docker quickstart example compilation is failing (keycloak 6.0.1) in photoz example
by Olivier Rivat
Hi,
Keycloak 6.0.1 docker quickstart compilation is failing with error
java.lang.RuntimeException: Could not obtain configuration from server
[http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration]
The instructions are taken from
https://hub.docker.com/r/abstractj/keycloak-quickstarts?ref=login
The endpoint
http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration
does not exist.
The (real) endpoint is
http://localhost:8180/auth/realms/photoz/.well-known/uma2-configuration
This has to be fixed in the docker quickstart example
Regards,
Olivier Rivat
--------------------------------------------------------------------------------------------------------------------
[DEBUG] No <id> element was found in the POM - Getting credentials from CLI entry
[DEBUG] No <id> element was found in the POM - Getting credentials from CLI entry
[DEBUG] Executing deployment
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.474 s
[INFO] Finished at: 2019-04-25T15:49:30+00:00
[INFO] Final Memory: 30M/366M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.2.0.Final:deploy (default-cli) on project photoz-uma-restful-api: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"photoz-uma-restful-api.war\".undertow-deployment" => "java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration].
[ERROR] Caused by: java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration].
[ERROR] Caused by: java.lang.RuntimeException: Error executing http method [org.apache.http.client.methods.RequestBuilder@2c0b0edc]. Response : null
[ERROR] Caused by: java.net.ConnectException: Connection refused (Connection refused)"}}}}
[ERROR] -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.wildfly.plugins:wildfly-maven-plugin:1.2.0.Final:deploy (default-cli) on project photoz-uma-restful-api: Failed to execute goal deploy: {"WFLYCTL0062: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"photoz-uma-restful-api.war\".undertow-deployment" => "java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration].
Caused by: java.lang.RuntimeException: Could not obtain configuration from server [http://localhost:8180/auth/realms/photoz/.well-known/uma-configuration].
Caused by: java.lang.RuntimeException: Error executing http method [org.apache.http.client.methods.RequestBuilder@2c0b0edc]. Response : null
Caused by: java.net.ConnectException: Connection refused (Connection refused)"}}}}
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:116)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:80)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:51)
------------------------------------------------------------------------------------------------------------------
5 years, 8 months
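For the photoz report above, here is an added example (not from the quickstart or the original post) that builds the realm's UMA 2.0 discovery URL as Keycloak 6 serves it and validates a discovery document before a resource server trusts it; the document and its endpoint values are constructed samples, and the validation checks (issuer match, same-origin endpoints, uma-ticket grant) are my own.

```python
from urllib.parse import urlsplit

# Constructed sample in the shape Keycloak serves at
# <server>/auth/realms/<realm>/.well-known/uma2-configuration (not a live response).
SAMPLE_UMA2_DOC = {
    "issuer": "http://localhost:8180/auth/realms/photoz",
    "authorization_endpoint": "http://localhost:8180/auth/realms/photoz/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8180/auth/realms/photoz/protocol/openid-connect/token",
    "jwks_uri": "http://localhost:8180/auth/realms/photoz/protocol/openid-connect/certs",
    "resource_registration_endpoint": "http://localhost:8180/auth/realms/photoz/authz/protection/resource_set",
    "permission_endpoint": "http://localhost:8180/auth/realms/photoz/authz/protection/permission",
    "grant_types_supported": ["authorization_code", "urn:ietf:params:oauth:grant-type:uma-ticket"],
}

REQUIRED_ENDPOINTS = ("token_endpoint", "jwks_uri",
                      "resource_registration_endpoint", "permission_endpoint")
UMA_TICKET_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"


def uma2_discovery_url(auth_server_url: str, realm: str) -> str:
    """Build the UMA 2.0 discovery URL; the older 'uma-configuration' path is not served."""
    return f"{auth_server_url.rstrip('/')}/realms/{realm}/.well-known/uma2-configuration"


def validate_uma2_document(doc: dict, auth_server_url: str, realm: str) -> list:
    """Return a list of problems; an empty list means the document may be trusted for this realm."""
    problems = []
    expected_issuer = f"{auth_server_url.rstrip('/')}/realms/{realm}"
    # The issuer must be exactly the realm we configured, otherwise a swapped or
    # spoofed discovery document could redirect token and key lookups elsewhere.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    origin = urlsplit(expected_issuer)[:2]  # (scheme, netloc) of the trusted server
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif urlsplit(url)[:2] != origin:
            problems.append(f"{key} points off-origin: {url}")
    # Without the uma-ticket grant the adapter cannot obtain RPTs from this realm.
    if UMA_TICKET_GRANT not in doc.get("grant_types_supported", []):
        problems.append("uma-ticket grant not advertised")
    return problems
```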
Keycloak generic authorization with patterns as role name
by Manfred Zingl
Hi.
I'm right now playing around with keycloak in order to evaluate if it is
suitable as an IAM and SSO solution at our company.
I learned that there are two main approaches to authorization:
programmatic vs. externalized authorization
http://lists.jboss.org/pipermail/keycloak-user/2018-October/015996.html
Externalized authorization is not possible in our case because our API is
not designed so fine grained that we could grant/restrict access on
resource level. Even if we change the API, the result for a get request
should be filtered by the roles defined in the access token transferred with
the request. So I think we have to follow the programmatic approach.
Also our Application and its resources are very generic, so I'm searching
for a solution where I can define permissions/roles very generic like by a
pattern.
for example:
"fixProductGroup:*::edit"
or
"fixProductGroup:/1|2|3/::view"
or even concatenated conditions
"fixProductGroup:/5|8|13/::pricingColumn::edit"
This is not very beautiful; maybe it would be better to define such roles
as JSON, to make parsing and checking easier on the resource server side.
JSON content is currently (Keycloak 5.0.0) not possible as role names
(internal server error), and I'm not sure if this is a very good idea at all.
What do you think? Am I totally wrong here, and in which direction should I
investigate?
Thank you very much,
Mane
5 years, 8 months
Any schema updates from 5.0.0 -> 6.0.1?
by Craig Setera
Given the discussion of the CVE that was fixed in 6.0.1, I'm thinking we
should probably jump to 6.0.1 from our current 5.0.0. Can anyone tell me
if there were database-related changes between those releases? From a more
general viewpoint where are those types of migrations documented? (I
checked the server install and server admin guides, but didn't see anything)
Thanks,
Craig
=================================
Craig Setera
Chief Technology Officer
5 years, 8 months
Docker compose change port
by Gonzalo Ferreyra Jofré
Hi guys,
I've been using keycloak for a while now but lately I've been trying to
change the HTTP PORT to XXXX through my docker-compose without success. The
server is always started on port 8080.
My docker-compose file looks something like this. Am I doing something
wrong?
version: '3'
services:
  keycloak:
    image: jboss/keycloak:6.0.1
    environment:
      KEYCLOAK_USER: admin
      KEYCLOAK_PASSWORD: admin
      KEYCLOAK_HTTP_PORT: 8888
      KEYCLOAK_LOGLEVEL: DEBUG
    ports:
      - "8777:8888"
Thank you,
Gonzalo
5 years, 8 months
Seek for information on Keycloak adoption
by Paul Luk
Hi all,
I am doing research on the adoption of Keycloak.
Background - my company is a healthcare company (managed many hospitals
and offer 24x7x365 business) that run hundreds of in-house developed
systems, as well as acquire some 3rd party products.
Currently, for the in-house developed systems, they have their own
authentication/authorization mechanism, mostly:
1. user credentials & attributes stored in DB
2. active directory for authentication and DB for user attributes
There is dedicated support for the maintenance and support of each system
and, when downtime is required, support will liaise with users to arrange
for downtime. There won't be a period when all systems can be down for
maintenance.
To reduce the repeated effort spent on authentication and authorization for
each system, I am checking whether we can adopt Keycloak to help,
especially on:
1. OpenID Connect 1.0 + JWT (to achieve single sign on in the future)
2. OAuth 2.0 (password grant) + JWT (seems be a good path for legacy app
migration)
3. SAML2/Kerberos [mainly for backward compatibility / integration with
other party]
My concerns on Keycloak adoption are:
1. Is Keycloak flexible enough to extend to cater for different
authentication requirements? We will definitely be requested to support custom
or standard authentication (e.g. specialized login form, FIDO2, RSA
hardware token, trusted device check, etc.).
Though there is a developer guide, I found there is not much
information about:
1. Keycloak internal architecture or login/system flow, which is useful
for developers to know more about how to extend Keycloak
2. how to create a custom login form (the Keycloak theme is not suitable
for internal use; I want to write my own login form)
2. For high availability, in my company the Keycloak service needs to be
deployed to at least 2 or more datacenters. Can you share your experience of
Keycloak high availability (in terms of maintenance and setup, stability,
performance, ...)?
3. After adoption of Keycloak, all systems will make use of it/depend
on it. I am worried about system updates/patching, as we cannot have a
period to shut down all Keycloak instances for upgrade/patching (which will
impact ALL systems, vs. currently, where individual systems being down for maintenance
has a smaller impact on hospital operations).
Can you share your experience of system upgrades/patching? Do you have
experience updating Keycloak without downtime?
4. For version upgrade consideration, where can I find the known security
issues/vulnerabilities of each Keycloak version?
5. In Keycloak, what is the recommended way to restrict who (users from Active
Directory) can log in to which application? A separate realm for each
application?
Thank you.
5 years, 8 months
Non SSL backend servers through SSL loadbalancer
by Salih Gedik
Hello community,
We are running a Spring Boot app; the app itself is not running HTTPS, but our load balancers, where requests are made, are SSL and pass traffic unencrypted to the backend. However, in this scenario I am unable to get the token verified after a successful login. In the log
I see that it says: Adapter requires SSL. Request http://keycloakserver
The Keycloak server is supposed to be on an https URL; however it requests http, as the app itself is http. How would you set up such a configuration? What am I missing?
Thank you
Salih
5 years, 8 months