Keycloak Groups vs. Roles vs. Composite Roles vs. Auth Scope?
by Melissa Palmer
Hi,
Is it possible to explain the difference between "Keycloak Groups vs.
Roles vs. Composite Roles vs. Auth Scope" in more detail?
I know there is the description here:
https://www.keycloak.org/docs/latest/server_admin/index.html#groups-vs-roles
From that I get:
- Groups should focus on collections of users and their roles in your
organization (Use groups to manage users.) ☑
- Use composite roles to manage applications and services. ☑
- BUT it previously said "Roles define a type of user and applications assign
permission and access control to roles"
& I don't see where you should maintain "access control to roles"
In other examples I see scopes being used for access control
- album:view
- album:delete
Some more explanation on these different concepts would be greatly
appreciated.
Thank You in Advance
Melissa
5 years, 5 months
Fine grained Permission
by abhishek raghav
Hi
Is it possible to implement fine-grained permissions which can restrict
an Admin user from assigning a specific Realm Role to any group in that realm?
The way fine-grained permissions work is a little complex to understand, as
there are so many moving parts. Any clues are highly appreciated.
Thanks.
- Best
Abhishek
5 years, 5 months
Standalone-ha Keycloak and ISPN000476: Timed out waiting for responses for request
by Rafael Weingärtner
Hello Keycloakers,
I am having some problems with Keycloak 4.5.0. I basically have set up two
nodes, and they see each other. I am using MPING (the default
configuration). The nodes are called “Keycloak-1” and “Keycloak-2”. In
front of these Keycloak nodes I have an HTTPD, which is using AJP to
connect and load balance them.
When the second server starts I can see:
> 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service thread
> 1-5) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1]
> (2) [keycloak-1, keycloak-2]
> 2018-10-24 12:35:02,277 INFO [org.infinispan.CLUSTER] (MSC service thread
> 1-2) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1]
> (2) [keycloak-1, keycloak-2]
> 2018-10-24 12:35:02,278 INFO [org.infinispan.CLUSTER] (MSC service thread
> 1-3) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1]
> (2) [keycloak-1, keycloak-2]
> 2018-10-24 12:35:02,279 INFO [org.infinispan.CLUSTER] (MSC service thread
> 1-8) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1]
> (2) [keycloak-1, keycloak-2]
> 2018-10-24 12:35:02,280 INFO [org.infinispan.CLUSTER] (MSC service thread
> 1-7) ISPN000094: Received new cluster view for channel ejb: [keycloak-1|1]
> (2) [keycloak-1, keycloak-2]
>
So, they are seeing/reaching each other. The problem happens when I try to
login. I then get the following:
> MSC000001: Failed to start service
> org.wildfly.clustering.infinispan.cache.keycloak.loginFailures:
> org.jboss.msc.service.StartException in service
> org.wildfly.clustering.infinispan.cache.keycloak.loginFailures:
> org.infinispan.commons.CacheException: Unable to invoke method public void
> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete()
> throws java.lang.Exception on object of type StateTransferManagerImpl
>
And errors like:
> Suppressed: java.util.concurrent.ExecutionException:
> org.infinispan.util.concurrent.TimeoutException: ISPN000476: Timed out
> waiting for responses for request 2 from keycloak-2
>
> 2018-10-24 12:55:48,990 ERROR [org.jboss.as.controller.management-operation]
> (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([
> ("subsystem" => "infinispan"),
> ("cache-container" => "ejb"),
> ("thread-pool" => "transport")
> ]) - failure description: {
> "WFLYCTL0080: Failed services" =>
> {"org.wildfly.clustering.infinispan.cache.ejb.client-mappings" =>
> "org.infinispan.commons.CacheException: Unable to invoke method public void
> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete()
> throws java.lang.Exception on object of type StateTransferManagerImpl
> Caused by: org.infinispan.commons.CacheException: Unable to invoke
> method public void
> org.infinispan.statetransfer.StateTransferManagerImpl.waitForInitialStateTransferToComplete()
> throws java.lang.Exception on object of type StateTransferManagerImpl
> Caused by: org.infinispan.commons.CacheException: Initial state
> transfer timed out for cache client-mappings on keycloak-2"},
> "WFLYCTL0288: One or more services were unable to start due to one or
> more indirect dependencies not being available." => {
> "Services that were unable to start:" =>
> ["org.wildfly.clustering.cache.group.ejb.client-mappings"],
> "Services that may be the cause:" => [
> "jboss.clustering.web.route.default-server",
> "jboss.deployment.discovery.\"keycloak-server.war\"",
> "jboss.ejb.association",
> "jboss.ejb.remoting.connector.client-mappings",
> "jboss.iiop-openjdk.poa-service.rootpoa",
>
I am quite puzzled; there are no ports being blocked, and the system has no
load at all. Why would this timeout happen?
--
Rafael Weingärtner
5 years, 5 months
Advanced authorization
by Melissa Palmer
Hi,
I am trying to do something similar to the following:
- have a resource (say album) in app-authz-uma-photoz quickstart that
includes a status attribute against it.
- status such as: CREATED, APPROVED, DECLINED,
- a person can then be given a role that allows for permissions (via a
role) such as
- album:create
- album:approve
- album:decline
- BUT a person is not allowed to approve any albums they created themselves
Is there a keycloak-quickstarts/example I can start from?
Or a recommended way I should attempt to tackle this?
Thank You in advance,
Melissa
5 years, 5 months
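One way to express the "nobody approves their own album" rule is a Keycloak JavaScript policy attached to a scope-based permission on the album:approve scope, combined (decision strategy Unanimous) with whatever role policy grants approval rights. The block below is an added example, not code from this thread or from the photoz quickstart: the policy body is wrapped in a function so it can be run locally against a constructed stand-in for Keycloak's `$evaluation` object, and the realm role name `album-approver` is an assumption.

```javascript
// Added example: the body of a Keycloak JavaScript policy, wrapped in a function
// so it can be run outside the server. In Keycloak the policy script is simply
// `approvePolicy($evaluation);` after this function, attached to a scope-based
// permission on the album:approve scope. The realm role name is an assumption.
function approvePolicy(evaluation) {
  var identity = evaluation.getContext().getIdentity();
  var resource = evaluation.getPermission().getResource();
  // Only holders of the (assumed) approver role may approve anything.
  if (!identity.hasRealmRole('album-approver')) {
    evaluation.deny();
    return;
  }
  // Separation of duties: getOwner() is the id of the user who owns the album,
  // and the owner must never approve their own album.
  if (resource.getOwner() === identity.getId()) {
    evaluation.deny();
    return;
  }
  evaluation.grant();
}

// Constructed stand-in for Keycloak's $evaluation object (local testing only):
// it exposes just the calls the policy makes and records the decision.
function fakeEvaluation(userId, roles, ownerId) {
  var decision = 'DENY'; // Keycloak's default when grant() is never called
  var identity = {
    getId: function () { return userId; },
    hasRealmRole: function (role) { return roles.indexOf(role) !== -1; }
  };
  var resource = { getOwner: function () { return ownerId; } };
  return {
    getContext: function () { return { getIdentity: function () { return identity; } }; },
    getPermission: function () { return { getResource: function () { return resource; } }; },
    grant: function () { decision = 'GRANT'; },
    deny: function () { decision = 'DENY'; },
    result: function () { return decision; }
  };
}

// Evaluate the policy for a user against an album owned by ownerId.
function decide(userId, roles, ownerId) {
  var ev = fakeEvaluation(userId, roles, ownerId);
  approvePolicy(ev);
  return ev.result();
}
```

The status attribute (CREATED, APPROVED, DECLINED) is best enforced as a further policy in the same permission rather than folded into this one, so each rule stays independently testable.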
Delete user
by Corentin Dupont
Hi guys,
I wonder if there is a way to allow a user to delete his own account from
the "account management console"?
Currently I see that users can set up their details and password, but I
don't see any option for deleting their account.
Thanks
Corentin
5 years, 5 months
Acquire access token using offline token
by Dheeraj Joshi
I am working on an offline NodeJS application which will call some REST API
to perform some operation. This has no web UI etc.
I was checking ways to get an authentication token from Keycloak using an
offline token.
I can find a method to get an access token using a grant object, which uses a
username and password:
GrantManager.prototype.obtainDirectly = function obtainDirectly (username, password, callback, scopeParam) {
  // Code
}
But I am looking for a similar method which will take an offline token and give
me back an authentication token.
I see that the ensureFreshness method does get an access_token for a
refresh_token, but it needs a grant object as an input.
Or can I somehow call all the consts in my NodeJS file and call the nodeify method?
Kind Regards
Dheeraj Joshi
5 years, 5 months
Keycloak Docker image: unable to import a realm
by Anselme Ndeke
Hello,
It looks like the following documented docker import options are ignored:
docker run -e KEYCLOAK_USER=<USERNAME> -e KEYCLOAK_PASSWORD=<PASSWORD> \
-e KEYCLOAK_IMPORT=/tmp/example-realm.json \
-v /tmp/example-realm.json:/tmp/example-realm.json jboss/keycloak
while importing the same file using GUI works. Am I missing something?
Keycloak version is 4.5.0.Final
--
Regards,
Anselme
5 years, 5 months
Java 11 (Docker container base)
by Pavel Micka
Hello everyone,
What is the plan for Java 11 support? The point is that current versions of the Docker containers are based on OpenJDK 8, but official Java 8 support will cease at the end of December. Will Keycloak use Java 11 by that time, or will it rely on updates provided by the community?
This is important to us, as Keycloak is important part of our app security.
Thanks,
Pavel
// I have found this ticket in Jira, but it does not provide too many details: https://issues.jboss.org/browse/KEYCLOAK-7811
5 years, 5 months
[KeyCloak] - LDAP Query
by Vivek Aggarwal
Hi Team,
We've started exploring KeyCloak from an Identity & Access Management
perspective and intend to integrate it with various other tools like the
Jenkins console, Mongo console, Linux user administration, etc.
But we have a related concern: currently we're unable to figure out how we can
use KeyCloak as an LDAP for Linux machines; for instance, can we integrate it
with our Linux machines to manage SSH users?
And a related question: we've read somewhere in the community forums that
KeyCloak is not meant for LDAP; well, in that case how are we able to manage
users for the Jenkins console using KeyCloak? Currently we've successfully
integrated Keycloak with the Jenkins console. Is it not acting as an LDAP for
the Jenkins console?
Kindly help in understanding the above concerns and suggest if there are any
recommendations.
regards
Vivek
5 years, 5 months
Import/export realm : Getting Client secret not provided in request for imported realm
by Bruce Wings
I have exported a realm from one Keycloak server and imported it into another,
but I keep getting the below error if authorization is enabled, i.e. in the case
of a confidential client.
failed to turn code into token
status from server: 400
{"error":"unauthorized_client","error_description":"Client secret not
provided in request"}
I made sure my keycloak.json contains the same client secret as that under
Realm->Client->Credentials. My client app is the same, i.e. the same client app
with server-1 works fine, but something has been missed in the export step which
causes the client app with server-2 not to work.
Is any additional step required for exporting?
I have tried exporting both from the Admin console GUI as well as via this doc
(through standalone.sh):
https://www.keycloak.org/docs/4.5/server_admin/index.html#_export_import
5 years, 5 months