links
by Matuszak, Eduard
Hello
I have implemented a (JPA-based) user federation provider that works pretty well so far. We now want to be able to load the link information to a federated ID provider (like Google) from the external datasource into Keycloak's DB by means of the user federation provider, when the user is initially created in the Keycloak DB via his first login (or via user synchronization). As far as I could see, the user federation SPI works with a UserModel class which does not care about those attributes. Do you see any chance to set such attributes in a user federation implementation?
One issue is that Keycloak's user entries are deleted when the user federation provider fails to connect to the federated resource (I haven't found how to deactivate this behaviour so far). The user entry is recreated after the next login succeeds (OK and fine), but the link to the identity provider is lost (not fine). The other issue is that we want to administer user attributes completely in the federated datasource to reduce the complexity of our data management.
Best regards, Eduard Matuszak
Dr. Eduard Matuszak
Worldline, an atos company
T +49 (211)399 398 63
M +49 (163)166 23 67
F +49(211) 399 22 430
eduard.matuszak(a)atos.net<mailto:eduard.matuszak@atos.net>
Max-Stromeyer-Straße 116
78467 Konstanz
Germany
de.worldline.com<http://worldline.com/de/1/Home.html>
worldline.jobs.de<http://worldline.jobs.de>
facebook.com/WorldlineKarriere<http://www.facebook.com/WorldlineKarriere>
Worldline GmbH
Geschäftsführer: Wolf Kunisch
Aufsichtsratsvorsitzender: Christophe Duquenne
Sitz der Gesellschaft: Frankfurt/Main
Handelsregister: Frankfurt/Main HRB 40 417
* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail by error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the internet, the Atos group liability cannot be triggered for the message content. Although the sender endeavors to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and shall not be liable for any damages resulting from any virus transmitted.
* * * * * * * * L E G A L D I S C L A I M E R * * * * * * * *
8 years, 5 months
Interoperability and SelfService
by Eduardo Turella
Hi,
I am new to keycloak and starting to study it since it has become Red Hat's
new Single Sign On solution.
I've been through a demonstration and saw some nice features like
two-factor authentication and social media login, and other basic features
like Realm configuration and so on. Some (very basic) questions occurred to
me, though, as I describe below:
1. There are applications in which users authenticate through ADFS (via
SAML 2.0), and other situations where the application has its own database
with its users (external public). How does Keycloak work to allow single
sign on between these two different types of authentication?
2. Keycloak offers an interface where the application user himself changes
the values of some of his own attributes (name, telephone, etc.). Can it be
extended and show other metadata? How can I customize and embed this
functionality within my application?
3. Is it possible to enable single sign on between multiple applications using different types of protocols? e.g.: a user accessed a Java application and acquired an OAuth token; then he accessed a .NET application based on SAML 2.0. Will the SSO work in this case? How?
Thank you for your help.
Regards,
--
Eduardo Turella
8 years, 5 months
Servlet Filter Adapter not working with Tomcat/Memcached
by LEONARDO NUNES
Hi everyone,
An application is deployed using the Servlet Filter Adapter on 2 Tomcats which are saving sessions to 1 Memcached. There's an Nginx load balancer with sticky sessions in front of both Tomcats.
After logging in to the application, if one Tomcat goes down or is removed from the load balancer we get the exception below. The problem occurs using the Servlet Filter Adapter; it works with the Tomcat Adapter but we can't use it for some of our applications.
java.lang.NullPointerException
org.keycloak.KeycloakSecurityContext.getRealm(KeycloakSecurityContext.java:73)
org.keycloak.adapters.RefreshableKeycloakSecurityContext.refreshExpiredToken(RefreshableKeycloakSecurityContext.java:103)
org.keycloak.adapters.servlet.OIDCFilterSessionStore.checkCurrentToken(OIDCFilterSessionStore.java:87)
org.keycloak.adapters.servlet.KeycloakOIDCFilter.doFilter(KeycloakOIDCFilter.java:145)
1. Access a restricted page of the application
2. Nginx will direct to Tomcat1 (because of sticky session next requests will go to Tomcat1)
3. You will be redirected to Keycloak Login page
4. After login, Keycloak redirects back to the restricted page
(Note: this session is already saved to memcached)
5. At Nginx disable Tomcat1 server
6. At the browser refresh the application page
7. Now the request will go to Tomcat2 server
8. The session is retrieved from memcached
9. An exception is thrown because token is null inside of KeycloakSecurityContext.getRealm()
(Note: sometimes at this step the restricted page is displayed, but if I refresh the page the exception is thrown)
I've opened the issue ticket below:
https://issues.jboss.org/browse/KEYCLOAK-3288
--
Leonardo Nunes
________________________________
This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation
8 years, 5 months
Re: [keycloak-user] How to setup a maven project generating jar containing authentication providers in a debug mode in eclipse
by Bruno Oliveira
Hi Rashmi, moving to the keycloak-user mailing list, because it's more appropriate for this kind of discussion. Also, I believe it would make sense to change the subject, so that people can easily search for this topic.
Unless I'm mistaken "--debug" parameter is for the application server
script. I didn't have enough time to think about the best solution, but
here's what worked here: https://gist.github.com/abstractj/67d07610de7ae1ec1d5d4c28dc19c75e
Instructions:
1. Get the two files from the gist and put them under a new folder
2. Run docker build -t keycloak-debug .
3. docker run -e KEYCLOAK_USER=user -e KEYCLOAK_PASSWORD=password -it -p 8787:8787 -p 8080:8080 keycloak-debug
I hope it helps.
On 2016-07-06, Rashmi Singh wrote:
> Does anyone have a clue on this issue I am having?
>
> On Sat, Jul 2, 2016 at 7:13 PM, Rashmi Singh <singhrasster(a)gmail.com> wrote:
>
> > Thanks for your reply Francis. I still have one problem:
> >
> > When I run this:
> > $ docker run --name keycloak1 -p 8080:8080 -p 8787:8787 jboss/keycloak
> >
> > I can access the keycloak app console on http://192.168.99.100:8080/auth/
> > from my browser
> >
> > But when I run it in debug mode as:
> > $ docker run --name keycloak1 -p 8080:8080 -p 8787:8787 jboss/keycloak
> > --debug
> >
> > I cannot access the keycloak console. What is wrong here, any idea?
> >
> > On Fri, Jul 1, 2016 at 12:48 AM, Francis Pouatcha <
> > francis.pouatcha(a)adorsys.com> wrote:
> >
> >> Rashmi,
> >>
> >> follow these instructions to have keycloack debug accessible from eclipse:
> >>
> >> 1- Simple web application
> >> Use a simple HelloServlet to try out the debugging process before
> >> applying your experience to wildfly.
> >>
> >> 1- Wildfly and eclipse
> >> Like Thomas mentioned, make sure you activate the debug property while
> >> starting wildfly. This is independent of keycloak, as keycloak is just
> >> another web application running on wildfly. So make sure you have a simple
> >> webapp running in wildfly standalone so you can get used to the debugging
> >> process.
> >>
> >> 2- Wildfly in a docker container
> >> Take your simple web application and wildfly into a docker container and
> >> try following:
> >> a) Make sure you start wildfly in the container in debug mode. No matter
> >> how you manage the docker containers in your development environment, you
> >> will have to expose their ports so you can reach the container from and
> >> outside the docker host. "Exposing the port means mapping the defined
> >> wildfly ports to some other ports on the docker host. If you are using
> >> docker-composer you have to try something like: ports:\ - "8080:8080"\
> >> - "8787:8787". In this case see the docker-compose reference for details.
> >>
> >> 3- Accessing the docker container
> >> Once your wildfly docker container is started in debug mode, make sure you
> >> can access your HelloServlet from a web browser on the same machine on
> >> which you have your eclipse installed. If this works, use the same hostname
> >> or ip to replace "localhost" in your eclipse debugging config. Generally
> >> this will default to: 192.168.99.100:8787.
> >>
> >> If you did it right, you will be able to stop on the breakpoint inside your
> >> HelloServlet.
> >>
> >> 4- Keycloak
> >> Repeat the same procedure with your custom authenticator. Do not forget
> >> to download the keycloak sources and include them in your source path
> >> so you can navigate and set break points.
> >>
> >>
> >> Best regards
> >> Mit freundlichen Grüßen
> >> Cordialement
> >>
> >> Francis Pouatcha
> >> Founder and Technical Lead Group Adorsys
> >>
> >> LinkedIn: http://www.linkedin.com/pub/francis-pouatcha/8/35a/542
> >> adorsys GmbH & Co. KG, Germany:
> >> http://www.youtube.com/watch?v=rVRkFGUNexo&authuser=0
> >> Adorsys S.A., Cameroon: "African Software Competence Center"
> >> Open https://github.com/adorsys
> >>
> >> Cell USA: +1 770 329 7026
> >> Cell Germany: +49 172 18 16 074
> >> Cell Cameroon: +237 51 74 71 99
> >>
> >>
> >> On Fri, Jul 1, 2016 at 2:39 AM, Rashmi Singh <singhrasster(a)gmail.com>
> >> wrote:
> >>
> >>> Thanks Thomas for your reply. I have a few questions on your response. I
> >>> am still very new to docker, so please bear with me.
> >>> when you say I can set env variables in docker container, would this be
> >>> sufficient?
> >>>
> >>> First connect to the docker container as:
> >>>
> >>> docker exec -i -t keycloak bash
> >>> Then, once I am in the container, I run the following to set env
> >>> variables?
> >>>
> >>> set DEBUG_MODE=true
> >>> set DEBUG_PORT=8787
> >>> exit
> >>> Then, restart the container as:
> >>> docker restart keycloak (keycloak is the name of my container)
> >>> Also, how can I make sure that the env variable got correctly set in the
> >>> docker container? From inside the container, if I run the command "env",
> >>> should it list these new env variables if they are added successfully?
> >>>
> >>> Then, when you say "......default on port 8787 which you need to expose
> >>> on your docker container or use the container interface...", what exactly
> >>> do you mean? Do you mean some sort of port forwarding? Could you tell me
> >>> what exactly I need to do with my existing container named "keycloak"?
> >>>
> >>> Then, on eclipse, where you mentioned the settings for the Debug
> >>> configurations, what should be the hostname there? would it be localhost?
> >>> or the default machine IP of docker which is 192.168.99.100? Or it should
> >>> be something else?
> >>>
> >>>
> >>>
> >>> On Thu, Jun 30, 2016 at 6:29 PM, Thomas Darimont <
> >>> thomas.darimont(a)googlemail.com> wrote:
> >>>
> >>>> Hello,
> >>>>
> >>>> you could add -debug flag to the standalone.sh command-line or define
> >>>> the following env variables in your docker container:
> >>>> set DEBUG_MODE=true
> >>>> set DEBUG_PORT=8787
> >>>>
> >>>> this will start keycloak with remote debugging enabled by default on
> >>>> port 8787 which you need to expose on your docker container or use the
> >>>> container interface...
> >>>>
> >>>> you can then connect to the keycloak instance inside the docker
> >>>> container via the remote debugger from your IDE.
> >>>> For eclipse just go to "Debug configurations..." -> Remote Java
> >>>> Application -> select your project with the custom authenticator -> adjust
> >>>> hostname and port and click "debug".
> >>>>
> >>>> Cheers,
> >>>> Thomas
> >>>>
> >>>> 2016-07-01 0:26 GMT+02:00 Rashmi Singh <singhrasster(a)gmail.com>:
> >>>>
> >>>>> We have a Maven project setup on Eclipse that uses some keycloak
> >>>>> features and we generate a jar that contains our AuthenticationProvider
> >>>>> classes etc.
> >>>>> We use docker for the deployment. We basically run a jboss/keycloak
> >>>>> image there
> >>>>> We have a shell script that has a bunch of commands to copy our
> >>>>> project jars from local to the keycloak image on docker container like:
> >>>>>
> >>>>> docker cp /customauthenticator-1.0.0-SNAPSHOT.jar
> >>>>> keycloak:/home/modules/xxx.yyy.zz.keycloak.customizations
> >>>>> ....
> >>>>> docker restart keycloak
> >>>>>
> >>>>> Running this shell script deploys everything on keycloak on docker.
> >>>>> And so far we are just putting logs throughout our code to debug
> >>>>> issues.
> >>>>> We want to be able to setup a debugging environment on our eclipse. I
> >>>>> am not sure how to achieve this when we use keycloak. Because, here we
> >>>>> basically build our modules or authenticator jars etc and copy them to
> >>>>> keycloak directories. So, it's not a standalone project war file that we
> >>>>> are directly deploying to app server as such. So, then how do we put our
> >>>>> maven project (creating jars etc) in a debug mode in eclipse? Is it
> >>>>> possible? How?
> >>>>>
> >>>>> _______________________________________________
> >>>>> keycloak-dev mailing list
> >>>>> keycloak-dev(a)lists.jboss.org
> >>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>>>
> >>>>
> >>>>
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>
> >>
> >
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
--
abstractj
PGP: 0x84DC9914
8 years, 5 months
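A small check to go with the `docker run ... -p 8787:8787` step in the thread above. This is an added example, not code from the gist or from anyone in the thread. Publishing the port as `-p 8787:8787` binds the JDWP debug port on every interface of the Docker host, and a JDWP client can execute code inside the attached JVM, so for a debugging setup the host side is better bound to loopback (`127.0.0.1:8787:8787`). The helper names (`parse_port_spec`, `audit`, ...) are this example's own; the port numbers and the run command are taken from the thread.

```python
"""Flag Docker port mappings that expose the JDWP debug port beyond the host
and suggest the loopback-bound equivalent.

Added example for the keycloak-user thread above; it is not the gist's code.
8787 is the DEBUG_PORT used by standalone.sh in the thread, 8080 the HTTP port.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

JDWP_DEBUG_PORT = 8787                       # DEBUG_PORT from the thread
_LOOPBACK = ("127.0.0.1", "::1", "localhost")


@dataclass
class PortMapping:
    host_ip: Optional[str]    # None: Docker binds 0.0.0.0 (all interfaces)
    host_port: Optional[int]  # None: Docker picks an ephemeral host port
    container_port: int
    proto: str


def parse_port_spec(spec: str) -> PortMapping:
    """Parse the -p / compose `ports` forms 'C', 'H:C', 'IP:H:C', each with
    an optional '/tcp' or '/udp' suffix (port ranges are not handled)."""
    spec = spec.strip().strip('"').strip("'")
    proto = "tcp"
    if "/" in spec:
        spec, proto = spec.rsplit("/", 1)
    if not re.fullmatch(r"[\w.:-]+", spec):
        raise ValueError(f"unrecognised port spec: {spec!r}")
    parts = spec.split(":")
    host_ip = None
    if len(parts) == 3:
        host_ip, parts = parts[0], parts[1:]
    if len(parts) == 1:
        return PortMapping(host_ip, None, int(parts[0]), proto)
    if len(parts) == 2:
        return PortMapping(host_ip, int(parts[0]), int(parts[1]), proto)
    raise ValueError(f"unrecognised port spec: {spec!r}")


def exposes_debug_port(m: PortMapping, debug_port: int = JDWP_DEBUG_PORT) -> bool:
    """True when the container's JDWP port is reachable from other hosts:
    the container side is the debug port and the host side is not loopback."""
    return m.container_port == debug_port and (m.host_ip is None or m.host_ip not in _LOOPBACK)


def loopback_only(m: PortMapping) -> str:
    """Rewrite a mapping so the host side binds only to 127.0.0.1."""
    host_port = m.host_port if m.host_port is not None else m.container_port
    return f"127.0.0.1:{host_port}:{m.container_port}/{m.proto}"


def port_specs_from_docker_run(cmdline: str) -> List[str]:
    """Extract every -p / --publish value from a `docker run` command line."""
    argv = shlex.split(cmdline)
    specs = []
    for i, tok in enumerate(argv):
        if tok in ("-p", "--publish") and i + 1 < len(argv):
            specs.append(argv[i + 1])
        elif tok.startswith("--publish="):
            specs.append(tok.split("=", 1)[1])
        elif tok.startswith("-p") and len(tok) > 2:   # the -p8787:8787 form
            specs.append(tok[2:])
    return specs


def audit(cmdline: str) -> List[str]:
    """Return a loopback-bound replacement for each mapping that exposes JDWP
    beyond the host; an empty list means the command line is fine."""
    return [loopback_only(m) for m in map(parse_port_spec, port_specs_from_docker_run(cmdline))
            if exposes_debug_port(m)]


if __name__ == "__main__":
    # the run command from step 3 of the thread
    cmd = ("docker run -e KEYCLOAK_USER=user -e KEYCLOAK_PASSWORD=password "
           "-it -p 8787:8787 -p 8080:8080 keycloak-debug")
    for fix in audit(cmd):
        print("JDWP port reachable beyond the host; publish it as -p", fix)
```

The same parser serves a docker-compose `ports:` list (Francis's `"8080:8080"`, `"8787:8787"`), since compose accepts the same short syntax; feed each entry to `parse_port_spec` and `exposes_debug_port`.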
Why does scope permission denial affect the whole resource availability?
by Artem Voskoboynick
I have a resource and a few scopes associated with the resource.
Both the resource and the scope have permissions associated with them.
It seems logical that if one of the resource permissions resolves to DENY, the whole resource is denied for the user.
But why does the same happen with scope permissions?
As I understood from the documentation, scopes are verbs that can act upon a resource. So if a user isn't authorized to perform one of the verbs (one of the scopes), the user should still have access to the resource itself, if the resource permissions allow, but it doesn't seem to work this way.
I expected to automatically block users that are not authorized for the resource. For the rest of the users I expected to check each scope programmatically for the availability of the corresponding actions (resource:view, resource:edit, etc.).
I used the "hello-world-authz-service" example (Keycloak server configuration and the application code) with a few changes (added scopes) to check it. It didn't work: access is denied if one of the scope permissions fails.
8 years, 5 months
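To make the two behaviours in the question above concrete, here is a small model of both evaluation strategies side by side: (a) any DENY on a permission attached to the resource or to one of its scopes denies the whole resource, which is what the poster observes, and (b) resource-level permissions gate the resource while each scope-level permission only gates its own verb, which is what the poster expected. This is an added example and a simplified model, not Keycloak's authorization engine and not the hello-world-authz-service code; the policy set, the "unanimous" combination of policies within a permission, and the rule that a scope without its own permission inherits the resource grant are all assumptions of the model. The scope names come from the post.

```python
"""Two ways of combining resource- and scope-level permissions into a decision.

Added example for the thread above; a simplified model, not Keycloak's
authorization engine. Policies here are plain functions over the user's roles.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set

Policy = Callable[[Set[str]], bool]   # user's roles -> True (grant) / False (deny)


@dataclass
class Permission:
    name: str
    policies: List[Policy]
    scope: Optional[str] = None   # None: applies to the resource; else to that scope

    def grants(self, roles: Set[str]) -> bool:
        # model assumption: every policy of a permission must grant ("unanimous")
        return all(policy(roles) for policy in self.policies)


@dataclass
class Decision:
    resource_granted: bool
    scopes_granted: Set[str]


def evaluate_all_or_nothing(perms: List[Permission], scopes: Set[str], roles: Set[str]) -> Decision:
    """Behaviour the question observes: a DENY from any permission, resource-
    or scope-level, denies the resource and with it every scope."""
    if all(p.grants(roles) for p in perms):
        return Decision(True, set(scopes))
    return Decision(False, set())


def evaluate_per_scope(perms: List[Permission], scopes: Set[str], roles: Set[str]) -> Decision:
    """Behaviour the question expects: resource-level permissions gate the
    resource; a scope-level DENY removes only that verb."""
    if not all(p.grants(roles) for p in perms if p.scope is None):
        return Decision(False, set())
    granted = set()
    for scope in scopes:
        scope_perms = [p for p in perms if p.scope == scope]
        # model assumption: a scope with no permission of its own inherits the resource grant
        if all(p.grants(roles) for p in scope_perms):
            granted.add(scope)
    return Decision(True, granted)


def has_role(role: str) -> Policy:
    return lambda roles: role in roles


# constructed policy set (not the hello-world-authz-service configuration)
SCOPES = {"resource:view", "resource:edit"}
PERMISSIONS = [
    Permission("resource is for signed-in users", [has_role("user")]),
    Permission("view needs the user role", [has_role("user")], scope="resource:view"),
    Permission("edit needs the editor role", [has_role("editor")], scope="resource:edit"),
]


def compare(roles: Set[str]):
    """Decisions of both strategies for the same user, for side-by-side reading."""
    return (evaluate_all_or_nothing(PERMISSIONS, SCOPES, roles),
            evaluate_per_scope(PERMISSIONS, SCOPES, roles))


if __name__ == "__main__":
    for roles in ({"user"}, {"user", "editor"}, set()):
        all_or_nothing, per_scope = compare(roles)
        print(sorted(roles), "| all-or-nothing:", all_or_nothing, "| per-scope:", per_scope)
```

The interesting row is the plain `user`: under all-or-nothing the failed `resource:edit` permission takes the whole resource away, whereas per-scope evaluation still grants the resource and `resource:view`, which is the check the poster wanted to do programmatically per scope.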