Hey Ed,
Ouch, bad NetIQ :-( apparently it considers the signature on the request as
something unexpected, which it really shouldn't...
However, you should be able to configure the signing certificate of
Keycloak on the NetIQ side (which you needed to do anyway for the
validation of the Logout requests) and make it "require" or "expect" signed
authentication requests from the Keycloak SP.
Hans.
On Mon, Jan 28, 2019 at 9:11 PM <keycloak-user-request(a)lists.jboss.org> wrote:
------------------------------
Message: 3
Date: Mon, 28 Jan 2019 16:16:20 +0000
From: "Edgar Vonk - Info.nl" <Edgar(a)info.nl>
Subject: Re: [keycloak-user] Keycloak Identity provider SAML LogoutRequest not working with NetIQ Access Manager because it is not signed?
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <B72F6570-E06C-4292-969D-0B0359230CA4(a)info.nl>
Content-Type: text/plain; charset="utf-8"
Thanks Hans! :-)
Unfortunately, with "Want AuthnRequests Signed?" enabled we can no longer
log in to the external IdP. I will check with the NetIQ provider people.
------------------------------
Message: 4
Date: Mon, 28 Jan 2019 14:51:26 -0200
From: Wagner <wagnerspi(a)gmail.com>
Subject: [keycloak-user] Keycloak integration with django
To: keycloak-user(a)lists.jboss.org
Message-ID: <CAO0ino=wK-opo1H7cc4XgH5U012jN2eCUvvE8_6qoFv+ZKQ5MA(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hi there,
I've been looking for ways to integrate keycloak with django, and have
found the django-keycloak project, but the docs are kind of limited.
Can anyone point me in the direction of integrating it with an existing
django project? I don't want to use the django admin web interface to
configure it, but haven't found any other way to do so.
Thanks,
Wagner
------------------------------
Message: 5
Date: Mon, 28 Jan 2019 13:04:58 -0500
From: Nhut Thai Le <ntle(a)castortech.com>
Subject: [keycloak-user] OsgiJaxrsBearerTokenFilterImpl init resolver class on every request
To: keycloak-user <keycloak-user(a)lists.jboss.org>
Message-ID: <CAJVRZt9SmNO0jmt9jAFMB9eD+ZMSjJij+=EO1j7F=iE6nGV0JQ(a)mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Hello,
We are using OsgiJaxrsBearerTokenFilterImpl of Keycloak 4.6 in our OSGi environment
to filter requests to our REST service as follows:
// Imports added for completeness; the post shows only the class body.
import static org.osgi.service.jaxrs.whiteboard.JaxrsWhiteboardConstants.JAX_RS_NAME;

import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.container.PreMatching;

import org.keycloak.adapters.osgi.OsgiJaxrsBearerTokenFilterImpl; // package assumed (Keycloak OSGi adapter)
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ServiceScope;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// DiagramConstants and SessionService are the poster's own classes (not shown).
@Component(
    service = {
        ContainerRequestFilter.class,
        ContainerResponseFilter.class
    },
    scope = ServiceScope.PROTOTYPE, // one filter instance per JAX-RS application, as the whiteboard spec recommends
    property = {
        "osgi.jaxrs.extension=true",
        JAX_RS_NAME + "=DiagramRestFilter",
        DiagramConstants.REST_APP_SELECT
    }
)
@PreMatching
@Priority(Priorities.AUTHENTICATION)
public final class DiagramRestFilter extends OsgiJaxrsBearerTokenFilterImpl
        implements ContainerResponseFilter {
    private static final String REFERER_HEADER = "Referer"; //$NON-NLS-1$
    private static final String UTF_8_CHARSET = "UTF-8"; //$NON-NLS-1$
    private final Logger log = LoggerFactory.getLogger(getClass());

    @Reference
    private SessionService sessionService;

    @Activate
    public void activate(BundleContext bundleContext) {
        log.trace("Activating {}", getClass()); //$NON-NLS-1$
        // The config resolver is configured by class name, not by instance
        setKeycloakConfigResolverClass("com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver"); //$NON-NLS-1$
        setBundleContext(bundleContext);
    }

    // Response side of the filter; its body was not included in the post
    @Override
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
        // ...
    }
}
As you can see, we set the filter scope to Prototype as recommended by the OSGi
Compendium (https://osgi.org/specification/osgi.cmpn/7.0.0/service.jaxrs.html#d0e133685),
but we see a lot of the following line printed when the server starts:
INFO: Using
com.castortech.iris.ba.web.filters.BundleBasedKeycloakConfigResolver@738e48f7
to resolve Keycloak configuration on a per-request basis.
Does that mean the config resolver is being instantiated for each request?
Since the configuration never changes, would it make sense to
instantiate this config resolver only once?
Thai Le
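The question above is whether the resolver gets built on every request. Independently of how the filter instantiates it, the costly part is turning keycloak.json into a KeycloakDeployment, and that object also holds the adapter's cached realm public keys, so rebuilding it per request would discard that cache and re-fetch keys from the server. The following resolver is an added example (it is not code from the thread, nor Keycloak's own BundleBasedKeycloakConfigResolver): it implements the real org.keycloak.adapters.KeycloakConfigResolver interface and builds the deployment exactly once, in a static field shared by every instance the bundle's class loader creates. The class name, the sample keycloak.json values and the realm name are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.spi.HttpFacade;

/**
 * Hypothetical resolver (added example, not Keycloak's own code).
 * Even if the filter creates a fresh resolver per request, the parsed
 * KeycloakDeployment is created once and then shared by all instances
 * loaded by the same bundle class loader.
 */
public class CachedKeycloakConfigResolver implements KeycloakConfigResolver {

    // Constructed sample adapter config; a real bundle would read its own keycloak.json resource.
    private static final String SAMPLE_KEYCLOAK_JSON = "{\n"
        + "  \"realm\": \"demo\",\n"
        + "  \"auth-server-url\": \"https://sso.example.invalid/auth\",\n"
        + "  \"resource\": \"diagram-rest\",\n"
        + "  \"bearer-only\": true\n"
        + "}";

    // volatile + double-checked locking: one build, safe under concurrent requests
    private static volatile KeycloakDeployment cachedDeployment;

    @Override
    public KeycloakDeployment resolve(HttpFacade.Request request) {
        KeycloakDeployment deployment = cachedDeployment;
        if (deployment == null) {
            synchronized (CachedKeycloakConfigResolver.class) {
                deployment = cachedDeployment;
                if (deployment == null) {
                    deployment = buildDeployment();
                    cachedDeployment = deployment;
                }
            }
        }
        return deployment;
    }

    // Parses the adapter configuration; this is the step worth doing only once.
    private static KeycloakDeployment buildDeployment() {
        byte[] json = SAMPLE_KEYCLOAK_JSON.getBytes(StandardCharsets.UTF_8);
        try (InputStream in = new ByteArrayInputStream(json)) {
            return KeycloakDeploymentBuilder.build(in);
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read Keycloak adapter configuration", e);
        }
    }
}
```

To use it, pass the class name to setKeycloakConfigResolverClass in the filter's activate method in place of the poster's resolver. The trade-off of the static cache is that a changed keycloak.json is only picked up when the bundle is reloaded, which is the right behaviour for a configuration that, as the post says, never changes at runtime.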
------------------------------
Message: 6
Date: Mon, 28 Jan 2019 21:00:02 +0100
From: Marek Posolda <mposolda(a)redhat.com>
Subject: Re: [keycloak-user] User sessions in DB
To: Lukasz Lech <l.lech(a)ringler.ch>, "keycloak-user(a)lists.jboss.org"
<keycloak-user(a)lists.jboss.org>
Message-ID: <1bd70dc9-7dd2-6006-9950-1c2a4b5c1d01(a)redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
On 28/01/2019 16:30, Lukasz Lech wrote:
> Hello,
>
> I'm using Keycloak docker image for 4.8.1
>
> I have logged in users, but in DB, I see no entries in user_session.
That is expected. The USER_SESSION table is probably something like a
tombstone of some previous implementation. User sessions are not saved
in the DB.
>
> Additionally, after the server has run for some time, I've got an NPE in RealmAdminResource.getClientSessionStats:614 when trying to navigate to the Sessions entry in the menu in the Admin Console.
Looks like a bug. Feel free to create JIRA (with stacktrace and ideally
exact steps to reproduce).
Thanks,
Marek
>
> Are there any issues with JPA cache?
>
> Best regards,
> Lukasz Lech
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
------------------------------
Message: 7
Date: Mon, 28 Jan 2019 21:07:05 +0100
From: Marek Posolda <mposolda(a)redhat.com>
Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
To: Dmitry Telegin <dt(a)acutus.pro>, Chris Smith
<chris.smith(a)cmfirstgroup.com>, "keycloak-user(a)lists.jboss.org"
<keycloak-user(a)lists.jboss.org>
Message-ID: <8eb89cb9-f64f-c9c9-a681-4f2a775eaf67(a)redhat.com>
Content-Type: text/plain; charset=utf-8; format=flowed
+1
GSSCredential is used just during SPNEGO authentication. You may
possibly change the built-in authentication flows or userStorage
provider, so that after verification with username/password, the
GSSCredential will be somehow obtained from the JAAS Subject used for
the authentication (See class KerberosUsernamePasswordAuthenticator for
the details).
However I am not sure if this is really possible and it will require
some more deep-dive into the Keycloak codebase and Kerberos
implementation in JDK... Just a hint...
Marek
On 28/01/2019 07:21, Dmitry Telegin wrote:
> Hello Chris,
>
> AFAIK GSSCredential is something very specific to Kerberos, so I'm not sure it's possible at all to obtain it outside of Kerberos context, like e.g. via pure LDAP authentication.
>
> Cheers,
> Dmitry
>
> On Mon, 2019-01-28 at 03:04 +0000, Chris Smith wrote:
>> Does anyone have feedback about getting a delegated GSSCredential?
>>
>> -----Original Message-----
>> From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-bounces(a)lists.jboss.org> On Behalf Of Chris Smith
>> Sent: Wednesday, January 23, 2019 10:12 PM
>> To: keycloak-user(a)lists.jboss.org
>> Subject: Re: [keycloak-user] Get a GSSCredential when user browser is not in Active Directory domain
>>
>> Here is a Diagram of what I'm trying to do
>>
>> From: Chris Smith
>> Sent: Wednesday, January 23, 2019 8:08 AM
>> To: 'keycloak-user(a)lists.jboss.org' <keycloak-user(a)lists.jboss.org>
>> Subject: Get a GSSCredential when user browser is not in Active Directory domain
>>
>> I have set up my servlet to authenticate a user of my web app using Keycloak Active Directory LDAP user federation.
>>
>> I can get a Delegated GSSCredential when the SPNEGO-enabled browser runs on a workstation in the AD domain.
>> When the browser workstation is not a member of the AD domain, Keycloak will authenticate the user id and password entered on the Keycloak login page, but there will not be a Delegated GSSCredential in the Access Token in my servlet.
>>
>> I have a requirement to use the GSSCredential to call programs on an IBM i (AS/400) and JDBC to the IBM i. My IBM i is configured to accept a Kerberos Ticket from Active Directory as an authenticated credential (aka EIM, Enterprise Identity Mapping).
>>
>> Less than 1% of the users will be using browsers on workstations in the Active Directory domain.
>>
>> Can Keycloak put a GSSCredential for the logged-in user in the Access Token when SPNEGO is not available from the browser?
>>
>>
>>
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user(a)lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
> _______________________________________________
> keycloak-user mailing list
> keycloak-user(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user
------------------------------
_______________________________________________
keycloak-user mailing list
keycloak-user(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-user
End of keycloak-user Digest, Vol 61, Issue 39