November 2017 - keycloak-user - Jboss List Archives

by Matthew Broadhead

org.keycloak.representations.idm.UserRepresentation (https://github.com/keycloak/keycloak/blob/master/core/src/main/java/org/k...) has a property enabled which is of type java.lang.Boolean. Technically this should have getters and setters of getEnabled and setEnabled. A type boolean would have isEnabled and setEnabled. This stops it from working with JSF (https://stackoverflow.com/questions/14400222/boolean-properties-starting-...) This also applies to totp and emailVerified in the same class.

6 years, 10 months

2
3
0 / 0

Keycloak realm detection from email domain

by Scott Hezzell

Hi I am building a multi-tenant mobile application that uses keycloak as a SSO server. We will pre-load users in keycloak using their email address as their username with a separate realm for each tenant. When a user logs into the mobile app I need to detect the realm from a user's email domain and redirect to the appropriate authorisation end point for the realm. Has anyone faced a similar problem? My thoughts at the moment is to build a proxy api that the mobile application redirects to that prompts the user for their email address, look up the configured tenant form the email domain and redirects to the appropriate realm's login page passing the mobile app credentials it passes to the proxy api and the entered user email as a login_hint. Can anyone see any issues with this approach? Or a suggest a better approach? Thanks Scott

7 years, 4 months

3
2
0 / 0

Organization Based Accounts and Permissions

by Charles Henck

Hello all,I’m working on an organization-based service and want to have resource-specific permissions that are restricted by (from a user perspective) organization-specific roles. Since I’m not familiar with the specific terminology, I’m thinking of something similar to how GitHub manages their permissions:- A single user can be a member of multiple organizations- A user can have a different roles with different organizations that grant them access to all of an organization's resources- A user can have access to a specific resource- That organization-specific role determines access to different organization resourcesAre there any best practices or patterns for this model? Thanks!Justin

7 years, 5 months

6
19
0 / 0

LDAP user group membership not syncing

by Luiz Carlos

Hi everyone I'm trying to sync the LDAP groups into Keycloak but it doesn't update the membership if I add or remove it from a group in LDAP. I was able to sync the groups and its users into Keycloak correctly if those wasn't provisioned before. For example, if the user already exists in Keycloak DB (provisioned from LDAP) and I remove it from a LDAP group (also provisioned from LDAP), the user in Keycloak continues to being a member of the group in the Groups tab of user's details screen and in client's group mappers. However, if I open the Members tab of group's details screen the user was removed from the group. Is there any way to solve this problem? Because of my company policy I can't use Keycloak to manage the groups. I'm using Keycloak 2.5.1. Thanks for the help -- Luiz Carlos

7 years, 5 months

3
2
0 / 0

user storage ldap or keycloak

by Istvan Orban

Dear Keycloak users. I am very new to keycloak and I really like it. it is great. I am currently migrating a legacy app ( using it's own user management ) to support SSO. I have set-up keycloak with openid connect and it works very well. At this point we need to decide if we will use keycloak as our main user store or we will set-up an LDAP. My question is that. Is keycloak designed in a way that it can fullfil all the responsibilities of the main user store? Any risk with this at all? ps: our userbase is small and at this point I am not sure if we want to add ldap just for this. -- Kind Regards, *----------------------------------------------------------------------------------------------------------------* *Istvan Orban* *I *Skype: istvan_o *I *Mobile: +44 (0) 7956 122 144 *I *

7 years, 6 months

3
2
0 / 0

Keycloak & Okta

by John D. Ament

Hi Just wondering, has anyone setup Keycloak w/ Okta? Every time I try to authenticate (both SP initiated and IdP initiated) it fails with this error 01:40:54,626 WARN [org.keycloak.events] (default task-7) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=tenant1, clientId=null, userId=null, ipAddress=172.17.0.1, error=staleCodeMessage 01:40:54,627 ERROR [org.keycloak.services.resources.IdentityBrokerService] (default task-7) staleCodeMessage I suspect its a setup issue on my side, so was hoping someone else has tried this and can give tips. I even tried the import feature, no luck. John

7 years, 9 months

3
6
0 / 0

Additional attributes for an authorization request

by Scott Elliott

Would therebe any way to pass additional attributes (say, something from a REST API call's headers or body) to an authorization request, and access it in a Javascript or rules based policy? I see that what is available in the Evaluation API currently is pretty limited.

7 years, 10 months

3
5
0 / 0

Best setup to extend Keycloak

by Francis Zabala

Hello, What is the best setup to develop custom SPI for Keycloak. I just skimmed the example codes in github and wondered on how to test my codes. Not TDD way of testing but a simple, hey, will this run properly? Anyway, the reason I need to extend this is to create an authentication flow that will use your internal SMS api for subscriber verification. Regards,Francis

8 years

1
1
0 / 0

How to stop the keycloak server from standalone sh

by Aritz Maeztu

Hello, I'm running a keycloak instance from a docker image, so when I start the container everything is up an running. Now I want to export the realms and users to deploy it in production and I've got two chances: 1- Copy the values from the mysql database (I'm using the keycloak-mysql image). 2- Run the standalone.sh export command. I would like to go the second way, but I'm into trouble since the widlfly server is launched with the docker container altogether. I can browse in to it for the standalone.sh script, but still haven't found a way to stop it (as the server is launched I get a "Address already in use" error when I try to perform the export while the server is running). Any ideas? Thanks in advance -- Aritz Maeztu Otaño Departamento Desarrollo de Software <https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942> <http://www.tesicnor.com> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf. Aritz Maeztu: 948 68 03 06 Telf. Secretaría: 948 21 40 40 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos.

8 years, 1 month

4
4
0 / 0

Keycloak REST API

by Stephane Epardaud

Hi, I'm trying to use the REST API of keycloak to seed an initial config for tests that depend on keycloak, but I only found this doc: http://www.keycloak.org/docs-api/3.3/rest-api/index.html Are there better docs somewhere else? If not: they barely explain what the entities are, and don't tell me which parts are settable, required, or server-generated. They also contain some links to types that are not documented (like Map), and don't explain how to get a token to play along (found that somewhere completely different). A set of examples with each endpoint and entity type would be _greatly_ appreciated too. Otherwise there's a lot of guesswork involved :( Otherwise, pretty impressed with the rest of KeyCloak, so don't take that issue harshly :) Cheers.

8 years, 1 month

3
3
0 / 0

Offline tokens with external IDP

by Haim Vana

Hi, We are using KeyCloak for a several weeks now, one of the flows is user script authentication with offline token: 1. The user log in to the UI 2. Generates offline token by entering his password again 3. Put the offline token in his script 4. Executes the script Now we want to add external IDP support, first is it possible to generate offline tokens for extremal IDP in KeyCloak ? if so how ? Second in section #2 above the user enters his password to generate the offline token, with external IDP we can't use his password, one alternative is to always generate the offline token in the login (add offline_access), however is it make sense to create offline token for every login ? Thanks, Haim. The information contained in this message is proprietary to the sender, protected from disclosure, and may be privileged. The information is intended to be conveyed only to the designated recipient(s) of the message. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, use, distribution or copying of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.

8 years, 1 month

3
6
0 / 0

User impersonation - JWT

by Harry Trinta

Dears, I need a help with user impersonation on keycloak. I am authenticating users through the "/realms/test/protocol/openid-connect/token". As expected, it returns a token JWT. In my app, all requests go through apiman, which validates the JWT. Now, I need to personification of user. I'm calling the service "/admin/realms/test/users/USER_ID/impersonation", sending the token in the header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...). The service /impersonation creates the user session on keycloak, however doesnt return a JWT, but 3 cookies. *I'd like to get the JWT of personified user instead of cookie.* It's possible? Best regards Harry Costa

8 years, 1 month

3
4
0 / 0

Refreshing Tokens

by Christopher Davies

I adding keycloak into a legacy application that uses GWT and Jetty. I have managed to get add Keycloak application using Spring-security. Because this is GWT I am doing the authorisation in the application myself. Sping just provides a way to get access to the KeycloakSecurityContext. The issue I have is refreshing the token. I can get hold of a RefreshableKeycloakSecurityContext instance and use that to get a refresh token. What surprised me is that I cannot refresh a token if the roles have changed. Is this correct. I was hoping that the application could notice the role changes and adapt itself on the fly. I do not want to have to logout to get the new roles it at all possible. Is there something that I have overlooked that will allow me to use the idToken to get a new accessToken given that the authentication of the user is still valid, it is just the roles the user is in that have changed. Thanks Chris

8 years, 2 months

3
5
0 / 0

No state cookie returned from the keycloak adapter

by Sarp Kaya

Hello, A use case I have noticed is: 1) User tries to use the web application. Say http://www.app.com 2) The application redirects you to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol… 3) Before logging in, user bookmarks this page. 4) User logs in and then gets redirected to http://www.app.com 5) All works fine up till now Now user logs out, closes browser etc. Now user starts the workflow from bookmarked page (http://www.keycloaklogin.com/auth…) 1) User sees a login page 2) User logs in 3) User gets redirected to http://www.app.com?state=… 4) At this point this below code: https://github.com/keycloak/keycloak/blob/master/adapters/oidc/adapter-co... is executed and user sees a 400 page due not having OAuth_Token_Request_State . So far you can argue that, well we didn’t want user not to have OAuth_Token_Request_State in the first place, but the next step that user can do is: 5) User goes to http://www.app.com page and then gets a redirect back to the login page http://www.keycloaklogin.com/auth/realms/realm-name/protocol… 6) Keycloak sees that user is already logged in so redirects back to the same page 7) User now can see http://www.app.com<http://www.app.com/> due to the OAuth_Token_Request_State created in step 5 So to me it seems like this check is obsolete, however I’m curious whether this has a user case or prevents anything. If not, then it might be worth fixing at the step 4 where user actually gets to see the page (or re issue OAuth_Token_Request_State ) instead of showing 400 page. Thanks, Sarp

8 years, 2 months

3
2
0 / 0

get Authorization reasons

by Corentin Dupont

Hi, I'm using the entitlement API to protect the resources of my API. Sometimes the user gets a "not authorized" message, and it's hard for him to known why. Is there any way to provide the user why more information with why it was rejected? Something similar with the infos provided by the "evaluate" panel, but with the API. Thanks Corentin

8 years, 2 months

2
3
0 / 0

offlineSessions data in cache vs db

by Tonnis Wildeboer

Hello Keycloak Users, Ultimately, what we want to do is have three nodes in one Kubernetes namespace that define a cluster. Then be able to add three more nodes to the cluster in a new namespace that shares the same subnet and database, then kill off the original three nodes, effectively migrating the cluster to the new namespace and do all this without anyone being logged out. The namespace distinction is invisible to Keycloak, as far as I can tell. What we have tried: * Start with 3 standalone-ha mode instances clustered with JGroups/JDBC_PING. * Set the number of cache owners for sessions to 6. * Start the three new instances in the new Kubernetes namespace, configured exactly the same as the first three - that is, same db, same number of cache owners. * Kill the original three But it seems this caused offlineSession tokens to be expired immediately. I found this in the online documentation (http://www.keycloak.org/docs/latest/server_installation/index.html#server...): > The second type of cache handles managing user sessions, offline tokens, and keeping track of login failures... The data held in these caches is temporary, in memory only, but is possibly replicated across the cluster. > The sessions, authenticationSessions, offlineSessions and loginFailures caches are the only caches that may perform replication. Entries are not replicated to every single node, but instead one or more nodes is chosen as an owner of that data. If a node is not the owner of a specific cache entry it queries the cluster to obtain it. What this means for failover is that if all the nodes that own a piece of data go down, that data is lost forever. By default, Keycloak only specifies one owner for data. So if that one node goes down that data is lost. This usually means that users will be logged out and will have to login again. It appears, based on these documentation comments and our experience, that the "source of truth" regarding offlineSessions is the data in the "owner" caches, is NOT the database, as I would have expected. It also seems to be the case that if a node joins the cluster (as defined by JGroups/JDBC_PING), it will NOT be able to populate its offlineSessions cache from the database, but must rely on replication from one of the owner nodes. Questions: 1. Is the above understanding regarding the db vs cache correct? 2. If so, please explain the design/reasoning behind this behavior. Otherwise, please correct my understanding. 3. Is there a way to perform this simple migration without losing any sessions? Thanks, --Tonnis

8 years, 2 months

3
7
0 / 0

Blog post about cross-datacenter replication in Keycloak 3.3.CR1

by Thomas Darimont

Hello, in case you missed it (as I did...), there is an interesting blog post about cross-datacenter replication in Keycloak 3.3.CR1 http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html @keycloak-Team Would be great if you could drop a mail to the mailing list for articles like this :) Cheers, Thomas

8 years, 2 months

3
2
0 / 0

JS adapter constantly refreshing page

by sesnor.silva＠sapo.pt

Hello, I'm trying to integrate keycloak's JS adapater into an application. However for some reason the page keeps refreshing (every 5 seconds or so?) after successfully logging in. I managed to reproduce the problem with the following minimal code:  <!DOCTYPE html> <html> <head> <title></title> </head> <body> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/angularjs/1.6.4/angular.min.js"></script> <script type="text/javascript" src="<MY KEYCLOAK SERVER>/auth/js/keycloak.js"></script> <script type="text/javascript"> angular.element(document).ready(function() { var keycloakAuth = Keycloak('keycloak.json'); keycloakAuth.init({ onLoad: 'login-required' }).success(function(authenticated) { keycloakAuth.loadUserInfo().success(function (userInfo) { console.log(userInfo) }); }).error(function() { var error = "There was an error initializing the authentication module."; console.error(error); }); }); </script> </body> </html> I tried searching around but I didn't find too many answers. I tried to base my implementation around: https://github.com/bandrzejczak/keycloak-angular-akka-http/blob/master/cl... and https://github.com/keycloak/keycloak/tree/master/examples/demo-template/a... But I get the same behavior every time: The page just keeps refreshing. It seems to be related to blocking third-party cookies on the browser. I use Firefox 53. Since my Keycloak isn't on the same host as the application, I think the browser rejects the keycloak's cookies. If this is the case, what could be a workaround for this? Is there any option on the adapter's side? I'm worried some browser might block third-party cookies by default (Opera and Brave Browser come to mind). Thank you, My best regards, Silva

8 years, 3 months

3
2
0 / 0

How to display user information from keycloak SAML adapter assertions/session?

by ken edward

Hello, I have configured a tomcat Keycloak SAML adapter with ADFS as my Idp. I created a simple web app with a protected /saml directory. It seems to work. BUT how can I display the logged in user information after the user is authenticated? org.keycloak.adapters.saml.SamlSession : org.keycloak.adapters.saml.SamlSession@13a50bc9 Ken

8 years, 3 months

3
4
0 / 0

Credential Representation TOTP example

by Maximiliano

I'm trying to add a TOTP for an user with Admin Client API. Someone has an CredentialRepresentation setup for TOTP? -- View this message in context: http://keycloak-user.88327.x6.nabble.com/Credential-Representation-TOTP-e... Sent from the keycloak-user mailing list archive at Nabble.com.

8 years, 4 months

2
6
0 / 0

Re: [keycloak-user] Impersonate user feature stop working after 3.2.0.Final

by Diego Diez

After clicking the button I can see the account of the impersonated user, but the SSO doesn't seem to work. When I go to another app, the login form is prompt again instead of a new redirect with the user logged in to the app automatically. That's the issue I meant in the first place. Sorry for the lack of details. PD: the app I used to reproduce the problem was secured using the spring security adapter for spring boot El 29 nov. 2017 9:33 p. m., "Stian Thorgersen" <sthorger(a)redhat.com> escribió: Oh and we do have tests as well for it ;) On 29 November 2017 at 21:33, Stian Thorgersen <sthorger(a)redhat.com> wrote: > Just tried it here and works just fine for me. > > On 29 November 2017 at 18:24, Diego Diez <diegodiez.ddr(a)gmail.com> wrote: > >> Hi Keycloak Community, >> >> >> After successfully upgrade our servers from keycloak 2.5.4.Final to >> 3.4.0.Final, we have notice that the impersonation feature isn't >> working anymore. >> >> We have tested other versions with a vanilla install and the first >> version with this problem is 3.2.0.Final. >> >> Are you experiencing this problem? Impersonation is a quite useful >> feature to us, so any workaround until next release would be great. >> >> >> Regards, >> >> Diego Díez >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user > > >

8 years, 4 months

3
4
0 / 0

sessions are lost after restart - 3.3.0.CR2

by shop24＠wolke7.net

Hi, as we plan to update to 3.3.0.Final, I already started to play with the current CR2 and check the features we use. We save our sessions in the file based infinispan cache <local-cache name="sessions" xmlns="urn:jboss:domain:infinispan:4.0"> <file-store passivation="false" fetch-state="true" purge="false" relative-to="jboss.home.dir" path="/infinistate/session" /> </local-cache> I can see the session.dat file there growing on the amount of sessions, and as long as the server stays alive, the sessions can be counted. But when I restart the server, no sessions are visible on the admin console neither by the REST API. Those things worked at least until 3.1.0.Final. Is this a bug or can I configure this some how different now? Are you working on it and it is one of the point, that are not final? Regards, Marie

8 years, 4 months

3
3
0 / 0

session timeout behavior when using the Spring Security adapter

by Sud Ramasamy

It looks like when using Keycloak and Spring Security with the OIDC Client protocol there is a way to hose the application session unintentionally when the Keycloak SSO session timeout setting is lower than the application (ie. Client) session timeout value. If the user accesses any parts of the application which are protected by the Keycloak adapter after the access token has expired (configured for 5 minutes) without first ending the application session, Spring Security still has the authentication object. But as part of the authentication flow in the application, the Keycloak adapter checks to see if the Access token is active which it won't be at this point. So the Keycloak adapter (RefreshableKeycloakSecurityContext.java) attempts to get a new Access token using the refresh token it has. Since the refresh token has been invalidated in Keycloak the adapter receives a "Stale refresh token" error response from Keycloak. The "no access token" is propagated to the Keycloak adapter's OAuthRequestAuthenticator.java which proceeds to trigger a login redirect to Keycloak. Once the user is successfully authenticated in Keycloak and control is returned to the KeycloakAuthenticationProcessingFilter.java as a final step it attempts to store the KeycloakAuthenticationToken in the Spring SecurityContextHolder (see SpringSecurityTokenStore.saveAccountInfo). Here the code throws an exception because there is already an existing KeycloakAuthenticationToken in the SecurityContextHolder from the earlier login that wasn't cleared. At this point SSO login into the application is hosed. A potential fix is to trigger a call to the application’s logout endpoint which will clear the Spring SecurityContextHolder object prior to fetching a new access token. I was wondering if anyone has run into this behavior. It seems like when using the OIDC Client protocol by it’s very nature of using short lived Access tokens and Refresh tokens that are tied to the Keycloak session we will have to set the Keycloak Session timeout to be the same or higher than the Client session timeout. But we do not necessarily have control over the clients. So we will have to set the Keycloak session timeout to the highest session timeout across all Clients since this is realm level setting and not a per Client setting. But this breaks another use case since we are using Identity Brokering. We want the user to be bounced to the external Identity Provider when their application session timeouts. If the Keycloak session timeout is higher than their application session timeout then they wouldn’t be bounced to the external Identity Provider for authentication. Looks like we might need to force Keycloak to initiate the authentication when we detect an application timeout. -sud

8 years, 4 months

2
3
0 / 0

Services behind a Proxy that offloads SSL

by Malte Finsterwalder

Hi there, I have a service running in a JBoss server, that I want to secure via the keycloak adapter. The server is behind a proxy, that offloads SSL, so the server itself gets traffic as http. When the server redirects to keycloak for authentication, the redirect URL supplied to keycloak is http, not https. How can I ensure, that a redirect URL is an https URL? Greetings, Malte

8 years, 4 months

5
9
0 / 0

SAML login via python when using Keycloak as Identity broker

by Pieter Lukasse

Hi, I have Keycloak as an identity broker for the a SAML SSO service. Login via the browser works great. Now, I want to call the APIs of the SP's application directly using python or java. Are these steps documented somewhere? Should my python script send 2 authentication requests (e.g. first to Keycloak and then to the real IDP)? Thanks, Pieter www.thehyve.nl E pieter(a)thehyve.nl We empower scientists by building on open source software

8 years, 4 months

2
5
0 / 0

kc_idp_hint parameter is being ignored

by Jeremy Michael

Hello all, I’m trying to do something that looks like it should be very easy, but is not working for me. Hopefully someone can help me figure out what I’m doing wrong. We have an application secured by Keycloak and have two Identity Providers set up. Clicking the buttons on the standard Keycloak login screen works fine for both Identity Providers. We can also set up either provider as a default (in the browser Authentication flow) to bypass the login screen, and that works fine. However, in some cases, we want to bypass the login screen and use Identity Provider 1, and in others we want to bypass the login screen and use Identity Provider 2. It looks like we should be able to achieve what we want by using the kc_idp_hint parameter. But, when I try to test it out, the kc_idp_hint seems to be ignored. I tried the following, where the URL is the address of my app secured by Keycloak, and idp1alias is the alias of the Identity Provider I want to use: https://www.myapp.com?kc_idp_hint=idp1alias <https://www.myapp.com/?kc_idp_hint=idp1alias> However, instead of bypassing the login screen and automatically beginning the authentication process with Identity Provider 1, I am landing on the standard Keycloak login screen. As another test, I tried just going to the built in, “/auth/realms/<realm>/account” with the "kc_idp_hint" parameter added and I got the same behavior (i.e., I saw the Keycloak login screen): https://mykeycloakurl.com/auth/realms/myrealm/account?kc_idp_hint=idp1alias. I’m clearly missing something, or misunderstanding how this should work. Can someone help get me pointed in the right direction? Thanks! Jeremy

8 years, 4 months

2
5
0 / 0

Session state iframe doesn't work reliably

by Виталий Ищенко

Hello I'm trying to setup seamless logout flow for SPA, but falling into issue in the following scenario User is logged-in with a public client using code grant and check login iframe enabled. I see that KEYCLOAK_SESSION cookie is set during code exchange phase, and later used in iframe to validate user session Application refreshes token using refresh_token when access_token is close to expiration Now I log user out from application using Keycloak admin app I do not expect that user should be logged-out immediately. But what I do expect is to get error response from a token endpoint, when I will try to refresh token next time. Response, returned by OP, doesn't have Cors Headers, so application can't access any information from response that will allow distinguishing between network error and cors related errors Other option may be to clear cookie in response to token endpoint call Any help will be appreciated

8 years, 4 months

1
1
0 / 0

Idp thumbnail?

by Byte Flinger

When adding a new identity provider to Keycloak, such as a SAML IDP, is it possible to setup so the button you click to login with that provider has a nice icon/thumbnail instead of text (or both)? Regards Byte

8 years, 4 months

2
4
0 / 0

Keycloak 3.4.1.CR1 released

by Stian Thorgersen

We've just released Keycloak 3.4.1.CR1. To download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>. Highlights Cross DC A lot of work has gone into finishing the Cross DC support and it should now be ready to use. Database Replication We're now testing database replication with MySQL Galera and Oracle RAC. This is related to Cross DC support which requires a master node in each DC. Loads more.. - Loads and loads of fixes The full list of resolved issues is available in JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> . Upgrading Before you upgrade remember to backup your database and check the upgrade guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for anything that may have changed. Release candidates are not recommended in production and we do not support upgrading from release candidates.

8 years, 4 months

1
0
0 / 0

wildfly-adapter install over wildfly 9

by philippe ventrillon

Hello every one, I am new to keycloak and I may have missed an obvious point but, as i don't see any other search to perform, I am going to ask. I am simply trying to make a keycloak quickstart j2ee vanilla equivalent for wildfly 9. I have been able to make the keycloak provided quickstart work ontop of WF10. But I don't manage with WF 9. Following section 2.1.2 of "Securing Apps" i have : - installed a brand new wildfly 9 - unzipped |keycloak-wildfly-adapter-dist-3.4.0.Final.zip | into WF9 install directory - Executed the offline cli From WF9\bin directory C:\java\wildfly-9.0.2.Final-withKC\bin>.\jboss-cli.bat --file=adapter-install-offline.cli {"outcome" => "success"} {"outcome" => "success"} { "outcome" => "failed", "failure-description" => "WFLYCTL0158: Operation handler failed: org.jboss.modules.ModuleLoadError: org.wildfly.security.elytron:main", "rolled-back" => true } Press any key to continue . . . Is there something I am missing ? Please point me to the piece of information i am lacking. Thanks in advance for help and advises. -- Philippe Ventrillon / Software architect Actility ---

8 years, 4 months

2
5
0 / 0

How to register new users without using admin API

by Eickhold Johannes (e)

Does Keycloak provide a public REST API to create new users besides the admin API (http://www.keycloak.org/docs-api/3.4/rest-api/index.html#_users_resource)? I know about the Keycloak registration form that is part of the OpenID Connect flow, but I don't want to use the redirects required during the OpenID Connect flows. We considered using OpenID Connect using the implicit flow and "Resource Owner Password Credential Grant" from within an Angular SPA but do not see a possibility to let users create their own accounts in this scenario. What would be the recommended way to let users register themselves here? In the previous mentioned scenario, I know that it's possible to authenticate a user using the "authorization_endpoint" which can be retrieved from the following endpoint: /auth/realms/<real-name>/.well-known/openid-configuration Is there an equivalent endpoint to register respectively to create a new user? Other question: How does Keycloak prevent attackers from excessively creating user accounts using the OpenID Connect flows if captchas are not activated? Thanks in advance, Johannes. ------------------------------------------------ [cid:image001.jpg@01D369E9.31D42700] Leading Business IT Solutions Bison Schweiz AG Allee 1A CH-6210 Sursee Phone direct +41 58 226 02 31 Phone +41 58 226 00 00 Fax +41 58 226 00 50 johannes.eickhold(a)bison-group.com <mailto:johannes.eickhold@bison-group.com> www.bison-group.com<http://www.bison-group.com/>

8 years, 4 months

1
0
0 / 0

nonce parameter not send when authorize with OIDC on Identity Provider

by Jérôme Blanchard

Hi all, I have configured an external IDP for my keycloak. This IDP is using openid connect protocol but when I try to identify throught this IDP from the login form, the nonce parameter is not included in request and the IDP reject it. According to this JIRA : https://issues.jboss.org/browse/KEYCLOAK-5032?jql=project%20%3D%20KEYCLOA... I was thinking it will be fixed in the 3.4.0.Final but I face the same problem. Did I missed something or misconfigured ? Thanks for your support, Best regards, Jérôme PS : the external I try to use if 'France Connect'

8 years, 4 months

1
0
0 / 0

Setting up KC 3.1.0 in a HA cluster

by Gavin Howard

KC group, I am currently in the process of deploying Keycloak (KC) at my firm in a highly available cluster and I have been following your documentation here: http://www.keycloak.org/docs/3.1/server_installation/topics/clustering.html My setup is that I am using HAproxy (HAP) to provide the reverse proxy and balancing component and two KC nodes behind it connecting to an Oracle database. Previously I had KC working correctly as a single standalone node. I have followed your documentation to ensure the client IP address is forwarded correctly from HAP to my backend servers and confirmed this by following the steps mentioned under "Verify Connection" here: http://www.keycloak.org/docs/3.1/server_installation/topics/clustering/lo... and also that the domain is correctly rendered in my equivalent of : https://acme.com/auth/realms/master/.well-known/openid-configuration Upon testing my cluster get some quite strange behavior upon entering valid login credentials that I get either a message that either my session has been restarted as I was taking too long to login or I get passed around a redirect loop. Either way the setup is not working as I expected. The documentation goes on to describe multicast settings: http://www.keycloak.org/docs/3.1/server_installation/topics/clustering/mu... but it is not quite clear if this is needed in my setup. Is it a requirement of ALL of the possible clustering configurations that multicast is set and working between the nodes? Or is it possible to setup the KC nodes as their own instances, without knowledge of the other nodes, and have the load balancer stick the user session to an individual node whilst authentication takes place? If so, how can this be achieved? Many thanks, Gavin

8 years, 4 months

1
0
0 / 0

Using keycloak-spring-boot-starter throws NullPointerException when “keycloak.enabled = false” in spring boot application.properties

by Pharande Rahul

Hi, While using “keycloak-spring-boot-starter v3.4.0.Final” with “spring-boot-starter-security V1.5.8.RELEASE”, I’m getting NullPointerException as described below. Please let me know if anyone has suggestion on this, OR this is really defect in keycloak adapter. Precondition – · Application configured to use spring-security with KeycloakWebSecurityConfigurerAdapter. As shows below class SecurityConfig in Example section (A). · Disable keycloak in spring boot’s Application property as “keycloak.enabled = false” Expected Result – · When Keycloak is disabled, spring security should handle authentication OR should not perform authentication. Actual Result – java.lang.NullPointerException: null at org.keycloak.adapters.KeycloakDeploymentBuilder.internalBuild(KeycloakDeploymentBuilder.java:55) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final] at org.keycloak.adapters.KeycloakDeploymentBuilder.build(KeycloakDeploymentBuilder.java:164) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final] at org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver.resolve(KeycloakSpringBootConfigResolver.java:37) ~[keycloak-spring-boot-adapter-3.4.0.Final.jar!/:3.4.0.Final] at org.keycloak.adapters.AdapterDeploymentContext.resolveDeployment(AdapterDeploymentContext.java:88) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.preflightCors(PreAuthActionsHandler.java:107) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final] at org.keycloak.adapters.PreAuthActionsHandler.handleRequest(PreAuthActionsHandler.java:79) ~[keycloak-adapter-core-3.4.0.Final.jar!/:3.4.0.Final] at org.keycloak.adapters.springsecurity.filter.KeycloakPreAuthActionsFilter.doFilter(KeycloakPreAuthActionsFilter.java:81) ~[keycloak-spring-security-adapter-3.4.0.Final.jar!/:3.4. at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE] at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:100) ~[spring-security-web-4.2.3.RELEASE.jar!/:4.2.3.RELEASE] at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) ~[spring-web-4.3.12.RELEASE.jar!/:4.3.12.RELEASE] What can be done here: · Ideal Option: Keycloak adapter classes like “KeycloakWebSecurityConfigurerAdapter” should avoid registering it’s filters when “keycloak.enabled” property is false. · Temporary Option: we can handle this at application config level by defining on SecurityConfig class o @ConditionalOnProperty(name = "keycloak.enabled", havingValue = "true") Example Section A: @KeycloakConfiguration public class SecurityConfig extends KeycloakWebSecurityConfigurerAdapter { @Autowired public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception { KeycloakAuthenticationProvider keyCloakAuthProvider = keycloakAuthenticationProvider(); keyCloakAuthProvider.setGrantedAuthoritiesMapper(new SimpleAuthorityMapper()); auth.authenticationProvider(keyCloakAuthProvider); } @Override protected void configure(HttpSecurity http) throws Exception { super.configure(http); http .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) .sessionAuthenticationStrategy(sessionAuthenticationStrategy()) .and() .authorizeRequests() .antMatchers("/test*").hasRole("ADMIN") .anyRequest().permitAll(); } @Override protected SessionAuthenticationStrategy sessionAuthenticationStrategy() { return new NullAuthenticatedSessionStrategy(); } @Bean public KeycloakConfigResolver KeyCloakConfigResolver(){ return new KeycloakSpringBootConfigResolver(); } } Thanks and Regards. Rahul Pharande

8 years, 4 months

2
5
0 / 0

keycloak-spring-security-adapter : KeycloakAuthenticationProcessingFilter doesn’t skip user authentication if it's already authenticated

by Pharande Rahul

Hi, While evaluating keycloak spring security adapter for one of my requirement (as below) I realized KeycloakAuthenticationProcessingFilter doesn’t skip authentication if user is already authenticated in other/prev filters. Requirement I’ve – · Service-to-service authentication. · Support multiple authentication schemes in fallback o OAuth (Using keycloak) o Basic (Application maintains username/password) Problems I see – · KeycloakAuthenticationProcessingFilter doesn’t have mechanism to skip authentication if user already authenticated. Like – protected boolean requiresAuthentication(HttpServletRequest request, HttpServletResponse response) { Authentication existingAuth = SecurityContextHolder.getContext() .getAuthentication(); if (existingAuth == null || !existingAuth.isAuthenticated()) { return true; } return false; } Please suggest me If there is any configuration in keycloak to support it? Thanks, Rahul Pharande

8 years, 4 months

1
0
0 / 0

Notify application about

by Kevin Hirschmann

Hello, when having a user federation with an active directory server I would like to trigger some logic in my application if a periodic synch has completed. I hoped I could use the Event Listener SPI to do so. I have taken the example "sysout" to check if there is an event fired but I could only see an event for manually starting a user synch. What is the recommended approach here? Have I missed something? Thx Kevin Hirschmann HUEBINET Informationsmanagement GmbH & Co. KG Telefon: +49 (0) 261 / 5 00 86 - 17 Telefax: +49 (0) 261 / 5 00 86 - 29 E-Mail: kevin.hirschmann(a)huebinet.de<mailto:kevin.hirschmann@huebinet.de> Internet: www.huebinet.de<http://www.huebinet.de/> HUEBINET Informationsmanagement GmbH & Co. KG An der Königsbach 8 56075 Koblenz Sitz und Registergericht: Koblenz HRA 5329 Persönlich haftender Gesellschafter der KG: HUEBINET GmbH; Sitz und Registergericht: Koblenz HRB 6857 Geschäftsführung: Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Der Nachrichtenaustausch mit HUEBINET Informationsmanagement GmbH & Co. KG, Koblenz via E-Mail dient lediglich zu Informationszwecken. Rechtsgeschäftliche Erklärungen mit verbindlichem Inhalt können über dieses Medium nicht ausgetauscht werden, da die Manipulation von E-Mails durch Dritte nicht ausgeschlossen werden kann. Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.

8 years, 4 months

1
0
0 / 0

nodejs keycloak connect

by Olivier Refalo

Hi everyone, I am playing with KeyCloak in order to protect my nodeJS API. Looking at the node connector, there are areas which I don't understand.... First and foremost, why does the connector creates a SessionStore??? I mean it makes perfect sense when it's a web application, but for a stateless API (protected by a BearerToken), it sounds overkill to think in terms of "session" Directly related, I see a BearerStore, which I don't know how to use.. Should I use it as the store to protect an API? Last but not least, and this is a broader question, How would you protect a GraphQL Schema? FYI, a typical GraphQL API only has one endpoint. authorization would be defined in the data schema itself, using some @directives. Thanks for the help, Sincerely, Olivier

8 years, 4 months

1
0
0 / 0

Impersonate user feature stop working after 3.2.0.Final

by Diego Diez

Hi Keycloak Community, After successfully upgrade our servers from keycloak 2.5.4.Final to 3.4.0.Final, we have notice that the impersonation feature isn't working anymore. We have tested other versions with a vanilla install and the first version with this problem is 3.2.0.Final. Are you experiencing this problem? Impersonation is a quite useful feature to us, so any workaround until next release would be great. Regards, Diego Díez

8 years, 4 months

2
2
0 / 0

Re: [keycloak-user] IDP initiated login redirect loop

by Drew Weirshousky

Hi Marek, Thanks, I was just looking at the commits and see some fixes for issues I have run into. Is there a timeline for a 3.4.1 release yet? Drew ----- Original Message ----- From: "Marek Posolda" <mposolda(a)redhat.com> To: "Drew Weirshousky" <d.weirshousky(a)xsb.com>, "keycloak-user" <keycloak-user(a)lists.jboss.org> Sent: Wednesday, November 29, 2017 8:36:55 AM Subject: Re: [keycloak-user] IDP initiated login redirect loop I think it's going to be fixed in 3.4.1 release. You can try with latest Keycloak master, I think it's already fixed there (not 100% sure). Marek On 27/11/17 15:53, Drew Weirshousky wrote: > Hi, > > I'm having issues trying to get IDP inititated login to work. I am currently running Keycloak 2.5.5 but have tried 3.2.1 and 3.4 also. The IDP is Okta and Keycloak is the SP. Currently the user can register with keycloak and the user is registered with the IDP and a session is created but an error is displayed to the user. "An error occurred, please login again through your application." I suspect this is a configuration issue but I am not sure. 3.2.1 - 3.4 seem to have other SAML related bugs that I have run into while trying to configure this which is why I am current;y working with 2.5.5. > > Thanks > Drew > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user

8 years, 4 months

2
1
0 / 0

Migration to Keycloak from WSO2 IS

by Sinan Mustafov

Hi, Has anyone migrated from WSO2 IS to Keycloak? If yes, what actions did you take to migrate tenants, users, groups and authentication? I'd like to know if anyone done this or have some experience and whether some major issues arised which introduced a lot of difficulties and even stopped them from migrating to Keycloak*.* Any advise and feedback would be very appreciated. Regards, Sinan.

8 years, 4 months

1
0
0 / 0

IDP initiated login redirect loop

by Drew Weirshousky

Hi, I'm having issues trying to get IDP inititated login to work. I am currently running Keycloak 2.5.5 but have tried 3.2.1 and 3.4 also. The IDP is Okta and Keycloak is the SP. Currently the user can register with keycloak and the user is registered with the IDP and a session is created but an error is displayed to the user. "An error occurred, please login again through your application." I suspect this is a configuration issue but I am not sure. 3.2.1 - 3.4 seem to have other SAML related bugs that I have run into while trying to configure this which is why I am current;y working with 2.5.5. Thanks Drew

8 years, 4 months

2
1
0 / 0

Re: [keycloak-user] Importing big realms

by Buda, Mikolaj

I managed to fix the problem by exporting users to separate files each 5000 and then perform a partialImport on imported realm. On Wed, Nov 29, 2017 at 12:16 PM, Stian Thorgersen <sthorger(a)redhat.com> wrote: > Please don't drop the mailing list > > On 29 November 2017 at 11:08, Buda, Mikolaj <mikolaj.buda@contractors. > roche.com> wrote: > >> The problem is, we cannot use this Export/Import functionality as it >> requires to restart the Keycloak. I managed to build the same json file >> using many GET requests and now I would like to upload it on another >> instance without restarting the application. >> >> On Wed, Nov 29, 2017 at 11:00 AM, Stian Thorgersen <sthorger(a)redhat.com> >> wrote: >> >>> How many users and how long time? >>> >>> With a large amount of users you should split the user into separate >>> files, see http://www.keycloak.org/docs/latest/server_admin/index.h >>> tml#_export_import for more details. >>> >>> On 29 November 2017 at 10:31, Buda, Mikolaj < >>> mikolaj.buda(a)contractors.roche.com> wrote: >>> >>>> Hi, >>>> >>>> I've just created a tool that prepares a full backup of realm in json >>>> (the >>>> same as during export at standalone startup). Sometime it is 60MB of >>>> data >>>> (many users). Import process takes a long time. Do you have any ideas >>>> how >>>> to speed up this process? >>>> _______________________________________________ >>>> keycloak-user mailing list >>>> keycloak-user(a)lists.jboss.org >>>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>>> >>> >>> >> >

8 years, 4 months

2
1
0 / 0

Issue with RH-SSO 7.1 domain clustered mode example deployment (Cannot authenticate)

by Olivier Rivat

Hi, I have an issue authenticating againt the RH-SSO installed in domain cluster mode. I have am using RH-SSO server 7.1, and have just deployed a fresh new install of the rh-sso ZIP file I am following step-by-step https://access.redhat.com/documentation/en-us/red_hat_single_sign-on/7.1/... 1) I have first created master and and slaves in teh domain ~/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration$ ../../bin/domain.sh --host-config=host-master.xml ~/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration$ ../../bin/domain.sh --host-config=host-slave.xml 2) I have added the admin user user running add-user.sh ~/redhat/cluster_rh_7.1/rh-sso-7.1/bin$ ./add-user.sh Quel type d'utilisateur souhaitez-vous ajouter ? a) Management User (mgmt-users.properties) b) Application User (application-users.properties) (a): Saisir les informations sur le nouvel utilisateur Utiliser le domaine 'ManagementRealm' selon les fichiers de propriétés existants. Nom d'utilisateur : admin Le nom d'utilisateur 'admin' est facile à deviner Êtes-vous certain de vouloir ajouter l'utilisateur 'admin' oui/non ? oui Les recommandations de mot de passe sont énumérés ci-dessous. Pour modifier ces restrictions, modifier le fichier de configuration add-user.properties. - Le mot de passe doit être différent du nom d'utilisateur - Le mot de passe doit correspondre à une des valeurs limitées suivantes {root, admin, administrator} - Le mot de passe doit contenir au moins 8 caractères, 1 caractère(s) alphabétique(s), 1 chiffre (s), 1 symbole(s) non alpha-numériques Mot de passe : Saisir mot de passe à nouveau : Quels groupes souhaitez-vous impartir à cet utilisateur ? (Veuillez saisir une liste séparée par des virgules, ou laisser vide)[ ]: L'utilisateur 'admin' va être ajouté pour le domaine 'ManagementRealm' Est-ce correct ? oui/non? oui Utilisateur 'admin' ajouté au fichier '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/standalone/configuration/mgmt-users.properties' Utilisateur 'admin' ajouté au fichier '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration/mgmt-users.properties' Utilisateur 'admin' ajouté aux groupes dans le fichier '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/standalone/configuration/mgmt-groups.properties' Utilisateur 'admin' ajouté aux groupes dans le fichier '/home/orivat/redhat/cluster_rh_7.1/rh-sso-7.1/domain/configuration/mgmt-groups.properties' Est-ce que ce nouvel utilisateur va être utilisé pour qu'un processus AS puisse se connecter à un autre processus AS, comme par exemple pour qu'un contrôleur d'hôte esclave se connecte au master ou pour une connexion distante de serveur à serveur pour les appels EJB. oui/non ? oui Pour représenter l'utilisateur, ajouter ce qui suit à la définition des identités du serveur <secret value="IXRhS2V6bzkw" /> 3) I have added <secret value="IXRhS2V6bzkw" /> to host-slave.xml 4) I have restarted both servers 5) The issue: When I connecting to http://localhost:8080/auth with admin and the password, I obtain the message Server:server-one] 18:41:37,959 WARN [org.keycloak.events] (default task-15) type=LOGIN_ERROR, realmId=master, clientId=security-admin-console, userId=null, ipAddress=127.0.0.1, error=user_not_found, auth_method=openid-connect, auth_type=code, redirect_uri=http://localhost:8080/auth/admin/master/console/, code_id=c66df7c9-1bba-47f4-b7ff-280905d53185, username=admin 6)Further troubleshooting: Only thing missing is that I have not found where to grab keycloak-server.json to copy it to server-one/configuration/keycloak-server.json (as descrined in RH-SSO 7.1 ). But is really needed ? I am a little bit confused If it is really missing and the reason why I am failing on this example, where can it be found, as it is not described in teh RH-SSO 7.1 where to grab it ? (I have also found following POST: http://blog.keycloak.org/2016/09/keycloak-serverjson-rip.html >>>>>>>>>>>>>>>>>>>>>>> We have moved configuration of the Keycloak server from keycloak-server.json to standalone.xml, standalone-ha.xml, or domain.xml. Which xml file you use will depend on how you run your server. I'll reference standalone.xml from here on out, but configuration is the same for each file. As of version 2.2.0, keycloak-server.json will no longer be shipped with Keycloak. We do provide a conversion tool to help you make the switch. So now, you can configure the entire server from a single xml file. Keycloak server configuration is done in the same file where you configure data sources, socket bindings, logging, and clustering. But there are other advantages... >>>>>>>>>>>>>>>>>>>>>>> 7) So, from all what I have described, how is it possible to overcome this ? Is it a mistake of mine ? Is it due to something not being clearly documented ? or other ? Waiting for your comments and suggestions, Regards, Olivier Rivat

8 years, 4 months

2
1
0 / 0

Importing big realms

by Buda, Mikolaj

Hi, I've just created a tool that prepares a full backup of realm in json (the same as during export at standalone startup). Sometime it is 60MB of data (many users). Import process takes a long time. Do you have any ideas how to speed up this process?

8 years, 4 months

2
1
0 / 0

Convert Keycloak tokens to "cookies" for a Spring-boot app

by Hylton Peimer

I have a backend server secured using Keycloak Spring web security adaptor. The UI uses the cookies to store the session reference. Now another website would like to implement "SSO" - have a link in their page to connect directly into my application. This other website is able to obtain access/refresh tokens directly from the Keycloak. How can I "convert" the access token to a cookie, which will be recognized by my Spring backend?

8 years, 4 months

1
0
0 / 0

Re: [keycloak-user] bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?

by Bruno Oliveira

There are some possibilities that I can think for "Connection refused" 1. Not having services-jaxrs deployed. Or deployed in the incorrect port. Most of the quickstarts require this service 2. Trying to follow the instructions to deploy the quickstarts without -DskipTests This was already fixed in this PR https://github.com/keycloak/keycloak-quickstarts/pull/70/files The reason why you *must* use -DskipTests for deployment, is because Arquillian will run integration tests and deploy on the same port. If you don't like it, there are two options: change Arquillian port or start WildFly in a different port. On 2017-11-25, Bodo Teichmann wrote: > -Pwildfly-managed didn’t work either, just got other errors: > > …. > Started 332 of 578 services (393 services are lazy, passive or on-demand) > Tests run: 2, Failures: 0, Errors: 2, Skipped: 0, Time elapsed: 6.892 sec <<< FAILURE! - in org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 6.891 sec <<< ERROR! > java.lang.ExceptionInInitializerError > at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.<clinit>(ArquillianProfileJeeVanillaTest.java:81) > Caused by: java.net.ConnectException: Connection refused (Connection refused) > at org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.<clinit>(ArquillianProfileJeeVanillaTest.java:81) > > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 6.892 sec <<< ERROR! > java.lang.NoClassDefFoundError: Could not initialize class org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > > Nov 25, 2017 7:06:11 PM org.jboss.arquillian.core.impl.ObserverImpl resolveArguments > WARNUNG: Argument 2 for ArquillianServiceDeployer.undeploy is null. It won't be invoked. > 19:06:11,395 INFO [org.jboss.as.server] (management-handler-thread - 1) WFLYSRV0236: Suspending server with no timeout. > 19:06:11,402 INFO [org.jboss.as.server] (Management Triggered Shutdown) WFLYSRV0241: Shutting down in response to management operation 'shutdown' > 19:06:11,429 INFO [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-7) WFLYJCA0010: Unbound data source [java:jboss/datasources/ExampleDS] > 19:06:11,431 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0019: Host default-host stopping > 19:06:11,432 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0008: Undertow HTTPS listener https suspending > 19:06:11,436 INFO [org.wildfly.extension.undertow] (MSC service thread 1-2) WFLYUT0007: Undertow HTTPS listener https stopped, was bound to 127.0.0.1:8443 > 19:06:11,441 INFO [org.jboss.as.connector.deployers.jdbc] (MSC service thread 1-3) WFLYJCA0019: Stopped Driver service with driver-name = h2 > 19:06:11,442 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0008: Undertow HTTP listener default suspending > 19:06:11,443 INFO [org.wildfly.extension.undertow] (MSC service thread 1-7) WFLYUT0007: Undertow HTTP listener default stopped, was bound to 127.0.0.1:8080 > 19:06:11,443 INFO [org.wildfly.extension.undertow] (MSC service thread 1-5) WFLYUT0004: Undertow 1.4.0.Final stopping > 19:06:11,533 INFO [org.jboss.as] (MSC service thread 1-5) WFLYSRV0050: WildFly Full 10.1.0.Final (WildFly Core 2.2.0.Final) stopped in 118ms > > Results : > > Tests in error: > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest.org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > Run 1: ArquillianProfileJeeVanillaTest.org<http://ArquillianProfileJeeVanillaTest.org>.keycloak.quickstart.ArquillianProfileJeeVanillaTest » ExceptionInInitializer > Run 2: ArquillianProfileJeeVanillaTest.org<http://ArquillianProfileJeeVanillaTest.org>.keycloak.quickstart.ArquillianProfileJeeVanillaTest » NoClassDefFound > > > Tests run: 1, Failures: 0, Errors: 1, Skipped: 0 > > [INFO] ------------------------------------------------------------------------ > [INFO] BUILD FAILURE > [INFO] ------------------------------------------------------------------------ > > > Am 25.11.2017 um 18:55 schrieb Bruno Oliveira <bruno(a)abstractj.org<mailto:bruno@abstractj.org>>: > > > Try to pass -Pwildfly-managed, it should work. We have some jiras to fix the docs. > > On Sat, Nov 25, 2017, 12:59 PM Bodo Teichmann <Bodo.Teichmann(a)brandad-systems.de<mailto:Bodo.Teichmann@brandad-systems.de>> wrote: > i just followed the "Getting Started" Dokumentation 3.4. > Everything ok until it comes to : > Chapter 4.3.: > after git-clone and > >cd keycloak-quickstarts/app-profile-jee-vanilla > i tried: > >mvn clean wildfly:deploy > but got the error: > > ------------------------------------------------------------------------------- > Test set: org.keycloak.quickstart.ArquillianProfileJeeVanillaTest > ------------------------------------------------------------------------------- > Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.908 sec <<< FAILURE! > org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 0.907 sec <<< ERROR! > java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor > at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166) > at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103) > at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52) > at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114) > at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252) > at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141) > at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189) > at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165) > at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85) > at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115) > at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75) > Caused by: java.lang.reflect.InvocationTargetException > at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) > at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) > at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) > at java.lang.reflect.Constructor.newInstance(Constructor.java:423) > at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162) > ... 15 more > Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: Could not create Container jboss > at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85) > at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96) > at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) > at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) > at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265) > at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74) > at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96) > at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) > at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) > at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) > at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290) > at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.<init>(EventTestRunnerAdaptor.java:63) > ... 20 more > Caused by: java.lang.IllegalArgumentException: DeployableContainer must be specified > at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44) > at org.jboss.arquillian.container.impl.ContainerImpl.<init>(ContainerImpl.java:71) > at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80) > ... 44 more > > > until it tried > > >mvn clean wildfly:deploy -DskipTests > > which worked. > > Do I need any other prerequisites in order to run the arquillian tests other than those described in the "Getting Started“? > > bodo > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org<mailto:keycloak-user@lists.jboss.org> > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- abstractj

8 years, 4 months

1
0
0 / 0

Keycloak 3.4.0 cross datacenter issue with external Infinispan

by Vikrant Singh

Hi All, We are running Cross dc setup with 2 data centers. In this setup we are using external infinispan server 9.1.2.Final. Each dc will have its own external infinispan cluster. And cross dc infinispan cluster is formed using Relay2 protocol. We haven't faced any issues till 3.2.1.Final. When we trying to upgrade Keycloak to 3.4.0.Final we are facing the following issue: Keycloak in first data center are starting up fine but keycloak in second data center fails to start with below error 16:18:58,473 WARN [org.infinispan.client.hotrod.impl.protocol.Codec21] (pool-13-thread-1) ISPN004005: Error received from the server: java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] 2017-11-28 16:18:58,473 DEBG 'Keycloak' stdout output: 16:18:58,473 WARN [org.infinispan.client.hotrod.impl.protocol.Codec21] (pool-13-thread-1) ISPN004005: Error received from the server: java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] 16:18:58,474 ERROR [org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer] (ServerService Thread Pool -- 57) ExecutionException when computed future. Errors: 1: java.util.concurrent.ExecutionException: org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=23 returned server error (status=0x85): java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] at java.util.concurrent.FutureTask.report(Unknown Source) at java.util.concurrent.FutureTask.get(Unknown Source) at org.infinispan.commons.util.concurrent.NotifyingFutureImpl.get(NotifyingFutureImpl.java:88) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart.getResult(DefaultExecutorService.java:1083) at org.infinispan.distexec.DefaultExecutorService$DistributedTaskPart.innerGet(DefaultExecutorService.java:868) at org.infinispan.distexec.DefaultExecutorService$DistributedTaskPart.get(DefaultExecutorService.java:848) at org.keycloak.models.sessions.infinispan.initializer.InfinispanCacheInitializer.startLoading(InfinispanCacheInitializer.java:102) at org.keycloak.models.sessions.infinispan.initializer.CacheInitializer.loadSessions(CacheInitializer.java:41) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$7.run(InfinispanUserSessionProviderFactory.java:273) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:229) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCache(InfinispanUserSessionProviderFactory.java:263) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.loadSessionsFromRemoteCaches(InfinispanUserSessionProviderFactory.java:255) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory.access$200(InfinispanUserSessionProviderFactory.java:62) at org.keycloak.models.sessions.infinispan.InfinispanUserSessionProviderFactory$1.onEvent(InfinispanUserSessionProviderFactory.java:110) at org.keycloak.services.DefaultKeycloakSessionFactory.publish(DefaultKeycloakSessionFactory.java:68) at org.keycloak.services.resources.KeycloakApplication$2.run(KeycloakApplication.java:165) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:229) at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:158) at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) at java.lang.reflect.Constructor.newInstance(Unknown Source) at org.jboss.resteasy.core.ConstructorInjectorImpl.construct(ConstructorInjectorImpl.java:150) at org.jboss.resteasy.spi.ResteasyProviderFactory.createProviderInstance(ResteasyProviderFactory.java:2298) at org.jboss.resteasy.spi.ResteasyDeployment.createApplication(ResteasyDeployment.java:340) at org.jboss.resteasy.spi.ResteasyDeployment.start(ResteasyDeployment.java:253) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.init(ServletContainerDispatcher.java:120) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.init(HttpServletDispatcher.java:36) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:117) at org.wildfly.extension.undertow.security.RunAsLifecycleInterceptor.init(RunAsLifecycleInterceptor.java:78) at io.undertow.servlet.core.LifecyleInterceptorInvocation.proceed(LifecyleInterceptorInvocation.java:103) at io.undertow.servlet.core.ManagedServlet$DefaultInstanceStrategy.start(ManagedServlet.java:265) at io.undertow.servlet.core.ManagedServlet.createServlet(ManagedServlet.java:133) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:565) at io.undertow.servlet.core.DeploymentManagerImpl$2.call(DeploymentManagerImpl.java:536) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:42) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.core.DeploymentManagerImpl.start(DeploymentManagerImpl.java:578) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService.startContext(UndertowDeploymentService.java:100) at org.wildfly.extension.undertow.deployment.UndertowDeploymentService$1.run(UndertowDeploymentService.java:81) at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) at java.lang.Thread.run(Unknown Source) at org.jboss.threads.JBossThread.run(JBossThread.java:320) Caused by: org.infinispan.client.hotrod.exceptions.HotRodClientException:Request for messageId=23 returned server error (status=0x85): java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] at org.infinispan.client.hotrod.impl.protocol.Codec20.checkForErrorsInResponseStatus(Codec20.java:350) at org.infinispan.client.hotrod.impl.protocol.Codec20.readPartialHeader(Codec20.java:139) at org.infinispan.client.hotrod.impl.protocol.Codec20.readHeader(Codec20.java:125) at org.infinispan.client.hotrod.impl.operations.HotRodOperation.readHeaderAndValidate(HotRodOperation.java:56) at org.infinispan.client.hotrod.impl.operations.ExecuteOperation.executeOperation(ExecuteOperation.java:48) at org.infinispan.client.hotrod.impl.operations.RetryOnFailureOperation.execute(RetryOnFailureOperation.java:54) at org.infinispan.client.hotrod.impl.RemoteCacheImpl.execute(RemoteCacheImpl.java:724) at org.keycloak.models.sessions.infinispan.remotestore.RemoteCacheSessionsLoader.loadSessions(RemoteCacheSessionsLoader.java:109) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker$1.run(SessionInitializerWorker.java:74) at org.keycloak.models.utils.KeycloakModelUtils.runJobInTransaction(KeycloakModelUtils.java:229) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:70) at org.keycloak.models.sessions.infinispan.initializer.SessionInitializerWorker.call(SessionInitializerWorker.java:34) at org.infinispan.commands.read.DistributedExecuteCommand.perform(DistributedExecuteCommand.java:107) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart$1.doLocalInvoke(DefaultExecutorService.java:1112) at org.infinispan.distexec.DefaultExecutorService$LocalDistributedTaskPart$1.call(DefaultExecutorService.java:1102) at java.util.concurrent.FutureTask.run(Unknown Source) at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) At the same time we are getting below in external Infinispan 2017-11-28 16:51:37,357 DEBUG [org.infinispan.server.hotrod.HotRodExceptionHandler] (HotRod-ServerWorker-9-3) Exception caught: org.infinispan.commons.CacheException: java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roo ts: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] at org.infinispan.commons.dataconversion.MarshallerEncoder.fromStorage(MarshallerEncoder.java:36) at org.infinispan.cache.impl.EncoderEntryMapper.decode(EncoderEntryMapper.java:43) at org.infinispan.cache.impl.EncoderEntryMapper.apply(EncoderEntryMapper.java:57) at org.infinispan.cache.impl.EncoderEntryMapper.apply(EncoderEntryMapper.java:23) at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) at java.util.Spliterators$IteratorSpliterator.tryAdvance(Spliterators.java:1812) at org.infinispan.commons.util.Closeables$SpliteratorAsCloseableSpliterator.tryAdvance(Closeables.java:143) at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126) at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:498) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:485) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:708) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:499) at org.infinispan.stream.impl.local.LocalCacheStream.collect(LocalCacheStream.java:258) at org.infinispan.util.AbstractDelegatingCacheStream.collect(AbstractDelegatingCacheStream.java:273) at jdk.nashorn.internal.scripts.Script$Recompilation$1$58$\^eval\_.loadSessions(<eval>:5) at jdk.nashorn.internal.scripts.Script$\^eval\_.:program(<eval>:22) at jdk.nashorn.internal.runtime.ScriptFunctionData.invoke(ScriptFunctionData.java:637) at jdk.nashorn.internal.runtime.ScriptFunction.invoke(ScriptFunction.java:494) at jdk.nashorn.internal.runtime.ScriptRuntime.apply(ScriptRuntime.java:393) at jdk.nashorn.api.scripting.NashornScriptEngine.evalImpl(NashornScriptEngine.java:421) at jdk.nashorn.api.scripting.NashornScriptEngine.access$300(NashornScriptEngine.java:73) at jdk.nashorn.api.scripting.NashornScriptEngine$3.eval(NashornScriptEngine.java:514) at javax.script.CompiledScript.eval(CompiledScript.java:92) at org.infinispan.scripting.impl.ScriptingManagerImpl.execute(ScriptingManagerImpl.java:239) at org.infinispan.scripting.impl.LocalRunner.runScript(LocalRunner.java:19) at org.infinispan.scripting.impl.ScriptingManagerImpl.runScript(ScriptingManagerImpl.java:222) at org.infinispan.scripting.impl.ScriptingTaskEngine.runTask(ScriptingTaskEngine.java:44) at org.infinispan.tasks.impl.TaskManagerImpl.runTask(TaskManagerImpl.java:99) at org.infinispan.server.hotrod.ContextHandler.realRead(ContextHandler.java:120) at org.infinispan.server.hotrod.ContextHandler.lambda$channelRead0$0(ContextHandler.java:52) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.ClassNotFoundException: org.keycloak.models.sessions.infinispan.changes.SessionEntityWrapper from [Module "org.infinispan.commons:main" from local module loader @1c2c22f3 (finder: local module finder @18e8568 (roots: /opt/jboss/infinispan-server/modules,/opt/jboss/infinispan-server/modules/system/layers/base))] at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:198) at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:363) at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:351) at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:93) at java.lang.Class.forName0(Native Method) at java.lang.Class.forName(Class.java:348) at org.jboss.marshalling.AbstractClassResolver.loadClass(AbstractClassResolver.java:131) at org.jboss.marshalling.AbstractClassResolver.resolveClass(AbstractClassResolver.java:112) at org.jboss.marshalling.river.RiverUnmarshaller.doReadClassDescriptor(RiverUnmarshaller.java:1087) at org.jboss.marshalling.river.RiverUnmarshaller.doReadNewObject(RiverUnmarshaller.java:1354) at org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:275) at org.jboss.marshalling.river.RiverUnmarshaller.doReadObject(RiverUnmarshaller.java:208) at org.jboss.marshalling.AbstractObjectInput.readObject(AbstractObjectInput.java:41) at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.objectFromObjectStream(AbstractJBossMarshaller.java:134) at org.infinispan.commons.marshall.jboss.AbstractJBossMarshaller.objectFromByteBuffer(AbstractJBossMarshaller.java:112) at org.infinispan.commons.marshall.AbstractMarshaller.objectFromByteBuffer(AbstractMarshaller.java:82) at org.infinispan.commons.dataconversion.MarshallerEncoder.fromStorage(MarshallerEncoder.java:34) ... 35 more I believe the error might be due to the latest code addition for supporting cross dc. Any help on this issue is appreciated. Thanks, Vikrant

8 years, 4 months

1
0
0 / 0

bug in keycloak-quickstarts/app-profile-jee-vanilla aquillian - tests?

by Bodo Teichmann

i just followed the "Getting Started" Dokumentation 3.4. Everything ok until it comes to : Chapter 4.3.: after git-clone and >cd keycloak-quickstarts/app-profile-jee-vanilla i tried: >mvn clean wildfly:deploy but got the error: ------------------------------------------------------------------------------- Test set: org.keycloak.quickstart.ArquillianProfileJeeVanillaTest ------------------------------------------------------------------------------- Tests run: 1, Failures: 0, Errors: 1, Skipped: 0, Time elapsed: 0.908 sec <<< FAILURE! org.keycloak.quickstart.ArquillianProfileJeeVanillaTest Time elapsed: 0.907 sec <<< ERROR! java.lang.RuntimeException: Could not create new instance of class org.jboss.arquillian.test.impl.EventTestRunnerAdaptor at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:166) at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:103) at org.jboss.arquillian.test.spi.TestRunnerAdaptorBuilder.build(TestRunnerAdaptorBuilder.java:52) at org.jboss.arquillian.junit.Arquillian.run(Arquillian.java:114) at org.apache.maven.surefire.junit4.JUnit4Provider.execute(JUnit4Provider.java:252) at org.apache.maven.surefire.junit4.JUnit4Provider.executeTestSet(JUnit4Provider.java:141) at org.apache.maven.surefire.junit4.JUnit4Provider.invoke(JUnit4Provider.java:112) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.apache.maven.surefire.util.ReflectionUtils.invokeMethodWithArray(ReflectionUtils.java:189) at org.apache.maven.surefire.booter.ProviderFactory$ProviderProxy.invoke(ProviderFactory.java:165) at org.apache.maven.surefire.booter.ProviderFactory.invokeProvider(ProviderFactory.java:85) at org.apache.maven.surefire.booter.ForkedBooter.runSuitesInProcess(ForkedBooter.java:115) at org.apache.maven.surefire.booter.ForkedBooter.main(ForkedBooter.java:75) Caused by: java.lang.reflect.InvocationTargetException at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) at java.lang.reflect.Constructor.newInstance(Constructor.java:423) at org.jboss.arquillian.test.spi.SecurityActions.newInstance(SecurityActions.java:162) ... 15 more Caused by: org.jboss.arquillian.container.impl.ContainerCreationException: Could not create Container jboss at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:85) at org.jboss.arquillian.container.impl.client.container.ContainerRegistryCreator.createRegistry(ContainerRegistryCreator.java:78) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96) at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) at org.jboss.arquillian.core.impl.ManagerImpl.bindAndFire(ManagerImpl.java:265) at org.jboss.arquillian.core.impl.InstanceImpl.set(InstanceImpl.java:74) at org.jboss.arquillian.config.impl.extension.ConfigurationRegistrar.loadConfiguration(ConfigurationRegistrar.java:73) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.arquillian.core.impl.ObserverImpl.invoke(ObserverImpl.java:96) at org.jboss.arquillian.core.impl.EventContextImpl.invokeObservers(EventContextImpl.java:99) at org.jboss.arquillian.core.impl.EventContextImpl.proceed(EventContextImpl.java:81) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:145) at org.jboss.arquillian.core.impl.ManagerImpl.fire(ManagerImpl.java:116) at org.jboss.arquillian.core.impl.ManagerImpl.start(ManagerImpl.java:290) at org.jboss.arquillian.test.impl.EventTestRunnerAdaptor.<init>(EventTestRunnerAdaptor.java:63) ... 20 more Caused by: java.lang.IllegalArgumentException: DeployableContainer must be specified at org.jboss.arquillian.core.spi.Validate.notNull(Validate.java:44) at org.jboss.arquillian.container.impl.ContainerImpl.<init>(ContainerImpl.java:71) at org.jboss.arquillian.container.impl.LocalContainerRegistry.create(LocalContainerRegistry.java:80) ... 44 more until it tried >mvn clean wildfly:deploy -DskipTests which worked. Do I need any other prerequisites in order to run the arquillian tests other than those described in the "Getting Started“? bodo

8 years, 4 months

3
7
0 / 0

Operations through keycloak-spring-security-adapter produce status 500 when token is expired

by Dmitry Korchemkin

Hello, We're facing a problem with operations performed through a gateway (using keycloak spring-security-adapter 3.4.0.Final). They result in "org.keycloak.exceptions.TokenNotActiveException: Token is not active" if attempted with expired token. Unlike "token is almost expired" error, which correctly returns 401, this one throws NullPointerException and as a result produces 500 status code, not 401: Caused by: java.lang.NullPointerException: null at org.keycloak.adapters.rotation.AdapterRSATokenVerifier.getPublicKey(AdapterRSATokenVerifier.java:44) This is observed even when accessing keycloak's own endponts (/users). I've seen an issue on JIRA https://issues.jboss.org/browse/KEYCLOAK-5195 which looks like it describes exactly out problem, but it's supposed to be fixed in 3.4.0.Final. Here's relevant part of our http security config (requestMatcher filters some requests bound for IdP itself) from the gateway: @Override @Bean @Primary protected KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter() throws Exception { return new KeycloakAuthenticationProcessingFilter(authenticationManagerBean(), new NeedValidateJwtTokenRequestMatcher(gatewayRoute)); } @Bean public HttpSecurityConfigurer getHttpSecurityConfigurer() { return httpSecurity -> { httpSecurity.authorizeRequests() .anyRequest().permitAll(); httpSecurity.addFilterBefore(traceMethodFilter, CorsFilter.class); httpSecurity.addFilterBefore(corsFilter, KeycloakAuthenticationProcessingFilter.class); }; } Is it something with how we use the adapter in the gateway or the fix from KEYCLOAK-5195 is missing from 3.4.0.Final (or maybe it is not even relevant in this case)? Best regards, Dmitry

8 years, 4 months

1
0
0 / 0

domain-extension example not working OOTB, need admin-cli scope tweaking

by Dmitry Telegin

Hi, The domain-extension example used to work out of the box as of KC 3.1.0, but no longer works with KC >= 3.2.0. That's because in 3.1.0 the "admin-cli" client's scope had the "admin" role mapped by default, which is no longer the case for 3.2.0+, hence no "realm_access" field in the JWT token, hence null auth.getToken().getRealmAccess() in ExampleRestResource::checkRealmAdmin(), hence non-working authorization. I think either the 3.1.0 behavior should be restored, or the domain- extension readme should contain a line about the necessary manual tweak to the admin-cli scope. What do you think? Dmitry

8 years, 4 months

1
1
0 / 0

Token exchange in java client

by Jean-François HEROUARD

Hi, I am using the token exchange feature of Keycloak 3.4, which is really great and useful in my REST backoffice (before the only way i found was to do a lot of 302 in browser to get needed access tokens). Everything is documented for server configuration, but in java client is there a new function to exchange a token ? I wrote some code extending the current AuthzClient if anybody is looking for the same thing : public AccessTokenResponse exchangeAccessToken(String bearer, String bearerIdpName) { return this.http.<AccessTokenResponse>post(authzClient.getServerConfiguration().getTokenEndpoint()) .authentication() .client() .param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange") .param("subject_token", bearer) .param("subject_issuer", bearerIdpName) .param("subject_token_type", "urn:ietf:params:oauth:token-type:access_token") .param("audience", authzClient.getConfiguration().getResource()) .response() .json(AccessTokenResponse.class) .execute(); } Thanks

8 years, 4 months

1
0
0 / 0

Keycloak plugin using keycloak-services

by Anton Mazkovoi

Hi, I have a small plugin that adds a simple REST service to keycloak, which I would like to restrict access to members of the admin role. I am following the example: https://github.com/keycloak/keycloak/blob/3.2.1.Final/examples/providers/... I am deploying the plugin by copying into the "standalone/deployments” directory. The plugin errors out with: java.lang.NoClassDefFoundError: org/keycloak/services/managers/AppAuthManager How do I declare the dependency on "keycloak-services”? Or is there a simpler way to restrict access to a REST service to admin role members? Cheers, Anton

8 years, 4 months

2
1
0 / 0

KC-SERVICES0047: my-registration-action (test.extension.MyRegistrationFormActionFactory) is implementing the internal SPI form-action. This SPI is internal and may chang e without notice ---> Should I be concerned?

by SW

I created my own KeycloakRegistrationAction and it gives me this warning. Should I be concerned when upgrading to newer versions in the future? -- Sent from: http://keycloak-user.88327.x6.nabble.com/

8 years, 4 months

1
0
0 / 0

AuthzClient.create() for Spring Boot usage

by Niko Köbler

Hi, the „keycloak-authz-client“ package provides the AuthzClient class, which can be created by calling „AuthzClient.create()“. This automatically detects a „keycloak.json“ file and reads values for the „Configuration“ object. This is all good. But when it comes to Spring Boot apps using the Spring Boot Adapter, there is no „keycloak.json“ file and instead the values are provided via the „application.properties“ (or .yml, or else). I would appreciate, that „AuthzClient.create()“ would also be possible to detect the Spring Boot Property configuration and use it from there. Was this already discussed? Is it planned? Should I create a ticket for it? If you already have any ideas, share them with me, I could do a PR for it. Currently, I’m using a workaround like this: https://gist.github.com/dasniko/2c64393da0bca89434670908141914c4 <https://gist.github.com/dasniko/2c64393da0bca89434670908141914c4> So I can inject the AuthzClient everywhere I like and the KeycloakSpringBootProperties object is injected in the Bean definition. It’s not a nice way, although it works. The classes „Configuration“ and „KeycloakSpringBootProperties“ both extend „AdapterConfig“. Perhaps AuthzClient could also use AdapterConfig, instead of only Configuration!? Regards, - Niko

8 years, 4 months

2
1
0 / 0

Keycloak Facebook Social Login

by Madhan Kumar S P

Hello All, I am trying to integrate the Keycloak with Facebook social plugin. I had gone through the examples and documentation. This works fine if I use the Keycloak hosted Login Page. What I need is that we want to host our own login page and use the Keycloak APIs to register the user and login. I mean, I want to host our Sign Up/Login Page. When the user clicks on the Login with Facebook, we want to redirect the user to FB and get the approval and collect the details, create the user details that we need for our application. Then register the user on the Keycloak. I don’t see any documentation for this. I would be really grateful if you can shed some light on this and point to the documentation that would help me in achieving this. Thanks & Regards, Madhan Kumar S P

8 years, 4 months

3
2
0 / 0

When KeycloakSecurityContext is initialized and available?

by Sinan Mustafov

Hello, I have backend with JAX-RS REST endpoint secured with bearer token and angular2 app as frontend (everything is the same like in the quickstarts). What Im trying to do is to get the KeycloakSecurityContext in ServletRequestListener, so I can get the authenticated user and initialize my own context in the backend for the current request. Here is the code: @WebListener public class RequestListener implements ServletRequestListener { @Override public void requestInitialized(ServletRequestEvent event) { ServletRequest servletRequest = event.getServletRequest(); Object keycloakContext = servletRequest.getAttribute( KeycloakSecurityContext.class.getName()); System.out.println("INIT: " + keycloakContext); } @Override public void requestDestroyed(ServletRequestEvent event) { ServletRequest servletRequest = event.getServletRequest(); Object keycloakContext = servletRequest.getAttribute( KeycloakSecurityContext.class.getName()); System.out.println("DESTROY: " + keycloakContext); } } What happens: In requestInitialized method the context is null, but its available in requestDestroyed method. Do you have any idea why is this happening or when the KeycloakSecurityContext is added to the request? Regards.

8 years, 4 months

1
0
0 / 0

Admin initiated login-actions emails with action tokens no longer redirect user to proper screen since upgrading to 3.4.0.Final

by Edgar Vonk - Info.nl

Since upgrading from Keycloak 3.2.0.Final to 3.4.0.Final the links in the admin initiated login-actions emails no longer work for us. We use such emails e.g. to require the user to set his/her password before their account can be used. Such login action links in the 'change password’ emails are of the format: https://HOSTNAME/auth/realms/graydon-customers/login-actions/action-token... when the user clicks this link Keycloak 3.2.0 redirected the user to: https://HOSTNAME/auth/realms/graydon-customers/login-actions/required-act... However since we upgraded to Keycloak 3.4.0.Final this is no longer the case and the user is not redirected to the required action page at all.. Does anyone have tips on what may be the issue? Was there anything changed from 3.2.0 to 3.4.0 that could explain this? Or is it perhaps a bug in Keycloak? PS: we run Keycloak in a cluster with a persistent clustered Infinispan cache. So far we have not emptied our Keycloak database nor completely removed this cache when upgrading Keycloak. cheers

8 years, 4 months

1
0
0 / 0

[spring-adapter] Changing the redirect_uri parameter sent to Keycloak

by Christophe Tafani-Dereeper

Hi, I'm using Keycloak with the Spring Boot Adapter. Is there any way to customize the redirect_uri parameter being sent to Keycloak when initiating a login? I went through the docs but couldn't find anything on the topic. Thank you, Christophe

8 years, 4 months

1
0
0 / 0

Putting password update form on account update page

by Loïc Lambrichts

Hi guys, Im currently working on a project where we are using Keycloak as offsite SSO. To improve the user journey we are trying to put the password update form on the account update page. The idea is to have the password update on the same page where the user can change his email, first name and last name. We tried to copy paste the code from the password template (the form only) to he account template but it didn't work. Any idea how can I do that ? Or maybe it’s no possible… Thanks. Have a good day.

8 years, 4 months

1
0
0 / 0

Help with docker compose

by juanignacioborda＠gmail.com

Hi there I'm having some issues setting up a docker-compose file my file is as folows: version: "3" services: ########################### ##### Mysql server DB #### ########################### mysql: image: mysql:5 environment: MYSQL_ROOT_PASSWORD: developer MYSQL_DATABASE: keycloack MYSQL_USER: keycloak MYSQL_PASSWORD: developer volumes: - ./backups:/backups ############################### ##### KEYCLOAK server #### ############################### server: image: jboss/keycloak depends_on: - mysql ports: - "9081:8080" environment: DB_VENDOR: MYSQL MYSQL_DATABASE: keycloak MYSQL_USERNAME: root MYSQL_PASSWORD: developer KEYCLOAK_USER: admin KEYCLOAK_PASSWORD: keycloak VIRTUAL_HOST: keycloack.lab links: - mysql:mysql But server refuses to start and throw db cant connect errors Any help would be very appreciated Thanks!

8 years, 4 months

3
3
0 / 0

Error in resource

by Corentin Dupont

Hi, after creating a resource through the API, the "resources" panel on the UI will not open anymore: *Error!* An unexpected server error has occurred In the keycloak traces there is: keycloak_1 | 16:15:00,037 ERROR [io.undertow.request] (default task-27) UT005023: Exception handling request to /auth/admin/realms/waziup/clients/0892e431-5daf-413e-b4cf-eaee121ee447/authz/resource-s erver/resource: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: Could not find the user [guest] who owns the Resource [062e4b4f-d931-42c1-8c88-117766797ecd]. The user guest exists... I created the resource with something similar to: curl -X POST " http://localhost:8080/auth/realms/myrealm/authz/protection/resource_set" -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{ "name": "My house", "uri": "/houses/123", "scopes": ["view"], "owner": "guest" }' Thanks Corentin

8 years, 4 months

2
2
0 / 0

Corrupted policies

by Corentin Dupont

I guys, I encountered this bug: https://issues.jboss.org/browse/KEYCLOAK-4340 Basically after exporting, my policies are inaccessible. My keycloak version is 3.1.0.Final. Is there a workaround? Can I delete the policies via API? Should I edit the database? I connected to H2 database but there is no tables. What is the login/password when logging to H2? Cheers

8 years, 4 months

2
3
0 / 0

org.keycloak.keys.FailsafeAesKeyProvider] errors.

by Maurice Mahieu

Hello, Since I upgraded my cluster consisting of 2 instances from 3.2.0 to 3.4.0 I get the following messages in the log. 2017-11-23 13:31:09,460 ERROR [org.keycloak.keys.FailsafeAesKeyProvider] (default task-6) No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported. 2017-11-23 13:31:09,460 ERROR [org.keycloak.keys.FailsafeAesKeyProvider] (default task-59) No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported. 2017-11-23 13:31:27,239 ERROR [org.keycloak.keys.FailsafeAesKeyProvider] (default task-10) No active keys found, using failsafe provider, please login to admin console to add keys. Clustering is not supported. etc. On the admin console of both serves there are 2 active keys. One RSA and on Hmac and the servers seem to be in sync if I compare the user sessions on both servers. Does anybody know how I can I resolve this / get rid of the messages ? Regards, -- Met vriendelijke groet, Maurice Mahieu system engineer maurice(a)info.nl <mailto:maurice@info.nl> | LinkedIn <http://www.linkedin.com/in/maurice-mahieu-224a1821> | +31 (0)20 530 9111 <tel:+31205309111> info.nl <http://www.info.nl> Sint Antoniesbreestraat 16 | 1011 HB Amsterdam | +31 (0)20 530 9100 <tel:+31205309100>

8 years, 4 months

1
0
0 / 0

spring-social-keycloak

by ali akbar

Hi I have more than 20 application that launch in private cloud with spring security framework,after some search i decide to create IAM (SSO) for these application after search in google ,i found Keycloak project that one of best project for do that . all my apps in organization have own user management and do not want to change that . my idea is to launch Keycloak in our organization and each user in organization have account in Keycloak,but both user have same email . when user want to login in app can login with app user and Keycloak user .in this way Keycloak is like google for Github or Facebook that each user can login with Github user or google account. after read Keycloak documentation i do not see library that make this for combining local authentication and keycloak authentication.i want when kecloak authentication do success i setAuthentication with app authentication . after some google i found spring social project and i decide to create spring-social-keycloak .but i do not see good documentation for request response . or any sample for curl that i know how can use that in my project https://github.com/azizkhani/spring-social-keycloak it is my idea is correct? is any sample that show curl for authorization code flow and get user info ? is keycloak is active in gitter.im for online question ?

8 years, 4 months

1
0
0 / 0

Using Rest Services managed by another Realm and account linking issue

by Gael THIABAUD

Dear Keycloak team, Please find below : • Use case description • GOALS • What I tried • Question and Proposals Is the approach described the good one? Does-it exists another one? What is your preferred proposal? Do you have another ? Use case description : All applications and rest services secured by OpenID (Keycloak) User (Realm A) → Web application Front end 1 (Realm A) --> Application Back End 1 (Realm A)→ Rest Service 1 (Realm B) → Rest Service 2 (Realm C) GOALS: The solution must permit to identify the user himself into each component. The User in Realm B must be linked to the User in Realm A. What I tried: By using the "Internal Token to External Token Exchange" features of Keycloak it works if the user is existing in all the realms and if the account(s) are linked between them. And it works, thank you for the job ! The current issue is that I want that the application back end 1 creates the account(s) into the required realms when it try to use the Rest Service in the other realm. I try to implement the following use case: User (Realm A) → Web application Front end 1 (Realm A) --> Application Back End 1 (Realm A) -- Request account creation and linking → Keycloak Realm B -- Internal Token to External Token Exchange → Keycloak Realm B → Rest Service 1 (Realm B) -- Request account creation and linking → Keycloak Realm C -- Internal Token to External Token Exchange → Keycloak Realm C → Rest Service 2 (Realm C) I take a look into the chapter 5.2. Client Initiated Account Linking but it involve that it must be the user browser that trigger the http request. I take look into IdentityBrokerService.clientInitiatedAccountLinking and it seems that all the secure mechanism used is related to the cookie and the Keycloak user session. The approach that I try cannot work with the current implementation of clientInitiatedAccountLinking. Question and Proposals: Is the call flow that I try the right approach for achieving the goals ? If yes and assuming that: 1) the account creation and auto-linking must be included into the Keycloak solution in standard for managing the use case described (think about micro services) 2) the OIDC Tokens are enough for securing the creation of new account into other realms, if a trusted relation exists between the realms of course ! Proposal 1: clientInitiatedAccountLinking proposes 2 mode of securization, the current one based on the cookie and a new one based onto the Bearer token. Proposal 2: A complete new HTTP request using the bearer token can be used for the account creation and linking. Proposal 3: Keycloak exposes a new Rest method permitting to create and link account by using the Token Bearer only Proposal 4: Keycloak exposes a new Rest method permitting to create an account into a realm by using the Token Bearer only. Keycloak exposes a new Rest method permitting to link two accounts into a realm by using the Token Bearer only. Comment: For being able to create an account into an other realm without entering in conflict with an existing account we can propose to used the UUID of the account from the realm used for original authentication. >From my point of view it could be a decision that must be done during the design of the security policy of the IT system. For example the administrator can decide to use the email like a common ID between the realms or the UUID or any value that he can apply onto the preferred_username like currently implemented for the account linking feature.

8 years, 4 months

1
0
0 / 0

How to escape dot symbol in Token Claim Name

by Alexander Ionov

Greetings, When specifying Token Claim Name in a mapper, user can write claim name in dot notation in order to create nested JSON objects. The problem is, that I should do completley the opposite. I need a token name that looks like "http://domain.name/claims/customer_number". Keycloak sees the dot in the name and creates the following claim: { "http://domain": { "name/claims/customer_number": "value" } } Is there any way to escape this dot in the claim name? I've tried the backslash character but it didn't work. And I didn't find the information about this anywhere. Thanks, Alexander

8 years, 4 months

1
0
0 / 0

Authorization: proof of ownership

by Corentin Dupont

In my use case, the user can "claim" resources. But to do that, he need to prove that he is the rightful owner. In practice, the user possess objects called "sensor nodes". Those are just little boxes with a tag on it. The tag has a number that the user can transmit to prove that he is owning physically the object. So my idea was to provide an endpoint able to change the owner of the resource, based on the tag number. Using our example, the endpoint to claim a resource could look like: curl -X PUT http://www.example.com/api/v1/houses/MyHouse/owner -d '{ "owner": "smith" "proof": "XXXXXXX" }' A policy would check that the proof is valid, by matching it against a database. If accepted, then the resource owner should be changed. Do you think this is a good protocol? How to write the policy to authorize the owner change at Keycloak level? I don't see how to transmit the proof number when performing the authorization request (with the entitlement API).

8 years, 4 months

2
2
0 / 0

client certificate authentication using HAProxy and Keycloak

by Wei Li

Hi, We are using HAProxy as the reverse proxy for the Keycloak server, and we are terminating the SSL connection at HAProxy. Now we want to enable client certificate authentication. Because the SSL is terminated at HAProxy, we can't use the existing CCA feature provided by Keycloak. But we can get the client cert info in HAProxy and pass them onto Keycloak in headers. So is there a way to allow Keycloak to get the user info from the headers and perform authentication? Thanks for your help in advance! -- WEI LI SENIOR SOFTWARE ENGINEER Red Hat Mobile <https://www.redhat.com/> weil(a)redhat.com M: +353862393272 <https://red.ht/sig>

8 years, 4 months

2
3
0 / 0

BeerCloak update

by Dmitry Telegin

Hi everyone, BeerCloak[1] has just got a substantial update. Highlights are: - EAR packaging. This is probably the most important item, as I remember people here asking many times how to package providers into an EAR together with external dependencies, so finally here is a complete working example; - more reliable initial data population; - update to Keycloak 3.4.0.Final; - minor fixes & refactoring; - doc updates, especially on the installation procedure. It still lacks tests, so I'd appreciate much if someone more experienced would recommend me what exactly to test and how, or probably even would help me with writing tests. BeerCloak is a comprehensive Keycloak extension example, which comprises different techniques, sometimes undocumented, to build a complete real-life Keycloak extension. From the technical point of view, it includes a custom JPA entity, custom admin REST resource, admin GUI extensions and everything else needed to glue that together. I'd be happy to see it as a semi-official blueprint, or a starting point for those interested in extending Keycloak. Cheers, Dmitry [1] https://github.com/dteleguin/beercloak

8 years, 4 months

1
0
0 / 0

extend theme with some extra text

by mj

Hi, We are trying to display some extra static text to the two pages where a password can be changed: - the login theme (sunrise) - the account theme (address) We're trying to add text, to inform the users of *all* configured password requirements at once. Something like: > Kindly be advised to use: > - min. 8 characters > - min. one lower case > - min. one upper case > - min. one special character In the current situation during a password change, the user initially is not informed about the minimum requirements, and 'learns' a new requirement on each password rejection. We know that this should be possible by editing the (in our case) themes "sunrise" and "address". But could someone point out where and how we can add some new extra text to these pages? MJ

8 years, 4 months

2
2
0 / 0

keycloak 3.4.0 - Missing relation

by Kevin Hirschmann

Hello everybody, I am setting up a new keycloak instance (3.4.0) resulting in the following error (Relation does not exist): INFO [org.keycloak.connections.jpa.updater.liquibase.LiquibaseJpaUpdaterProvider] (ServerService Thread Pool -- 78) Updating database. Using changelog META-INF/jpa-changelog-master.xml ERROR [org.keycloak.connections.jpa.updater.liquibase.conn.DefaultLiquibaseConnectionProvider] (ServerService Thread Pool -- 78) Change Set META-INF/jpa-changelog-authz-3.4.0.CR1.xml::authz-3.4.0.CR1-resource-server-pk-change-part2::glavoie@gmail.com failed. Error: FEHLER: Relation Ųesource_server_policyӠexistiert nicht Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)]: liquibase.exception.DatabaseException: FEHLER: Relation Ųesource_server_policyӠexistiert nicht Position: 8 [Failed SQL: UPDATE RESOURCE_SERVER_POLICY p SET RESOURCE_SERVER_CLIENT_ID = (SELECT CLIENT_ID FROM RESOURCE_SERVER s WHERE s.ID = p.RESOURCE_SERVER_ID)] The problem only occurs, if I do NOT use the default schema. If I use the default schema everything is great. How can I work around this problem? Thx for your help Kevin Hirschmann HUEBINET Informationsmanagement GmbH & Co. KG Telefon: +49 (0) 261 / 5 00 86 - 17 Telefax: +49 (0) 261 / 5 00 86 - 29 E-Mail: kevin.hirschmann(a)huebinet.de<mailto:kevin.hirschmann@huebinet.de> Internet: www.huebinet.de<http://www.huebinet.de/> HUEBINET Informationsmanagement GmbH & Co. KG An der Königsbach 8 56075 Koblenz Sitz und Registergericht: Koblenz HRA 5329 Persönlich haftender Gesellschafter der KG: HUEBINET GmbH; Sitz und Registergericht: Koblenz HRB 6857 Geschäftsführung: Dr. Carsten Schöpp; Michael Biemer; Michael Ewertz ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Der Nachrichtenaustausch mit HUEBINET Informationsmanagement GmbH & Co. KG, Koblenz via E-Mail dient lediglich zu Informationszwecken. Rechtsgeschäftliche Erklärungen mit verbindlichem Inhalt können über dieses Medium nicht ausgetauscht werden, da die Manipulation von E-Mails durch Dritte nicht ausgeschlossen werden kann. Email communication with HUEBINET Informationsmanagement GmbH & Co. KG is only intended to provide information of a general kind, and shall not be used for any statement with binding contents in respect to legal relations. It is not totally possible to prevent a third party from manipulating emails and email contents.

8 years, 4 months

3
6
0 / 0

Re: [keycloak-user] Authorization transfer

by Corentin Dupont

I see, so I need to create "mydomain" as a resource. But what should be the type for both "mydomain" and "myhouse"? Should it be something like "domain:mydomain"? What I would like is to grant different access to users to that domain. For example: user Bob can only view resources in domain "mydomain". User Alice can view and delete resources in "mydomain". Should I create a "User Policy" with the list of users that have access? If I understand, I need to use the "resource-based" permission. However it does not seem to let me select the scopes (as in my example: Bob can only view, but Alice can delete). Another question: how to invoke the API for typed resources? I have: curl -X POST -H "Content-Type: application/json" -H "Authorization: Bearer $TOKEN" -d '{ "permissions" : [ { "resource_set_name" : "Sensors", "scopes" : [ "view" ] } ] }' "http://localhost:8080/auth/realms/waziup/authz/entitlement/waziup" But this uses the name of the resource, so I am not sure. Is there a reference for this API? Thanks a lot PS. I found some minor bugs related to the API, should I report them here or create a JIRA? On Tue, Nov 21, 2017 at 1:51 PM, Pedro Igor Silva <psilva(a)redhat.com> wrote: > Resources have a *type* field that can be used to group resources. > Permissions granted to a "typed resource" (which is created with the > resource server itself as the owner) applies to any other resource with the > same type and owned by an user. Think about a "typed resource" as a > general/parent resource. > > If you have a "mydomain" typed resource and a "myhouse" resource, sharing > the same type, any permission you apply to "mydomain" is going to be > applied to "myhouse". > > Does it makes sense ? > > On Mon, Nov 20, 2017 at 9:10 AM, Corentin Dupont < > corentin.dupont(a)gmail.com> wrote: > >> Thanks for the answer. >> My plan is to make authorizations based on groups of resources, that we >> call "domains". >> Basically, when a user creates a resource, he can decide to put it in an >> existing domain. >> The URL reflects that domain: >> >> http://www.example.com/api/v1/domains/mydomain/houses/myhouse >> >> The user can also create domains with the domains endpoint: >> >> POST http://www.example.com/api/v1/domains/ >> >> What is not clear for me is how users can get access to domains. >> Probably users can have an attribute "domains", with the list of domains >> they have access to? >> Or should a domain be represented in Keycloak as a resource? >> In this case, should we create roles to access that domain? >> For example, the role "admin-mydomain" ? >> >> Or should it be implemented with user groups in Keycloak? Or with User >> policies? >> >> >> >> On Fri, Nov 17, 2017 at 9:06 PM, Pedro Igor Silva <psilva(a)redhat.com> >> wrote: >> >>> Right now you can't do it. This is all about the work we are doing to >>> better support UMA protocol. Soon you'll be able to let your users to >>> manage their resources (and their policies) from Keycloak Account Service, >>> grant and revoke access to other users, authorization flows. We are really >>> missing this. >>> >>> However, I think you can try to use the Policy Management API. It >>> provides a RESTful API that you can use to manage permissions and policies. >>> As an example https://github.com/pedroigor/keycloak/blob/cedc095a9 >>> c50a1d16482acbbc9876de1730c9fb1/testsuite/integration-arquil >>> lian/tests/base/src/test/java/org/keycloak/testsuite/admin/ >>> client/authorization/UserPolicyManagementTest.java. There are other >>> tests in the same package for other permission and policy types. >>> >>> Please, let me know about your achievements if you start doing something >>> with the Policy Management API. Any feedback is welcome and will probably >>> help with the work I mentioned before around UMA. >>> >>> On Fri, Nov 17, 2017 at 4:59 PM, Corentin Dupont < >>> corentin.dupont(a)gmail.com> wrote: >>> >>>> Hi guys, >>>> is it possible for an application user to grant some authorizations to >>>> another user? >>>> For example in the photoz example, how can I give access to my albums >>>> to another user? >>>> What would be the mechanism? >>>> >>>> Thanks a lot >>>> Corentin >>>> >>> >>> >> >

8 years, 4 months

2
3
0 / 0

NumberFormat exception on update password in self developed user-federation

by Edwin Snorre Lothar von Gohren

Hi guys, to keep my mail short i have an issue I struggle to solve. So I have created posts on both stackoverflow, and on the JIRA, because I don’t know if it is a bug or not. But here are the links: https://issues.jboss.org/browse/KEYCLOAK-5874?jql=project%20%3D%20KEYCLOA... https://stackoverflow.com/questions/47388978/keycloak-update-password-wit... Greetings Tech-lead on Entur www.entur.org

8 years, 4 months

1
0
0 / 0

Unable to use Implicit Flow in Spring Security

by HALLEGUEN, Roderic

Hi, I followed the two articles on the blog (https://developers.redhat.com/video/youtube/O5ePCWON08Y/) to make Keycoak work with Spring Security. It works nice, but I'm only able to use the standard flow. Is there something to configure in Spring Security to make it work with the Implicit flow ? I didn't find anything about this in the documentations. Thank's for your help ! This message contains information that may be privileged or confidential and is the property of the Capgemini Group. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized to read, print, retain, copy, disseminate, distribute, or use this message or any part thereof. If you receive this message in error, please notify the sender immediately and delete all copies of this message.

8 years, 4 months

2
1
0 / 0

UMA Authorization

by Damian Czaja

Hello guys, AFAIK Keycloak currently does not have full UMA support and for e.x. it's not possible for users to manage resources they own. There already a PR for KEYCLOAK-3169 on that. First question: How is the "owner" of the resource set when using the Resource Registration Endpoint ( https://docs.kantarainitiative.org/uma/rec-oauth-resource-reg-v1_0_1.html)? Is it set to the "subject" of the PAT token used to register the resource or is it always the Resource Server, who registered it? Second question: >From what I know in UMA to get the Permission Ticket you need to use the PAT of the Resource Owner. In case the Resource Owner is an End-User does it mean the Resource Server will need to perform OAuth2 with the End-user and store the PAT somewhere to be able to issue Permission Tickets to Requesting Parties anytime, without the active present of the End-user? Best regards, Damian

8 years, 4 months

1
0
0 / 0

Is it possible that you delete not activated User after some time?

by SW

I am thinking of an option, where you can decide, that after some time (24 Hours or so), the not activated user will be deleted. Is this possible? regards & tia SW -- Sent from: http://keycloak-user.88327.x6.nabble.com/

8 years, 4 months

1
0
0 / 0

Possible to configure CustomizedEmailSender for specific realm?

by SW

Is it possible to configure a CustomizedEmailSender just for a specific realm, so that other realms use the default one? I am thinking of something like this: <spi name="emailSender"> <provider name="customized" realm="MyAwesomeRealm"/> </spi> -- Sent from: http://keycloak-user.88327.x6.nabble.com/

8 years, 4 months

1
0
0 / 0

org.hibernate.LazyInitializationException (could not initialize proxy - no Session) when getting user attributes

by Ilya Korol

Hi. I've wrote some implementation of org.keycloak.timer.ScheduledTask that should periodically conditionally delete some users, depending on their attribute values: @Override public void run(KeycloakSession session) { long currentTime = TimeUnit.MILLISECONDS.toSeconds(Time.currentTimeMillis()); RealmModel realm; // appropriate realm was set GroupModel group; // appropriate group was set session.userLocalStorage() .getGroupMembers(realm, group).stream() .filter(user -> isNotVerified(user) && isExpired(user, currentTime)) .forEach(user -> { session.userLocalStorage().removeUser(realm, user); }); } private boolean isNotVerified(UserModel user) { return user.getFirstAttribute(UserAttributes.STATUS) != null && user.getFirstAttribute(UserAttributes.STATUS).equals(UserStatuses.NOT_VERIFIED); } private boolean isExpired(UserModel user, long currentTime) { return TimeUnit.MILLISECONDS.toSeconds(user.getCreatedTimestamp()) + expirationTimeout < currentTime; } When it runs i got following exception in method isNotVerified(UserModel user) for users that don't have any attributes. (For users with any attributes this will work) 2017-11-21 14:51:31,030 ERROR [org.keycloak.services] (Timer-2) KC-SERVICES0089: Failed to run scheduled task ClearExpiredOnboardingUsers: org.hibernate.LazyInitializationException: failed to lazily initialize a collection of role: org.keycloak.models.jpa.entities.UserEntity.attributes, could not initialize proxy - no Session at org.hibernate.collection.internal.AbstractPersistentCollection.throwLazyInitializationException(AbstractPersistentCollection.java:567) at org.hibernate.collection.internal.AbstractPersistentCollection.withTemporarySessionIfNeeded(AbstractPersistentCollection.java:205) at org.hibernate.collection.internal.AbstractPersistentCollection.initialize(AbstractPersistentCollection.java:546) at org.hibernate.collection.internal.AbstractPersistentCollection.read(AbstractPersistentCollection.java:133) at org.hibernate.collection.internal.PersistentBag.iterator(PersistentBag.java:277) at org.keycloak.models.jpa.UserAdapter.getFirstAttribute(UserAdapter.java:176) at company.utils.ClearExpiredOnboardingUsers.isNotVerified(ClearExpiredOnboardingUsers.java:50) at company.utils.ClearExpiredOnboardingUsers.lambda$run$0(ClearExpiredOnboardingUsers.java:41) at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174) at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1380) at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151) at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174) at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418) at company.utils.ClearExpiredOnboardingUsers.run(ClearExpiredOnboardingUsers.java:42) at org.keycloak.services.scheduled.ScheduledTaskRunner.runTask(ScheduledTaskRunner.java:61) at org.keycloak.services.scheduled.ScheduledTaskRunner.run(ScheduledTaskRunner.java:45) at org.keycloak.timer.basic.BasicTimerProvider$1.run(BasicTimerProvider.java:51) at java.util.TimerThread.mainLoop(Timer.java:555) at java.util.TimerThread.run(Timer.java:505) I found a workaround by surrounding attributes verification with try/catch RuntimeException. In debugger i checked that session.getTransactionManager.isActive() returns true. So i'm interesting in possible problems here. Do i have any mistakes in my code or there is a some kind of bug? Should it be moved to Jira?

8 years, 4 months

1
0
0 / 0

User registration outside of Keycloak login form

by Ilya Korol

You should use your custom Authenticator (see docs for Server development -> Authentication SPI). So the idea is to put this authenticator (Optional requirement) inside browser flow right after Cookie. It will check whether user is authenticated or not (if user was authenticated it means that Cookie worked). Then it will show form that you described via its challenge() method, and process user reaction in action() method. If you don't fully understand what i've wrote check docs and you definitely should get the idea. Cheers.

8 years, 4 months

1
0
0 / 0

Integrating Login With Facebook

by Madhan Kumar S P

Hello, I am trying to integrate the Keycloak with Facebook social plugin. I had gone through the examples and documentation. This works fine if I use the Keycloak hosted Login Page. What I need is that we want to host our own login page and use the Keycloak APIs to register the user and login. I mean, I want to host our Sign Up/Login Page. When the user clicks on the Login with Facebook, we want to redirect the user to FB and get the approval and collect the details, create the user details that we need for our application. Then register the user on the Keycloak. I don’t see any documentation for this. I would be really grateful if you can shed some light on this and point to the documentation that would help me in achieving this. Thanks & Regards, Madhan Kumar S P

8 years, 4 months

1
0
0 / 0

default permissions

by Corentin Dupont

Another question: how to apply default authorizations? I want to protect my API with authorization in Keycloak. However some resources should be open to the public, accessible without any bearer token. My idea was: - create an "unregistered_user" composite role, containing some basic roles - create a "guest" user, with the unregistered_user role - on the API server, if there is no token in the request I will get the roles of the guest user and user them. If there is a token, I'll use that user permissions. What do you think of that process? Thanks

8 years, 4 months

3
13
0 / 0

Authorization transfer

by Corentin Dupont

Hi guys, is it possible for an application user to grant some authorizations to another user? For example in the photoz example, how can I give access to my albums to another user? What would be the mechanism? Thanks a lot Corentin

8 years, 4 months

2
3
0 / 0

SAML Logout url

by Min Han Lee

Hello, can anyone shed some light on how to configure SAML single log out, please, I postfixed the POST binding by adding ?GLO=true but it didn't work. Kind Regards

8 years, 4 months

2
1
0 / 0

Keycloak OpenID Endpoint Configuration

by Lilith Saer

Hi there. I am looking to change the default URL that an unauthenticated user is directed to (by default, the KC login page) after attempting to access a resource that require authentication. How can I do this? Thank you!

8 years, 4 months

1
0
0 / 0

Java EE server compatibility and JSR-375

by Robert .

Is it possible to implement JSR-375 using Keycloak? Will this allow you to use Keycloak on any Java EE server without the Spring adapter and any of the server specific keycloak adapters? Are there any plans to do something with Keycloak and JSR-375? The Keycloak documentation gives a warning about the Java Servlet Filter Adapter. It states that: "Backchannel logout works a bit differently than the standard adapters. Instead of invalidating the HTTP session it marks the session id as logged out." What are the implications of this? Will something not work properly? Will the web application still think the user is logged in? Or is the http session not cleaned up from memory?

8 years, 4 months

1
0
0 / 0

logout not working with IDPs

by Nijo Johny

Hello, My use case - Enables users SSO with multiple IDPs such as okta, one login, adfs etc. I have single sign on working with all IDPs, no problems. But logout is now working. Here is my setup. Our front end (Single Page) application is configured with OICD client to keycloak. Keycloak acts as broker to all external IDPs using SAML. Okta, ADFS and One login are configured as Identity provides under the realm. To enable logout on Okta side there an option "Allow application to initiate Single Logout" But for this, I need to provide 3 parameteres 1. Single Logout url (The location of where the logout response will be sent) 2. SP Issuer (The issuer of the service provider) 3. Signature Certificate. (Determines the public key certificate used to verify the digital signature). I need help with 2 and 3. Keycloak Documentation says Realm Keys are used to sign, but how to export this from keycloak to import to Okta? Okta only allows to import it. What should I provide for SP Issuer? Note: Back channel logout is not enabled. Regards, NJ

8 years, 4 months

1
0
0 / 0

Error in base64 decoding saml message

by Alex Zeleznikov

Hello, we are using keycloak as a local IDP, currently the keycloak server if being served to SPs via simplesamlphp, the connection to the simplesaml server works, a user can login and logout without issues, however, when a user tries to authneicate via an SP, the keycloak server login page shows "invalid request". Looking at the logs I see: `2017-11-19 08:13:31,218 ERROR [org.keycloak.saml.common] (default task-2) Error in base64 decoding saml message: java.lang.RuntimeException: PL00064: Parser: Unknown Start Element: Scoping::location=org.codehaus.stax2.XMLStreamLocation2$1@5917b7e5` Here is the saml data when authenticate only via simplesaml (this works): <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1f8cff7fd9f03bac28dc34402ae2f128a59ac45f5" Version="2.0" IssueInstant="2017-11-16T07:28:00Z" Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml" AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > <saml:Issuer>https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#_c1f8cff7fd9f03bac28dc34402ae2f128a59ac45f5"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>lQF9e0r3X8T4QbyUU9r0pjaWyPk=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>MIdx3PVLBZqUYkkg9GGUQRlpdOo8p1ajmGoUYm29JcYkPE7FYiVfgEpSj6GQ97MStUOiVJHEggFp201a40ucORqG2YG9VD7rhH0Ac7FGkO0AcqfPaVzDk+jXxiEtQZKAdTWj8UDVUtHjSg52ZKwmXyPru84gOevPgr+zs6XU7r0fWCQniwg6Dqc4E1dB5QThpj04iaMMeIHLf0dyQWPALQUtW4URMWhwLog6swGrTig/4vPh/hI7jiXB45okGjcvBJZvRLXPsS7+M6Jeu+XLK9/wCUGc05vxpK7Yn9AHnkZDer5P1b5ZaOoo0yLMe/x5tLlfWYmOO0oec4dE/5C6mw==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIFKzCCBBOgAwIBAgIQBVCwaVElAxhYhZHwR0xGhzANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzAeFw0xNzEwMzEwMDAwMDBaFw0yMDExMDQxMjAwMDBaMHQxCzAJBgNVBAYTAklMMREwDwYDVQQHEwhUZWwgQXZpdjEsMCoGA1UEChMjSW50ZXIgVW5pdmVyc2l0eSBDb21wdXRhdGlvbiBDZW50ZXIxCzAJBgNVBAsTAklUMRcwFQYDVQQDEw5paWYuaXVjYy5hYy5pbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCuGsVeVyl6ognK6FDnZZk0VLuA8vF0eQrOZmIyHMXV0O9tFdy5lap6cB4VvOrzUjU2vfX3baWjfy1H/9WWzb3dH2++2vBsTJ38Z5l1ot3FkjBUix9Tm7gm8IZfIRu1UMMqZ945a2I5QJWqEiXEQTCIqSxB9I2Gs9hmHmZxb+BIA3jdWOfjKCNn/gToP7WZ2ks2BfhM3NhwkMVWwE8Lnds/m8MKRoKGMDWdsuhN9nSy0Qq1A7hPhnTClFEl7Nw8eUx1pbgk8DZMJIxVq0X4h1ogeno1AJhCSpaClsVUCiGQpC9DFsB1mctnVj+gR+LOaPQPuWpXWU00u8H3GcKp59MCAwEAAaOCAccwggHDMB8GA1UdIwQYMBaAFGf9iCAUJ5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBRzclwqDCt2YJuQzNL7Q6xQSMFYvjAZBgNVHREEEjAQgg5paWYuaXVjYy5hYy5pbDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3JsMC+gLaArhilodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjBuBggrBgEFBQcBAQRiMGAwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA4BggrBgEFBQcwAoYsaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAPT+syBAyrz97u7zvxk2JUjlvD5IdpXNuEwuO3hxmj8RAJ1HNKcelNi53UOGmc+bfug3BrwN4tm8e70lWbePKhLZ/wmZ0GtmC3hrQK9g6NalncY3Qq5P7mvFohWInUaXnVM0AhDNj+IzbBHT+kKiKySeDUBhE7me7Qf/g/wcICV7ukJEKwkkIs/eQgeUn20qLHSrD9ADMuMR1ezyTFDFNKGiHEN7QvlK2nXHHsYjnjs/GucT1zMYH9wRI3/HBOTvBRWNTYcUB9eHJvWC0Gscbo9itMwR6/xDaKLM3afHos4lAvlXfvLKMoW4/miNfqn1MOrmts5WJbfIlZ+4KxsMB7Q==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> </samlp:AuthnRequest> And here is the SAML data when authenticating vis an SP (this doesn't work): <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c327a0622c69920a4bdefa8a2fd98847b67cf18473" Version="2.0" IssueInstant="2017-11-16T07:09:05Z" Destination="https://iuccidp.iucc.ac.il/auth/realms/IUCCIDP/protocol/saml" AssertionConsumerServiceURL="https://iif.iucc.ac.il/idp/module.php/saml/sp/saml2-acs.php/default-sp" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" > <saml:Issuer>https://iif.iucc.ac.il/idp/module.php/saml/sp/metadata.php/default-sp</saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" /> <ds:Reference URI="#_c327a0622c69920a4bdefa8a2fd98847b67cf18473"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" /> <ds:DigestValue>lss9SZraPBlGe6oR6EbuUe9bbrE=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>YFtlgSogdf4itNcckDhylaQNMx+nLi1MCndwvFsx9wBZFb4RTEZ05uYdK9lsIQBFIxjFnYmIil4h6CNLVoLzvdDKFZUdnY3Fpmz3p/Oo+0+ho/8gSp7bm1NlXJarMwHc36tFSKmFZb5fsGElX/1mH6NfsD2S46EmZiK7b7jYkbQVq4UaWVJ5ihvvil8FXTas5/JEUJai3X94/viglVhc5uptoBy/spRjdAnlUFSJKqmmgHWH/Dd/2ElOJiyi+z04O5lVvC5pjTWVHRxHwLlwKF/QjC3Z16cFKR4Y0Bm7uDxvQiGt5eH5Qvm96GYpLk5mV4cTlGELQbKRbECatnuS1Q==</ds:SignatureValue> <ds:KeyInfo> <ds:X509Data> <ds:X509Certificate>MIIFKzCCBBOgAwIBAgIQBVCwaVElAxhYhZHwR0xGhzANBgkqhkiG9w0BAQsFADBkMQswCQYDVQQGEwJOTDEWMBQGA1UECBMNTm9vcmQtSG9sbGFuZDESMBAGA1UEBxMJQW1zdGVyZGFtMQ8wDQYDVQQKEwZURVJFTkExGDAWBgNVBAMTD1RFUkVOQSBTU0wgQ0EgMzAeFw0xNzEwMzEwMDAwMDBaFw0yMDExMDQxMjAwMDBaMHQxCzAJBgNVBAYTAklMMREwDwYDVQQHEwhUZWwgQXZpdjEsMCoGA1UEChMjSW50ZXIgVW5pdmVyc2l0eSBDb21wdXRhdGlvbiBDZW50ZXIxCzAJBgNVBAsTAklUMRcwFQYDVQQDEw5paWYuaXVjYy5hYy5pbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANCuGsVeVyl6ognK6FDnZZk0VLuA8vF0eQrOZmIyHMXV0O9tFdy5lap6cB4VvOrzUjU2vfX3baWjfy1H/9WWzb3dH2++2vBsTJ38Z5l1ot3FkjBUix9Tm7gm8IZfIRu1UMMqZ945a2I5QJWqEiXEQTCIqSxB9I2Gs9hmHmZxb+BIA3jdWOfjKCNn/gToP7WZ2ks2BfhM3NhwkMVWwE8Lnds/m8MKRoKGMDWdsuhN9nSy0Qq1A7hPhnTClFEl7Nw8eUx1pbgk8DZMJIxVq0X4h1ogeno1AJhCSpaClsVUCiGQpC9DFsB1mctnVj+gR+LOaPQPuWpXWU00u8H3GcKp59MCAwEAAaOCAccwggHDMB8GA1UdIwQYMBaAFGf9iCAUJ5jHCdIlGbvpURFjdVBiMB0GA1UdDgQWBBRzclwqDCt2YJuQzNL7Q6xQSMFYvjAZBgNVHREEEjAQgg5paWYuaXVjYy5hYy5pbDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGsGA1UdHwRkMGIwL6AtoCuGKWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9URVJFTkFTU0xDQTMuY3JsMC+gLaArhilodHRwOi8vY3JsNC5kaWdpY2VydC5jb20vVEVSRU5BU1NMQ0EzLmNybDBMBgNVHSAERTBDMDcGCWCGSAGG/WwBATAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAgGBmeBDAECAjBuBggrBgEFBQcBAQRiMGAwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTA4BggrBgEFBQcwAoYsaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL1RFUkVOQVNTTENBMy5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAPT+syBAyrz97u7zvxk2JUjlvD5IdpXNuEwuO3hxmj8RAJ1HNKcelNi53UOGmc+bfug3BrwN4tm8e70lWbePKhLZ/wmZ0GtmC3hrQK9g6NalncY3Qq5P7mvFohWInUaXnVM0AhDNj+IzbBHT+kKiKySeDUBhE7me7Qf/g/wcICV7ukJEKwkkIs/eQgeUn20qLHSrD9ADMuMR1ezyTFDFNKGiHEN7QvlK2nXHHsYjnjs/GucT1zMYH9wRI3/HBOTvBRWNTYcUB9eHJvWC0Gscbo9itMwR6/xDaKLM3afHos4lAvlXfvLKMoW4/miNfqn1MOrmts5WJbfIlZ+4KxsMB7Q==</ds:X509Certificate> </ds:X509Data> </ds:KeyInfo> </ds:Signature> <samlp:Scoping> <samlp:RequesterID>https://terena.org/sp</samlp:RequesterID> </samlp:Scoping> </samlp:AuthnRequest>

8 years, 4 months

2
1
0 / 0

Detecting login attempt from a new "location"

by The Fredo

Hi all, My requirement is to be able to detect a user's attempt to login from a new "location" Which "location"-related (IP or user agent) infos does KC store in his database that would make it possible to detect such event ? Where is the history of closed user's sessions (if there is one) ? If not, is it possible to add the user agent somewhere ? Thanks ! PS : I'm currently using KC 2.5.4 + (KC proxy) but no problem to upgrade if necessary.

8 years, 4 months

1
0
0 / 0

Error when using bookmarked login page

by RickT153 .

Hello, I am trying to secure a single page application with Keycloak. The setup is the following: There are a few microservices and Keycloak behind an Apache Reverse Proxy, which has mod_auth_openidc installed. The authentication works fine. When a user visits my page www.example.com he will be redirected to www.example.com/auth/realms/myrealm/protocol/openidc- connect/auth?response_type=code&many_more=parameters. The Keycloak login-page is presented to the user and when he enters his credentials correctly he is redirected to my page www.example.com/main and can use the application. So far, so good. Now the problem is, that a user might want to bookmark my site right after visiting it. That means that he will bookmark the Keycloak login-page. But there are some parameters (like state and nonce) in the login-page url that are only valid for the initial login-session. Therefore, visiting the bookmarked page at a later time will cause an error and the user will not be able to access my page. Do you have any tips on how I can fix this problem? Are there common ways to allow a user to visit a bookmarked login page without breaking the authentication flow? Thanks, Patrick

8 years, 4 months

1
0
0 / 0

how to force (kind-of) re-activation when user has logged in from a new location ?

by The Fredo

Hi all, I'd like : - to detect that a user has just logged in from a new "location" (e.g. userAgent, IP, etc..). - If such event happens, I'd like to make him perform a new account activation, like he did when he registered, i.e. send an activation email. I read in the doc that Keycloak is open and offers the possibility to add custom behavior through plugins.But I don't know where to start exactly ie. - how/where to intercept the login flow to add by own code (i.e. just after the successful authentication) - how to trigger this kind of new activation (probably by adding a required action, but how exactly?) Any leads would be appreciated since I'm discovering Keycloak. I'm currently using KC 2.5.4 + (KC proxy) but no problem to upgrade if necessary. Thanks !

8 years, 4 months

1
0
0 / 0

Re: [keycloak-user] loggin saml requests/responses

by Phillip Fleischer

Turns out I was adding the logging level to the console but was viewing the log through docker which shows the file So i just needed to add the log level to the file handler. I didn’t want to add to the root logger cause it was too noisy… with it set this way everything looks perfect. <console-handler name="CONSOLE"> <level name="DEBUG"/> <formatter> <named-formatter name="COLOR-PATTERN"/> </formatter> </console-handler> <periodic-rotating-file-handler name="FILE" autoflush="true"> <level name="DEBUG"/> <formatter> <named-formatter name="PATTERN"/> </formatter> <file relative-to="jboss.server.log.dir" path="server.log"/> <suffix value=".yyyy-MM-dd"/> <append value="true"/> </periodic-rotating-file-handler> On Nov 14, 2017, at 12:06 PM, Phillip Fleischer <pcfleischer(a)outlook.com<mailto:pcfleischer@outlook.com>> wrote: Hi, I’m trying to debug using the saml clients and identity brokering, in the docs and several messages say that this can be done by turning on debug or trace. I added the following to my standalone.xml but I’m not seeing anything. I also tried on a remote host by using jboss-cli.sh command to add the logger to no avail. Is there something I’m missing? <logger category="org.keycloak.saml"> <level name="TRACE"/> </logger>

8 years, 4 months

1
0
0 / 0

Keycloak 3.4.0.Final released

by Stian Thorgersen

We've just released Keycloak 3.4.0.Final. To download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>. The full list of resolved issues is available in JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> . Upgrading Before you upgrade remember to backup your database and check the upgrade guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for anything that may have changed.

8 years, 4 months

2
2
0 / 0

Re: [keycloak-user] upgrade to 3.4 issue

by mj

Hi Martin, And that fixed it! :-) BTW we don't need the nocanon I guess. We don't see obvious style issues... :-) Thanks! MJ On 11/17/2017 03:33 PM, mph(a)tecbakery.com wrote: > Hi > > sound familiar to me :-) > guess you forgot to add > > <socket-binding name="proxy-https" port="443"/> > in > <socket-binding-group name="standard-sockets" [...] > > in my standalone.xml at the very bottom. > > in your apache conf you need these lines: > > RequestHeader set X-Forwarded-Proto "https" > RequestHeader set X-Forwarded-Port "443" > > [...] > > ProxyPass / http://localhost:[port]/ nocanon > > (nocanon solved a style loading issue for me) > > > Hope it helps > > Martin > > > > On 17.11.2017 14:38, mj wrote: >> Hi Stian, list, >> >> So, manually editing standalone.xml got me further, but not yet 100% >> succes. :-) >> >> I edited standalone.xml by hand, and have things working on port 8080. >> But we have been using keycloak 2.x / 3.x through apache2 reverse https >> proxy, requiring the following config in standalone.xml: >> >>> <http-listener name="default" socket-binding="http" redirect-socket="proxy-https" proxy-address-forwarding="true" enable-http2="true"/> >> However, keycloak 3.4 complains with this config: >> >>> 14:34:18,158 ERROR [org.jboss.as.controller] (Controller Boot Thread) WFLYCTL0362: Capabilities required by resource '/subsystem=undertow/server=default-server/http-listener=default' are not available: >>> org.wildfly.network.socket-binding.proxy-https; Possible registration points for this capability: >>> /socket-binding-group=*/socket-binding=* >>> 14:34:18,161 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. >>> 14:34:18,189 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0050: Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) stopped in 6ms >> Some advise would be appreciated, as we are not that experienced in >> wildfly / java, etc. >> >> Or is there perhaps another (new?) way to have keycloak running on https >> with an lets encrypt ssl certificate? >> >> Using the apache2 reverse proxy way has served us very well, the last years. >> >> Thanks! >> MJ >> >> On 11/15/2017 09:26 AM, Stian Thorgersen wrote: >>> That seems like it could be an issue caused by the fact that KC 3.3 was >>> based on WildFly 11 Beta. You'll probably have to manually update the >>> standalone file (or grab the one from 3.2 release if you still have that). >>> >>> On 14 November 2017 at 11:17, lists <lists(a)merit.unu.edu >>> <mailto:lists@merit.unu.edu>> wrote: >>> >>> Hi, >>> >>> Today we tried to upgrade our standalone 3.3 install to 3.4, following >>> the docs: >>> >>> - copied 3.3 /standalone/ over the 3.4 install, replacing all >>> - copied mysql connector in modules/system/layers/keycloak/org >>> >>> But then, the standalone upgrade script doesn't work: >>> >>> > root@server:/opt/keycloak-3.4.0.Final# bin/jboss-cli.sh >>> --file=bin/migrate-standalone.cli >>> > Cannot start embedded server: WFLYEMB0021: Cannot start embedded >>> process: Operation failed: WFLYSRV0056: Server boot has failed in an >>> unrecoverable manner; exiting. See previous messages for details. >>> > root@server:/opt/keycloak-3.4.0.Final# >>> >>> When starting the 3.4 server without having run the upgrade script, we >>> see what the actual problem appears to be: >>> >>> > OPVDX001: Validation error in standalone.xml >>> ----------------------------------- >>> > | >>> > | 470: </spi> >>> > | 471: </subsystem> >>> > | 472: <subsystem xmlns="urn:wildfly:elytron:1.2" >>> final-providers="combined-providers" >>> disallowed-providers="OracleUcrypto"> >>> > | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' >>> > | >>> > | 473: <providers> >>> > | 474: <aggregate-providers name="combined-providers"> >>> > | 475: <providers name="elytron"/> >>> > | >>> > | The primary underlying error message was: >>> > | > ParseError at [row,col]:[472,9] >>> > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' >>> > | >>> > >>> |------------------------------------------------------------------------------- >>> >>> The same standalone.xml still works in the keycloak 3.3, so it basically >>> seems to be ok, or not corrupt at least. This install has been upgraded >>> from: >>> 3.0 -> 3.1 -> 3.3 (we skipped 3.2) >>> >>> It seems that our config has to be migrated using the script, but the >>> upgrade-standalone.cli script will not run... >>> >>> What to do? >>> >>> MJ >>> _______________________________________________ >>> keycloak-user mailing list >>> keycloak-user(a)lists.jboss.org <mailto:keycloak-user@lists.jboss.org> >>> https://lists.jboss.org/mailman/listinfo/keycloak-user >>> <https://lists.jboss.org/mailman/listinfo/keycloak-user> >>> >>> >> _______________________________________________ >> keycloak-user mailing list >> keycloak-user(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-user >

8 years, 4 months

1
0
0 / 0

keycloak upgrade 3.3 to 3.4

by mph＠tecbakery.com

Hi I tried to upgrade our installation from 3.3 to 3.4, following the guide at http://www.keycloak.org/docs/latest/upgrading/index.html, and am receiving the following error on startup. Comparing both default standalone.xml I found that in 3.3 the urn:wildfly:elytron: was 1.2, in 3.4 it is 1.0... Any help is highly appreciated. Martin /opt/keycloak/keycloak-3.4.0# bin/standalone.sh -Djboss.socket.binding.port-offset=9100 -b 0.0.0.0 ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /opt/keycloak/keycloak-3.4.0 JAVA: /usr/lib/jvm/java-8-oracle/bin/java JAVA_OPTS: -server -Xms64m -Xmx512m -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true ========================================================================= 13:55:39,468 INFO [org.jboss.modules] (main) JBoss Modules version 1.6.0.Final 13:55:40,161 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1 13:55:40,462 INFO [org.jboss.as] (MSC service thread 1-8) WFLYSRV0049: Keycloak 3.4.0.Final (WildFly Core 3.0.1.Final) starting 13:55:42,484 ERROR [org.jboss.as.controller] (Controller Boot Thread) OPVDX001: Validation error in standalone.xml ----------------------------------- | | 322: </deployment-permissions> | 323: </subsystem> | 324: <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' | | 325: <providers> | 326: <aggregate-providers name="combined-providers"> | 327: <providers name="elytron"/> | | The primary underlying error message was: | > ParseError at [row,col]:[324,9] | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' | |------------------------------------------------------------------------------- 13:55:42,487 ERROR [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0055: Caught exception during boot: org.jboss.as.controller.persistence.ConfigurationPersistenceException: WFLYCTL0085: Failed to parse configuration at org.jboss.as.controller.persistence.XmlConfigurationPersister.load(XmlConfigurationPersister.java:143) at org.jboss.as.server.ServerService.boot(ServerService.java:387) at org.jboss.as.controller.AbstractControllerService$1.run(AbstractControllerService.java:370) at java.lang.Thread.run(Thread.java:748) 13:55:42,491 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.

8 years, 4 months

4
7
0 / 0

how to customize IDP initiated SSO login

by Snehalata Nagaje

Hi Team, I have requirement to customize the IDP initiated SSO login. is it possible this using custom authenticator Thanks, Snehalata Disclaimer: This e-mail may contain Privileged/Confidential information and is intended only for the individual(s) named. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. Please notify the sender, if you have received this e-mail by mistake and delete it from your system. Information in this message that does not relate to the official business of the company shall be understood as neither given nor endorsed by it. E-mail transmission cannot be guaranteed to be secure or error-free. The sender does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission.If verification is required please request a hard-copy version. Visit us at http://www.harbingergroup.com/

8 years, 4 months

1
0
0 / 0

upgrade to 3.4 issue

by lists

Hi, Today we tried to upgrade our standalone 3.3 install to 3.4, following the docs: - copied 3.3 /standalone/ over the 3.4 install, replacing all - copied mysql connector in modules/system/layers/keycloak/org But then, the standalone upgrade script doesn't work: > root@server:/opt/keycloak-3.4.0.Final# bin/jboss-cli.sh --file=bin/migrate-standalone.cli > Cannot start embedded server: WFLYEMB0021: Cannot start embedded process: Operation failed: WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details. > root@server:/opt/keycloak-3.4.0.Final# When starting the 3.4 server without having run the upgrade script, we see what the actual problem appears to be: > OPVDX001: Validation error in standalone.xml ----------------------------------- > | > | 470: </spi> > | 471: </subsystem> > | 472: <subsystem xmlns="urn:wildfly:elytron:1.2" final-providers="combined-providers" disallowed-providers="OracleUcrypto"> > | ^^^^ Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > | > | 473: <providers> > | 474: <aggregate-providers name="combined-providers"> > | 475: <providers name="elytron"/> > | > | The primary underlying error message was: > | > ParseError at [row,col]:[472,9] > | > Message: Unexpected element '{urn:wildfly:elytron:1.2}subsystem' > | > |------------------------------------------------------------------------------- The same standalone.xml still works in the keycloak 3.3, so it basically seems to be ok, or not corrupt at least. This install has been upgraded from: 3.0 -> 3.1 -> 3.3 (we skipped 3.2) It seems that our config has to be migrated using the script, but the upgrade-standalone.cli script will not run... What to do? MJ

8 years, 4 months

3
2
0 / 0

UserRepresentation error in calling userResource.search(...) apis using keycloak-admin-client 3.4.0

by Subhrajyoti Moitra

Hello Friends, I am getting the below exception when I call userResource.search(..) api in keycloak-admin-client. I am using wildfly-swarm to secure my rest services. One of the stateless beans requires user details. So I am using keycloak-admin-client to get user info from the Keycloak Server (standalone 3.2.1.Final) . I have tried with admin-client 3.2.1.Final. I get the same error. What am i doing wrong? I think some deps are messed. But which ones? UserRepresentation is part of keycloak-core jar. I see the 3.4.0.Final jar as expected. Wildfly-swarm- 2017.11.0 keycloak-admin-client-3.4.0.Final keycloak server- 3.2.1.Final Please help. I am stuck and not able to proceed. Some pointers on the same would be very helpful. 2017-11-17 12:43:10,542 [default task-1 ] ERROR stderr - javax.ws.rs.client.ResponseProcessingException: javax.ws.rs.ProcessingException: com.fasterxml.jackson.databind.exc.UnrecognizedPropertyException: Unrecognized field "access" (class org.keycloak.representations.idm.UserRepresentation), not marked as ignorable (24 known properties: "disableableCredentialTypes", "enabled", "emailVerified", "origin", "self", "applicationRoles", "createdTimestamp", "clientRoles", "groups", "username", "totp", "id", "email", "federationLink", "serviceAccountClientId", "lastName", "clientConsents", "socialLinks", "realmRoles", "attributes", "firstName", "credentials", "requiredActions", "federatedIdentities"]) 2017-11-17 12:43:10,542 [default task-1 ] ERROR stderr - at [Source: org.apache.http.conn.EofSensorInputStream@519efa33; line: 1, column: 300] (through reference chain: java.util.ArrayList[0]->org.keycloak.representations.idm.UserRepresentation["access"]) Thanks a lot, Subhro.

8 years, 4 months

1
0
0 / 0

Users -- Live lookup to AD

by Y Levine

I have Keycloak which imported users from AD (with periodic sync). Is it possible to leverage OIDC without importing users into Keycloak --- hence when user authenticates, Keycloak will perform a live lookup on credentials/attributes against AD?

8 years, 4 months

1
0
0 / 0

SP initiate SAML Logout

by Min Han Lee

Hello, Does anybody know the SAML logout URL for the Keyclock please? The SSO SAML IDPSSO descriptor on the installation tab is not really helpful. I have an issue where my logout SAML is redirecting back to login SAML Please, can anyone shed some lights on this? Kind Regards

8 years, 4 months

1
0
0 / 0

API Authorization: on request or response?

by Corentin Dupont

Hi guys, another small question :) Suppose you have an API looking like this: http://www.example.com/api/v1/cars Cars have an owner: { name: "my car" owner: "smith" } How to make sure that you can only get cars that are yours (you can have several cars)? If you make a simple GET on this endpoint, should I: 1. just reply with a "Access denied" because the request is too large: it could yield cars that are not yours, 2. reply with "Access denied" if the response list contains some cars that are not yours, 3. filter the response car list with only yours? It seems that 1. is the simplest because it uses only the request to make decisions. 2. uses the response to make decision, while 3. requires the collaboration of the response handler in my API server, in order to implement the filtering. What is the most standard way? I have also some trouble understanding how to implement that with Keycloak protect in NodeJS. Cheers!! Corentin

8 years, 4 months

3
18
0 / 0

Fwd: Keycloak 3.2.1 Final not working in cluster

by mahendra sonawale

Hi Team, We are facing similar problem where kelcloak is not running in cluster and giving the same error log as mentioned by Subash in jira. https://issues.jboss.org/browse/KEYCLOAK-5013 I tried to use the private interface as suggested into the document but still no luck. am I missing anything else? CAN YOU please help?? I am using Keycloak - Version 3.2.1.Final. I have load balancer configured above 2 keycloak nodes (nodes are running in on different VMs) Start command : nohup ./bin/standalone.sh --server-config=standalone-ha.xml -b $HOSTNAME -u 230.0.0.4 & HA configuration : <interface name="private"> <inet-address value="$ {jboss.bind.address.private:(node1 IP address and on second node that IP address)} " /> </interface> </interfaces> <socket-binding-group name="standard-sockets" default-interface="public" port-offset="$ {jboss.socket.binding.port-offset:0} "> <socket-binding name="management-http" interface="private" port="$ {jboss.management.http.port:9990} " /> <socket-binding name="management-https" interface="private" port="$ {jboss.management.https.port:9993} " /> <socket-binding name="ajp" port="$ {jboss.ajp.port:8009} " /> <socket-binding name="http" port="$ {jboss.http.port:8080} " /> <socket-binding name="https" port="$ {jboss.https.port:8443} " /> <socket-binding name="proxy-https" port="443"/> <socket-binding name="jgroups-mping" interface="private" port="0" multicast-address="$ {jboss.default.multicast.address:230.0.0.4} " multicast-port="45700" /> <socket-binding name="jgroups-tcp" interface="private" port="7600" /> <socket-binding name="jgroups-tcp-fd" interface="private" port="57600" /> <socket-binding name="jgroups-udp" interface="private" port="55200" multicast-address="$ {jboss.default.multicast.address:230.0.0.4} " multicast-port="45688" /> <socket-binding name="jgroups-udp-fd" interface="private" port="54200" /> <socket-binding name="modcluster" port="0" multicast-address="224.0.1.105" multicast-port="23364" /> <socket-binding name="txn-recovery-environment" port="4712" /> <socket-binding name="txn-status-manager" port="4713" /> <outbound-socket-binding name="mail-smtp"> <remote-destination host="localhost" port="25" /> </outbound-socket-binding> </socket-binding-group> Log : 2017-11-09 04:38:22,749 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-3) ISPN000094: Received new cluster view for channel hibernate: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,750 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000094: Received new cluster view for channel keycloak: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,749 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-4) ISPN000094: Received new cluster view for channel ejb: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,750 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-7) ISPN000094: Received new cluster view for channel server: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,749 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000094: Received new cluster view for channel web: [keycloak2|0] (1) [keycloak2] 2017-11-09 04:38:22,761 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-2) ISPN000079: Channel keycloak local address is keycloak2, physical addresses are [**.**.**.**] 2017-11-09 04:38:22,763 INFO [org.infinispan.remoting.transport.jgroups.JGroupsTransport] (MSC service thread 1-1) ISPN000079: Channel web local address is keycloak2, physical addresses are [**.**.**.**] -- Sent from: http://keycloak-user.88327.x6.nabble.com/

8 years, 4 months

4
12
0 / 0

Registration when already logged in

by Gregor Tudan

Hello, we recently upgraded Keycloak from version 3.0 to 3.2, and now we have run into a small problem, perhaps someone knows a clever solution… In Keycloak 3.0, if a user registers while already being signed in, he would STILL be able to register a new user (with another user-name and e-mail), and would automatically be logged in to the NEW user. After the Keycloak update, this no longer works. The user gets an error message AFTER registering a new user, stating he is already logged in as someone else, and can't go on. I guess this was introduced by https://issues.jboss.org/browse/KEYCLOAK-4626 We redirect to the registration page using the javascript adapter. Is there some kind of parameter we can pass to: a) get the old behaviour (user get’s logged in to the newly created account) or b) see the error message on the registration page, instead of after registration has been completed? Our application allows a user to have more than one account, so it’s not enough to just skip over the registration and log the user in under the old account. Or is there another way that I’m missing? Thanks, Gregor!

8 years, 4 months

2
1
0 / 0

Authenticate to Google Compute Cloud admin console using Open ID Connect.

by Georgijs Radovs

Hello, everyone! My current setup: Keycloak Version - 3.0.0.Final Keycloak Server Profile - Community A single test project in Google Compute Cloud. My question: Is this SSO scenario is possible: * A User authenticates at Keycloak server and initiates configured Open ID Connect client. * Initiated Open ID Connect client sends a code request to Google, requesting access token * Google sends back the access token, Keycloak receives the access token, redirects user to Google, and Google authenticates user by email attribute. ? Basically, I want to create this kind of workflow: * A user logs into Keycloak server and initiates Open ID Connect client * After the access code and token exchange has been completed, Keycloak redirects user to Google, and user gains access to Google Cloud Compute admin console. Any help will be appriciated. Thank you. -- Georgijs Radovs Sysadmin Scandiweb.com <http://www.scandiweb.com> LinkedIn <https://www.linkedin.com/company/scandiweb> Facebook <https://www.facebook.com/scandiweb> Twitter <https://twitter.com/scandiweb> Dropbox <https://www.flickr.com/photos/126968098@N04/> Youtube <https://www.youtube.com/channel/UCQKucH_fDghjSM43QBX0itg/videos> -- <https://scandiweb.com/portfolio#pins-mobile-app>

8 years, 4 months

1
0
0 / 0

Mutual Trust via Identity Brokering

by Michael Poettgen

Hello Everyone, We would like to set up two (or more) Keycloak systems (in different, remote locations) and would like to establish something like mutual trust between them using Identity Brokering. For two IdPs A and B, each of the two should have their own accounts and should be set up to broker to the other IdP, e.g. via 'Keycloak OpenID Connect'. This would have the advantage that a client of A could be used by a user of B and vice versa. Is this something that * Definitely works * Works, but with pitfalls ... * Should work * Doesn't work, because ... Interesting situation may be, if a user tries to use a client and is redirect to IdP A, where he then clicks on "Authenticate via IdP B", where he then clicks on "Authenticate via IdP A", where he then clicks on "Authenticate via IdP B" and so on. Can this be avoided? Thanks, Michael This message is for the designated recipient only and may contain privileged or confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the email by you is prohibited.

8 years, 4 months

1
0
0 / 0

Authentication SPI implementation for RADIUS

by John Franey

I'm not finding an implementation of Keycloak Authentication SPI for RADIUS. Am I crazy just for looking? I mean, is the absence of such a warning for folks? Or has it simply not been tried? I don't find much of a demand for one either. So maybe that is the case, I hope. I think we'll have to write one to satisfy internal customer request. Is there anyone willing to claim they attempted such? I'd like to hear from you regarding approach and success. Thanks, John

8 years, 4 months

1
0
0 / 0

loggin saml requests/responses

by Phillip Fleischer

Hi, I’m trying to debug using the saml clients and identity brokering, in the docs and several messages say that this can be done by turning on debug or trace. I added the following to my standalone.xml but I’m not seeing anything. I also tried on a remote host by using jboss-cli.sh command to add the logger to no avail. Is there something I’m missing? <logger category="org.keycloak.saml"> <level name="TRACE"/> </logger>

8 years, 4 months

1
0
0 / 0

API Keys

by O'Callaghan, John

Hi I’m trying to understand if it is possible to generate an API Key for a particular user in keycloak ? What I would like to be able to do is to generate a key that is associated with a user (and their realm roles). I’d like to then be able to use that key at some later date (days, weeks, months later) to generate an access token which I can then use as per normal. I would also like to be able to manage api keys created in the past – revoking them if needs be. Is this something that is possible? Thanks! John ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com

8 years, 4 months

1
0
0 / 0

Re: [keycloak-user] Keycloak as SAML Service Provider problem

by Drew Weirshousky

Hi Hynek, The signature algorithm is set to RSA_SHA256 in okta and keycloak. I tried validating the XML response using https://www.samltool.com/validate_response.php and it fails with "Signature validation failed. Reference validation failed". Which some googling made me change Okta to use SHA1 for the Digest Algorithm. I received the same results using SHA1. I can't seem to find a digest setting for Keycloak so I would assume SHA256 is being used? I've attached the data from SAML trace. These are both test servers setup to figure out how to do this. Thanks Drew Weirshousky ----- Original Message ----- From: "Hynek Mlnarik" <hmlnarik(a)redhat.com> To: "Drew Weirshousky" <d.weirshousky(a)xsb.com> Cc: "keycloak-user" <keycloak-user(a)lists.jboss.org> Sent: Tuesday, November 14, 2017 5:34:12 AM Subject: Re: [keycloak-user] Keycloak as SAML Service Provider problem It's hard to say. Make sure the settings of signature algorithms match in Okta and Keycloak. If you get nowhere, a dump of SAML communication (e.g. via SAML Tracer or similar tool) would help. --Hynek On Mon, Nov 13, 2017 at 9:57 PM, Drew Weirshousky <d.weirshousky(a)xsb.com> wrote: > Hi, > I have Keycloak 3.2.1 setup to act as a SP and Okta as a SAML IDP. I am > trying to initiate login from Okta. After the initial user registration > keycloak seems to fail while validating the signature on one of the SAML > Responses. The error in the browser is invalidFederatedIdentityActionMessage > and the stack trace is below. > > 20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default > task-18) validation failed: org.keycloak.common.VerificationException: > Invalid signature on document > at org.keycloak.protocol.saml.SamlProtocolUtils. > verifyDocumentSignature(SamlProtocolUtils.java:83) > at org.keycloak.broker.saml.SAMLEndpoint$PostBinding. > verifySignature(SAMLEndpoint.java:533) > at org.keycloak.broker.saml.SAMLEndpoint$Binding. > handleSamlResponse(SAMLEndpoint.java:471) > at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute( > SAMLEndpoint.java:239) > at org.keycloak.broker.saml.SAMLEndpoint.postBinding( > SAMLEndpoint.java:159) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at sun.reflect.NativeMethodAccessorImpl.invoke( > NativeMethodAccessorImpl.java:62) > at sun.reflect.DelegatingMethodAccessorImpl.invoke( > DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:498) > at org.jboss.resteasy.core.MethodInjectorImpl.invoke( > MethodInjectorImpl.java:139) > at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget( > ResourceMethodInvoker.java:295) > > The X509 certificate is the same on both ends. Am I missing a > configuration setting some place else? Any help would be apprectated. > Some googling brings up some old bugs but I believe they are all fixed in > 3.2.1. > > Thanks > Drew Weirshousky > > _______________________________________________ > keycloak-user mailing list > keycloak-user(a)lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-user > -- --Hynek

8 years, 4 months

1
0
0 / 0

Fwd: keycloak-preview

by Andrei Karabach

Hello. How to install keycloak-preview theme from https://github.com/ keycloak/keycloak/tree/master/themes/src/main/resources/ theme/keycloak-preview/account

8 years, 4 months

4
4
0 / 0

Keycloak as SAML Service Provider problem

by Drew Weirshousky

Hi, I have Keycloak 3.2.1 setup to act as a SP and Okta as a SAML IDP. I am trying to initiate login from Okta. After the initial user registration keycloak seems to fail while validating the signature on one of the SAML Responses. The error in the browser is invalidFederatedIdentityActionMessage and the stack trace is below. 20:53:59,161 ERROR [org.keycloak.broker.saml.SAMLEndpoint] (default task-18) validation failed: org.keycloak.common.VerificationException: Invalid signature on document at org.keycloak.protocol.saml.SamlProtocolUtils.verifyDocumentSignature(SamlProtocolUtils.java:83) at org.keycloak.broker.saml.SAMLEndpoint$PostBinding.verifySignature(SAMLEndpoint.java:533) at org.keycloak.broker.saml.SAMLEndpoint$Binding.handleSamlResponse(SAMLEndpoint.java:471) at org.keycloak.broker.saml.SAMLEndpoint$Binding.execute(SAMLEndpoint.java:239) at org.keycloak.broker.saml.SAMLEndpoint.postBinding(SAMLEndpoint.java:159) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:139) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) The X509 certificate is the same on both ends. Am I missing a configuration setting some place else? Any help would be apprectated. Some googling brings up some old bugs but I believe they are all fixed in 3.2.1. Thanks Drew Weirshousky

8 years, 4 months

2
1
0 / 0

OTP Policy updates not reflects in Google Authenticator

by forums.akurathi＠gmail.com

Dear all, We are running into a weird problem i.e., updates to OTP policy does not reflect at google authenticator app. We wonder is there any special instructions needed to get this working. A sequence of steps : 1) create realm, create user 2) enable OTP 3) login with the newly created user 4) system asks you to configure OTP 5) update OTP policy such as number of digits from 6 to 8 6) try login again 7) system asks you to enter OTP but authentication fails We expect the system should route the user to configure OTP page rather than prompting to enter OTP which anyways fails. Your response is highly appreciated !!! Thanks in advance Regards Krishna Kumar Akurathi

8 years, 4 months

2
2
0 / 0

access token valid for more than expiry time by milli seconds

by Rahul R

Hi, We have a keycloak set up where the Access Token Lifespan is set to 5 minutes. Now we get the access token using the following command : curl -d "client_id=admin-cli" -d "username=admin_user" -d "password=admin_user" -d "grant_type=password" " http://192.168.56.101:8080/auth/realms/REALM/protocol/openid-connect/token" Now if we use the following command to get the user details curl -H "Authorization: bearer "access token value got earlier" " http://192.168.56.101:8080/auth/realms/REALM/protocol/ openid-connect/userinfo" The expectation is that the second command works till the token expiry time which is 5 minutes and after 5 minutes the token not valid error should be seen. But while running the tests multiple times, we are seeing that sometimes the token is valid for more than 5 minutes by almost 500 milliseconds. Has anyone seen such a behaviour ? Is this is a keycloak bug or a behaviour only seen in my machine? Thanks Rahul

8 years, 4 months

1
1
0 / 0

LDAP user federation keycloak with .net core

by Athulya Pillai

Hello, Please help me to user keycload LDAP provider in .net core Thanks and Regards Athulya

8 years, 4 months

1
0
0 / 0

Configuring keycloak SAML adapter on tomcat with clockSkew

by Elias Glareff

Hello, I am trying to track down the information whether it is possible to set the clockSkew in the keycloak tomcat adapter. The problem is that Identity Provider is some time ahead of the Service Provider, so whenever the SAML response arrives, the NotBefore time is ahead of the SP clock, so the response is considered expired on arrival. This is a known problem, described in https://medium.com/@PrakhashS/saml-assertion-condition-notbefore-notonora.... In the keycloak source code in AssertionUtil there is a method hasExpired to which you can provide a clockSkew variable which would remedy this problem. The issue is that I see absolutely no place where I could let the keycloak SAML adapter on the service provider know that I want to use a clock skew and set it's value. The only configuration from my side I see is the keycloak-saml.xml in the WEB-INF folder of the application, but in the documentation for this configuration it does not mention any possibility to set the clock skew. Kindly share your knowledge on this issue if you can help. Thanks, Elias

8 years, 4 months

2
1
0 / 0

AuthZ with realm roles

by Corentin Dupont

Hi guys, yet another question... AuthZ is quite mysterious! I am trying to protect my API with realm roles. I have an API looking like this: http://www.example.com/api/v1/cities/rome/houses http://www.example.com/api/v1/cities/rome/streets Each endpoint supports GET/PUT/POST/DELETE. Each role must have the form: <view|manage>:<asset>[:<city>[:<resource filter>]] For example roles can be: - view:houses - view:houses:rome - view:houses:rome:owner==smith - manage:houses:rome "manage": gives you all CRUD operations, while with "view" you can only read resources. Do you think this design is correct? Any other suggestion? What is not practical is that I have to force my users to use this role format. The resource filter part is also hard to implement, has it requires to check the content of the responses...

8 years, 4 months

2
1
0 / 0

example authz photos not working

by Max Bruchmann

Hi, maybe I'm doing something wrong but it looks like instructions of the photoz example are not working. When importing the Authorization Setting "examples/authz/photoz/photoz-restful-api/src/main/resources/photoz-restful-api-authz-service.json" the "Only Owner Policy" entry contains "${project.version}" which leads to a failed import. It works with the processed version in target/classes since it is replaced during the build. Also as the "Only Owner Policy" is a maven entry and its pom depends on the parent and the parent on its parent you need to do mvn install in the root example folder. The only thing I was not able to work arround was the deploying is the actual deployment of the photoz-restful-api When I execute: cd examples/authz/photoz/photoz-restful-api mvn clean package wildfly:deploy It results in: [ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli) on project photoz-restful-api: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.module.service.\"deployment.photoz-restful-api.war\".main" => "WFLYSRV0179: Failed to load module: deployment.photoz-restful-api.war [ERROR] Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-authz-client"}}}} And the log on the server side: 00:20:22,098 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.module.service."deployment.photoz-restful-api.war".main: org.jboss.msc.service.StartException in service jboss.module.service."deployment.photoz-restful-api.war".main: WFLYSRV0179: Failed to load module: deployment.photoz-restful-api.war at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:91) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:2032) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1955) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: org.jboss.modules.ModuleNotFoundException: org.keycloak.keycloak-authz-client at org.jboss.modules.Module.addPaths(Module.java:1217) at org.jboss.modules.Module.link(Module.java:1573) at org.jboss.modules.Module.relinkIfNecessary(Module.java:1601) at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:287) at org.jboss.modules.ModuleLoader.loadModule(ModuleLoader.java:271) at org.jboss.as.server.moduleservice.ModuleLoadService.start(ModuleLoadService.java:68) ... 5 more So if I understand it correctly there is no authz client module installed on keycloak. How do I solve this? Kind Regards, Max

8 years, 4 months

2
1
0 / 0

Required user actions dropdown no longer working for user admin users because of missing select2.css

by Edgar Vonk - Info.nl

Hi, I think in a recent upgrade of Keycloak (we are now using 3.2.0.Final) the following issue was introduced: When a ‘user admin user’ (this is a realm user who has permissions to manage and view users in Keycloak) logs in to Keycloak and this persion tries to add a new user the ‘required user actions’ dropdown is mangled and does not function properly. This seems to be caused by a permission issue or something regarding the ‘select2.css’ resource. In the browser I see that the select2.css file cannot be loaded. However when an overall Keycloak admin logs in this dropdown just works fine. Shall I report a JIRA issue for this? I do not really know what causes this but my guess is that the manage / view user roles in Keycloak are missing some permissions somewhere. These are the permissions the user admin user has: - manage-users - view-clients - view-realm - view-users cheers Edgar

8 years, 4 months

1
1
0 / 0

Geeting user mapped attributes

by Atienzar Navarro, Marcial

Hello, I've configure wildfly adapter, and I'm trying to get access to user mapped atriubutes with this code: private String getDniFromAccessToken() { String dni = null; Principal httpPrincipal = request.getUserPrincipal(); if (httpPrincipal instanceof KeycloakPrincipal) { KeycloakPrincipal<KeycloakSecurityContext> kp = (KeycloakPrincipal<KeycloakSecurityContext>) httpPrincipal; AccessToken token = kp.getKeycloakSecurityContext().getToken(); LOGGER.info("JWT {}",kp.getKeycloakSecurityContext().getTokenString()); LOGGER.info("JWT ID {}",kp.getKeycloakSecurityContext().getIdTokenString()); // Puede que no tengamos todavÃa el token if (token != null) { // LOGGER.info("Email {}",token.getEmail()); LOGGER.info("Tenemos un token de keycloak con el que podemos consultar sus atributos"); Map<String, Object> atributos = token.getOtherClaims(); if (atributos != null && !atributos.isEmpty()) { if(LOGGER.isInfoEnabled()){ for(Map.Entry<String,Object> atts : atributos.entrySet()){ LOGGER.info("Atributos del token {} - {}",atts.getKey(),atts.getValue()); } } if (atributos.containsKey("dni")) { dni = String.valueOf(atributos.get("dni")); LOGGER.info("DINI recuperado de keycloak {}", dni); } } else { LOGGER.info("No nos llegan atributos de keycloak"); } } else { LOGGER.info("No tenemos el ID del token de Keycloak"); } } return dni; } I've try with getIdToken and getToken, but I only retrieve client_session. Is it possible to get this user mapped attributes? -- Marcial Atiénzar Navarro Desarrollo Avda. Real Monasterio de Poblet, 20 46930 Quart de Poblet (Valencia) Tél.: +34 96 184 92 49 (corto 1249) Móvil: +34 629 201 240 (corto 44249) matienzar(a)umivale.es<mailto:matienzar@umivale.es> www.umivale.es<http://www.umivale.es>

8 years, 4 months

1
0
0 / 0

keycloak client protocol mapper (script mapper) to add request header into token

by Shane Rowatt

When I'm requesting a token from keycloak I want a specific header value (or extra form data) that was supplied in the request to be put in the JWT payload of the generated token. I've tried using a Script Mapper to get access to header values but I can't see how to get access to header values or data in the form data sent in any of the available script variables: user, realm, userSession, keyclockSession. I was hoping I could use a script something like this: httpRequest.getHeader('X-CID');

8 years, 5 months

1
0
0 / 0

Keycloak as SSO

by Stephen Henrie

When running a Keycloak instance as a localhost using the default H2 database backend, I have been successful at configuring SSO identity providers across Keycloak realms, so that one primary realm acts as the identity provider and the other realms are authenticating against that primary realm using an IP link. However, when I try to do the same thing in our cloud environment using a Postgres database backend, I am getting the generic "Invalid username or password." error which happens during the default first broker login authorization sequence. I have some debugging info below. Can someone help me understand what it is trying to tell me? I believe that I have things configured exactly the same in both my localhost and in the cloud instances, so I am struggling to understand the source of the problem. Any help is appreciated. Thanks Stephen 21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) processFlow 21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-review-profile requirement: DISABLED 21:42:30,974 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) execution is processed 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-create-user-if-unique requirement: ALTERNATIVE 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) authenticator: idp-create-user-if-unique 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) invoke authenticator.authenticate: idp-create-user-if-unique 21:42:30,975 WARN [org.keycloak.services] (default task-50) KC-SERVICES0020: Email is null. Reset flow and enforce showing reviewProfile page 21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) RESET FLOW 21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) AUTHENTICATE 21:42:30,975 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-50) AUTHENTICATE ONLY 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) processFlow 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-review-profile requirement: DISABLED 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) execution is processed 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) check execution: idp-create-user-if-unique requirement: ALTERNATIVE 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) authenticator: idp-create-user-if-unique 21:42:30,975 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-50) invoke authenticator.authenticate: idp-create-user-if-unique 21:42:30,975 WARN [org.keycloak.services] (default task-50) KC-SERVICES0013: Failed authentication: org.keycloak.authentication.AuthenticationFlowException: Not found serialized context in clientSession at org.keycloak.authentication.authenticators.broker.AbstractIdpAuthenticator.authenticate(AbstractIdpAuthenticator.java:66) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:200) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:843) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:714) at org.keycloak.authentication.DefaultAuthenticationFlow.processResult(DefaultAuthenticationFlow.java:264) at org.keycloak.authentication.DefaultAuthenticationFlow.processFlow(DefaultAuthenticationFlow.java:201) at org.keycloak.authentication.AuthenticationProcessor.authenticateOnly(AuthenticationProcessor.java:843) at org.keycloak.authentication.AuthenticationProcessor.authenticate(AuthenticationProcessor.java:714) at org.keycloak.services.resources.LoginActionsService.processFlow(LoginActionsService.java:279) at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:713) at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:632) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) 21:42:30,976 WARN [org.keycloak.events] (default task-50) type=IDENTITY_PROVIDER_FIRST_LOGIN_ERROR, realmId=experiment, clientId=chassi-web-app, userId=null, ipAddress=172.17.0.1, error=invalid_user_credentials, identity_provider=chassi-oidc, auth_method=openid-connect, redirect_uri=http://localhost:3000/, identity_provider_identity=abfa50e5-57ad-4b53-ab72-7cbd6fca8465, code_id=60963d99-cf55-4e0a-8e28-df0ddacadf5f 21:4

8 years, 5 months

1
1
0 / 0

Enabling User Caching from Custom UserStorageProvider leads to MORE requests

by Rob Shepherd

Hi, I’m having trouble getting UserModel caching to work properly. It seems like a bug. I have a successful implementation of a UserStorageProvider using HTTP/REST calls to fetch user data. This has been working well in trials. I have just enabled caching in the Realm > User Federation > Cache Settings > Cache Policy and selected a MAX_LIFESPAN time of 300’000ms (5mins) I have found that for a test loop (1. login, 2. delete app session cookie, 3. authenticate by SSO cookie) this leads to MORE requests to the backend. Below is the logging output which demonstrates this. My question: Could this be a bug? or are there particular UserModel classes/interfaces that must be used to permit caching? it seems like even for an object loaded in memory for a running thread/request it is not being found in the cache and lookup happens everytime the user object is required. Here is the fetching and caching over that time…. with caching enabled first…… 19:13:29,102 INFO [org.me.MyCustomUserStorageProvider] (default task-32) UserStorageProvider#getUserByEmail(): r...(a)gmail.com 19:13:34,637 INFO [org.me.MyCustomUserStorageProvider] (default task-43) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:34,706 INFO [org.me.MyCustomUserStorageProvider] (default task-38) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:34,746 INFO [org.me.MyCustomUserStorageProvider] (default task-38) Caching for delegate: MyUserAdapter:f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:34,754 INFO [org.me.MyCustomUserStorageProvider] (default task-38) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:34,783 INFO [org.me.MyCustomUserStorageProvider] (default task-38) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,454 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,496 INFO [org.me.MyCustomUserStorageProvider] (default task-45) Caching for delegate: MyUserAdapter:f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,501 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,540 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,570 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,605 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,631 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,661 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,689 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,714 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,751 INFO [org.me.MyCustomUserStorageProvider] (default task-45) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,832 INFO [org.me.MyCustomUserStorageProvider] (default task-50) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 19:13:37,882 INFO [org.me.MyCustomUserStorageProvider] (default task-50) Caching for delegate: MyUserAdapter:f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df That’s a total of 3 cache writes from 16 lookups for the same user in less than 1 minute, involving 3 requests to Keycloak in this session. And now with the cache turned off and the cache flushed….. 18:57:45,343 INFO [org.me.MyCustomUserStorageProvider] (default task-58) UserStorageProvider#getUserByEmail(): r...(a)gmail.com 18:57:45,534 INFO [org.me.MyCustomUserStorageProvider] (default task-56) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 18:57:45,662 INFO [org.me.MyCustomUserStorageProvider] (default task-61) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 18:57:56,208 INFO [org.me.MyCustomUserStorageProvider] (default task-64) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 18:57:56,270 INFO [org.me.MyCustomUserStorageProvider] (default task-60) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 18:58:01,186 INFO [org.me.MyCustomUserStorageProvider] (default task-7) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 18:58:01,265 INFO [org.me.MyCustomUserStorageProvider] (default task-9) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df 18:58:01,354 INFO [org.me.MyCustomUserStorageProvider] (default task-12) UserStorageProvider#getUserById(): f:d0c27624-05e4-4574-bc59-1911e9853917:5a04cf428c6bda1d05dbe0df Thats a total of 8 lookups for the same user in less than 1 minute, involving 3 requests to Keycloak in this session.

8 years, 5 months

1
0
0 / 0

docker image and database - 3 starts?

by Rob Shepherd

Hi, I’m running kc 3.3.0.FINAL using the docker image. I’ve setup my database using the POSTGRES_* env vars. I notice that everytime the server is started, there are actually 3 starts I’m guessing the issue with WFLYCTL0212 is that the batch CLI change is attempting to set the jdbc driver parameters that already exists. But why does it attempt it a second time before finally starting properly? Presumably the way to workaround this is to just overwrite the parameters in standalone.xml directly, avoiding POSTGRES_* style env vars which will then ignore the change-database stuff? here are the pertinent snippets… 1. 10:53:47,050 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server 10:53:47,054 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) started in 7188ms - Started 67 of 79 services (23 services are lazy, passive or on-demand) The batch failed with the following error: : WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed: Step: step-9 Operation: /subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql.jdbc, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) Failure: WFLYCTL0212: Duplicate resource [ ("subsystem" => "datasources"), ("jdbc-driver" => "postgresql") ] 10:53:47,388 INFO [org.jboss.as] (MSC service thread 1-4) WFLYSRV0050: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) stopped in 25ms 2. 10:54:00,061 INFO [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0212: Resuming server 10:54:00,067 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0025: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) started in 10751ms - Started 65 of 84 services (30 services are lazy, passive or on-demand) The batch failed with the following error: : WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed: Step: step-9 Operation: /subsystem=datasources/jdbc-driver=postgresql:add(driver-name=postgresql, driver-module-name=org.postgresql.jdbc, driver-xa-datasource-class-name=org.postgresql.xa.PGXADataSource) Failure: WFLYCTL0212: Duplicate resource [ ("subsystem" => "datasources"), ("jdbc-driver" => "postgresql") ] 10:54:00,720 INFO [org.jboss.as] (MSC service thread 1-3) WFLYSRV0050: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) stopped in 49ms 3.rd time lucky… ========================================================================= JBoss Bootstrap Environment JBOSS_HOME: /opt/jboss/keycloak JAVA: /usr/lib/jvm/java/bin/java JAVA_OPTS: -server -Djava.security.egd=file:/dev/./urandom -Djava.net.preferIPv4Stack=true -XX:MaxPermSize=256m ========================================================================= OpenJDK 64-Bit Server VM warning: ignoring option MaxPermSize=256m; support was removed in 8.0 10:54:03,396 INFO [org.jboss.modules] (main) JBoss Modules version 1.6.1.Final 10:54:04,483 INFO [org.jboss.msc] (main) JBoss MSC version 1.2.7.SP1 10:54:04,989 INFO [org.jboss.as] (MSC service thread 1-1) WFLYSRV0049: Keycloak 3.3.0.Final (WildFly Core 3.0.8.Final) starting

8 years, 5 months

1
0
0 / 0

Complete export of a realm without shutdown

by Bart Smits

Hello, I need to migrate a realm from a running Keycloak server. I have been looking at the REST API, the command line and finally the startup options. The startup option provide the best way to export a realm but it requires a restart. Am I missing something or is this not yet supported? Would it be possible to use bits and pieces of the command line or REST API to construct a complete export? Kind regards, Bart

8 years, 5 months

2
1
0 / 0

Re: [keycloak-user] Access Token getting truncated when apache HTTPD is in front

by Pharande Rahul

Hi, Any updates/hints on this issue? Thanks Rahul -----Original Message----- From: Shaikh Asrafali Anwarali Sent: Thursday, November 09, 2017 10:02 AM To: stian(a)redhat.com; Pharande Rahul Subject: RE: [keycloak-user] Access Token getting truncated when apache HTTPD is in front Hi Stian, Could you please share your views on the below issue, it's a blocker for us. We have also posted this on keyclaok users forum, but we are still waiting for some kind of response. Scroll downwards for issue detail. Thanks in advance. Regards, Asraf Shaikh -----Original Message----- From: keycloak-user-bounces(a)lists.jboss.org [mailto:keycloak-user-bounces@lists.jboss.org] On Behalf Of Pharande Rahul Sent: Wednesday, November 08, 2017 4:50 PM To: keycloak-user(a)lists.jboss.org Subject: [keycloak-user] Access Token getting truncated when apache HTTPD is in front Hello Team, I'm facing issue of "Access Token getting truncated when apache HTTPD is in front". Though this issue is not directly associated/related to Keycloak but in combination with Apache HTTPD + Keycloak, I would like to take help from experts here :) Below are more details on same. Environnent : o Server : Keycloak v3.x o Proxy server : Apache HTTPD 2.4.x o Client: Angular2 application using OIDC library. Issue Description / Steps to reproduce: * Create realm in Keycloak * Create client for realm along with redirect url etc. * Create ~70 role/permissions for client with longer names ~25 characters in permission name. * Create user and assign all above permissions for newly created client. * Access Angular2 application running in browser, and for protected resources Keycloak login page displayed where redirect_uri parameter is given/supplied. * After entering valid user credentials, keycloak redirects to Application's redirect URL * However error shown on browser console that, "failed at_hash". o This is because incomplete/truncated token returned and OIDC client library in Angular application tries to validate token received. Important point here: * Defect mentioned only occurs when Apache is in front and used as proxy/load balancer server. My analysis: * As per my analysis, I see Keycloak returns access_token information in response header during redirect * Apache has restriction of handling response header or cookies of size upto 8k * Even after setting, various parameters in Apache HTTPD like - "LimitRequestFieldSize", "LimitRequestLine" we are still getting this error. Please let me know if anyone already experienced such issue OR has any alternative on using/configuring Keycloak to redirect using part response.. Thanks and Regards. Rahul Pharande _______________________________________________ keycloak-user mailing list keycloak-user(a)lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-user

8 years, 5 months

1
0
0 / 0

Bug squashing time

by Stian Thorgersen

We're not accepting any contributions for new features until we start on Keycloak 4.x. Most likely that'll be mid-December. Any PRs for new features until then will not be reviewed or merged, but feel free to send if you want. We do however have a fair amount of outstanding bugs and would love help from the community to get as many as possible resolved in the next month! If you'd like to help take a look at https://issues.jboss.org/projects/KEYCLOAK/versions/12333692 look for issues that are not assigned to someone. Remember we want tests as well.

8 years, 5 months

1
0
0 / 0

Re: [keycloak-user] Authz with nodejs

by Corentin Dupont

OK problem solved: I forgot to check "Full Scope Allowed" in the client... On Tue, Nov 7, 2017 at 10:03 PM, Corentin Dupont <corentin.dupont(a)gmail.com> wrote: > Hi guys, > I created a REST API that I would like to protect with keycloak. > However, I don't find any example/tutorial on Internet that suits. > > At the moment I use keycloak-nodejs-connect: > https://github.com/keycloak/keycloak-nodejs-connect/blob/mas > ter/example/index.js > > This is the basic example given: > > var Keycloak = require('keycloak-connect'); > var express = require('express'); > var session = require('express-session'); > > var app = express(); > var server = app.listen(3000, function () {}); > var memoryStore = new session.MemoryStore(); > > app.use(session({ > secret: 'mySecret', > resave: false, > saveUninitialized: true, > store: memoryStore, > })); > > var keycloak = new Keycloak({ > store: memoryStore > }); > > app.use(keycloak.middleware({ > logout: '/logout', > admin: '/' > })); > > app.get('/login', keycloak.protect(), function (req, res) { > res.render('index', { > result: JSON.stringify(JSON.parse(req.session['keycloak-token']), > null, 4), > event: '1. Authentication\n2. Login' > }); > }); > > But that doesn't corresponds to my need: in a REST API I have no login or > logout and no memory. > I think the user should always make requests with a bearer token. Based on > that token I can identify the user and get his roles. > Then I could use keycloak.protect('realm:myendpoint') to protect each of > my endpoints. If the user have got that role, he is authorized. > Did I understood correctly the flow? > Is there some example or REST API with authz, using nodeJS? > > Thanks a lot!!! > Corentin >

8 years, 5 months

1
0
0 / 0

Is bearer token auth supported in commonly used REST client libraries?

by Vlastimil Elias

Hi, is bearer token auth method supported in commonly used REST client libraries (eg. RESTEasy and HttpClient in java)? I tried to google around this, but no success. I was not able to find anything useful (except stuff implemented inside of Keycloak Admin Client). You know, http basic auth and ssl client cert auth is commonly available and (relatively) easy to use, so it is widely used. I believe good, easy to use, support of bearer token auth in client libraries is crucial to drive adoption of this technology, including OpenID Connect protocol, which then can drive use of Keycloak itself. By "good, easy to use, support" I mean things like automatic obtaining of access token based on the config (using OIDC "Client Credentials Grant" and "Direct Access Grants"), its automatic renewal, and automatic use of this token in REST calls performed by the client library, without any complicated coding. Any references to existing libraries? Any plans in Keycloak project itself? Vlastimil -- Vlastimil Elias Principal Software Engineer, Middleware Engineering Services Red Hat

8 years, 5 months

1
0
0 / 0

Can we map each realm into different URL?

by Min Han Lee

Hello Guys, As title, does keycloak has out of the box functionality to do so? or do we need to use a reverse proxy to execute this? Any help is much appreciated Kind Regards

8 years, 5 months

1
0
0 / 0

Federated and Dynamic Users/Attributes

by Andreas Tell

Hi! In an upcoming system we aim to use Keycloak as a "OIDC/OAuth security proxy/broker". All information basically resides in other systems (federated); * An external IdP provides ID federation via SAML v2 * Permissions are fetched dynamically each time the user authenticates from an external system via a web service call. KC is not the system of record for this information. After the user is authenticated, the client (web app) retrieves the full set of permissions info via the /userinfo endpoint by providing an Access Token (resource owner credentials grant). My first question is; is this approach at all advisable? Can it be done using KC? I got a clue from this ; https://stackoverflow.com/ questions/44014260/how-to-programmatically-assign-particular-roles-at-user- registration-in-keycloak If so I assume we'd have to extend KC using one of the SPIs. The documentation on the SPIs don't give me much confidence on where to best put such extensions. Where would I put a web service call? How can I dynamically assign roles and/or attributes to a provisioned user? Should I use the Authentication SPI, User Federation SPI, User Storage SPI or possibly piggyback on a callback event of Event Listener SPI ? Best Regards Andreas Tell

8 years, 5 months

1
0
0 / 0

identity broker role mapping bug?

by Simon Payne

Hi, i think i may have found a bug in the identity provider mapping of claims to roles. it appears that if i have an identity provider with claims in the token, which i want to map to a role in the identity broker, then it only does this once during the first time login. if i remove the claim from the identity provider token, then this successfully removes it from the broker - but never remaps if i then add it again. the scenario i am trying to create here is that the identity provider is responsible for authentication where active directory groups appears as claim in the token. the broker then map this claim to the role providing the authorization. this behaviour appears to be the same whether i map a broker role to a custom claim or a realm role in the provider token. hope this makes sense, thanks Simon.

8 years, 5 months

2
4
0 / 0

Keycloak adapter hijacks all URL's ending in /saml

by Chris Brandhorst

We are having a problem with the Keycloak SAML Jetty adapter (8.1). We have an application which currently does its own SAML handling, for which we want to migrate all the authentication logic to Keycloak. So we have an existing SAML endpoint to which a large number of third-party applications connect. This endpoint is placed at /sso/saml. It seems that the Keycloak adapter hijacks all request coming to any URL ending in /saml, breaking the existing endpoint, which needs to be kept functional for a while (for future migration). How can we make sure this existing endpoint is not affected by the adapter? Thanks, Chris Brandhorst

8 years, 5 months

1
0
0 / 0

Keycloak with Snowflake DB

by Matthew Koken

Has anybody tried using Snowflake DB as a datasource for Keycloak? I'm attempting to set this up using Snowflake's snowflake-jdbc jar but I'm having trouble adding the module following the guide in http://www.keycloak.org/docs/latest/server_installation/index.html#_ rdbms-setup-checklist

8 years, 5 months

1
0
0 / 0

JWS Client Assertion On Client Authentication

by 乗松隆志 / NORIMATSU，TAKASHI

Hello. I'm interested in Client Authentication in JWS Client Assertion. It seems that keycloak only support this using private key signing of which "private_key_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication . I've expected that keycloak has also supported "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication . In org.keycloak.protocol.oidc.OIDCLoginProtocol // Client authentication methods public static final String CLIENT_SECRET_BASIC = "client_secret_basic"; public static final String CLIENT_SECRET_POST = "client_secret_post"; public static final String CLIENT_SECRET_JWT = "client_secret_jwt"; public static final String PRIVATE_KEY_JWT = "private_key_jwt"; PRIVATE_KEY_JWT is referred from org.keycloak.authentication.authenticators.client.JWTClientAuthenticator::getProtocolAuthenticatorMethods(). Only PRIVATE_KEY_JWT are added for authentication method, while CLIENT_SECRET_JWT is referred from no classes. Does somebody know why keycloak does not support "client_secret_jwt" method in http://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication ? (ex. security concerns, etc ...) And, does someone know whether there is any plan to implement this "client_secret_jwt" method for Client Authentication in JWS Client Assertion? Best Regards Takashi Norimatsu Hitachi, Ltd.

8 years, 5 months

2
2
0 / 0

Fuse Keycloak Adapter not performing Log out

by Pana

Hi We are using JBOSS Fuse Keycloak adapter 2.5.5-final-redhat. We observed that at each authorization request the adapter creates sessions on the Keycloak Server which are not released. As a result the number of sessions is ever increasing impacting the performance on Keycloak Server. In looking in the code, we saw that in many cases, the authorization flow requests a token from the Keycloak Server but eventually it does not call log out or does not cache the token in the deployment in order not to call again. For example: KeycloakAdapterPolicyEnforcer::requestAuthorizationToken. if configuration is User Managed Access, it will create a token with this statement: authzClient.protection().permission().forResource(permissionRequest); At the end, it will not call log out and session will remain in the SSO Server Cache. -- Sent from: http://keycloak-user.88327.x6.nabble.com/

8 years, 5 months

1
0
0 / 0

Keycloak 3.4.0.CR1 released

by Stian Thorgersen

We've just released Keycloak 3.4.0.CR1. To download the release go to the Keycloak homepage <http://www.keycloak.org/downloads>. HighlightsToken exchange The token exchange service allows clients to exchange tokens for different tokens. There's quite a few options available so check out the docs <http://www.keycloak.org/docs/latest/securing_apps/index.html#_token-exchange> for more details. Fine-grained permissions for admin endpoints By leveraging our authorization services we've made it possible to control permissions in the admin endpoints almost exactly how you want. For more details check the docs <http://www.keycloak.org/docs/latest/server_admin/index.html#_fine_grain_p...> . Cross DC A lot more work has gone into this release around cross DC support. Docs are still not ready and there's still some minor polish left. This will come soon. Upgraded to WildFly 11 Final We've upgraded the underlying container to WildFly 11 Final. Support MySQL and PostgreSQL in main Keycloak Docker image We used to have separate Docker images for MySQL and PostgreSQL, but now we have one that supports them all. AsciiDoctor Our docs used to be built and hosted on GitBook. We've recently moved to using pure AsciiDoctor to build the docs. The main reason behind this move was to closer align with how we build documentation for the productized version of Keycloak (RH-SSO). Loads more.. - Script based protocol mapper for OIDC - thanks to thomasdarimont <https://github.com/thomasdarimont> - Blacklisted password policy- thanks to thomasdarimont <https://github.com/thomasdarimont> - Login with PayPal - thanks to petlys <https://github.com/petlys> - Almost 200 - we almost resolved 200 issues for this one (197!) The full list of resolved issues is available in JIRA <https://issues.jboss.org/issues/?jql=project%20%3D%20keycloak%20and%20fix...> . Upgrading Before you upgrade remember to backup your database and check the upgrade guide <http://www.keycloak.org/docs/latest/upgrading/index.html> for anything that may have changed. Release candidates are not recommended in production and we do not support upgrading from release candidates.

8 years, 5 months

1
0
0 / 0

Keycloak via reverse proxy: Mixed Mode errors.

by Dominik Guhr

Hey all, I've tried to set up keycloak to work behind a reverse proxy (via a kong route on openshift 3) today , but sadly I can't get it to work after trying many things. Here's a stackoverflow-post I've created with the exact problem definition: https://stackoverflow.com/questions/47181821/using-keycloak-behind-a-reve... It would be absolutely great if someone could help me out here, because I am out of ideas for now. Best regards, Dominik

8 years, 5 months

1
0
0 / 0

Access Token getting truncated when apache HTTPD is in front

by Pharande Rahul

Hello Team, I'm facing issue of "Access Token getting truncated when apache HTTPD is in front". Though this issue is not directly associated/related to Keycloak but in combination with Apache HTTPD + Keycloak, I would like to take help from experts here :) Below are more details on same. Environnent : o Server : Keycloak v3.x o Proxy server : Apache HTTPD 2.4.x o Client: Angular2 application using OIDC library. Issue Description / Steps to reproduce: * Create realm in Keycloak * Create client for realm along with redirect url etc. * Create ~70 role/permissions for client with longer names ~25 characters in permission name. * Create user and assign all above permissions for newly created client. * Access Angular2 application running in browser, and for protected resources Keycloak login page displayed where redirect_uri parameter is given/supplied. * After entering valid user credentials, keycloak redirects to Application's redirect URL * However error shown on browser console that, "failed at_hash". o This is because incomplete/truncated token returned and OIDC client library in Angular application tries to validate token received. Important point here: * Defect mentioned only occurs when Apache is in front and used as proxy/load balancer server. My analysis: * As per my analysis, I see Keycloak returns access_token information in response header during redirect * Apache has restriction of handling response header or cookies of size upto 8k * Even after setting, various parameters in Apache HTTPD like - "LimitRequestFieldSize", "LimitRequestLine" we are still getting this error. Please let me know if anyone already experienced such issue OR has any alternative on using/configuring Keycloak to redirect using part response.. Thanks and Regards. Rahul Pharande

8 years, 5 months

1
0
0 / 0

SAML IdP and ADFS trust

by Ben Redahan

Hi all, I'm configuring a SAML Identity Provider in Keycloak to allow single sign on with a customer ADFS server. I'm following this guide: http://blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html I'm working in a development environment with a test ADFS server using a self-signed Service Communications certificate (I had to install and configure this myself so I could have gone wrong here). Keycloak is running on an AWS instance behind a load balancer, incoming https is handled by that. I've configured the Relying Party Trust on ADFS and the FederationMetadata.xml in the Keycloak identity provider. During testing I deployed a Keycloak image without a truststore or Service Communications certificate, but the redirect still works. When I click the SSO button from the Keycloak login page I am redirected to the ADFS login page, though from my understanding the outbound https request to the ADFS endpoint should fail, since Keycloak doesn't trust the ADFS server. Shouldn't the first redirect fail if there's no truststore or SSL certificate? I'm a novice at this so there's almost certainly a gap in my understanding, but I've searched through all the documentation I can find and can't make sense of it. Can anyone help? Thanks, Ben -- *Ben Redahan | Software Engineer* *Phone **+353 1 539 8744 <%2B353%201%20539%208744>* *TRIMBLE RAILWAY ASSET SOLUTIONS | NEXALA* *www.trimble.com/rail-assets* <http://www.trimble.com/rail-assets>*| * *www.nexala.com* <http://www.nexala.com/>* | **www.trimble.com/rail* <http://www.trimble.com/rail> *Newsletter Sign Up* <http://infogeospatial.trimble.com/rail-asset-newsletter-signup.html>* | **Request Demo* <http://infogeospatial.trimble.com/rail-asset-newsletter-signup.html>* | **LinkedIn <https://www.linkedin.com/company/trimble-railway-solutions>*

8 years, 5 months

1
0
0 / 0

create admin user to control other users, but at the same time making him/her unable to change his/her own permissions

by pavlos kaimakis

Hi there, Is there any way we can configure a user that will have the rights to view/edit/delete/assign other users' roles, but will NOT be able to change the setting for him/herself. Reason asking is I want a user as admin to deal with the rest of the users, but at the same time i don't want that user to be able to grant permissions to him/herself to access some other clients. The default 'admin' role gives him/her this option. Waiting for your response BRs Lefteris

8 years, 5 months

2
1
0 / 0

Set CreatedTimestamp

by zitrone＠gmx-topmail.de

Hi, i'm currently trying to migrate users from an old system to keycloak (3.1.0). Im using the java implementation of the keycloak admin api to create the accounts, building a UserRepresentation and sending it to realm.users().create(). Now i have the problem, that i want to migrate the creation date of the accounts from the old system. Although i can set the createdTimestamp for the userRepresentation, it will not be stored in keycloak. Instead the current time is set for the createdTimestamp. Is there a way to modify the createdTimestamp? I understand that this is something you usually dont want to happen, but during migration of already existing accounts, it would be kind of handy. If there is no other way i have to use a custom attribute, storing the old creation date, but that means additional code to retrieve it. Second question: What is the best way to iterate over all accounts in keycloak? Currently i'm using something like this: Integer userCount = keyCloakClient.realm(realmname).users().count(); int processed = 0; List<String> userIds = new ArrayList<>(); int fetchsize = 100; while (processed < userCount) { keyCloakClient .realm(realmname) .users() .search("", processed, fetchsize) .stream() //some filters .forEach(user -> userIds.add(user.getId())); processed += fetchsize; } If i put the fetchsize to big, i get problems processing the json response. But i'm worried that the result from the empty search will not be stable and i'll miss accounts. regards zitrone

8 years, 5 months

1
0
0 / 0

Keycloak 3.3.0 fails Google Social Registration with NPE

by Niels Bertram

I unzipped Keycloak 3.3.0.Final and configured a localhost:8080 instance realm "play" to use Google Identity Provider for sozial. Navigating to http://localhost:8080/auth/realms/play/account will get me to the login page as expected, then I click on the Google logo and it takes me to google login. Login is all good but then I get back to the Keycloak server and I see this stack trace in the web browser and logs. Anynone seen this before? I got exact setup behind a proper DNS with SSL and it works fine. In the "Play" realm I configured Require SSL to none and cant really think of any other thing that could cause this. Anyone seen this error or has any suggestions for configuration? 14:47:05,845 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /auth/realms/play/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: No ident ifier provider for identity. at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78) at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222) at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213) at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:90) at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61) at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:131) at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) at io.undertow.security.handlers.NotificationReceiverHandler.handleRequest(NotificationReceiverHandler.java:50) at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:68) at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292) at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138) at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.lambda$create$0(SecurityContextThreadSetupAction.java:105) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1508) at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272) at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81) at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104) at io.undertow.server.Connectors.executeRootHandler(Connectors.java:326) at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:812) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748) Caused by: java.lang.RuntimeException: No identifier provider for identity. at org.keycloak.broker.provider.BrokeredIdentityContext.<init>(BrokeredIdentityContext.java:53) at org.keycloak.authentication.authenticators.broker.util.SerializedBrokeredIdentityContext.deserialize(SerializedBrokeredIdentityContext.java:250) at org.keycloak.services.resources.LoginActionsService.brokerLoginFlow(LoginActionsService.java:697) at org.keycloak.services.resources.LoginActionsService.firstBrokerLoginGet(LoginActionsService.java:650) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498) at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140) at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295) at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249) at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:138) at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:101) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406) ... 48 more

8 years, 5 months

1
0
0 / 0

Fwd: Authz with nodejs

by Corentin Dupont

Hi guys, I created a REST API that I would like to protect with keycloak. However, I don't find any example/tutorial on Internet that suits. At the moment I use keycloak-nodejs-connect: https://github.com/keycloak/ke ycloak-nodejs-connect/blob/master/example/index.js This is the basic example given: var Keycloak = require('keycloak-connect'); var express = require('express'); var session = require('express-session'); var app = express(); var server = app.listen(3000, function () {}); var memoryStore = new session.MemoryStore(); app.use(session({ secret: 'mySecret', resave: false, saveUninitialized: true, store: memoryStore, })); var keycloak = new Keycloak({ store: memoryStore }); app.use(keycloak.middleware({ logout: '/logout', admin: '/' })); app.get('/login', keycloak.protect(), function (req, res) { res.render('index', { result: JSON.stringify(JSON.parse(req.session['keycloak-token']), null, 4), event: '1. Authentication\n2. Login' }); }); But that doesn't corresponds to my need: in a REST API I have no login or logout and no memory. I think the user should always make requests with a bearer token. Based on that token I can identify the user and get his roles. Then I could use keycloak.protect('realm:myendpoint') to protect each of my endpoints. If the user have got that role, he is authorized. Did I understood correctly the flow? Is there some example or REST API with authz, using nodeJS? Thanks a lot!!! Corentin

8 years, 5 months

1
0
0 / 0

Role revocation after a specified date and time

by Leonel Freire

Is there anyway to revocate a role after a specified date and time? -- Leonel Freire *Have you tried turning it off and on again?*

8 years, 5 months

2
3
0 / 0

Use RestAPI to add roles to groups

by O'Callaghan, John

Hi all A similar question to before. Am trying to use the rest api to add existing access roles to an existing group. I have tried to use: PUT /auth/admin/realms/REALM_NAME/groups/GROUP_ID With data {'realmRoles': [LIST_OF_ROLES], 'id': gid} Am getting a 204 back from PUT but when I look in the webui I am not seeing the assigned roles table getting updated for the group. This is similar to a previous question I had (thanks again Marko for the response) and for fun I did try : PUT /auth/admin/realms/REALM_ID/groups/GROUP_ID/roles/ROLE_ID With data {'roleId': ROLE_ID, 'id': GROUP_ID, ‘realm’: REALM_NAME} But that gave a 404. Anyone else had this problem? Any help would be much appreciated! Thanks John ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com

8 years, 5 months

2
2
0 / 0

Keycloak SAML IDP configuration problems

by Drew Weirshousky

I am having a problem setting up Okta as an IDP with keycloak as the SP using SAML. We are using keycloak 3.2.1. What we want: We want to prepopulate the users from Okta in keycloak (only a handful of users are involved). So that when a user comes from Okta to our application no registration info has to be entered or confirmed. The user will be authenticated with Okta, click on the application link. Keycloak will handle the SAML authentication and then redirect the user to our application. What I have so far: I am initiating login to the application from Okta. When the user comes from Okta they are prompted to update account information. Then a message appears stating that the account already exists, click add to existing account. The user receives the verify email and confirms linking. Then the user goes back to the browser window and continues and is redirected to a page that doesn't exist. Link from SP: https://myHost/auth/realms/myRealm/login-actions/first-broker-login?code=... Link it redirects to: https://myHost/auth/realms/myRealm/broker/null The user is linked to the identity provider and a session is created. At this point I am starting to think that we shouldn't use this version of Keycloak and wondering if this is a bug or configuration issue. Any help would be appreciated. Thanks Drew

8 years, 5 months

1
0
0 / 0

Re: [keycloak-user] Adding users to groups using restapi

by O'Callaghan, John

Hi Marko That worked perfectly. Thanks for the help! John ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com

8 years, 5 months

1
0
0 / 0

Automatically disable inactive users

by James Rowe

Hi all, is there a way in Keycloak to automatically disable a users account after a configurable period of inactivity? For example, if a user has been inactive (e.g. not authenticated) for 60 days then his account is automatically disabled meaning he can no longer login. If it is not possible then i plan to add a feature request. I don't see anything like this in the existing JIRA requests. Thanks, Jim. This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you are not the intended recipient, please note that any review, dissemination, disclosure, alteration, printing, circulation, retention or transmission of this e-mail and/or any file or attachment transmitted with it, is prohibited and may be unlawful. If you have received this e-mail or any file or attachment transmitted with it in error please notify postmaster(a)openet.com. Although Openet has taken reasonable precautions to ensure no viruses are present in this email, we cannot accept responsibility for any loss or damage arising from the use of this email or attachments.

8 years, 5 months

1
0
0 / 0

Adding users to groups using restapi

by O'Callaghan, John

Hi All Im trying to use the rest api to update an existing user to add them to an existing group. The url that I am using is /auth/admin/realms/MY_REALM/users/USER_ID Where MY_REALM is equal to my realm name and USER_ID is equal to an existing users id. I am sending a json doc in the PUT body and in here I have { “groups”: [“admin”], “enabled”: True } But when I look at the users info using the WebUI I am not seeing the admin group listed in their “Group Membership” table. I do see it listed in their “Available Groups” table. I do see that the users “enabled” flag is going from False to True after the PUT so I believe the permission to update the user is correct. But shouldn’t I see the admin group added to the Group Membership table too? Has anyone come across this problem? Any help would be really appreciated. Thanks John ________________________________ This message is for the designated recipient only and may contain privileged, proprietary, or otherwise confidential information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of the e-mail by you is prohibited. Where allowed by local law, electronic communications with Accenture and its affiliates, including e-mail and instant messaging (including content), may be scanned by our systems for the purposes of information security and assessment of internal compliance with Accenture policy. ______________________________________________________________________________________ www.accenture.com

8 years, 5 months

2
1
0 / 0

populating phone number in IDToken

by Sud Ramasamy

Hi Keycloak team, We were wondering if and how the phone number property in IDToken is populated. We are using OIDC between the client and Keycloak we came across the org.keycloak.protocol.oidc.OIDCLoginProtocolFactory.java class which seems to be responsible for populating some of the properties of IDToken but phone number isn’t one of them. Regards -sud

8 years, 5 months

1
0
0 / 0

Issue with not enabling sticky session

by Narendra Kadali

Hello All, We configured an external SAML based identity provider in a realm and. When user coming back to Keycloak after successful authentication at external IdP Keycloak giving either "Page expired" or "Not found serialized context in authenticationSession " error. The process of reproducing the issue is as follows: 1. Access the corresponding realm login page and then click on the identity provider link to login using external IdP. 2. This will take us to the external identity provider. After successful authentication at external IdP, the user will be redirected back to Keycloak instance with a valid SAMLResponse. 3. Then there might be a chance that instead of either showing first-broker-login flow or profile page you might be presented with 'page expired' error or 'Not found serialized context in authenticationSession' error. Some information about my environment: 1. Three Keycloak instances running in a standalone mode. All of them connected to common DB and external Infinispan cluster. We are running Keycloak 3.2.1.Final 2. Three Infinispan instances are deployed as a single cluster. Our Keycloakc instances connected to this external Infinispan cluster. 3. We don't have any session stickiness enabled at the load balancer 1. Below is the configuration we are using for autehtnicationSessions cache in standalone.xml file. <local-cache name="authenticationSessions"> <remote-store cache="authenticationSessions" remote-servers="remote-cache" fetch-state="false" passivation="false" preload="false" purge="false" shared="true"> <property name="rawValues"> true </property> <property name="marshaller"> org.keycloak.cluster.infinispan.KeycloakHotRodMarshallerFactory </property> </remote-store> </local-cache> Some findings on this issue: 1. Since session stickiness is not there the first time when login page rendered it can go to Keycloak node 1 and when user come back to Keycloak with valid SMAL Response request can be forwarded to Keycloak node2. So requests can be spread across all Keycloak nodes. 2. The error log observed for 'Not found serialized context in authenticationSession' message is: ERROR [org.keycloak.services] (default task-17) KC-SERVICES0068: Not found serialized context in clientSession under note 'BROKERED_CONTEXT' 3. If we run only one single Keycloak node, we are not seeing this error. Any of you seen a similar issue? Thanks!

8 years, 5 months

2
1
0 / 0

User registration outside of Keycloak login form

by Niels Bertram

Hi Keycloak users, a strange question for the community ... I have a customer that wants to have SSO but does not want to use the Keycloak registration screens (themed or otherwise) but requires the user to be "logged in" to Keycloak after user registration. My understanding is that to get the SSO magic to work, a user agent must be redirected to the Keycloak server so the KEYCLOAK_SESSION? cookie can be set so that when the user navigates to another SSO enabled site after user registration, they would be identified in the auth flow of this client. Is there any way to create a valid SSO session without using the registration forms of Keycloak server itself? Like doing an XHR request that would create a user registration and also sets the required server side cookies in the user agent? Interested to hear your thoughts. Many thanks, Niels

8 years, 5 months

2
1
0 / 0

Roles from UserStorageSPI

by Rob Shepherd

Hi, I have successfully authenticated users from a custom User Storage Provider. I cannot find how I map roles to the users that come from this provider. I am able to include the user's roles in the UserModel, and i have created ClientRoles which match, but I can’t find how I attribute Roles to my users. Furthermore, I have a default realm role, but this never appears in the ID token or userInfo object. Any pointers appreciated. Thanks Rob

8 years, 5 months

2
1
0 / 0

Extract kc_locale from a redirect URI

by Valerij Timofeev

Hi, we are extracting kc_locale parameter from redirect URIs and appending it to the Keycloak login form URI using NGINX rewrite rule at the moment. Extracting locale from redirect URI is indispensable for example when using deep links in emails or linking to protected resources from a public site. I wonder whether there is more simple method to extract kc_locale parameter from redirect URI and set according locale in the Keycloak login form. Best regards, Valerij

8 years, 5 months

1
0
0 / 0

Login Confirmation every time

by Rob Shepherd

Hi, I have a requirement where multiple users use shared terminals. I would like to have a “Continue to ${client} as ${username}?” prompt page that occurs after every (unprompted) authentication. (I.e. if cookie auth was successful, but no login form) So this would always be present when processing of a login that can occur without interaction if a cookie is still valid. When prompted, and it appears to the user that it is an old login from previous person, then I will present the option to “Login as someone else" (What I describe is different to the consent screen that occurs once per client per user.) Doe this already exist? Otherwise, should I be thinking of a RequiredAction for this, or an Authentication flow? Pointers appreciated. Thanks Rob

8 years, 5 months

1
0
0 / 0

Keycloak & Large # of Realms

by John D. Ament

Hi All Looking for some more insight, haven't heard about this issue in a while. The specific endpoint I'm having issues with is the /auth/admin/realms endpoint -> https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o... For what Keycloak is doing in the UI for the list realms, is it necessary to provide all realm details or can it use a simplified version of the realm representation to populate the drop down in the top left navigation (at least I'm assuming that's where it's being fetched to be populated into)? I'm seeing this endpoint perform particularly slowly. Some of the key spots (I have 125 - 750 calls to select authentica0_.ID as ID1_3_0_, authentica0_.ALIAS as ALIAS2_3_0_, authentica0_.BUILT_IN as BUILT_IN3_3_0_, authentica0_.DESCRIPTION as DESCRIPT4_3_0_, authentica0_.PROVIDER_ID as PROVIDER5_3_0_, authentica0_.REALM_ID as REALM_ID7_3_0_, authentica0_.TOP_LEVEL as TOP_LEVE6_3_0_ from AUTHENTICATION_FLOW authentica0_ where authentica0_.ID='15249ca1-1be3-4b59-a0e0-80bf00a107a4' (the ID changes per request, looks like you're loading auth flows per ID) - 250 calls to get client entities - 125 calls for groups, locales, enabled events, required actions, roles, smtp config, idps, attributes, roles, role mappers, etc. I suspect the 125 calls are needed, we don't want to load those in a larger batch. However, if there's a simpler use for realms that would be beneficial from a loading standpoint. John

8 years, 5 months

2
3
0 / 0

Backup of config and users

by Knurr, Michael

In the documentation I can see that the whole domain configuration and all user information can be exported by the "startup" export functionality. http://www.keycloak.org/docs/latest/server_admin/topics/export-import.html Unfortunately this method requires us to stop the server to do the export. What is the recommended procedure to export domain configuration and users in an actively running keycloak instance?

8 years, 5 months

3
5
0 / 0

Keycloak startup fails when Widlfly running in Standalone-HA mode

by Narendra Kadali

I am trying to deploy Keycloak cluster in standalone-ha mode in our Openshift environment. I followed following blog post: http://blog.keycloak.org/2017/09/cross-datacenter-support-in-keycloak.html and made changes to standalone-ha.xml configuration file. When I am deploying Keycloak in our environment, deployment is failing and I am seeing below error message. 21:53:01,694 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) started (with errors) in 3413ms - Started 523 of 918 services (3 services failed or missing dependencies, 651 services are lazy, passive or on-demand) Apart from this I don't see any errors in the logs. In fact in logs, I see Keycloak deployed successfully but when I am trying to access Keycloak getting HTTP 404 error. Below is the snippet of the log. 21:53:01,612 INFO [org.jboss.as.server] (ServerService Thread Pool -- 51) WFLYSRV0010: Deployed "keycloak-server.war" (runtime-name : "keycloak-server.war") 21:53:01,694 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0060: Http management interface listening on http://127.0.0.1:9990/management 21:53:01,694 INFO [org.jboss.as] (Controller Boot Thread) WFLYSRV0051: Admin console listening on http://127.0.0.1:9990 21:53:01,694 ERROR [org.jboss.as] (Controller Boot Thread) WFLYSRV0026: Keycloak 3.2.1.Final (WildFly Core 2.0.10.Final) started (with errors) in 3413ms - Started 523 of 918 services (3 services failed or missing dependencies, 651 services are lazy, passive or on-demand) When I accessed Wildfly management console and looked under deployments section, I realized that keycloak war file deployment failed. For some reason Keycloak deployment failing and it is not outputting any error logs. In our environment UDP - Multicast doesn't work. So we are relaying on TCPPING protocol for node discovery process. Can it cause any such issues? Attached the complete server startup log and ha configuration we are using. On a side note, when we are running Keycloak in standalone mode we are not facing any such issues. Have you any of you came across this issue? Any help on this issue is appreciated. Thanks!

8 years, 5 months

1
0
0 / 0

Hot (re)deployment breaks EntityProviders

by Dmitry Telegin

Hi, Seems like EntityProviders containing JPA entities can be neither hot deployed nor "cold" deployed and hot redeployed afterwards. In both cases, the result is non-working JPA. Please see https://issues.jboss.org/browse/KEYCLOAK-5782 and its corresponding subtasks, as things are a bit different for the two cases. Regards, Dmitry

8 years, 5 months

1
0
0 / 0

NoSuchMethodError when storing the user into Keycloak's cache

by Kruti Parmar

Hi, I have created a custom storage provider which will migrate user from legacy app to keycloak's local storage on demand. That is achieved. Now I want to modify this functionality and store the user in to keycloak's cache instead of keycloak's local storage. For that I have used the following code : @Override public void onCache(RealmModel realm, CachedUserModel user, UserModel delegate) { String password = ((UserAdapter)delegate).getPassword(); if (password != null) { user.getCachedWith().put(PASSWORD_CACHE_KEY, password); } } But I am getting an error saying - "org.jboss.resteasy.spi.UnhandledException: java.lang.NoSuchMethodError: org.keycloak.models.cache.CachedUserModel.getCachedWith()Ljava/util/concurrent/ConcurrentMap;". Can anyone please help me to resolve this? PS : I am using keycloak 3.1.0 Final version. Thanks & regards, Kruti ***** Email confidentiality ***** This message is private and confidential. If you have received this message in error, please notify us and remove it from your system. The dissemination, copying or distribution of this message, or related files, by anyone other than the intended recipient is strictly prohibited. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Advanced Computer Software Group Limited. ***** Email monitoring ***** Advanced Computer Software Group Limited may monitor email traffic data and also the content of email for the purposes of security and staff training. ***** Email security ***** In keeping with good computing practice, the recipient of this email should ensure that it is virus-free. Advanced Computer Software Group Limited does not accept responsibility for any virus that may be transferred by way of this email. Email may be susceptible to data corruption, interception and/or unauthorised amendment. Advanced Computer Software Group Limited does not accept liability for any such corruption, interception or amendment or any consequences thereof. This email has been scanned for viruses by the Symantec Email Security.cloud service. Advanced Computer Software Group Limited Registered office: Ditton Park, Riding Court Road, Datchet, Berkshire, SL3 9LL, UK Registered in England under number 5965280 ________________________________ Please consider the environment: Think before you print! This message has been scanned for malware by Websense. www.websense.com

8 years, 5 months

1
0
0 / 0

Keycloak Spring Boot Adapter does not populate security context principal

by Niels Bertram

Hi Keycloak Users, I tried to configure a dead simple Spring Boot CXF REST endpoint with Keycloak Spring Boot Adapter in Bearer Only mode without any luck. It appears the Keycloak Tomcat Valve fails authorization even before the keycloak adapter ever gets a chance to parse the Bearer token and setup the session. I would have thought that with AutoConfig it would just be that ... auto config. I added the below keycloak adapter configuration to the application.yml file and made sure all required jars are on the classpath. Does anyone have any suggestions or a link to a working example that shows how to use Spring Boot with Keycloak *AND* CXF ? Many thanks, Niels Example: https://github.com/bertramn/keycloak-secured-rest-endpoint application.yml configuration: keycloak: realm: demo authServerUrl: 'http://localhost:8080/auth' realmKey: 'MIIBIjANBgDAQAB' sslRequired: external resource: test-client bearerOnly: true securityConstraints: - authRoles: [ '*' ] securityCollections: - name: authed patterns: [ '/v1/secured' ]

8 years, 5 months

3
4
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user November 2017