Feature Request
by Sushil Singh
Hi,
As of now there is support only for http-method-as-scope when the policyEnforcer is enabled, in order to get the mapping between application scopes and Keycloak-defined scopes. But I want to use Keycloak not only for REST APIs but for other use cases where I can have application-specific custom resources (independent of the URI requested) and actions (scopes). I want some API to provide support for custom resources as well as scopes.
e.g. I have a pipeline to run and it can have actions like STOP, RUN, RESTART and some actions like CREATE AND RESTART. So there can be one scope or a combination of multiple scopes for a resource to be accessed. So adding functionality where the user can use custom scopes would be of great help and extend its usability for non-REST APIs also.
https://issues.jboss.org/browse/KEYCLOAK-11300
Thanks,
Sushil Pratap Singh
5 years, 2 months
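An added example (not from the message above and not Keycloak's own code) showing the part of Keycloak that already covers application-defined resources and actions without any URI mapping: the realm's token endpoint accepts a UMA grant with permission=<resource>#<scope> and response_mode=decision, and the client asks "may this token holder RUN pipeline-42?" directly. The realm "waziup", the resource-server client id "pipeline-api" and the resource/scope names are constructed assumptions; the decision is evaluated one scope at a time and fails closed.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed values: the realm and resource-server client id are assumptions.
KEYCLOAK = "http://localhost:8080/auth"
REALM = "waziup"
RESOURCE_SERVER = "pipeline-api"
UMA_GRANT = "urn:ietf:params:oauth:grant-type:uma-ticket"

def build_decision_request(access_token, resource, scope):
    """Token-endpoint request asking "may this token's holder do <scope> on
    <resource>?". permission=<resource>#<scope> names the application-defined
    pair, unrelated to any URI; response_mode=decision asks for a plain yes/no
    instead of a new RPT."""
    fields = [("grant_type", UMA_GRANT), ("audience", RESOURCE_SERVER),
              ("response_mode", "decision"), ("permission", f"{resource}#{scope}")]
    return Request(f"{KEYCLOAK}/realms/{REALM}/protocol/openid-connect/token",
                   data=urlencode(fields).encode(), method="POST",
                   headers={"Authorization": f"Bearer {access_token}",
                            "Content-Type": "application/x-www-form-urlencoded"})

def _send(req):
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except HTTPError as e:             # a 403 access_denied arrives this way
        return e.code, e.read().decode()

def is_permitted(access_token, resource, scope, send=_send):
    """True only for an explicit 200 {"result": true}; a 403, a transport error
    or an unparseable body all count as denied (fail closed)."""
    try:
        status, body = send(build_decision_request(access_token, resource, scope))
        return status == 200 and json.loads(body).get("result") is True
    except Exception:
        return False

def all_permitted(access_token, resource, scopes, send=_send):
    """Composite action (e.g. CREATE and RESTART): one decision per scope, so the
    answer is unambiguous regardless of how the server merges partial grants."""
    return all(is_permitted(access_token, resource, s, send) for s in scopes)
```

The `send` parameter exists so the decision logic can be exercised against a stubbed token endpoint; in production leave it at the default.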
Keycloak Offline User Sessions and Online User Sessions
by Nagendra Darla
Hello Keycloak experts,
We have the below challenges in our project, where we are building User Access
Management using Keycloak.
1. *Offline User Sessions:* When an offline token is used from two
different machines, only one session is created, and that
session has the IP address of the machine from which the user session
was first created. Because of this we cannot suspect any suspicious activity
by hackers. Shouldn't we create different sessions even though the same
offline token is used from different machines?
2. *Why is there no separate REST endpoint to get only Online User
Sessions?* The REST endpoint below returns all the user sessions, i.e., both
offline and online user sessions.
GET /{realm}/clients/{id}/user-sessions
Your help is much appreciated!
Thank you,
Nagendra Darla
5 years, 2 months
resource ids
by Corentin Dupont
Hi guys,
I discovered that you can provide your own id when creating resources:
curl -X POST "http://localhost:8080/auth/realms/waziup/authz/protection/resource_set" \
  -H "Authorization: Bearer $CLIENTTOKEN" \
  -H "Content-Type: application/json" \
  -d '{"_id": "123-456", "type": "test", "name": "test",
       "scopes": ["sensors:create","sensors:view","sensors:update","sensors:delete"],
       "owner": "cdupont", "ownerManagedAccess": true}'
This is very practical for synchronizing the resources with my own database.
After some investigation, I found:
- the ID should be unique
- the name should be unique
Is that correct? The resource type is not used for uniqueness.
In my application database, resources with different types are stored in
different collections, so two resources with different types *can* have the
same ID.
How do you suggest solving this in Keycloak? Providing a Keycloak ID of
the form <type>-<ID>, for example? E.g. sensor-123 and project-123 would not
collide.
Cheers
5 years, 2 months
Keycloak does not find SPI User Storage provider
by Alfonso Vidal García
Good morning,
I have configured a Spring Boot project with a connection to Keycloak, and I also want to install a custom SPI User Provider external to Keycloak.
I did all the steps to create the Provider and ProviderFactory, and also the file in META-INF/services, but when I try to deploy on WildFly to connect with Keycloak, it fails:
12:52:26,079 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: org.jboss.msc.service.StartException in service jboss.deployment.unit."focusoc-0.0.1-SNAPSHOT.jar".POST_MODULE: WFLYSRV0153: Failed to process phase POST_MODULE of deployment "focusoc-0.0.1-SNAPSHOT.jar"
at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:183)
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1737)
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1699)
at org.jboss.msc@1.4.8.Final//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1557)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads@2.3.3.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module "deployment.focusoc-0.0.1-SNAPSHOT.jar" from Service Module Loader]
at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:240)
at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.deploy(BusinessViewAnnotationProcessor.java:89)
at org.jboss.as.server@9.0.2.Final//org.jboss.as.server.deployment.DeploymentUnitPhaseService.start(DeploymentUnitPhaseService.java:176)
... 8 more
Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module "deployment.focusoc-0.0.1-SNAPSHOT.jar" from Service Module Loader]
at org.jboss.modules.ModuleClassLoader.findClass(ModuleClassLoader.java:255)
at org.jboss.modules.ConcurrentClassLoader.performLoadClassUnchecked(ConcurrentClassLoader.java:410)
at org.jboss.modules.ConcurrentClassLoader.performLoadClass(ConcurrentClassLoader.java:398)
at org.jboss.modules.ConcurrentClassLoader.loadClass(ConcurrentClassLoader.java:116)
at org.jboss.as.ejb3@17.0.1.Final//org.jboss.as.ejb3.deployment.processors.BusinessViewAnnotationProcessor.getEjbClass(BusinessViewAnnotationProcessor.java:238)
... 10 more
12:52:26,081 ERROR [org.jboss.as.controller.management-operation] (management-handler-thread - 8) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "focusoc-0.0.1-SNAPSHOT.jar")]) - failure description: {"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\"
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]
Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]"}}
12:52:26,082 ERROR [org.jboss.as.server] (management-handler-thread - 8) WFLYSRV0021: Deploy of deployment "focusoc-0.0.1-SNAPSHOT.jar" was rolled back with the following failure message:
{"WFLYCTL0080: Failed services" => {"jboss.deployment.unit.\"focusoc-0.0.1-SNAPSHOT.jar\".POST_MODULE" => "WFLYSRV0153: Failed to process phase POST_MODULE of deployment \"focusoc-0.0.1-SNAPSHOT.jar\"
Caused by: org.jboss.as.server.deployment.DeploymentUnitProcessingException: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]
Caused by: java.lang.ClassNotFoundException: gcs.fds.focusoc.keycloak.spi.LoginStorageProvider from [Module \"deployment.focusoc-0.0.1-SNAPSHOT.jar\" from Service Module Loader]"}}
I have searched all over the internet for solutions to this and I am stuck, so please tell me if anything is missing.
Thank you. Alfonso Vidal.
5 years, 2 months
Keycloak Multi-Tenancy question
by Litom Segal
We are considering using Keycloak in a multi-tenant fashion.
Each of our customers' accounts has its own users and applications
installed, and we also provide service APIs consumed by various clients.
We will have a large number of tenants.
I found an open issue from 2017 that mentions that Keycloak may have some
scalability issues with a large number of realms.
https://issues.jboss.org/browse/KEYCLOAK-4593
And also this thread from 2016,
https://lists.jboss.org/pipermail/keycloak-user/2016-October/008033.html,
that states that "Keycloak was not designed to support multi-tenancy
directly."..."In that regards we have never tested with high amounts of
realms as we expect there to be few realms (up to 10 most likely)."
I was wondering if there has been any progress on the multi-tenancy use case, and
whether there are any best practices on how to set up Keycloak to support it.
On the other hand, is there any other approach to handle our use-case?
Thanks,
Litom
--
Litom Segal
Software Engineer
T: +972-74-700-4097
5 years, 2 months
Account Management Rest API
by Corentin Dupont
Hello,
I wanted to know the status of the new account Console and API (see the
message copied below).
I have an application developed in ReactJS, which is using Keycloak
account pages generated by Keycloak (4.4.0).
I would like to add additional elements to the account page, that are
not controlled by Keycloak.
Notably, I need to access the Redux store and make some HTTP requests
to an external API.
What do you suggest? I was thinking of completely redoing the account
pages in React and retrieving the data from Keycloak using the API.
However, I'm not sure the account management API is ready on the Keycloak side.
Thanks
Corentin
Stan Silvert wrote on Mon Apr 15 12:32:07 EDT 2019:
Right now this API is in development and subject to change at any time.
We are hoping to have it completed in the next few months.
Also, we are working on a new Account Console that will use PatternFly 4
and React. It will be easy to extend, so you can add your own pages.
It will work better on mobile devices. And of course, you will be able
to change it around with different themes and such.
So building your own console from this new Account Console might be a
better option than building the whole thing from scratch.
If you are interested, the code is here along with a readme that tells
how to build and run. It's very much a work in
progress: https://github.com/keycloak/keycloak/tree/master/themes/src/main...
I still need to document how to create extensions, so let me know if you
are interested in that.
Stan
On 4/15/2019 11:23 AM, Gabriele Rabbiosi wrote:
> Hi guys,
> I'd like more information about the AccountRestService class
> (https://github.com/keycloak/keycloak/blob/master/services/src/main/java/o...)
>
> 1. I noticed that there are still a couple of TODOs (such as Identity
> Providers management); is there a roadmap for the development of these
> missing features?
> 2. Are these APIs public or for internal use only? I'd like to use them
> to implement a custom Account Management page for my application.
> 3. How stable are they? How likely is it that they will change or
> disappear in the (near) future?
>
> Thank you.
> Best regards
>
> --
> GABRIELE RABBIOSI
> BeePMN Software Engineer
5 years, 3 months
multiple reset credentials flows
by Arnault BESNARD
Hi,
We're currently developing our own SPI authenticator. In case of authentication failure, we'd like to allow users to reset their credential following a specific scenario.
Unfortunately, there is only one reset credentials flow per realm. So 'forgot password' and our SPI reset credential have to share the same scenario, which does not fit our case.
What is the best way to solve our issue?
Thanks in advance,
Arnault
5 years, 3 months
Storing and using refresh tokens
by Marius Bozem
Hey everyone,
I am working on using refresh tokens to get a new access token when the old
one expires.
For that I would like to know the best practices regarding:
- What is a secure and easy way of implementing the use of refresh tokens?
In more detail, these are the questions I have:
- How and where to store refresh tokens? We plan on storing them in our
back end service. A user would then have a session with our service that
would be used to get the refresh token for them.
- Where and how will the use of the refresh token be triggered? At some
point the access token will expire, should the front end then make a
request to the back end to get a new token?
- In this front end & back end setup how do you deal with the user having
multiple tabs of the application open or using multiple browsers?
Thanks in advance,
Marius
5 years, 3 months
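An added example (not from the message above and not Keycloak's own code) of the back-end arrangement the questions describe: the refresh token lives only in the server-side session, the browser holds just an opaque session cookie, and a lock with a re-check makes several tabs or browsers that hit an expired access token at the same moment share one refresh instead of each presenting the refresh token. The refresh callable targets the realm's OpenID Connect token endpoint with grant_type=refresh_token for a confidential client; the base URL, realm and client credentials are placeholders you supply.

```python
import json, threading, time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

class TokenSession:
    """Server-side token holder: the browser gets only an opaque session cookie."""
    def __init__(self, access_token, refresh_token, expires_in, now=time.time):
        self._now, self._lock, self.refresh_count = now, threading.Lock(), 0
        self._store(access_token, refresh_token, expires_in)

    def _store(self, access_token, refresh_token, expires_in):
        self.access_token, self.refresh_token = access_token, refresh_token
        self.expires_at = self._now() + expires_in

    def get_access_token(self, refresh, skew=30):
        """Return an access token valid for at least `skew` more seconds, refreshing
        at most once. Tabs and browsers sharing the session all land here; the lock
        plus the re-check under it make them wait for ONE refresh."""
        if self.expires_at - self._now() > skew:
            return self.access_token
        with self._lock:
            if self.expires_at - self._now() > skew:  # someone already refreshed
                return self.access_token
            resp = refresh(self.refresh_token)
            # Keycloak returns a new refresh token in each refresh response; keep the latest.
            self._store(resp["access_token"],
                        resp.get("refresh_token", self.refresh_token), resp["expires_in"])
            self.refresh_count += 1
            return self.access_token

def keycloak_refresh(base_url, realm, client_id, client_secret):
    """Refresh callable for a confidential client; the client secret stays server-side."""
    def refresh(refresh_token):
        body = urlencode({"grant_type": "refresh_token", "refresh_token": refresh_token,
                          "client_id": client_id, "client_secret": client_secret}).encode()
        req = Request(f"{base_url}/realms/{realm}/protocol/openid-connect/token",
                      data=body, method="POST")
        with urlopen(req, timeout=5) as r:
            return json.loads(r.read())
    return refresh

def fetch_concurrently(session, refresh, n):
    """Simulate n tabs hitting the back end at once; returns the tokens they got."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(session.get_access_token(refresh)))
               for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results
```

In a web app the `TokenSession` is looked up by the user's session cookie on each request and `get_access_token(keycloak_refresh(...))` supplies the bearer token for the downstream call, so the front end never needs to trigger the refresh itself.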