gatekeeper: cannot download big files
by A. Ilchinger
Hello,
in our setup we secure a service via keycloak and access its web
frontend through a gatekeeper proxy. Access is done from two locations:
1) Inside the same network.
2) From an offsite location
While the first works fine, the latter has problems. Authenticating and
the access itself work fine, but retrieving large files from the web
application (we encountered this with a 16MB javascript file) fails.
The file is downloaded incomplete.
We checked the network. Connection speed is fine, there are no other
proxies or firewalls in between. So from all our investigation it looks
like gatekeeper is the point of failure (logs look unsuspicious though).
Do you have any hints or ideas what else we could try? Are there maybe
some config options to try out?
5 years, 4 months
SPI For CAS Ticket Proxy
by ext.jose.luis.anton@altia.es
Good morning,
I am working with keycloak 5.0.0 and I'd need to make Keycloak act as Proxy
ticket service and proxy ticket validation as part of the implementation of
CAS 2.0.
Is there any SPI that I can consume or do I need to implement it?
Thanks in advance.
Best regards
5 years, 4 months
Using urn:ietf:wg:oauth:2.0:oob
by Frans van Niekerk
I am investigating the possibility to obtain the authorisation code from
another channel to hopefully remove the need to have the user log into
keycloak from a redirect the client initiated.
It does seem like section 2.4.5 Redirect URLs (specifically the use of
urn:ietf:wg:oauth:2.0:oob) allows for this.
Where in Keycloak can the authorisation token be obtained in this case?
Can it be requested via API from another trusted application?
Is it possible for a user to setup consent beforehand, then when the client
asks for authorisation it is returned immediately instead of waiting for
user interaction?
5 years, 4 months
Disabling HTTPS Requirement
by Carrington Ellis
Reference: https://issues.jboss.org/browse/KEYCLOAK-9889
The reverse proxy in use has HTTPS enabled, “X-Forward-Proto” along with all its variants are set. Additionally I have enabled “PROXY_ADDRESS_FORWARDING” by setting this to true and “KEYCLOAK_ALWAYS_HTTPS” to false, yet attempting to access the Administration Console, I’m met with “We’re sorry: HTTPS required”. Despite having an HTTPS Proxy, the necessary headers set, Address Forwarding enabled, and Always HTTPS disabled, I’m still unable to access my Administration Console.
I’ve linked a reference to the bug which is eerily similar to the same thing I’m experiencing currently, except that report was filed back on Version 5.0, and we are currently on 6.0, with 8.0 right on the horizon. Is there something missing here to disable this HTTPS check that appears to not function properly? If reverse proxying IS unsupported (which it shouldn’t be by any means), then this should be explicitly written in the documentation to prevent anyone from further attempting to apply TLS in this manner.
5 years, 4 months
mvn build of keycloak/6.0.1, with tests DISabled -- fails at tests ... missing flag? or bug?
by PGNet Dev
building keycloak release6,
git checkout 6.0.1
git log | head
commit 217e2ee4721c069bb977e40fd9a03dc08e2d42a9
Author: keycloak-bot <keycloak.bot(a)gmail.com>
Date: Wed Apr 24 06:22:09 2019 +0000
Set version to 6.0.1
commit 65326ce16af0901824ebd5635b1f6e9acbea1e66
Author: Hynek Mlnarik <hmlnarik(a)redhat.com>
Date: Mon Mar 11 09:48:10 2019 +0100
with
java -version
openjdk version "1.8.0_222"
OpenJDK Runtime Environment (IcedTea 3.13.0) (build 1.8.0_222-b10 suse-lp151.333.1-x86_64)
OpenJDK 64-Bit Server VM (build 25.222-b10, mixed mode)
mvn -version
Maven home: /usr/share/java/maven
Java version: 1.8.0_222, vendor: IcedTea, runtime: /usr/lib64/jvm/java-1.8.0-openjdk-1.8.0/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.2.9-25.g71d4424-default", arch: "amd64", family: "unix"
git --version
git version 2.23.0
build exec with tests intended to be DISabled,
mvn \
--errors \
--activate-profiles distribution \
-Dmaven.test.skip=true \
clean \
install
FAILs -- at tests:
"Failure to find org.keycloak.testsuite:integration-arquillian-tests-base",
in more detail,
...
[INFO] Tests .............................................. SUCCESS [ 0.208 s]
[INFO] Base TestSuite ..................................... SUCCESS [ 24.875 s]
[INFO] Other Tests Modules ................................ SUCCESS [ 0.036 s]
[INFO] Adapter Tests ...................................... SUCCESS [ 0.035 s]
[INFO] Adapter Tests - JBoss .............................. SUCCESS [ 0.034 s]
[INFO] Adapter Tests - Karaf .............................. SUCCESS [ 0.034 s]
[INFO] Adapter Tests - WAS ................................ SUCCESS [ 0.034 s]
[INFO] Adapter Tests - WLS ................................ SUCCESS [ 0.034 s]
[INFO] SSSD tests ......................................... FAILURE [ 0.305 s]
[INFO] integration-arquillian-tests-springboot ............ SKIPPED
[INFO] Keycloak AS7 / JBoss EAP 6 Adapter Distros ......... SKIPPED
[INFO] Distribution Parent ................................ SKIPPED
[INFO] Keycloak Distribution Licenses Common .............. SKIPPED
[INFO] Keycloak Distribution Maven Plugins Parent ......... SKIPPED
[INFO] Keycloak Licenses Processor Maven Plugin ........... SKIPPED
[INFO] Keycloak AS7 / JBoss EAP 6 Modules ................. SKIPPED
[INFO] Keycloak JBoss EAP 6 Adapter Distro ................ SKIPPED
[INFO] Keycloak AS7 Adapter Distro ........................ SKIPPED
[INFO] Keycloak OSGI Features ............................. SKIPPED
[INFO] Keycloak OSGI JAAS Realm Configuration ............. SKIPPED
[INFO] Keycloak Fuse Adapter Distro ....................... SKIPPED
[INFO] Keycloak JS Adapter Distribution ................... SKIPPED
[INFO] Keycloak OSGI Integration .......................... SKIPPED
[INFO] Feature Pack Builds ................................ SKIPPED
[INFO] Keycloak Feature Pack: Adapter ..................... SKIPPED
[INFO] Adapters Distribution Parent ....................... SKIPPED
[INFO] Keycloak Adapter Overlay Distribution .............. SKIPPED
[INFO] Keycloak Tomcat 6 Adapter Distro ................... SKIPPED
[INFO] Keycloak Tomcat 7 Adapter Distro ................... SKIPPED
[INFO] Keycloak Tomcat 8 Adapter Distro ................... SKIPPED
[INFO] Keycloak Jetty 9.2.x Adapter Distro ................ SKIPPED
[INFO] Keycloak Jetty 9.3.x Adapter Distro ................ SKIPPED
[INFO] Keycloak Jetty 9.4.x Adapter Distro ................ SKIPPED
[INFO] Keycloak Wildfly 8 Modules ......................... SKIPPED
[INFO] Keycloak Wildfly 8 Adapter Distro .................. SKIPPED
[INFO] Keycloak Wildfly 8 Adapter ......................... SKIPPED
[INFO] Keycloak JS Adapter NPM Distribution ............... SKIPPED
[INFO] Keycloak SAML Wildfly Modules ...................... SKIPPED
[INFO] Keycloak SAML Wildfly Adapter Distro ............... SKIPPED
[INFO] Keycloak Wildfly SAML Adapter ...................... SKIPPED
[INFO] Keycloak SAML AS7 / JBoss EAP 6 Adapter Distros .... SKIPPED
[INFO] Keycloak SAML AS7 / JBoss EAP 6 Modules ............ SKIPPED
[INFO] Keycloak SAML JBoss EAP 6 Adapter Distro ........... SKIPPED
[INFO] Keycloak SAML AS7 Adapter Distro ................... SKIPPED
[INFO] Keycloak SAML Jetty 9.2.x Adapter Distro ........... SKIPPED
[INFO] Keycloak SAML Jetty 9.3.x Adapter Distro ........... SKIPPED
[INFO] Keycloak SAML Jetty 9.4.x Adapter Distro ........... SKIPPED
[INFO] Keycloak SAML Tomcat 6 Adapter Distro .............. SKIPPED
[INFO] Keycloak SAML Tomcat 7 Adapter Distro .............. SKIPPED
[INFO] Keycloak SAML Tomcat 8 Adapter Distro .............. SKIPPED
[INFO] SAML Adapters Distribution Parent .................. SKIPPED
[INFO] Keycloak Feature Pack: Server ...................... SKIPPED
[INFO] Keycloak Server Distribution ....................... SKIPPED
[INFO] Keycloak Server Overlay Distribution ............... SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 03:19 min
[INFO] Finished at: 2019-08-21T14:09:52-07:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project integration-arquillian-tests-sssd: Could not resolve dependencies for project org.keycloak.testsuite:integration-arquillian-tests-sssd:jar:6.0.1: Failure to find org.keycloak.testsuite:integration-arquillian-tests-base:jar:tests:6.0.1 in https://repository.jboss.org/nexus/content/groups/public/ was cached in the local repository, resolution will not be reattempted until the update interval of jboss has elapsed or updates are forced -> [Help 1]
[ERROR]
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionExce...
[ERROR]
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR] mvn <goals> -rf :integration-arquillian-tests-sssd
At this stage, my goal is just a successful full dist, release build -- without tests.
What 'mvn' flags fully DISable _all_ tests -- &/or specifically, the "arquillian" test suite?
5 years, 4 months
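Why this build stops at a test module, as an added example (not part of the original post and not Keycloak project code): `-Dmaven.test.skip=true` also skips compiling and packaging test classes, so a reactor module that depends on another module's `tests`-classifier jar cannot resolve it, whereas `-DskipTests` still builds the test jars and only skips running them. The POM snippets below are constructed for illustration; only the artifact coordinates are taken from the error above.

```python
import xml.etree.ElementTree as ET

# Constructed sample POMs. Only the coordinates come from the build error above;
# the parent artifactId is a placeholder.
BASE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.keycloak.testsuite</groupId>
  <artifactId>integration-arquillian-tests-base</artifactId>
  <version>6.0.1</version>
</project>"""

SSSD_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent>
    <groupId>org.keycloak.testsuite</groupId>
    <artifactId>constructed-parent</artifactId>
    <version>6.0.1</version>
  </parent>
  <artifactId>integration-arquillian-tests-sssd</artifactId>
  <dependencies>
    <dependency>
      <groupId>org.keycloak.testsuite</groupId>
      <artifactId>integration-arquillian-tests-base</artifactId>
      <version>${project.version}</version>
      <classifier>tests</classifier>
    </dependency>
    <dependency>
      <groupId>junit</groupId>
      <artifactId>junit</artifactId>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>"""


def _child(elem, name):
    """Direct child element called `name`, ignoring the POM XML namespace."""
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return child
    return None


def _text(elem, name):
    child = _child(elem, name)
    return (child.text or "").strip() if child is not None else ""


def coordinates(pom_xml):
    """(groupId, artifactId) of a module; groupId falls back to <parent>."""
    root = ET.fromstring(pom_xml)
    group = _text(root, "groupId")
    parent = _child(root, "parent")
    if not group and parent is not None:
        group = _text(parent, "groupId")
    return group, _text(root, "artifactId")


def find_test_jar_deps(pom_xml):
    """Dependencies that point at a test jar (classifier 'tests' or type 'test-jar')."""
    deps = _child(ET.fromstring(pom_xml), "dependencies")
    found = []
    for dep in (deps if deps is not None else []):
        if _text(dep, "classifier") == "tests" or _text(dep, "type") == "test-jar":
            found.append((_text(dep, "groupId"), _text(dep, "artifactId")))
    return found


def skips_test_compilation(mvn_args):
    """True when maven.test.skip is set; a bare -Dname means name=true."""
    for arg in mvn_args:
        if arg.lower() in ("-dmaven.test.skip", "-dmaven.test.skip=true"):
            return True
    return False


def unresolvable_modules(reactor_poms, mvn_args):
    """Map module artifactId -> test-jar dependencies this build will not produce.

    Only dependencies on modules of the same reactor are reported. A test jar
    already present in the local or a remote repository would still resolve.
    """
    if not skips_test_compilation(mvn_args):
        return {}
    in_reactor = {coordinates(pom) for pom in reactor_poms}
    result = {}
    for pom in reactor_poms:
        missing = [dep for dep in find_test_jar_deps(pom) if dep in in_reactor]
        if missing:
            result[coordinates(pom)[1]] = missing
    return result


if __name__ == "__main__":
    reactor = [BASE_POM, SSSD_POM]
    for args in (["-Dmaven.test.skip=true", "clean", "install"],
                 ["-DskipTests", "clean", "install"]):
        print(" ".join(args), "->", unresolvable_modules(reactor, args))
```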
Pure OAuth2.0 provider
by bob sheknowdas
Can keycloak handle a pure OAuth2.0 identity provider?
I know that an OIDC-IDP can be used as an external identity provider.
But what about providers that don't support identity tokens but only access
tokens?
Does anyone have any experience with that?
Best regards
Bob
5 years, 4 months
Java Adapter - Claim body removes content
by Felipe Roca
Hi Guys,
I was creating a small PEP for a third party service API using the
keycloak authorization service.
My idea was to check whether a user is allowed to perform a certain
operation based on some body parameters, but it turns out that the body
claim left the body content unusable for the proxy application.
What do you think? Is this a bug or an expected behavior?
For a better understanding, here you can find my configuration file and
controller class. I am using keycloak-spring-boot-starter and
keycloak-authz-client version 6.0.0 maven modules but I tried also with
6.0.1 and same results.
keycloak.realm=spring-boot-quickstart
keycloak.auth-server-url=http://example.local/keycloak/auth
keycloak.ssl-required=external
keycloak.resource=app
keycloak.bearer-only=true
keycloak.credentials.secret=c23a55c0-0c96-4e28-8922-c47f918c2102
keycloak.securityConstraints[0].authRoles[0]=user
keycloak.securityConstraints[0].securityCollections[0].name=protected
keycloak.securityConstraints[0].securityCollections[0].patterns[0]=/version
keycloak.securityConstraints[0].securityCollections[0].patterns[1]=/admin/*
keycloak.securityConstraints[0].securityCollections[0].patterns[2]=/v1/*
keycloak.securityConstraints[0].securityCollections[0].patterns[3]=/v2/*
keycloak.policy-enforcer-config.enforcement-mode=ENFORCING
keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.uri]={request.relativePath}
keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.fiware-service]={request.header['service']}
keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.fiware-servicepath]={request.header['servicepath']}
keycloak.policy-enforcer-config.claimInformationPointConfig.claims[http.id]={request.body['/id']}
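import static org.springframework.web.bind.annotation.RequestMethod.*;

import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.client.RestTemplate;

// Login and BlankResponseErrorHandler are the poster's own classes (not shown).
@RestController
public class ProxyController {

    @Value("${proxy.schema}")
    private String schema;

    @Value("${proxy.host}")
    private String host;

    @Value("${proxy.port}")
    private int port;

    private RestTemplate restTemplate;

    @Autowired
    public ProxyController() {
        restTemplate = new RestTemplate();
        restTemplate.setRequestFactory(new HttpComponentsClientHttpRequestFactory());
        restTemplate.setErrorHandler(new BlankResponseErrorHandler());
    }

    @RequestMapping(value = "/login", produces = "application/json", method = POST)
    public ResponseEntity<Login> login(@RequestBody Login login) {
        return ResponseEntity.ok().body(login);
    }

    // Forward requests that carry no body.
    @RequestMapping(value = "/**", produces = "application/json", method = {GET, DELETE, HEAD, OPTIONS})
    public ResponseEntity<String> proxyRequestWithoutBody(HttpMethod method, HttpServletRequest request) throws URISyntaxException {
        return restTemplate.exchange(buildUri(request), method, new HttpEntity<String>(copyHeaders(request)), String.class);
    }

    // Forward requests together with their body.
    @RequestMapping(value = "/**", produces = "application/json", method = {POST, PUT, PATCH})
    public ResponseEntity<String> proxyRequest(@RequestBody String body, HttpMethod method, HttpServletRequest request) throws URISyntaxException {
        return restTemplate.exchange(buildUri(request), method, new HttpEntity<>(body, copyHeaders(request)), String.class);
    }

    private URI buildUri(HttpServletRequest request) throws URISyntaxException {
        return new URI(schema, null, host, port, request.getRequestURI(), request.getQueryString(), null);
    }

    // Copy every incoming header except "host" onto the outgoing request.
    private HttpHeaders copyHeaders(HttpServletRequest request) {
        HttpHeaders httpHeaders = new HttpHeaders();
        for (String headerName : Collections.list(request.getHeaderNames())) {
            if (!headerName.equals("host"))
                httpHeaders.add(headerName, request.getHeader(headerName));
        }
        return httpHeaders;
    }
}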
Thank you in advance,
Best regards,
Felipe
--
Felipe Roca Blaya
Software Engineer
-
HOP Ubiquitous S.L.
www.hopu.eu <http://www.hopu.eu>
C/Luis Buñuel 6
30562, Ceutí, Murcia.
Spain
5 years, 4 months
UMA and large resource sets
by Asbjørn Dyhrberg Thegler
Hello there,
I am implementing a Node.js resource server and I currently struggle with
figuring out how to let a user list all their resources from a specific
resource set.
For example, a user can GET /activities and get all their own activities,
but not other users'. I am not certain of how to create a UMA permission
ticket for that request, since I don't already know the IDs of the user's
activities. Further, the user could have access to other users' activities
through resource sharing. This list is potentially very large (as in
thousands of IDs), and I don't imagine putting that large a JWT in a header
is a good idea either.
What is the recommended way to handle this?
I am wondering if I should let the resource server itself query KeyCloak
for a list of IDs for all its own activities and activities shared with the
user - but I can't seem to figure out what API endpoint that lets me do
this in KeyCloak 6.0.1, since the Entitlement API has been deprecated.
Thanks for your help, I really enjoy working with KeyCloak so far. :)
Regards, Asbjørn
5 years, 4 months
Is there clear x509 configuration in a domain clustered environment using external DB
by JTK
I've stood up a stand-alone version to use x509 and with the help of this
list I was able to get it working, but the configuration documentation is
not clear for setting it up in a domain clustered environment.
For example ssl-realm is added to standalone.xml to get it to work in
conjunction with the https-listener and browser flow, but in the clustered
domain setup, you don't configure domain.xml with the additional ssl-realm
information.
i.e.
<security-realm name="ssl-realm">
    <server-identities>
        <ssl>
            <keystore path="keystore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="mypass"/>
    </authentication>
</security-realm>
&
<https-listener name="https" socket-binding="https" security-realm="ssl-realm" enabled-protocols="TLSv1.2" verify-client="REQUESTED" enable-http2="true"/>
I did add that information to the host.xml and even the host-master.xml
file, but I'm not getting prompted for my cert.
This is what I'm running to launch KeyCloak with the debug setup for
SSL,handshake
/opt/keycloak/bin/domain.sh --host-config=host-master.xml \
    -Djboss.bind.address=0.0.0.0 -Djboss.bind.address.management=10.10.10.7 \
    -Djboss.bind.address=10.10.10.7 -Djboss.bind.address.private=10.10.10.7 \
    -Djboss.https.port=443 -Djboss.tx.node.id=dev-master \
    -Djboss.node.name=dev-master \
    -Djava.security.egd=file:/dev/./urandom -Djavax.net.debug=ssl,handshake
I also have this enabled in domain.xml
<logger category="org.keycloak.authentication.authenticators.x509">
<level name="TRACE"/>
</logger>
<logger category="org.keycloak.services.x509">
<level name="TRACE"/>
</logger>
Do I need to enable debug for console below in domain.xml to get more
detailed info? Right now it's set to INFO
<console-handler name="CONSOLE">
<level name="DEBUG"/>
I have the Root CA and the intermediate loaded for the x509 cert which I am
presenting. I've double checked the Browser Flow, which is setup just like
the working standalone.
I just want to make sure there isn't something else I'm missing because
there seems to be a lack of clarity from the standalone setup vs the domain
clustered setup. For now, I'm using just the master node, to ensure I'm not
hitting the slave node when testing.
Thanks
5 years, 4 months
Per-client authorization
by Chris Boot
Hi all,
I'm trying to restrict which OIDC clients users can log in to based on
roles or group membership. I can't believe this isn't something
built into Keycloak yet, but it seems that way.
I had previously experimented with per-client Authorization settings,
applying policies to Resources. I could have sworn this worked at some
point, but it doesn't now. AIUI it seems to require the use of the
Keycloak Gatekeeper or other Keycloak-specific code, so it's not going
to work for most of my applications.
As far as I can tell, the only way to make this work is using a custom
authentication flow: https://stackoverflow.com/a/54384513/9531301
Is this indeed the only way to make this work?
Is there a way of stopping such clients from being shown on the Account
Management => Applications screen without globally removing the
offline_access role for all users?
Thanks,
Chris
--
Chris Boot
bootc(a)boo.tc
5 years, 4 months