Error while connecting postgres User Storage spi
by rohit chaudhary
Hi,
I am trying the User Storage SPI with a Postgres DB. It throws the following error
while running the command mvn clean install wildfly:deploy:
Failed to execute goal
org.wildfly.plugins:wildfly-maven-plugin:1.1.0.Final:deploy (default-cli)
on project user-storage-jpa-example: Failed to execute goal deploy:
{"WFLYCTL0062: Composite operation failed and was rolled back. Steps that
failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" =>
{"jboss.persistenceunit.\"user-storage-jpa-example.jar#user-storage-jpa-example\""
=> "org.jboss.msc.service.StartException in service
jboss.persistenceunit.\"user-storage-jpa-example.jar#user-storage-jpa-example\":
javax.persistence.PersistenceException: [PersistenceUnit:
user-storage-jpa-example] Unable to build Hibernate SessionFactory
[ERROR] Caused by: javax.persistence.PersistenceException:
[PersistenceUnit: user-storage-jpa-example] Unable to build Hibernate
SessionFactory
[ERROR] Caused by:
org.hibernate.tool.schema.spi.SchemaManagementException: Unable to execute
schema management to JDBC target [create table UserEntity (id varchar(255)
not null, email varchar(255), password varchar(255), phone varchar(255),
username varchar(255), primary key (id))]
[ERROR] Caused by: org.postgresql.util.PSQLException: ERROR: relation
\"userentity\" already exists"}}}}
If I drop this table, it will create one, but users are not imported.
And do I have to use UserEntity as my table name, or can I have a different
one?
Thanks,
Rohit
7 years, 8 months
SAML parsing error
by Anders KK
Hi,
We have setup Keycloak as an identity broker with a SAML IdP. Keycloak
receives a SAML response from the IdP and we can decrypt this response by
hand and it looks like we expect.
When the browser hits our SAML endpoint
(https://[domain]/auth/realms/[realm]/[client]/[IdP alias]/endpoint) we get
an exception:
org.keycloak.broker.provider.IdentityBrokerException: Could not process
response from SAML identity provider.
The log shows this error: PL00062: Parser : Unknown
tag:AuthnStatement::location=[row,col {unknown-source}]: [1,9341]
It seems that Keycloak does not know the tag AuthnStatement even though this
is part of the SAML 2.0 standard?
Are we missing something here?
Kind regards,
Ulrik and Anders
7 years, 8 months
Keycloak Java adapter & ADFS
by Cat Mucius
Good day,
I'm trying to get Keycloak Java adapter (on SP side) working with Microsoft
ADFS (on IdP side).
As I understand it, ADFS expects to receive the <KeyInfo> element in the <Signature>
of the SAMLRequest in a specific format:
"Importantly, then the SAML Signature Key Name field that shows after
enabling the Want AuthnRequests Signed option has to be set to CERT_SUBJECT
as AD FS expects the signing key name hint to be the subject of the signing
certificate."
blog.keycloak.org/2017/03/how-to-setup-ms-ad-fs-30-as-brokered.html
But the Java adapter sends <KeyInfo> in another format – the <KeyValue>
format:
<dsig:KeyInfo>
<dsig:KeyValue>
<dsig:RSAKeyValue>
<dsig:Modulus>gLOdl9d0CGelhcIkOa…s4Hj4N6xEjQG/bQ==</dsig:Modulus>
<dsig:Exponent>AQAB</dsig:Exponent>
</dsig:RSAKeyValue>
</dsig:KeyValue>
</dsig:KeyInfo>
So I have two questions:
a. Is it really a problem? Has anyone used the Java adapter successfully to
authenticate against ADFS?
b. If it is, is there a way to instruct the adapter to send <KeyInfo> in
some other format?
Thanks,
Mucius.
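As an added example (not from the post and not Keycloak or ADFS code), a small Python check that classifies which key hint form a ds:KeyInfo carries, which is what the question above turns on. The KeyValue sample reproduces the element the post shows; the KeyName sample, with a certificate subject DN as its text, is an assumption about what Keycloak's CERT_SUBJECT setting produces.

```python
import xml.etree.ElementTree as ET

DSIG = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the <KeyValue> form the post shows the Java adapter
# sending (modulus shortened as in the post).
KEYVALUE_FORM = """<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:KeyValue>
    <dsig:RSAKeyValue>
      <dsig:Modulus>gLOdl9d0CGelhcIkOa...s4Hj4N6xEjQG/bQ==</dsig:Modulus>
      <dsig:Exponent>AQAB</dsig:Exponent>
    </dsig:RSAKeyValue>
  </dsig:KeyValue>
</dsig:KeyInfo>"""

# Constructed sample of the <KeyName> form. That CERT_SUBJECT emits the
# signing certificate's subject DN as the KeyName text is an assumption.
KEYNAME_FORM = """<dsig:KeyInfo xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
  <dsig:KeyName>CN=sp.example.test,O=Example</dsig:KeyName>
</dsig:KeyInfo>"""


def key_hint(keyinfo_xml):
    """Classify how a ds:KeyInfo identifies the signing key.

    Returns (form, value): form is 'KeyName', 'KeyValue', 'X509Data' or 'none';
    value is the KeyName text for the KeyName form and None otherwise.
    """
    root = ET.fromstring(keyinfo_xml)
    if root.tag != f"{{{DSIG}}}KeyInfo":
        raise ValueError("not a ds:KeyInfo element")
    for form in ("KeyName", "KeyValue", "X509Data"):
        child = root.find(f"{{{DSIG}}}{form}")
        if child is not None:
            return form, ((child.text or "").strip() if form == "KeyName" else None)
    return "none", None


def acceptable_for_subject_hint(keyinfo_xml, cert_subject):
    """True only when KeyInfo carries a KeyName equal to the signing
    certificate subject, the hint format the post says ADFS expects."""
    form, value = key_hint(keyinfo_xml)
    return form == "KeyName" and value == cert_subject


if __name__ == "__main__":
    print(key_hint(KEYVALUE_FORM))  # ('KeyValue', None)
    print(key_hint(KEYNAME_FORM))   # ('KeyName', 'CN=sp.example.test,O=Example')
```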
7 years, 8 months
Vender is empty in config map when creating a user-storage provider from the REST API.
by Nabeel Ahmed
Hi Everyone,
Keycloak - 3.0.Final
I am trying to create user-storage provider by calling POST on /components
with type UserStorageProvider.
I have set vender : ["ad"] as a config parameter and am able to save it. I am
also able to import users.
But when I go to the Keycloak UI and try to edit it, all other fields are set
but the vender field is empty and read-only.
Since it's a required field, I cannot update my settings.
Please help...
Regards,
Nabeel Ahmed
7 years, 8 months
Re: [keycloak-user] Multiple access types for a single Spring Boot application
by Sebastien Blanc
On Wed, Apr 26, 2017 at 7:23 PM, Jonathan D'Andries <
jonathandandries(a)gmail.com> wrote:
> Thank you Sebastien,
>
> This is SO close to a perfect solution. It appears that including "Accept:
> application/json" header allows the service to determine if bearer-only
> should be enabled based on well-known HTTP headers. Unfortunately, it still
> doesn't let me call the services via swagger without specifying the
> bearer-token explicitly. This is because swagger is calling the service as
> if it were a machine (by including the Accept header). In a perfect world,
> the auto-detect logic would allow me to use swagger to call the services as
> if it were a web browser even though it's including the headers that
> indicate it's a machine. My hope is that it would detect an existing
> session state that provides authentication/authorization info, and this
> would override the test for the HTTP headers.
>
> Here is how I would like "autodetect-bearer-only" to behave:
> - If you are accessing with a web browser and not specifying the detected
> headers, it works perfectly as-is. In this case, the user is redirected to
> a login page, and future access is authenticated with a session cookie.
> However,
> - If you are specifying the headers that indicate you are a machine (even
> if still in a web browser session), then the service will only
> authenticate with the "Authentication: bearer ..." header. What I want is
> for this option to respect the session state if it happens to exist.
>
> I'm worried that I may be asking for a code change in the way the
> autodetect logic works. Instead of just looking for the typical headers
> "X-Requested-With, SOAPAction or Accept," could it also check if the user
> is already logged in with existing session state?
>
We have at least one other use case where this would be needed (a JSF app
making Ajax requests) and where the session state should be honored inside
a bearer-only request. So I think I will open a ticket for this
specifically so we can start planning and discussing this enhancement.
Unfortunately, until then I don't see a real workaround for this.
>
>
> Is there a way to make this work? Or perhaps there is a reason this is a
> bad idea?
>
>
> Thanks,
>
> Jonathan
>
>
>
> On Wed, Apr 26, 2017 at 11:32 AM, Sebastien Blanc <sblanc(a)redhat.com>
> wrote:
>
>> Don't make your client "bearer-only" and instead in your config add :
>> "autodetect-bearer-only" : true
>>
>> That should solve your issue.
>>
>>
>>
>> On Wed, Apr 26, 2017 at 6:13 PM, Jonathan D'Andries <
>> jonathandandries(a)gmail.com> wrote:
>>
>>> Here is what I want to do:
>>>
>>> I have built REST services in Spring Boot. For the services themselves, I
>>> want to use "bearer-only" access type so that applications are NOT
>>> redirected to a login page if unauthenticated.
>>>
>>> However, I want the generated swagger documentation to use the
>>> "confidential" access type so that swagger-ui.html redirects the
>>> user/browser to a login page and captures the token that will then be
>>> passed to the services when testing things out.
>>>
>>> It seems like the best way to accomplish this is with two clients similar
>>> to the demo here:
>>>
>>> http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
>>>
>>> My concern is that having two client configurations in my spring boot
>>> application.yml doesn't seem possible - am I missing something? I am
>>> aware of the multi-tenant options for Keycloak, but I don't actually want
>>> two different realms:
>>>
>>> https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java/multi-tenancy.html
>>>
>>> For whatever configuration I come up with, I want the user's token to
>>> apply to both the swagger-ui and the services, but with two different
>>> access types.
>>>
>>> Here are some things I've learned so far:
>>>
>>> I'm aware that swagger-ui offers an option to authenticate its services
>>> with a token. There are two limitations of this approach:
>>> 1. With springfox generated swagger, it doesn't seem to work. I'd have to
>>> put a lot of effort to fix this, and I'd rather not because
>>> 2. You would still need to get a token from somewhere, and that means
>>> pointing users to another login page that isn't automatically prompted
>>> when you go to swagger-ui. It just seems like a more annoying user
>>> experience to have to take extra steps to generate a token and then paste
>>> that into swagger-ui.
>>>
>>> I'm also aware that my spring boot configuration can be more restrictive
>>> than the keycloak client configuration. In other words, I can restrict to
>>> bearer-only in my service even if the client is configured for
>>> confidential access type. If there is a way for different values for
>>> keycloak.bearer-only based on URL pattern in the
>>> keycloak-spring-boot-adapter, this could be a real option.
>>>
>>>
>>> Thanks for any help/advice you may have.
>>>
>>> Jonathan
>>> _______________________________________________
>>> keycloak-user mailing list
>>> keycloak-user(a)lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>>
>>
>>
>
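As an added illustration (not the Keycloak adapter's code, nor anything from the thread), a Python model of the "autodetect-bearer-only" header heuristic the thread describes, with a switch for the session-aware behaviour Jonathan asks for. The header names come from the thread; the exact matching rules (XMLHttpRequest value, any SOAPAction, an Accept without text/html or a wildcard) and the treatment of a missing Accept header are assumptions of this model.

```python
def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def looks_like_machine(headers):
    """True when the request carries the headers the thread names as
    indicating a non-browser caller (X-Requested-With, SOAPAction, Accept)."""
    if (_header(headers, "X-Requested-With") or "").lower() == "xmlhttprequest":
        return True
    if _header(headers, "SOAPAction") is not None:
        return True
    accept = _header(headers, "Accept")
    if accept is None:
        return False  # assumption: no Accept header is treated as a browser
    # Browsers advertise text/html or a wildcard; a caller that accepts only
    # application/json (swagger-ui's case in the thread) counts as a machine.
    return not any(t in accept for t in ("text/html", "text/*", "*/*"))


def decide(headers, has_session, honor_session=False):
    """Return how a request without a valid bearer token is answered:
    'bearer-only' (401, no redirect), 'redirect' (send to the login page) or
    'session' (reuse the existing login). honor_session=False is the as-is
    behaviour the thread describes; True is the requested enhancement."""
    if looks_like_machine(headers) and not (honor_session and has_session):
        return "bearer-only"
    return "session" if has_session else "redirect"


# Constructed sample requests.
BROWSER = {"Accept": "text/html,application/xhtml+xml,*/*;q=0.8"}
API_CLIENT = {"Accept": "application/json"}
SWAGGER_UI = {"Accept": "application/json"}  # browser session, machine headers

if __name__ == "__main__":
    for name, req, session in (("browser", BROWSER, False),
                               ("api client", API_CLIENT, False),
                               ("swagger-ui", SWAGGER_UI, True)):
        print(name, decide(req, session), decide(req, session, honor_session=True))
```

The swagger-ui row shows the reported problem: with a logged-in browser session but an application/json Accept header, the as-is model answers bearer-only, while the session-aware variant reuses the session.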
7 years, 8 months
Multiple access types for a single Spring Boot application
by Jonathan D'Andries
Here is what I want to do:
I have built REST services in Spring Boot. For the services themselves, I
want to use "bearer-only" access type so that applications are NOT
redirected to a login page if unauthenticated.
However, I want the generated swagger documentation to use the
"confidential" access type so that swagger-ui.html redirects the
user/browser to a login page and captures the token that will then be passed
to the services when testing things out.
It seems like the best way to accomplish this is with two clients similar
to the demo here:
http://blog.keycloak.org/2015/10/getting-started-with-keycloak-securing.html
My concern is that having two client configurations in my spring boot
application.yml doesn't seem possible - am I missing something? I am aware
of the multi-tenant options for Keycloak, but I don't actually want two
different realms:
https://keycloak.gitbooks.io/documentation/securing_apps/topics/oidc/java...
For whatever configuration I come up with, I want the user's token to apply
to both the swagger-ui and the services, but with two different access
types.
Here are some things I've learned so far:
I'm aware that swagger-ui offers an option to authenticate its services
with a token. There are two limitations of this approach:
1. With springfox generated swagger, it doesn't seem to work. I'd have to
put a lot of effort to fix this, and I'd rather not because
2. You would still need to get a token from somewhere, and that means
pointing users to another login page that isn't automatically prompted when
you go to swagger-ui. It just seems like a more annoying user experience to
have to take extra steps to generate a token and then paste that into
swagger-ui.
I'm also aware that my spring boot configuration can be more restrictive
than the keycloak client configuration. In other words, I can restrict to
bearer-only in my service even if the client is configured for confidential
access type. If there is a way for different values for
keycloak.bearer-only based on URL pattern in the
keycloak-spring-boot-adapter, this could be a real option.
Thanks for any help/advice you may have.
Jonathan
7 years, 8 months
Re: [keycloak-user] Why use keycloak-nodejs-connect instead of general OID client?
by Sebastien Blanc
(including the mailing list again)
tbh I'm not sure this is related to Keycloak; isn't it just a matter of using
the right IPs exposed by the container in your keycloak.json files?
On Tue, Apr 25, 2017 at 6:25 PM, Alex Berg <chexxor(a)gmail.com> wrote:
> Here's my problem:
>
> I'm running keycloak, mysql, and my JS app locally in docker containers.
> From inside the container, keycloak is accessible at "keycloak:8080", but
> outside the container (from the browser on localhost), it's available at
> "localhost:8080". My "keycloak.json" file has "auth-server-url" =
> "localhost:8080", so when JS app gets the OIDC authorization token in a
> callback, the Keycloak middleware in my JS app tries to get an access token
> by requesting the auth token to "localhost:8080", but this request fails
> because localhost isn't serving on that port - the "keycloak" container is.
>
> On Sat, Apr 22, 2017 at 2:08 PM, Alex Berg <chexxor(a)gmail.com> wrote:
>
>> I can't find docs which answer the basic question of what it does and how
>> it is supposed to work. After spending a week trying to discover these
>> answers for myself by reading its code, I still can't get it to work, so I
>> am curious what I would lose by using a better documented library. Thanks
>> for that answer!
>>
>> I'm doing a SPA-ish app and want to track session on a cookie, and this
>> library does exactly that, but knowing how the redirects should work and
>> what the responses should be is pretty tricky. The errors indicate deeper
>> complexity than just "install this middleware and the rest just works".
>>
>> I can make a PR for doc improvements. I know one of the errors I was
>> seeing is a response of "invalid authorization token", but I don't know why
>> that would be. I can only make a JIRA ticket if I know the problem isn't my
>> lack of knowledge.
>>
>> On Apr 22, 2017 02:32, "Sebastien Blanc" <sblanc(a)redhat.com> wrote:
>>
>>>
>>>
>>> On Fri, Apr 21, 2017 at 8:16 PM, Alex Berg <chexxor(a)gmail.com> wrote:
>>>
>>>> I am trying to install the keycloak-nodejs-connect middleware into my
>>>> app.
>>>> It isn't working well, so of course I'm thinking of trying a different
>>>> openid-connect client library.
>>>>
>>> What doesn't work well? Have you opened tickets for this?
>>>
>>>>
>>>> What does the keycloak-nodejs-connect library do that other
>>>> openid-connect client libraries don't do? It looks like one unique thing
>>>> is that it listens for a logout request to be sent from the keycloak
>>>> admin console, but I'm not sure as docs don't exist.
>>>>
>>> It also handles the admin backend channel for revocation, it handles
>>> public key rotation retrieval, role-based authorization. This is documented
>>> in the docs that exist:
>>> https://keycloak.gitbooks.io/documentation/content/securing_apps/topics/oidc/nodejs-adapter.html
>>>
>>>>
>>>
>>>
>
7 years, 8 months
Admin user in Clustered Domain Mode
by Marc Tempelmeier
Hi,
We connected a Domain Controller and 2 Slaves. How can I create an admin user?
There is a "--domain" switch, but the users created with it don't work. If I create an admin user on a slave it works, and after that I can use him on the other slave, because he is in the DB.
How is the intended workflow here?
Greetings
Marc
7 years, 8 months
SAML response parsing failed
by Erwin Steffens | Rovecom
We are integrating Keycloak with a SAML identity provider (Dutch government). We seem to receive a valid response from the other party, but Keycloak does not seem to be able to parse the SAML response.
The error we get is:
09:08:41,029 ERROR [io.undertow.request] (default task-14) UT005023: Exception handling request to /realms/datahub/login-actions/first-broker-login: org.jboss.resteasy.spi.UnhandledException: java.lang.RuntimeException: java.lang.RuntimeException: com.ctc.wstx.exc.WstxParsingException: Undeclared namespace prefix "ds"
When we run the received XML through a validation tool (https://www.samltool.com/validate_xml.php) it indicates that it is valid.
Can I somehow attach the XML here?
Erwin
7 years, 8 months
Loading user Through Rest Api
by Shaikh Asrafali Anwarali
Hi,
Hope you are doing well.
I am currently trying to load as many users as possible through the REST API and check if there is any performance degradation. Is there any example available?
Thanks in advance.
Regards,
Asraf Shaikh
7 years, 8 months