Admin console permissions vs. UMA Policies
by Lamina, Marco
Hi,
I am unsure if my understanding of Keycloak's permission evaluation engine is flawed, or if there's a bug in the system. I have a resource that is protected by multiple permissions. What is the expected behavior if one permission decides to DENY and another decides to PERMIT? I would expect that the overall decision would be PERMIT.
However, I can create both scenarios – overall decision PERMIT / DENY – depending on which permissions I set (see screenshots for details). I wasn’t able to find a detailed explanation in the docs, so I would be grateful for some clarity.
Thanks,
Marco
5 years, 5 months
custom cache
by Sud Ramasamy
Hi,
We've developed a custom authenticator that we've been able to plug into Keycloak to handle a custom authentication mechanism. The authenticator has some state that needs to be available across the cluster. We could store the state in the database and thereby make it available to other nodes in the cluster. But this seems a little heavyweight.
Instead we were hoping to be able to use the Infinispan capabilities in the Keycloak/Wildfly distribution to cache and distribute the state to nodes in the cluster. Is this possible without forking the Keycloak codebase? We noticed that the Keycloak infinispan model module provides the existing caching mechanism for the User, Realm and Session cache. We were wondering if there is a way to plug in our own Infinispan Cache Provider for our custom object and thereby use this cache in our custom authenticator in a similar way that the User, Realm and Session caches are used.
Or what alternatives might we have?
Thanks in advance.
-sud
5 years, 5 months
Script Mapper can not create json arrays?
by Lengenfeld, Jan
Hello,
we want to add groups and their ids in the following format to the token:
{
  // ... other values omitted for readability ...
  "userGroups": [
    {
      "id": "b6ebc9af-3355-462b-ab1e-583a24f094aa",
      "name": "my-group"
    },
    {
      "id": "92b0c111-510c-4da9-a978-d980c3893eac",
      "name": "my-other-group"
    }
  ]
}
But all we get is:
{
  // ... other values omitted for readability ...
  "userGroups": {
    "0": {
      "id": "b6ebc9af-3355-462b-ab1e-583a24f094aa",
      "name": "my-group"
    },
    "1": {
      "id": "92b0c111-510c-4da9-a978-d980c3893eac",
      "name": "my-other-group"
    }
  }
}
We are using the Script Mapper with the following code:
var groups = user.groups;
var simplifiedGroupsForToken = [];
for each (var group in groups) {
  simplifiedGroupsForToken.push({"id": group.id, "name": group.name});
}
simplifiedGroupsForToken;
Do you have any suggestions how to solve our problem? Thanks in advance.
Best regards,
Jan Lengenfeld
5 years, 5 months
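One workaround for the object-instead-of-array result, added here as an example that is not from the thread: my assumption is that the JavaScript array returned by the mapper script reaches the token serialiser as a Nashorn `ScriptObjectMirror`, which is a `Map` and therefore prints with "0", "1" keys, and that converting it to a `java.util.List` with Nashorn's `Java.to` before returning it avoids that. The helper falls back to the plain array when `Java` is undefined so it also runs under Node; the sample groups are constructed.

```javascript
// Added example, not the thread's script. Assumption: in Keycloak's Script
// Mapper (Nashorn) a returned JS array is a ScriptObjectMirror, which Jackson
// serialises as a Map ({"0": ..., "1": ...}); a java.util.List serialises as
// a JSON array. Under Node `Java` is undefined and the plain array is kept.

// Build the simplified {id, name} entries. Works for a JS array and, in
// Nashorn, for a java.util.Set, whose forEach(Consumer) accepts a JS function.
function simplifyGroups(groups) {
  var simplified = [];
  groups.forEach(function (group) {
    // In Nashorn, group.id / group.name resolve to the GroupModel getters.
    simplified.push({ id: String(group.id), name: String(group.name) });
  });
  return simplified;
}

// Convert to a java.util.List when running in Nashorn so the claim is a JSON
// array; otherwise return the JS array unchanged.
function toClaimValue(jsArray) {
  if (typeof Java !== 'undefined' && typeof Java.to === 'function') {
    return Java.to(jsArray, 'java.util.List');
  }
  return jsArray;
}

// Constructed sample standing in for `user.groups`; the ids are made up.
var sampleGroups = [
  { id: '00000000-0000-4000-8000-000000000001', name: 'my-group' },
  { id: '00000000-0000-4000-8000-000000000002', name: 'my-other-group' }
];

// In the mapper, the script's last expression becomes the claim value, i.e.:
//   toClaimValue(simplifyGroups(user.groups));
var exampleClaim = toClaimValue(simplifyGroups(sampleGroups));
```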
Event-listener-sysout example not working, v4.6.0.Final
by abhilashreddy abhi
Hello,
I am using the 4.6.0.Final Keycloak version and trying out the event-sysout example (https://github.com/keycloak/keycloak/tree/master/examples/providers/event...), but I am unable to make it work and get the following errors.
1) I have created a Spring Boot application with the following classes:
--Application.class (contains the main method)
--SysoutEventListenerProvider
--SysoutEventListenerProviderFactory
I have placed the org.keycloak.events.EventListenerProviderFactory file in src/main/resources/META-INF/services, which points to my SysoutEventListenerProviderFactory.
I did a maven clean install, took the jar from the target folder and tried placing it in the standalone/deployments folder, in the Keycloak_Home/providers folder, and also created it as a module as per the instructions in the documentation, but all of the above methods throw the following error.
Caused by: java.util.ServiceConfigurationError: org.keycloak.events.EventListenerProviderFactory: Provider com.example.demo.springboot.SysoutEventListenerProviderFactory not found
    at java.util.ServiceLoader.fail(Unknown Source)
    at java.util.ServiceLoader.access$300(Unknown Source)
    at java.util.ServiceLoader$LazyIterator.nextService(Unknown Source)
    at java.util.ServiceLoader$LazyIterator.next(Unknown Source)
    at java.util.ServiceLoader$1.next(Unknown Source)
    at org.keycloak.provider.DefaultProviderLoader.load(DefaultProviderLoader.java:60)
    at org.keycloak.provider.ProviderManager.load(ProviderManager.java:92)
    at org.keycloak.services.DefaultKeycloakSessionFactory.loadFactories(DefaultKeycloakSessionFactory.java:214)
    at org.keycloak.services.DefaultKeycloakSessionFactory.init(DefaultKeycloakSessionFactory.java:80)
    at org.keycloak.services.resources.KeycloakApplication.createSessionFactory(KeycloakApplication.java:331)
    at org.keycloak.services.resources.KeycloakApplication.<init>(KeycloakApplication.java:118)
2) This time I removed Application.class, exported the jar using Export -> JAR in Eclipse and tried placing it in the deployments folder, in providers, or as a module; the application starts but logs the following.
ERROR [org.keycloak.events.EventBuilder] (default task-1) Event listener 'sysout' registered, but provider not found
Can you please help me with what I am missing?
Thanks
Abhilash
5 years, 5 months
Client Registration performance
by Eivind Larsen
Hello Keycloak Users!
We are planning on using the Client Registration flow for setting up
clients on login.
This is mainly to more clearly identify each individual device a user
has logged in with.
Is anyone using this feature in production with a large number of clients?
With our current stats, we would probably end up with a few million
clients by the end of the year.
1. Will this scale well with the way Keycloak works?
2. If a user loses their device, how should a full revoke & logout be performed?
3. Is there an alternative approach to give each user more control
over their device and session?
Thanks,
Eivind Larsen
5 years, 5 months
Clients purely for namespacing, makes sense?
by Geoffrey Cleaves
Hi, looking for a little advice. I have a typical SPA front end and REST API.
Each customer can have multiple users with different roles like admin or
user. It's conceivable for a single user to belong to two different
customer accounts.
Because a single user could be an admin to account A and only a user in
account B, I thought of using Keycloak clients for namespacing the roles. I
would create a disabled client for each account purely to namespace the
roles.
Make sense?
I believe I would continue to use a single public client for the SPA and
single bearer only client for the API resource server.
I've read that keycloak has issues with large numbers of clients, but I
only expect to reach a few hundred.
5 years, 5 months
Theoretical max number of clients Keycloak can handle
by Andrea Pasqualini
Hi Daniel
Unfortunately, as you can see here https://issues.jboss.org/browse/KEYCLOAK-8275, Keycloak does not properly handle large numbers of clients.
Vote the issue if you are interested.
Regards
Andrea
>Hi All,
>
>What's the theoretical max number of clients Keycloak can handle
>efficiently?
>
>I'm doing some tests where I created around 10000 clients (saml &
>openid, all under the same realm) and now every operation that has to do
>with clients (list them, create new one, get one by ID, etc) became
>extremely slow and sometimes they even timeout. The other API endpoints
>seem to perform just fine.
>
>I'm using 4.6.0.Final and MySQL DB as a data store.
>
>Are there some options I can tweak to improve the performance with a few
>thousand clients (ideally around 50K)? Will Postgres perform better?
>
>Thanks a lot,
>
>Daniel.
5 years, 5 months
can't use refresh token with keycloak-gatekeeper
by Andrey Kozichev
Hello!
Has anyone come across the use of refresh tokens with keycloak-gatekeeper?
I've got a Web app running behind keycloak-gatekeeper. Currently session
expires after 5 minutes of inactivity. In the logs I see "session expired
and access token refreshing is disabled".
To avoid this, I am trying to enable "refresh tokens" on my gatekeeper proxy by adding "--enable-refresh-tokens=true"; the full list of configuration options:
- --client-id=my_clientid
- --discovery-url=<keycloak_url>
- --enable-default-deny=false
- --enable-json-logging=true
- --enable-logging=true
- --enable-request-id=true
- --enable-encrypted-token=true
- --encryption-key=<secret>
- --enable-refresh-tokens=true
- --enable-security-filter=true
- --listen=0.0.0.0:8080
- --preserve-host=true
- --redirection-url=http://my-public-url
- --resources=uri=/*|roles=user-role
- --upstream-url=myservice.svc.cluster.local:8080
However, after adding "--enable-refresh-tokens=true" I get a 502 when trying to log in.
In the Gatekeeper logs I see the lines below. Has anyone come across this? I must be missing something obvious.
{"level":"info","ts":1542757702.835068,"msg":"issuing access token for user","email":"myemail(a)gmail.com","expires":"2018-11-20T23:53:22Z","duration":"4m59.164934314s"}
{"level":"info","ts":1542757702.8363702,"msg":"client request","latency":0.05726285,"status":307,"bytes":37,"client_ip":"10.44.1.32:60746","method":"GET","path":"/oauth/callback"}
{"level":"error","ts":1542757702.8891447,"msg":"no session found in request, redirecting for authorization","error":"authentication session not found"}
{"level":"info","ts":1542757702.8892436,"msg":"client request","latency":0.000152955,"status":307,"bytes":75,"client_ip":"10.44.1.32:60752","method":"GET","path":"/favicon.ico"}
{"level":"info","ts":1542757703.03116,"msg":"client request","latency":0.001002773,"status":307,"bytes":319,"client_ip":"10.44.1.32:60754","method":"GET","path":"/oauth/authorize"}
{"level":"info","ts":1542757703.108161,"msg":"issuing access token for user","email":"myemail(a)gmail.com","expires":"2018-11-20T23:53:23Z","duration":"4m59.891841634s"}
{"level":"info","ts":1542757703.109042,"msg":"client request","latency":0.021427778,"status":307,"bytes":48,"client_ip":"10.44.1.32:60758","method":"GET","path":"/oauth/callback"}
Regards,
Andrey
5 years, 5 months