Feature Request
by Sushil Singh
Hi,
As of now there is support of only http-method-as-scope when policyEnforcer is enabled inorder to get the mapping between application scopes and keycloak defined scopes. But I want to use keycloak not only for rest api's but for other use cases where I can have application specific custom resources (independent of URI requested) and actions(scopes). i want some API to provide support for custom resources as well as scopes
ex-: I have a pipeline to run and it can have actions like STOP ,RUN , RESTART and some actions like CREATE AND RESTART. So there can be one scope or a combination of multiple scopes for a resource to be accessed. So adding a functionality where user can use custom scopes would be of great help and extend its usability for non rest api's also.
https://issues.jboss.org/browse/KEYCLOAK-11300
Thanks,
Sushil Pratap Singh
5 years, 11 months
Keycloak Offline User Sessions and Online User Sessions
by Nagendra Darla
Hello Keycloak experts,
We have below challenges in out project where we are building User Access
Management using Keycloak.
1. *Offline User Sessions:* When a Offline token is used from two
different machines, There is only one Session that will be created and
session will have the IP address of the machine from where the User Session
is first created. Because of this we cannot suspect any suspicious activity
by hackers. Should n't we create different sessions even though same
offline token is used from different machines.
2. *Why there is no separate REST end point to get only Online User
Sessions: *Below REST end point returns all the User Sessions ie., both
Offline and Online User Sessions.
GET /{realm}/clients/{id}/user-sessions
You help is much appreciated !
Thank you,
Nagendra Darla
6 years
resource ids
by Corentin Dupont
Hi guys,
I discovered that you can provide your own id when creating resources:
curl -X POST "
http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" -H
"Authorization: Bearer $CLIENTTOKEN" -H "Content-Type: application/json" -d
'{*"_id": "123-456"*, "type": "test", "name":"test",
"scopes":["sensors:create","sensors:view","sensors:update","sensors:delete"],"owner":"cdupont",
"ownerManagedAccess": true}'
This is very practical for synchronizing the resources with my own database.
After some investigation, I found:
- the ID should be unique
- the name should be unique
Is that correct? The resource type is not used in the unicity.
In my application database, resources with different types are stored in
different collections, so two resources with different types *can* have the
same ID.
How do you suggest to solve this in Keycloak? Providing a keycloak ID of
the form <type>-<ID> for example? e.g. sensor-123 and project-123 would not
collide.
Cheers
6 years
Keycloak does not found SPI User Storage provider
by Alfonso Vidal García
Good morning,
I have configured a Spring Boot project with connection to Keycloak, and also I want to install a Custom SPI User Provider external to Keycloak.
I did all the steps to do the Provider and ProviderFactory, and also the file in META-INF/services, and when I try to deploy on Wildfly to connect with Keycloak, fails,
12:52:26,079 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "focusoc-0.0.1-SNAPSHOT.jar"
at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183)<mailto:org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183)>
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)<mailto:org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)>
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)<mailto:org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)>
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)<mailto:org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)>
at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)>
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)>
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)>
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)<mailto:org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)>
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module "deployment.focusoc-0.0.1-SNAPSHOT.jar" from Service Module Loader]
at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:240)<mailto:org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:240)>
at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.deploy(BusinessViewAnnotationProcessor.java:89)<mailto:org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.deploy(BusinessViewAnnotationProcessor.java:89)>
at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176)<mailto:org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176)>
... 8 more
Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module "deployment.focusoc-0.0.1-SNAPSHOT.jar" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:238)<mailto:org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:238)>
... 10 more
12:52:26,081 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 8) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "focusoc-0.0.1-SNAPSHOT.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\"
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]
Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]"}}
12:52:26,082 ERROR [org.jboss.as.server] (management-handler-thread - 8) WFLYSRV0021: Deploy of deployment "focusoc-0.0.1-SNAPSHOT.jar" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\"
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]
Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]"}}
I try to search in all internet about solutions about that, and I am blocked, so If you could tell if anything is missing.
Thank you. Alfonso Vidal.
P Please consider the environment before printing this e-mail.
6 years
Keycloack Multi -Tenancy question
by Litom Segal
We are considering using Keycloack in a multi-tenant fashion.
Each of our customer's account has its own users, and applications
installed, and we also provide services API's consumed by various clients.
We will have a large number of tenants.
I found an open issue from 2017 that mentions that Keycloak may have some
scalability issues with a large number of realms.
https://issues.jboss.org/browse/KEYCLOAK-4593
And also this thread from 2016,
https://lists.jboss.org/pipermail/keycloak-user/2016-October/008033.html,
that states that "Keycloak was not designed to support multi-tenancy
directly."..."In that regards we have never tested with high amounts of
realms as we expect there to be few realms (up to 10 most likely)."
I was wonder if there was any progress on the multi-tenancy use case, and
are there any best practices on how to setup Keycloack to support it.
On the other hand, is there any other approach to handle our use-case?
Thanks,
Litom
--
Litom Segal
Software Engineer
T: +972-74-700-4097
<https://www.linkedin.com/company/164748> <https://twitter.com/liveperson>
<https://www.facebook.com/liveperson/?ref=bookmarks>
Our mission is to make life easier by transforming how people communicate
with brands. <https://liveperson.docsend.com/view/drieh2u>
--
This message may contain confidential and/or privileged information.
If
you are not the addressee or authorized to receive this on behalf of the
addressee you must not use, copy, disclose or take action based on this
message or any information herein.
If you have received this message in
error, please advise the sender immediately by reply email and delete this
message. Thank you.
6 years
Account Management Rest API
by Corentin Dupont
Hello,
I wanted know the status of the new account Console and API (see
message copied bellow)?
I have an application developed in ReactJS, which is using Keycloak
account pages generated by Keycloak (4.4.0).
I would like to add additional elements to the account page, that are
not controlled by Keycloak.
Notably, I need to access the Redux store and make some HTTP requests
to an eternal API.
What do you suggest? I was thinking to re-do completely the account
pages with React, and retrieve the data from Keycloak using API.
However I'm not sure the account management API is ready on Keycloak side.
Thanks
Corentin
Stan Silvert wrote on Mon Apr 15 12:32:07 EDT 2019:
Right now this API is in development and subject to change at any time.
We are hoping to have it completed in the next few months.
Also, we are working on a new Account Console that will use PatternFly 4
and React. It will be easy to extend, so you can add your own pages.
It will work better on mobile devices. And of course, you will be able
to change it around with different themes and such.
So building your own console from this new Account Console might be a
better option than building the whole thing from scratch.
If you are interested, the code is here along with a readme that tells
how to build and run. It's very much a work in
progress:https://github.com/keycloak/keycloak/tree/master/themes/src/main...
I still need to document how to create extensions, so let me know if you
are interested in that.
Stan
On 4/15/2019 11:23 AM, Gabriele Rabbiosi wrote:
>* Hi guys,
*>* I'd like more information about the AccountRestService class
*>* (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...
<https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...>)
*>>* 1. I noticed that there are still a couple of TODO (such as Identity
*>* Providers management), is there a roadmap for the development of this
*>* missing features?
*>* 2. Are these API public or for internal use only? I'd like to use them
*>* to implement a custom Account Management page for my application.
*>* 3. How stable are they? How likely is it that they will change or
*>* disappear in the (near) future?
*>>* Thanky you.
*>* Best regards
*>>* --
*>>* GABRIELE RABBIOSI
*>>* BeePMN Software Engineer
*>>
6 years
multiple reset credentials flows
by Arnault BESNARD
Hi,
We're currently developing our own SPI authenticator. In case of authentication failure, we'd like allowing users to reset their credential following a specific scenario.
Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which is not fit in our case.
What is the best way to solve our issue?
Thanks in advance,
Arnault
6 years
Storing and using refresh tokens
by Marius Bozem
Hey everyone,
I am working on using refresh tokens to get new access token when the old
one expires.
For that I would like to know the best practices regarding:
- What is a secure and easy way of implementing the use of refresh tokens?
In more detail, these are the questions I have:
- How and where to store refresh tokens? We plan on storing them in our
back end service. A user would then have a session with our service that
would be used to get the refresh token for them.
- Where and how will the use of the refresh token be triggered? At some
point the access token will expire, should the front end then make a
request to the back end to get a new token?
- In this front end & back end setup how do you deal with the user having
multiple tabs of the application open or using multiple browsers?
Thanks in advance,
Marius
6 years, 1 month
