How to stop the keycloak server from standalone sh
by Aritz Maeztu
Hello,
I'm running a Keycloak instance from a docker image, so when I start the
container everything is up and running. Now I want to export the realms
and users to deploy them in production and I've got two options:
1- Copy the values from the mysql database (I'm using the keycloak-mysql
image).
2- Run the standalone.sh export command.
I would like to go the second way, but I'm in trouble since the
WildFly server is launched together with the docker container. I can
browse into it for the standalone.sh script, but still haven't found a
way to stop it (as the server is launched I get an "Address already in
use" error when I try to perform the export while the server is running).
Any ideas? Thanks in advance
--
Aritz Maeztu Otaño
Departamento Desarrollo de Software
<https://www.linkedin.com/in/aritz-maeztu-ota%C3%B1o-65891942>
<http://www.tesicnor.com>
Pol. Ind. Mocholi. C/Rio Elorz, Nave 13E 31110 Noain (Navarra)
Telf. Aritz Maeztu: 948 68 03 06
Telf. Secretaría: 948 21 40 40
Before printing this e-mail, think carefully about whether it is really necessary: the
environment is everyone's responsibility.
6 years, 10 months
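The export the post asks about can be run against the already-running container without stopping it, as in the following added example (editor's code, not the poster's or the Keycloak project's). It assumes a WildFly-based Keycloak image with standalone.sh under /opt/jboss/keycloak/bin, that both server instances read the same external MySQL database (an embedded H2 file database would be locked by the first server), that docker is on the caller's PATH and pkill exists inside the image; the "Export finished successfully" log line it waits for is likewise an assumption about that version's log output.

```python
"""Export realms from a Keycloak container whose server is already running.

Added example; not code from the original post or from the Keycloak project.
Assumptions: WildFly-based Keycloak image with standalone.sh at
/opt/jboss/keycloak/bin, both instances sharing the same external MySQL
database, `docker` on PATH and `pkill` available inside the image.
"""
import subprocess
import sys
from typing import Iterable, List, Optional

KEYCLOAK_BIN = "/opt/jboss/keycloak/bin/standalone.sh"  # assumed image layout
# Assumed log line Keycloak prints once the export has been written; adjust it
# if your version logs something else.
DONE_MARKER = "Export finished successfully"


def export_args(export_dir: str, realm: Optional[str] = None,
                port_offset: int = 100) -> List[str]:
    """standalone.sh arguments that export realms (and their users) to a directory.

    The first server already owns 8080, 9990, 8443, ... inside the container,
    so the export instance is started with a socket binding port offset;
    without it WildFly dies with "Address already in use" before the export
    code ever runs.
    """
    args = [
        "-Dkeycloak.migration.action=export",
        "-Dkeycloak.migration.provider=dir",
        f"-Dkeycloak.migration.dir={export_dir}",
        "-Dkeycloak.migration.usersExportStrategy=REALM_FILE",
        f"-Djboss.socket.binding.port-offset={port_offset}",
    ]
    if realm:
        args.append(f"-Dkeycloak.migration.realmName={realm}")
    return args


def docker_exec_cmd(container: str, args: List[str]) -> List[str]:
    """Run standalone.sh with the given arguments inside the running container."""
    return ["docker", "exec", container, KEYCLOAK_BIN, *args]


def wait_for_marker(lines: Iterable[str], marker: str) -> bool:
    """Consume log output until the marker appears; False if the stream ends first."""
    for line in lines:
        if marker in line:
            return True
    return False


def run_export(container: str, export_dir: str, realm: Optional[str] = None,
               done_marker: str = DONE_MARKER) -> bool:
    """Start the export instance, wait for the export to finish, then stop it.

    The export instance keeps serving after it has written the files, so it
    is stopped explicitly. Terminating only the `docker exec` client would
    leave the JVM running in the container, hence the pkill inside it.
    """
    cmd = docker_exec_cmd(container, export_args(export_dir, realm))
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT, text=True)
    try:
        finished = wait_for_marker(proc.stdout, done_marker)
    finally:
        subprocess.run(["docker", "exec", container, "pkill", "-f",
                        "keycloak.migration.action=export"], check=False)
        proc.wait(timeout=60)
    return finished


if __name__ == "__main__":
    # usage: python kc_export.py <container> <directory inside container> [realm]
    ok = run_export(sys.argv[1], sys.argv[2],
                    sys.argv[3] if len(sys.argv) > 3 else None)
    print("export written" if ok else "export did not complete; check the server log")
    sys.exit(0 if ok else 1)
```

Afterwards copy the directory out with `docker cp <container>:<directory> .`; on the production server the same files are loaded with `-Dkeycloak.migration.action=import -Dkeycloak.migration.provider=dir -Dkeycloak.migration.dir=<directory>`. The exported realm files contain client secrets and password hashes, so treat them like any other credential material.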
User session logout in Keycloak Console seems not to work if using User Federation Provider
by Juan Pablo Perata
Hello,
This issue seems application specific, but I could not get to the root
of it yet.
I would like to know if someone faced this in Keycloak Admin Console or
some tips you could give me to see what is going on.
*Environment*
Web application running on Wildfly 10.1.0.Final and secured with Keycloak.
Keycloak 3.4.3.Final server running in <IP>:<PORT1>
Wildfly 10.1.0.Final server running in <IP>:<PORT2>
*Description*
Found that session logout from the Keycloak admin console has no effect for
federated users in my web application.
Steps:
- develop your own user federation provider to connect to internal database
(implements interfaces _UserStorageProvider, CredentialInputValidator,
UserLookupProvider, OnUserCache_)
- properly configure the user federation provider in the Keycloak realm
- configure and deploy a JSF based web OIDC client application in Wildfly
secured by Keycloak
- Go to: _<IP>:<PORT2>/<web-application_uri>_ and authenticate using
federation provider
Authentication succeeded
- Go to Keycloak Console -> Realm -> Sessions -> (select web application
client) -> Show sessions. Then select <user-authenticated> from displayed
table -> "Sessions" tab
- Click "Logout all sessions" or "Logout" the specific session. A success
message is displayed and session disappears from table.
- Go to _<IP>:<PORT2>/<web-application_uri>_ and check that session is
still alive and user is authenticated.
- Checked in a filter in the web application that the
"org.keycloak.KeycloakSecurityContext" security context is present with
information from the logged-in user.
*To note:*
- (correct behaviour) If logout is performed from web application, single
sign on session is logged out properly (HttpRequest.logout()).
- (correct behaviour) Tested behaviour with [product-portal sample |
https://github.com/keycloak/keycloak/tree/master/examples/demo-template/p...]
application and *it works ok as expected*.
Tested with users loaded in "demo" json and also using my own user
federation provider and works well.
Thanks in advance,
Juan
6 years, 10 months
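When a session looks alive in the application but gone in the admin console, the first thing to establish is which side is right. The following added check (editor's code, not the poster's or Keycloak's) asks Keycloak's token introspection endpoint about the application's current access token and combines the answer with what the application shows. It assumes the access token can be obtained (for instance logged by the filter mentioned above), that the client is confidential with a known secret, and that the base URL includes the context path (http://host:8080/auth on 3.x); the sample token is constructed and unsigned.

```python
"""Check from outside the application whether an admin-console logout really
ended the Keycloak SSO session that the application is still honouring.

Added example, not code from the original post or from Keycloak. Assumed:
the application's access token is at hand, the client "app" is confidential
with a known secret, and the base URL includes the context path.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple


def unsigned_jwt(payload: dict) -> str:
    """Constructed, UNSIGNED token used only for the offline demo below."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (inspection only)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def introspect_request(base_url: str, realm: str, client_id: str,
                       client_secret: str, token: str) -> Tuple[str, bytes]:
    """RFC 7662 introspection; Keycloak answers {"active": false} once the
    user session behind the token no longer exists."""
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token/introspect"
    body = urllib.parse.urlencode({"client_id": client_id,
                                   "client_secret": client_secret,
                                   "token": token}).encode()
    return url, body


def post_form(url: str, body: bytes) -> dict:
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def diagnose(introspection: dict, app_still_logged_in: bool) -> str:
    """Combine Keycloak's view of the session with the application's view."""
    if introspection.get("active"):
        return "keycloak-session-alive"   # the admin logout did not take effect server-side
    if app_still_logged_in:
        return "stale-local-session"      # Keycloak dropped the session; the app's HTTP session outlived it
    return "logged-out"


def check(base_url: str, realm: str, client_id: str, client_secret: str,
          access_token: str, app_still_logged_in: bool,
          post: Callable[[str, bytes], dict] = post_form) -> Dict[str, str]:
    """Report who the token belongs to, which SSO session it came from, and the verdict."""
    claims = jwt_payload(access_token)
    url, body = introspect_request(base_url, realm, client_id, client_secret, access_token)
    return {
        "user": str(claims.get("preferred_username", "")),
        "session_state": str(claims.get("session_state", "")),  # the id shown in the admin console
        "verdict": diagnose(post(url, body), app_still_logged_in),
    }


if __name__ == "__main__":
    # Offline demo on a constructed token and a canned introspection answer.
    sample = unsigned_jwt({"preferred_username": "juan", "session_state": "c1d2e3"})
    print(check("http://localhost:8080/auth", "demo", "app", "secret", sample, True,
                post=lambda url, body: {"active": False}))
```

A "stale-local-session" verdict means Keycloak did remove the session and only the application's own HTTP session survived. The Java adapters learn about admin-initiated logouts through the client's Admin URL (backchannel notification); if that is not configured or not reachable from the Keycloak server, the application only notices when the adapter next fails to refresh the token.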
Authorization Services and UMA 2.0 changes
by Pedro Igor Silva
Hi All,
We are about to finish the initial round of changes to make Keycloak
Authorization Services compliant with UMA 2.0.
One of the main changes is related to a new OAuth2 Grant Type introduced
by UMA 2.0 [1] and how it will be used as a replacement for both the
Entitlement and Authorization APIs. In UMA 2.0, there is no Authorization
API anymore, thus it will be removed in future versions of Keycloak.
Regarding the Entitlement API, it will also be removed in favor of the new
grant type, but in this case we are using some extensions to the UMA grant type
to provide the same functionality. One of the objectives of this change in
particular is to have a single endpoint from which permissions can be
obtained.
Another important change is also related to UMA, where end-users should now be
able to manage their own resources and permissions via the Account
Management Console. Users would be able to access a "Resource" page from
where they can:
* See the resources they own
* Check for pending permission requests (waiting for the owner's approval),
as well as options to grant/deny the request
* Check all "shared resources" / granted permissions, as well as options
to revoke permissions
* Select a user they want to grant access to a resource and/or scope
Other changes are related to the Policy Enforcer, Authorization Client
Java API and configuration. For these areas in particular changes are
minimal, especially regarding policy enforcer configuration.
These changes are targeted at Keycloak v4 and we'll be updating docs
accordingly, especially on how to migrate to the new version.
Regards.
Pedro Igor
[1] https://docs.kantarainitiative.org/uma/wg/oauth-uma-grant-2.0-09.html
6 years, 10 months
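What the "single endpoint from which permissions can be obtained" looks like in practice is shown by the following added example, written by the editor against the Keycloak 4 Authorization Services documentation rather than taken from the announcement or the project. It builds the UMA grant request to the token endpoint, including the Keycloak extension (audience plus optional "resource#scope" permissions) that stands in for the old Entitlement API, and reads the granted permissions out of the returned RPT. The resource server name "my-api", the resource names and the RPT contents are assumptions; the sample RPT is constructed and unsigned.

```python
"""Obtaining permissions through the UMA 2.0 grant type and reading the RPT.

Added example written against the Keycloak 4 authorization docs; not code
from the announcement or from the project. Assumed: a resource server client
"my-api" with resources/scopes already defined, a user access token in hand,
and a base URL including the context path.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Dict, Iterable, List, Optional, Tuple

UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"
FormFields = List[Tuple[str, str]]


def uma_token_request(base_url: str, realm: str, access_token: str,
                      audience: Optional[str] = None,
                      permissions: Iterable[str] = (),
                      ticket: Optional[str] = None,
                      response_mode: Optional[str] = None
                      ) -> Tuple[str, Dict[str, str], FormFields]:
    """Build the one token-endpoint call the new grant uses.

    Plain UMA presents a permission ticket issued by the resource server.
    Keycloak's extension (the Entitlement API's job) lets the client instead
    name the resource server (audience) and, optionally, the "resource#scope"
    permissions it wants. response_mode="decision" asks for a bare yes/no
    instead of an RPT, "permissions" for just the granted list.
    """
    if not ticket and not audience:
        raise ValueError("either a permission ticket or an audience is required")
    fields: FormFields = [("grant_type", UMA_TICKET_GRANT)]
    if ticket:
        fields.append(("ticket", ticket))
    else:
        fields.append(("audience", audience))
    fields.extend(("permission", p) for p in permissions)
    if response_mode:
        fields.append(("response_mode", response_mode))
    url = f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"
    return url, {"Authorization": f"Bearer {access_token}"}, fields


def post_form(url: str, headers: Dict[str, str], fields: FormFields) -> Tuple[int, dict]:
    """Send the request; a denial comes back as HTTP 403 with error=access_denied."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(),
                                 headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (inspection only)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def rpt_permissions(rpt: str) -> Dict[str, List[str]]:
    """Map resource name -> granted scopes from the RPT's "authorization" claim.

    A resource server must verify the RPT's signature (or introspect it)
    before acting on these; this helper only reads the claim.
    """
    granted = jwt_payload(rpt).get("authorization", {}).get("permissions", [])
    return {p["rsname"]: list(p.get("scopes", [])) for p in granted}


def is_permitted(rpt: str, resource: str, scope: Optional[str] = None) -> bool:
    """True if the RPT grants the resource (and the scope, when one is given)."""
    perms = rpt_permissions(rpt)
    if resource not in perms:
        return False
    return scope is None or scope in perms[resource]


def unsigned_jwt(payload: dict) -> str:
    """Constructed, UNSIGNED token used only for the offline demo below."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    url, headers, fields = uma_token_request(
        "http://localhost:8080/auth", "demo", "<user access token>",
        audience="my-api", permissions=["Album 1#album:view"])
    print(url, fields)
    sample = unsigned_jwt({"authorization": {"permissions": [
        {"rsid": "1", "rsname": "Album 1", "scopes": ["album:view"]}]}})
    print(is_permitted(sample, "Album 1", "album:view"),
          is_permitted(sample, "Album 1", "album:delete"))
```

A permission entry without a "scopes" list means the whole resource was granted, which is why a scope-less is_permitted call succeeds on it while any specific scope is refused.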
Keycloak REST API
by Stephane Epardaud
Hi,
I'm trying to use the REST API of keycloak to seed an initial config for
tests that depend on keycloak, but I only found this doc:
http://www.keycloak.org/docs-api/3.3/rest-api/index.html
Are there better docs somewhere else?
If not: they barely explain what the entities are, and don't tell me
which parts are settable, required, or server-generated. They also
contain some links to types that are not documented (like Map), and
don't explain how to get a token to play along (found that somewhere
completely different). A set of examples with each endpoint and entity
type would be _greatly_ appreciated too. Otherwise there's a lot of
guesswork involved :(
Otherwise, pretty impressed with the rest of KeyCloak, so don't take
that issue harshly :)
Cheers.
6 years, 10 months
WebLogic and KeycloakOIDCFilter
by Thomas Isaksen
Does anyone have a working example of this setup on WebLogic? I am still having problems with the infinite loop after authentication. I don't know if my Client config might be wrong.
./t
6 years, 10 months
Offline tokens with external IDP
by Haim Vana
Hi,
We are using Keycloak for several weeks now, one of the flows is user script authentication with an offline token:
1. The user logs in to the UI
2. Generates an offline token by entering his password again
3. Puts the offline token in his script
4. Executes the script
Now we want to add external IDP support, first is it possible to generate offline tokens for an external IDP in Keycloak? If so, how?
Second, in step 2 above the user enters his password to generate the offline token, with an external IDP we can't use his password, one alternative is to always generate the offline token at login (add offline_access), however does it make sense to create an offline token for every login?
Thanks,
Haim.
6 years, 10 months
User impersonation - JWT
by Harry Trinta
Dears,
I need a help with user impersonation on keycloak.
I am authenticating users through the
"/realms/test/protocol/openid-connect/token". As expected, it returns a
token JWT.
In my app, all requests go through apiman, which validates the JWT.
Now I need to impersonate a user. I'm calling the service
"/admin/realms/test/users/USER_ID/impersonation", sending the token in the
header (Authorization = Bearer eyJhbGciOiJSUzI1NiJ9 ...).
The service /impersonation creates the user session on keycloak, however it
doesn't return a JWT, but 3 cookies. *I'd like to get the JWT of the impersonated
user instead of the cookies.* Is that possible?
Best regards
Harry Costa
6 years, 10 months
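Both of the last two posts come down to requests against the realm's token endpoint, so one added example (editor's code, serving the "Offline tokens with external IDP" and "User impersonation - JWT" posts; not code from the posters or from Keycloak) covers them: requesting an offline token by adding the offline_access scope, recognising one by its typ claim, using it like a refresh token, and obtaining a JWT for another user through token exchange with requested_subject instead of the cookie-returning admin impersonation endpoint. It assumes a confidential client "my-client" with a secret and a base URL including the context path; for the exchange part it also assumes the token-exchange preview feature is enabled and the client has been granted permission to impersonate users, which is documented for later Keycloak versions and may not be available on the 3.x releases the posts ran. The sample tokens are constructed and unsigned.

```python
"""Token-endpoint requests for offline tokens and for impersonation by
token exchange.

Added example serving two posts above; not code from those posts or from
Keycloak. Assumed: confidential client "my-client" with a secret, base URL
including the context path, and (exchange only) the token-exchange preview
feature enabled and the client permitted to impersonate.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Dict, Tuple

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
REFRESH_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:refresh_token"
Form = Dict[str, str]


def token_url(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def offline_token_request(base_url: str, realm: str, client_id: str, client_secret: str,
                          username: str, password: str) -> Tuple[str, Form]:
    """Direct-grant login that asks for an offline token.

    Only the scope differs from a normal login. The same scope=offline_access
    on an authorization-code request (a browser login, brokered through an
    external IdP or not) has the same effect, so the password is not needed
    to obtain one. Request it only when the user really needs a script token:
    every offline token is persisted server-side until revoked.
    """
    return token_url(base_url, realm), {
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password, "scope": "offline_access",
    }


def refresh_request(base_url: str, realm: str, client_id: str, client_secret: str,
                    refresh_token: str) -> Tuple[str, Form]:
    """A script uses the offline token exactly like a refresh token."""
    return token_url(base_url, realm), {
        "grant_type": "refresh_token", "client_id": client_id,
        "client_secret": client_secret, "refresh_token": refresh_token,
    }


def jwt_payload(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying it (inspection only)."""
    part = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))


def is_offline_token(token: str) -> bool:
    """Keycloak marks offline tokens with typ "Offline"; ordinary ones carry "Refresh"."""
    return jwt_payload(token).get("typ") == "Offline"


def impersonation_exchange_request(base_url: str, realm: str, client_id: str, client_secret: str,
                                   subject_token: str, target_user: str,
                                   want_refresh_token: bool = False) -> Tuple[str, Form]:
    """Token exchange with requested_subject: tokens issued for target_user.

    Unlike /admin/realms/{realm}/users/{id}/impersonation, which logs the
    caller's browser in as that user and answers with cookies, the exchange
    returns a JWT the caller can send to a gateway like any other token.
    """
    fields = {
        "grant_type": TOKEN_EXCHANGE_GRANT, "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,     # the caller's own access token
        "requested_subject": target_user,   # username or user id to impersonate
    }
    if want_refresh_token:
        fields["requested_token_type"] = REFRESH_TOKEN_TYPE
    return token_url(base_url, realm), fields


def post_form(url: str, fields: Form) -> dict:
    req = urllib.request.Request(url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def unsigned_jwt(payload: dict) -> str:
    """Constructed, UNSIGNED token used only for the offline demo below."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    url, form = offline_token_request("http://localhost:8080/auth", "demo",
                                      "my-client", "<secret>", "alice", "<password>")
    print(url, form["scope"])
    print(is_offline_token(unsigned_jwt({"typ": "Offline"})))
    print(impersonation_exchange_request("http://localhost:8080/auth", "demo",
                                         "my-client", "<secret>", "<caller token>", "bob")[1])
```

The response to the offline request carries the offline token in the refresh_token field; check it with is_offline_token before handing it to a script, since a realm or client without offline_access granted silently returns an ordinary refresh token instead.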
Re: [keycloak-user] [keycloak-dev] Trojan in Keycloak Javascript Adapter?
by Ariel Carrera
Thanks Ramunas, I will check My Windows defender’s definition version to
compare with you. I have Windows 10 (64 bit) updated on December 2017.
On Wed, 3 Jan 2018 at 17:45, Rumanas <ramunask(a)gmail.com> wrote:
> * just downloaded keycloak-js-adapter-dist-3.4.2.Final.zip file
> * extracted and scanned "keycloak-js-adapter-dist-3.4.2.Final" folder with
> Windows Defender on Windows 10 - no issues found
> * checked for Windows updates. New update "Definition Update for Windows
> Defender Antivirus - KB2267602 (Definition 1.259.1141.0)" was found and
> installed.
> * scanned again. No issues found.
>
> Ramūnas
>
--
Ariel Carrera
6 years, 10 months
getRoleMappings - please I need a help
by JOSE INACIO DA SILVA JUNIOR
Hi,
I'm changing the PropertyFileUserStorageProvider example. And I need to override the method Set<RoleModel> getRoleMappingsInternal() of the class
AbstractUserAdapterFederatedStorage in order to retrieve external roles based on a legacy system.
How can I do that?
I've tried:
@Override
protected Set<RoleModel> getRoleMappingsInternal() {
    // roles resolved from the legacy system; one hard-coded role for now
    Set<RoleModel> roles = new HashSet<>();
    RoleModel role = new MyRoleAdapter(realm, "role1", "role1", "role1 description", false);
    roles.add(role);
    return roles;
}
The code of MyRoleAdapter:
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleContainerModel;
import org.keycloak.models.RoleModel;

public class MyRoleAdapter implements RoleModel {
    private String id;
    private String name;
    private String description;
    private RealmModel container;
    private boolean isClientRole;

    // the constructor must carry the class name (it was RoleProdesanAdapter, which does not compile)
    public MyRoleAdapter(RealmModel container, String id, String name, String description, boolean isClientRole) {
        this.id = id;
        this.name = name;
        this.description = description;
        this.container = container;
        this.isClientRole = isClientRole;
    }

    @Override public String getId() { return id; }
    @Override public String getName() { return name; }
    @Override public String getDescription() { return description; }
    @Override public RoleContainerModel getContainer() { return container; }
    @Override public String getContainerId() { return container.getId(); }
    @Override public boolean isClientRole() { return isClientRole; }
    // the remaining RoleModel methods (setters, composite handling, hasRole) still have to be implemented
}
Please help me. I've tried a lot but without success!
Thanks in advance!
Inácio
6 years, 10 months
adding realm level configuration parameter
by Ori Doolman
Hi,
I want to perform some customization to Keycloak using existing SPIs.
For that, I need to store a configuration parameter (may be different value per realm).
What is the way to achieve that? Is there an SPI to extend the realm properties?
The only solution I can think of now is setting a custom attribute on the users group of the realm.
Thanks,
Ori Doolman
Lead Software Architect
Amdocs Optima
+972 9 778 6914 (office)
+972 50 9111442 (mobile)
6 years, 10 months
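The two REST-related questions on this page (seeding an initial configuration for tests, and storing a per-realm configuration value) can be handled with the admin REST API alone, as in the following added example (editor's code, not taken from either post or from Keycloak). It logs in through the admin-cli client every install ships with, creates a realm and a user with a non-temporary password, and stores a realm-level attribute, which is the per-realm key/value store that custom SPI code can read back with RealmModel.getAttribute(name). It assumes a base URL including the context path (http://localhost:8080/auth on 3.x), master-realm admin credentials, and the realm, user and attribute names shown; the HTTP layer is pluggable so the flow can be exercised offline.

```python
"""Seed a Keycloak instance over the admin REST API: admin token, realm,
user with password, and a realm-level attribute.

Added example serving the "Keycloak REST API" and "adding realm level
configuration parameter" posts; not code from those posts or from Keycloak.
Assumed: base URL including the context path, master-realm admin
credentials, and the stock admin-cli public client.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, Dict[str, str], bytes]
Http = Callable[[str, str, Dict[str, str], Optional[bytes]], Response]


def urllib_http(method: str, url: str, headers: Dict[str, str], body: Optional[bytes]) -> Response:
    """Default transport; 4xx/5xx are returned, not raised, so callers see the body."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


class KeycloakAdmin:
    def __init__(self, base_url: str, http: Http = urllib_http):
        self.base = base_url.rstrip("/")
        self.http = http
        self.token: Optional[str] = None

    def login(self, username: str, password: str, realm: str = "master") -> str:
        """Password grant against admin-cli; the token is short-lived (one minute by default)."""
        body = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": username, "password": password}).encode()
        status, _, data = self.http("POST", f"{self.base}/realms/{realm}/protocol/openid-connect/token",
                                    {"Content-Type": "application/x-www-form-urlencoded"}, body)
        if status != 200:
            raise RuntimeError(f"admin login failed: HTTP {status} {data[:200]!r}")
        self.token = json.loads(data)["access_token"]
        return self.token

    def _call(self, method: str, path: str, payload=None, expect=(200,)) -> Response:
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        body = json.dumps(payload).encode() if payload is not None else None
        status, hdrs, data = self.http(method, f"{self.base}/admin{path}", headers, body)
        if status not in expect:
            raise RuntimeError(f"{method} {path}: HTTP {status} {data[:200]!r}")
        return status, hdrs, data

    def create_realm(self, realm: str, **extra) -> None:
        """409 Conflict (realm exists) is accepted so re-running the seed is harmless."""
        self._call("POST", "/realms", {"realm": realm, "enabled": True, **extra}, expect=(201, 409))

    def create_user(self, realm: str, username: str, password: str, **extra) -> str:
        """Create the user, read the server-generated id from Location, set a permanent password."""
        _, hdrs, _ = self._call("POST", f"/realms/{realm}/users",
                                {"username": username, "enabled": True, **extra}, expect=(201,))
        location = next(v for k, v in hdrs.items() if k.lower() == "location")
        user_id = location.rstrip("/").rsplit("/", 1)[1]
        self._call("PUT", f"/realms/{realm}/users/{user_id}/reset-password",
                   {"type": "password", "value": password, "temporary": False}, expect=(204,))
        return user_id

    def set_realm_attribute(self, realm: str, name: str, value: str) -> Dict[str, str]:
        """Merge one key into the realm's attributes map and write it back.

        The realm representation is fetched first so other attributes survive
        the PUT; the resulting map is what RealmModel.getAttribute(name) sees.
        """
        _, _, data = self._call("GET", f"/realms/{realm}", expect=(200,))
        attrs = dict(json.loads(data).get("attributes") or {})
        attrs[name] = value
        self._call("PUT", f"/realms/{realm}", {"attributes": attrs}, expect=(204,))
        return attrs


if __name__ == "__main__":
    kc = KeycloakAdmin("http://localhost:8080/auth")
    kc.login("admin", "admin")          # assumed bootstrap credentials
    kc.create_realm("test")
    print("user id:", kc.create_user("test", "alice", "changeme"))
    print(kc.set_realm_attribute("test", "myapp.feature", "on"))
```

Two things the API documentation does not spell out and this flow relies on: ids are server-generated and only reported through the Location header of the create call, and a password set without "temporary": false forces a reset on the user's first login.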