May 2017 - keycloak-user - Jboss List Archives

by Liat Rudner

Hi, We need a way to map users to existing KeyCloak groups. * In LDAP user federation - define a hardcoded group and an LDAP filter to apply the group to all the users under this filter * In SAML identity provider - pass a list of hardcoded group paths as an attribute inside the SAML assertion Is there an easy way to do it? Thanks, Liat

8 years, 11 months

1
0
0 / 0

3.1.0.Final not found in Maven repository

by Stephane Granger

Hello, this morning I changed the Keycloak version from 3.0.0.Final to 3.1.0.Final in my pom file but maven could not resolve the dependencies. Could not find artifact org.keycloak:keycloak-adapter-core:jar:3.1.0.Final in central (https://repo.maven.apache.org/maven2) Stephane

8 years, 11 months

2
1
0 / 0

Migration to keycloak 3

by Aritz Maeztu

I've read that keycloak 3.1 is already available. We're still using 2.2.1 in production and can see the migration steps for 2.5.1 in the docs: https://keycloak.gitbooks.io/documentation/server_admin/topics/MigrationF... However, where are the 3.0 migration steps? Isn't there any requirement or do we need to do a fresh product install? Thanks! -- Aritz Maeztu Otaño Departamento Desarrollo de Software <https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942> <http://www.tesicnor.com> Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra) Telf. Aritz Maeztu: 948 68 03 06 Telf. Secretaría: 948 21 40 40 Antes de imprimir este e-mail piense bien si es necesario hacerlo: El medioambiente es cosa de todos.

8 years, 11 months

1
0
0 / 0

Package custom REST endpoint in EAR/WAR

by Ulrik Lejon

According to the documentation it should be possible to drop an ear/war file in the keycloak standalone/deployment folder. I created my own rest endpoint in this repo <https://github.com/ulejon/keycloak-custom-rest-provider-ear> to try this out. However, when I deploy it I get the below errors. What am I doing wrong? Has Anyone successfully packaged custom keycloak code in an ear or war? 20:23:09,192 INFO [org.jboss.as.server.deployment] (MSC service thread 1-4) WFLYSRV0027: Starting deployment of "custom-ear.ear" (runtime-name: "custom-ear.ear") 20:23:10,344 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry provider-1.0-SNAPSHOT.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-core-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-common-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,345 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/bcprov-jdk15on-1.52.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/bcpkix-jdk15on-1.52.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,346 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-core-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-databind-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-services-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,347 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/javax.mail-api-1.5.5.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-servlet-api_3.0_spec-1.0.2.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/twitter4j-core-4.0.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,348 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-jaxrs-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-annotations-api_1.2_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,349 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/activation-1.1.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,350 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-io-2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,351 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jcip-annotations-1.0.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-transaction-api_1.2_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,352 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-multipart-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-client-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,353 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/resteasy-jaxb-provider-3.0.14.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-impl-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-core-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,354 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jaxb-api-2.2.7.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/istack-commons-runtime-2.16.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/FastInfoset-1.2.12.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,355 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jsr173_api-1.0.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/mail-1.5.0-b01.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/apache-mime4j-0.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jackson-annotations-2.5.4.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,356 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/javase-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/core-3.2.1.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jcommander-1.48.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/keycloak-server-spi-private-2.5.4.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-logging-3.3.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/jboss-jaxrs-api_2.0_spec-1.0.0.Final.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,357 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpclient-4.3.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/httpcore-4.3.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-logging-1.1.3.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,358 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry lib/commons-codec-1.6.jar in /content/custom-ear.ear does not point to a valid jar for a Class-Path reference. 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference. 20:23:10,368 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-core.jar in /content/custom-ear.ear/lib/jaxb-impl-2.2.7.jar does not point to a valid jar for a Class-Path reference. 20:23:10,437 WARN [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0059: Class Path entry jaxb-api.jar in /content/custom-ear.ear/lib/jaxb-core-2.2.7.jar does not point to a valid jar for a Class-Path reference. 20:23:10,439 INFO [org.jboss.as.server.deployment] (MSC service thread 1-2) WFLYSRV0207: Starting subdeployment (runtime-name: "provider-1.0-SNAPSHOT.jar") 20:23:10,619 INFO [org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor] (MSC service thread 1-6) Deploying Keycloak provider: {0} 20:23:10,625 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-6) MSC000001: Failed to start service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear" at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:154) at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) at java.lang.Thread.run(Thread.java:745) Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype at java.util.ServiceLoader.fail(ServiceLoader.java:239) at java.util.ServiceLoader.access$300(ServiceLoader.java:185) at java.util.ServiceLoader$LazyIterator.nextService(ServiceLoader.java:376) at java.util.ServiceLoader$LazyIterator.next(ServiceLoader.java:404) at java.util.ServiceLoader$1.next(ServiceLoader.java:480) at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:47) at org.keycloak.provider.ProviderManager.load(ProviderManager.java:93) at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:206) at org.keycloak.services.DefaultKeycloakSessionFactory.deploy(DefaultKeycloakSessionFactory.java:112) at org.keycloak.provider.ProviderManagerRegistry.deploy(ProviderManagerRegistry.java:42) at org.keycloak.subsystem.server.extension.KeycloakProviderDeploymentProcessor.deploy(KeycloakProviderDeploymentProcessor.java:54) at org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:147) ... 5 more 20:23:10,635 ERROR [org.jboss.as.controller.management-operation] (DeploymentScanner-threads - 1) WFLYCTL0013: Operation ("deploy") failed - address: ([("deployment" => "custom-ear.ear")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE" => "org.jboss.msc.service.StartException in service jboss.deployment.subunit.\"custom-ear.ear\".\"provider-1.0-SNAPSHOT.jar\".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment \"provider-1.0-SNAPSHOT.jar\" of deployment \"custom-ear.ear\" Caused by: java.util.ServiceConfigurationError: org.keycloak.email.EmailSenderProviderFactory: Provider org.keycloak.email.DefaultEmailSenderProviderFactory not a subtype"}} 20:23:10,698 ERROR [stderr] (DeploymentScanner-threads - 1) java.io.IOException: Mount point not found 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileStore.findMountEntry(LinuxFileStore.java:91) 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.UnixFileStore.<init>(UnixFileStore.java:65) 20:23:10,699 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileStore.<init>(LinuxFileStore.java:44) 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:51) 20:23:10,700 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.LinuxFileSystemProvider.getFileStore(LinuxFileSystemProvider.java:39) 20:23:10,701 ERROR [stderr] (DeploymentScanner-threads - 1) at sun.nio.fs.UnixFileSystemProvider.getFileStore(UnixFileSystemProvider.java:368) 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at java.nio.file.Files.getFileStore(Files.java:1461) 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.FilePersistenceUtils.getPosixAttributes(FilePersistenceUtils.java:129) 20:23:10,702 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.FilePersistenceUtils.createTempFileWithAttributes(FilePersistenceUtils.java:117) 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.FilePersistenceUtils.writeToTempFile(FilePersistenceUtils.java:104) 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.ConfigurationFilePersistenceResource.doCommit(ConfigurationFilePersistenceResource.java:55) 20:23:10,703 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.persistence.AbstractFilePersistenceResource.commit(AbstractFilePersistenceResource.java:58) 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$4.commit(ModelControllerImpl.java:781) 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.AbstractOperationContext.executeDoneStage(AbstractOperationContext.java:743) 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.AbstractOperationContext.processStages(AbstractOperationContext.java:680) 20:23:10,704 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.AbstractOperationContext.executeOperation(AbstractOperationContext.java:370) 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.OperationContextImpl.executeOperation(OperationContextImpl.java:1344) 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl.internalExecute(ModelControllerImpl.java:392) 20:23:10,705 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl.execute(ModelControllerImpl.java:217) 20:23:10,706 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:748) 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$3$1$1.run(ModelControllerImpl.java:742) 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at java.security.AccessController.doPrivileged(Native Method) 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.as.controller.ModelControllerImpl$3$1.run(ModelControllerImpl.java:742) 20:23:10,707 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.FutureTask.run(FutureTask.java:266) 20:23:10,708 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(ScheduledThreadPoolExecutor.java:180) 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:293) 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) 20:23:10,709 ERROR [stderr] (DeploymentScanner-threads - 1) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1) at java.lang.Thread.run(Thread.java:745) 20:23:10,710 ERROR [stderr] (DeploymentScanner-threads - 1) at org.jboss.threads.JBossThread.run(JBossThread.java:320) 20:23:10,713 INFO [org.jboss.as.server] (DeploymentScanner-threads - 1) WFLYSRV0010: Deployed "custom-ear.ear" (runtime-name : "custom-ear.ear") 20:23:10,714 INFO [org.jboss.as.controller] (DeploymentScanner-threads - 1) WFLYCTL0183: Service status report WFLYCTL0186: Services which failed to start: service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.subunit."custom-ear.ear"."provider-1.0-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of subdeployment "provider-1.0-SNAPSHOT.jar" of deployment "custom-ear.ear"

8 years, 11 months

3
6
0 / 0

LDAP Group Mapper Two Way Mapping

by Travis De Silva

Hi, I am having a strange issue and was wondering if anyone else experienced this same issue. We use MSAD as a federation provider and when I used the Group Mapper, I get all the relevant groups from MDAD into Keyclaok and that works fine. Then when I go into Keycloak groups and look at the members, I can see all the members associated with that group which was imported from MSAD. So that is also fine. But when I click on a user and then click on the groups' tab, I don't see anything populated under the group membership. Generally, if we do this directly, you see the members of a group and the group membership under a user. (two way mapping) Any ideas what I might be doing wrong? Cheers Travis

8 years, 11 months

1
0
0 / 0

Granting client access to just certain users

by Rashiq

Dear all, we're struggling a bit with understanding how Keycloak's Client Authorization works and setting up a Client Authorization. What we would like to achieve for now is to be able to let only certain users with Keycloak accounts to access certain clients. Let's say we have a client called `files.example.org`, a simple, read-only file hosting. And that we have 2 users in our Keycloak, `eligible(a)example.org` and `not.eligible(a)example.org`. We would like to configure Keycloak to *deny* the latter user (`not.eligible(a)example.org`) access to *any and all* resources on `files.example.org`. This preferably would happen based on client roles, if possible. The `files.example.org` resource server uses a Lua-based OAuth2 proxy to authenticate requests against Keycloak. So, the question is: is it possible to tell Keycloak *not* to let `not.eligible(a)example.org` log-in to `files.example.org` *at all*? As in, "this user does not have access to this client"? Or, better yet, "users with/without certain client roles do not have access to these clients"? Or will we have to make the Lua-based proxy in front of it check claims in tokens received from Keycloak? We appreciate your help! -- Pozdravi, rashiq

8 years, 11 months

1
0
0 / 0

Architecture for Multiple DB

by rohit chaudhary

Hi, I implemented Custom User Storage Spi, connected users db(postgresql) and also changed keycloakDS to mysql. So, I have a doubt that now my users will be stored in mysql or postgresql? And if I want to add one more user db, how the users will be merged and in which db they will be? And how about sync of all db? Thanks in advance Regards, Rohit

8 years, 11 months

2
1
0 / 0

Kerberos/SPNEGO Problem with Keycloak 3.0.0

by Hendrik Dev

Hi, I try to get Kerberos/SPNEGO up and running with Keycloak 3.0.0. Purpose is to provide single sign on for users logging in via IE from a windows domain. Keycloak itself is running on centOS, Kerberos server is Active Directory. The setup is working so far because i can login via 'curl --negotiate'. There are also several other java applications running in this environment which are capable of doing SPNEGO over Kerberos authentication successfully. If the user access a Keycloak protected application the SPNEGO login does not work and the Keycloak login page is displayed instead. In the logs i see "Defective token detected (Mechanism level: GSSHeader did not find the right tag)" and thats totally right because the browser sends 'Negotiate: TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==' which is a SPENEGO-NTLM token (and not a SPNEGO-Kerberos token). For me it looks like the browser never gets either a 'WWW-Authenticate: Negotiate' header or a 401 status from Keycloak. In other words: The browser seems to never gets challenged to do SPNEGO over Kerberos. I already tried to fix it (https://github.com/salyh/keycloak/commit/c860e31a3fe3005b4487363ad2ae25ce...) but this oddly just ends up in a Basic Auth popup from the browser. For the client app the standard flow as well as direct access grants is enabled. Keycloak is deployed as HA with 3 nodes and runs behind a HW loadbalancer and Kerberos is setup within the LDAP Federation () Any ideas? Thanks Hendrik -- Hendrik Saly (salyh, hendrikdev22) @hendrikdev22 PGP: 0x22D7F6EC

8 years, 11 months

2
4
0 / 0

keycloak spring-security adapter cookie token-store

by Jimena Garbarino

Hi, I am using spring-security adapter, client configured with token-store=cookie, and after a keycloak successful login and redirect to app, I don't se the KEYCLOAK_ADAPTER_STATE cookie set. Does token-store=cookie work with spring-security adapter? Thanks,

8 years, 11 months

1
0
0 / 0

Offline Tokens Become Useless When SSO Session Max is Reached - 2.0

by Heide, Marc

Hi, We try to use Keycloak with offline tokens for end users, but in contradiction to https://lists.jboss.org/pipermail/keycloak-user/2017-January/009096.html where the Admin API is requested, we try to access the UserInfo enpoint. As soon as the user session died, which has created the offline token, the UserInfo endpoint returns a 401 with: { "error": "invalid_request", "error_description": "User session not found" } By looking at https://issues.jboss.org/browse/KEYCLOAK-4201 and https://issues.jboss.org/browse/KEYCLOAK-4371 and without really knowing the internals, but could it be the same problem here in the UserInfoEndpoint class line 142 ? It obviously does not consider offline sessions at all. Is that a wanted behavior? According to the OIDC spec the UserInfo endpoint should be usable with a valid offline access token even if the user session has been ended. (http://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess) Best Regards Marc

8 years, 11 months

1
1
0 / 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

keycloak-user May 2017