From slaskawi at redhat.com Mon Oct 1 08:22:37 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 1 Oct 2018 14:22:37 +0200
Subject: [keycloak-dev] Latest changes with JGroups discovery in 4.5.0.Final Docker Image
References: <24738023a02b48f2b974d5f211fdf96c@bosch-si.com>

Hey Sebastian,

Thanks a lot for the comment. Let me give you some more insight on this change...

One of our goals was to make Keycloak more Cloud-friendly (especially with regard to OpenShift). One of the first steps is to make it clustered by default. This requires making both `jboss.bind.address` and `jboss.bind.address.private` point to the eth0 of the container and bootstrapping the `standalone-ha.xml` configuration by default. As you already noticed, you can easily override this behavior by specifying the `-c standalone.xml` configuration and (if you wish) specifying the `BIND` environment variable pointing to `127.0.0.1`.

Now, why JGroups binds to `jboss.bind.address.private` instead of `jboss.bind.address` by default is not obvious to me. I will ask the Wildfly Team why they decided to take this direction. I personally would do the opposite.

As for the patch you suggested, I totally agree with you - we should also scan for `--server-config`. May I ask you for a pull request?

Thanks,
Sebastian

On Fri, Sep 28, 2018 at 6:11 PM Schuster Sebastian (INST-CSS/BSV-OS) <Sebastian.Schuster at bosch-si.com> wrote:

> Maybe this snippet is helpful:
>
> if echo "$@" | egrep -v -- '-c |-c=|--server-config |--server-config='; then
>     SYS_PROPS+=" -c=standalone-ha.xml"
> fi
>
> Best regards,
> Sebastian
>
> Mit freundlichen Grüßen / Best regards
>
> Dr.-Ing. Sebastian Schuster
>
> Open Source Services (INST-CSS/BSV-OS)
> Bosch Software Innovations GmbH | Ullsteinstr. 128 | 12109 Berlin | GERMANY
> www.bosch-si.com
> Tel. +49 30 726112-485 | Fax +49 30 726112-100 | Sebastian.Schuster at bosch-si.com
>
> Registered office: Berlin, Register court: Amtsgericht Charlottenburg; HRB 148411 B
> Chairman of the Supervisory Board: Dr.-Ing. Thorsten Lücke; Management: Dr. Stefan Ferber, Michael Hahn
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <keycloak-dev-bounces at lists.jboss.org> On Behalf Of Schuster Sebastian (INST-CSS/BSV-OS)
> Sent: Friday, 28 September 2018 16:00
> To: keycloak-dev
> Subject: [keycloak-dev] Latest changes with JGroups discovery in 4.5.0.Final Docker Image
>
> Hi everybody,
>
> I think there are some minor issues with the changes in the 4.5.0 Docker image. In docker-entrypoint.sh, per default, if nothing is specified, the jboss.bind.address and jboss.bind.address.private are both set to hostname -i and, if nothing is specified, standalone-ha mode is used. I find that at least questionable; I think running standalone is a safer default compared to opening JGroups communication on a public interface. However, the default works for us in Kubernetes.
>
> However, the detection whether a profile was specified (if echo "$@" | egrep -v -- "-c "; then) should be improved; only looking for '-c' does not work as '--server-config' is equally possible. Wildfly will die with an error if both are present?
>
> Best regards,
> Sebastian
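The `-c` / `--server-config` detection discussed in this thread, as an added example (mine, not code from the Keycloak Docker image or from the list posts): it walks the argument vector instead of grepping the joined string, so a `-c ` or `--server-config=` that merely appears inside some other value (a `-D` system property, say) does not silently suppress the clustered default. The function names are my own.

```shell
#!/bin/sh
# Added example, not the Keycloak image's docker-entrypoint.sh.
# Returns 0 (true) when the caller already chose a server profile via
# one of the forms listed in the thread:
#   -c FILE, -c=FILE, --server-config FILE, --server-config=FILE
# Each argument is inspected on its own, unlike the posted
#   echo "$@" | egrep -v -- '-c |-c=|--server-config |--server-config='
# which also matches those strings inside an unrelated argument value.
server_config_given() {
  while [ "$#" -gt 0 ]; do
    case "$1" in
      -c|--server-config)     return 0 ;;   # value follows as the next argument
      -c=*|--server-config=*) return 0 ;;   # value attached with '='
    esac
    shift
  done
  return 1
}

# Mirror of the entrypoint's decision: only when no profile was given
# does the clustered standalone-ha.xml become the default, so that
# "-c standalone.xml" keeps JGroups from being started at all.
# Prints the system-property suffix to append (empty if none).
profile_props() {
  if server_config_given "$@"; then
    printf '%s' ''
  else
    printf '%s' ' -c=standalone-ha.xml'
  fi
}

# Demo with constructed argument lists, as a user might pass them after
# the image name on the docker run command line.
printf 'no profile      ->%s\n' "$(profile_props -b 0.0.0.0)"
printf 'short form      ->%s\n' "$(profile_props -c standalone.xml)"
printf 'long form       ->%s\n' "$(profile_props --server-config=standalone.xml)"
printf 'inside -D value ->%s\n' "$(profile_props -Dnote=-c -b 0.0.0.0)"
```

The last demo line is the case the grep-based check gets wrong: the joined string "-Dnote=-c -b 0.0.0.0" contains "-c " and would be treated as an explicit profile.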
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

From dchrzascik at novomatic-tech.com Mon Oct 1 10:50:09 2018
From: dchrzascik at novomatic-tech.com (Dariusz Chrzascik)
Date: Mon, 01 Oct 2018 16:50:09 +0200
Subject: [keycloak-dev] Partial import - problem with client's default roles
Message-ID: <5BB2504102000086000C23E9@gwia-internal01.atsisa.com>

Hi,

I've encountered an issue when using the Admin Console's partial import. I've enclosed a simplified realm configuration that demonstrates the case. Importing that realm results in an exception:

15:45:43,675 ERROR [org.keycloak.services] (default task-103) KC-SERVICES0038: Error importing roles: org.keycloak.models.ModelDuplicateException
    at org.keycloak.models.jpa.JpaRealmProvider.addClientRole(JpaRealmProvider.java:228)
    at org.keycloak.models.cache.infinispan.RealmCacheSession.addClientRole(RealmCacheSession.java:683)
    at org.keycloak.models.jpa.ClientAdapter.addRole(ClientAdapter.java:626)
    at org.keycloak.models.utils.RepresentationToModel.importRoles(RepresentationToModel.java:504)
    at org.keycloak.partialimport.RolesPartialImport.doImport(RolesPartialImport.java:98)
    at org.keycloak.partialimport.PartialImportManager.saveResources(PartialImportManager.java:77)
    at org.keycloak.services.resources.admin.RealmAdminResource.partialImport(RealmAdminResource.java:1064)

I've observed that it is caused by importing a realm where a client has roles and some of them are default for that client. This results in creating a client with default roles first and then creating the roles. This fails as client creation is accompanied by creating default roles.

Perhaps it can be solved by making the argument "addDefaultRoles" in RepresentationToModel.createClient configurable from the partialImport. Currently it is always set to true (see ClientPartialImport.create).

Has anyone encountered that issue or maybe has a suggestion how to fix it?

PS: The workaround is to run partial import twice:
1. for clients only
2. for roles
but in my case it is not an option.

Regards,
Dariusz Chrząścik

CONFIDENTIALITY NOTICE
------------------------------------
This E-mail is intended only to be read or used by the addressee. The information contained in this E-mail message may be confidential information. If you are not the intended recipient, any use, interference with, distribution, disclosure or copying of this material is unauthorized and prohibited. Confidentiality attached to this communication is not waived or lost by reason of the mistaken delivery to you. If you have received this message in error, please delete it and notify us by return E-mail or telephone NOVOMATIC Technologies Poland S.A. +48 12 258 00 50. Any E-mail attachment may contain software viruses which could damage your own computer system. Whilst reasonable precaution has been taken to minimize this risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should therefore carry out your own virus checks before opening any attachments.
------------------------------------
NOVOMATIC Technologies Poland S.A., Poland, Krakowska 368, 32-080 Zabierzów

From dchrzascik at novomatic-tech.com Mon Oct 1 11:00:12 2018
From: dchrzascik at novomatic-tech.com (Dariusz Chrzascik)
Date: Mon, 01 Oct 2018 17:00:12 +0200
Subject: [keycloak-dev] Partial import - problem with client's default roles
In-Reply-To: <5BB2504102000086000C23E9@gwia-internal01.atsisa.com>
References: <5BB2504102000086000C23E9@gwia-internal01.atsisa.com>
Message-ID: <5BB2529C02000086000C23F4@gwia-internal01.atsisa.com>

+ realm definition

-------------- next part --------------
A non-text attachment was scrubbed...
Name: defaultRolesInClient.json
Type: application/octet-stream
Size: 1256 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-dev/attachments/20181001/43d5738c/attachment.obj

From oneal.kevin at gmail.com Mon Oct 1 21:05:29 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Mon, 1 Oct 2018 20:05:29 -0500
Subject: [keycloak-dev] Column Sorting

Is there any opposition to me adding column sorting? There is the ticket for it:
https://issues.jboss.org/browse/KEYCLOAK-4676

I've tested a solution that uses standard Angular ordering. I don't want to update all the tables if this is a feature that is not wanted.

Here is what one option of sorting would look like using Font-Awesome's chevron as the clickable item.
[image: image.png]
[image: image.png]

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 27122 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-dev/attachments/20181001/0ba54059/attachment-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image.png
Type: image/png
Size: 22330 bytes
Desc: not available
Url : http://lists.jboss.org/pipermail/keycloak-dev/attachments/20181001/0ba54059/attachment-0003.png

From nielsbne at gmail.com Tue Oct 2 02:24:20 2018
From: nielsbne at gmail.com (Niels Bertram)
Date: Tue, 2 Oct 2018 16:24:20 +1000
Subject: [keycloak-dev] Create "online session" from offline session

Hi devs,

we are trying to turn an offline session back into an "online session" for which we can generate cookies and send them to the client's browser.

I tried to create a user session with AuthenticationManager but for some reason the created session is not showing up as a proper one in the user account management section. Is there anything that needs to happen after this session is created to make it a normal user session?

    AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, offlineSession);

We have a mobile app that uses offline_access to create an "always logged in" experience for the app user. However, when we open an SSO-enabled website in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow the web page to initiate a successful pre-auth check.

We wrote a custom resource which we call in our WebView to "redirect" the user to an SSO-enabled site:

1. authenticate the user

    AuthResult auth = new AppAuthManager().authenticateBearerToken(session);

2. load a valid userSession

    UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());

3. create the session cookies

    AuthenticationManager.createLoginCookie(session, realm, user, userSession, ctx.getUri(), ctx.getConnection());

4. forward the user to the SSO-enabled website

5. the SSO-enabled website would do a normal pre-auth check with prompt=none

There was a similar conversation about the "lost" session in KEYCLOAK-4201, but that one did not go as far as creating a new session.

Anyone of you got any clever idea on how to "preload" a valid SSO session into a WebView?

Cheers,
Niels

PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3

From ssilvert at redhat.com Tue Oct 2 06:58:20 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Tue, 2 Oct 2018 06:58:20 -0400
Subject: [keycloak-dev] Column Sorting

If you have a PR for this we would welcome it. However, it might be quite a while before it can be merged into the code base because we are fast approaching an extended feature freeze.

Stan

On 10/1/2018 9:05 PM, KevinO wrote:
> Is there any opposition to me adding column sorting? There is the ticket for it:
> https://issues.jboss.org/browse/KEYCLOAK-4676
>
> I've tested a solution that uses standard Angular ordering. I don't want to update all the tables if this is a feature that is not wanted.
>
> Here is what one option of sorting would look like using Font-Awesome's chevron as the clickable item.
> [image: image.png]
> [image: image.png]

From mposolda at redhat.com Tue Oct 2 10:33:00 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 2 Oct 2018 16:33:00 +0200
Subject: [keycloak-dev] Create "online session" from offline session
Message-ID: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com>

I suggest using a flow like this:

1) Exchange the offline token for the 3 tokens, which will include the triplet of (access token, id token, offline token).

2) Then you can pass the just retrieved IDToken in the authentication request in the "id_token_hint" parameter.

3) Then you will need to create an Authenticator (see our docs/quickstarts for more details), which will be able to see if "id_token_hint" was sent and then verify this token and authenticate the user if it was ok. You can probably use some existing code from the IDToken introspection endpoint. If the parameter is not used, the authenticator can just be ignored during the authentication flow.

4) As the last step, you will need to add this authenticator to the browser authentication flow.

This will cause that if the IDToken is sent, it will be able to use it to authenticate the user and hence a new UserSessionModel (+cookies and all of this) will be properly created by Keycloak itself.

If you manage to make this work, we will be happy if you contribute it in a PR :) As this is described in the OIDC specification (see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ), but we don't yet implement it.

If you don't want to send a PR, you may implement it a bit easier and differently in a non-OIDC-standard way (e.g. pass the offline_token directly instead of the IDToken in step 2).

Marek

On 02/10/18 08:24, Niels Bertram wrote:
> Hi devs,
>
> we are trying to turn an offline session back into an "online session" for which we can generate cookies and send them to the client's browser.
>
> I tried to create a user session with AuthenticationManager but for some reason the created session is not showing up as a proper one in the user account management section. Is there anything that needs to happen after this session is created to make it a normal user session?
>
> AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, offlineSession);
>
> We have a mobile app that uses offline_access to create an "always logged in" experience for the app user. However, when we open an SSO-enabled website in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow the web page to initiate a successful pre-auth check.
>
> We wrote a custom resource which we call in our WebView to "redirect" the user to an SSO-enabled site:
>
> 1. authenticate the user
>
> AuthResult auth = new AppAuthManager().authenticateBearerToken(session);
>
> 2. load a valid userSession
>
> UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
>
> 3. create the session cookies
>
> AuthenticationManager.createLoginCookie(session, realm, user, userSession, ctx.getUri(), ctx.getConnection());
>
> 4. forward the user to the SSO-enabled website
>
> 5. the SSO-enabled website would do a normal pre-auth check with prompt=none
>
> There was a similar conversation about the "lost" session in KEYCLOAK-4201, but that one did not go as far as creating a new session.
>
> Anyone of you got any clever idea on how to "preload" a valid SSO session into a WebView?
>
> Cheers,
> Niels
>
> PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3

From nielsbne at gmail.com Tue Oct 2 11:15:05 2018
From: nielsbne at gmail.com (Niels Bertram)
Date: Wed, 3 Oct 2018 01:15:05 +1000
Subject: [keycloak-dev] Create "online session" from offline session
In-Reply-To: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com>
References: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com>

Thanks for the response Marek. I implemented a custom authenticator before so that makes total sense. The parts I am a bit worried about are:

a) the GET implementation would require us to send the IDToken unprotected in the URL (POST is fine)

b) a mobile app from which we want to initiate the "sign me in and then redirect me to another website" would effectively need to whitelist every possible URL that it can redirect to.

If I send a PR to latest Keycloak, any chance that can be patched into the current or next version of RH-SSO?

Cheers,
Niels

On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda wrote:

> I suggest using a flow like this:
> 1) Exchange the offline token for the 3 tokens, which will include the triplet of (access token, id token, offline token).
>
> 2) Then you can pass the just retrieved IDToken in the authentication request in the "id_token_hint" parameter.
>
> 3) Then you will need to create an Authenticator (see our docs/quickstarts for more details), which will be able to see if "id_token_hint" was sent and then verify this token and authenticate the user if it was ok. You can probably use some existing code from the IDToken introspection endpoint. If the parameter is not used, the authenticator can just be ignored during the authentication flow.
>
> 4) As the last step, you will need to add this authenticator to the browser authentication flow.
>
> This will cause that if the IDToken is sent, it will be able to use it to authenticate the user and hence a new UserSessionModel (+cookies and all of this) will be properly created by Keycloak itself.
>
> If you manage to make this work, we will be happy if you contribute it in a PR :) As this is described in the OIDC specification (see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ), but we don't yet implement it.
>
> If you don't want to send a PR, you may implement it a bit easier and differently in a non-OIDC-standard way (e.g. pass the offline_token directly instead of the IDToken in step 2).
>
> Marek
>
> On 02/10/18 08:24, Niels Bertram wrote:
> > Hi devs,
> >
> > we are trying to turn an offline session back into an "online session" for which we can generate cookies and send them to the client's browser.
> >
> > I tried to create a user session with AuthenticationManager but for some reason the created session is not showing up as a proper one in the user account management section. Is there anything that needs to happen after this session is created to make it a normal user session?
> >
> > AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, offlineSession);
> >
> > We have a mobile app that uses offline_access to create an "always logged in" experience for the app user. However, when we open an SSO-enabled website in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow the web page to initiate a successful pre-auth check.
> >
> > We wrote a custom resource which we call in our WebView to "redirect" the user to an SSO-enabled site:
> >
> > 1. authenticate the user
> >
> > AuthResult auth = new AppAuthManager().authenticateBearerToken(session);
> >
> > 2. load a valid userSession
> >
> > UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
> >
> > 3. create the session cookies
> >
> > AuthenticationManager.createLoginCookie(session, realm, user, userSession, ctx.getUri(), ctx.getConnection());
> >
> > 4. forward the user to the SSO-enabled website
> >
> > 5. the SSO-enabled website would do a normal pre-auth check with prompt=none
> >
> > There was a similar conversation about the "lost" session in KEYCLOAK-4201, but that one did not go as far as creating a new session.
> >
> > Anyone of you got any clever idea on how to "preload" a valid SSO session into a WebView?
> >
> > Cheers,
> > Niels
> >
> > PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3

From mposolda at redhat.com Tue Oct 2 15:25:34 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Tue, 2 Oct 2018 21:25:34 +0200
Subject: [keycloak-dev] PR for adding 'roles' and 'web-origins' client scopes

I've sent PR https://github.com/keycloak/keycloak/pull/5602 .
Summary of changes:

- The roles and allowed-origins are not added automatically to the access tokens now. Instead, the PR introduces 2 default client scopes, 'roles' and 'web-origins', which add them.
- Client scope 'web-origins' adds allowed-origins to the access token similarly to how it was before. So the only advantage is that it is possible to remove the clientScope/protocolMapper if you don't need web origins in the token.
- Client scope 'roles' contains protocol mappers for adding roles to the access tokens. By default, they are added to the claims "realm_access" and "resource_access" exactly as it was before. However, it is easier to move them to completely different claims. The PR doesn't introduce a new protocol mapper implementation for roles, but uses the existing implementations UserRealmRoleMappingMapper and UserClientRoleMappingMapper. As a side-effect, it fixes some bug in those mappers claimed by many community users - https://issues.jboss.org/browse/KEYCLOAK-5259
- The PR introduces a new protocol mapper implementation AudienceResolveProtocolMapper, which adds the audience of all the clients for which at least one client role is available in the token. This is added by default to the 'roles' client scope.
- There is a new switch "Include in Token Scope" on the Client Scope. It is applicable only for OIDC clients. When it is off, the client scope is not added to the "scope" in the access token. It is used for both 'roles' and 'web-origins' scopes, so those are not in the token by default now.
- There is some minor addition to the ProtocolMapper SPI. Protocol mapper implementations have a "priority" now. This is needed so that it is ensured that, for example, we first "compute" the roles to be put in the token (including composite roles etc.), then eventually add/move some roles through HardcodedRoleMapper or RoleNameMapper, then figure out the audiences and finally move the roles to the proper place in the token (which is not necessarily hardcoded to the "realm_access" and "resource_access" claims as it was before).
- Migration is handled, so that the 'roles' and 'web-origins' scopes are automatically added during migration and they are added to all the OIDC confidential/public clients.

WDYT?

Marek

From mposolda at redhat.com Wed Oct 3 03:10:31 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 Oct 2018 09:10:31 +0200
Subject: [keycloak-dev] Create "online session" from offline session
References: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com>

On 02/10/18 17:15, Niels Bertram wrote:
> Thanks for the response Marek. I implemented a custom authenticator before so that makes total sense. The parts I am a bit worried about are:
>
> a) the GET implementation would require us to send the IDToken unprotected in the URL (POST is fine)

I see. This makes sense and we support sending a POST request to the initial Authentication endpoint. Maybe you can add a flag to the authenticator like "Allow POST method only" to specify if it accepts just POST or allows both POST and GET? The flag can be set to ON by default (hence accept only POST).

> b) a mobile app from which we want to initiate the "sign me in and then redirect me to another website" would effectively need to whitelist every possible URL that it can redirect to.
>
> If I send a PR to latest Keycloak, any chance that can be patched into the current or next version of RH-SSO?

Yes, once the PR is accepted, it always goes to the latest Keycloak upstream and latest Keycloak always "turns" after some time into RH-SSO. Some details about this: https://www.keycloak.org/support.html .
Just a note that we're close to feature freeze for Keycloak 4.x (RHSSO 7.3), so if you want it in RHSSO 7.3, you need to be a bit quick though :) And even then no guarantee as we will need some time for PR review etc.

Marek

> Cheers,
> Niels
>
> On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda wrote:
>
> I suggest using a flow like this:
> 1) Exchange the offline token for the 3 tokens, which will include the triplet of (access token, id token, offline token).
>
> 2) Then you can pass the just retrieved IDToken in the authentication request in the "id_token_hint" parameter.
>
> 3) Then you will need to create an Authenticator (see our docs/quickstarts for more details), which will be able to see if "id_token_hint" was sent and then verify this token and authenticate the user if it was ok. You can probably use some existing code from the IDToken introspection endpoint. If the parameter is not used, the authenticator can just be ignored during the authentication flow.
>
> 4) As the last step, you will need to add this authenticator to the browser authentication flow.
>
> This will cause that if the IDToken is sent, it will be able to use it to authenticate the user and hence a new UserSessionModel (+cookies and all of this) will be properly created by Keycloak itself.
>
> If you manage to make this work, we will be happy if you contribute it in a PR :) As this is described in the OIDC specification (see https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ), but we don't yet implement it.
>
> If you don't want to send a PR, you may implement it a bit easier and differently in a non-OIDC-standard way (e.g. pass the offline_token directly instead of the IDToken in step 2).
>
> Marek
>
> On 02/10/18 08:24, Niels Bertram wrote:
> > Hi devs,
> >
> > we are trying to turn an offline session back into an "online session" for which we can generate cookies and send them to the client's browser.
> >
> > I tried to create a user session with AuthenticationManager but for some reason the created session is not showing up as a proper one in the user account management section. Is there anything that needs to happen after this session is created to make it a normal user session?
> >
> > AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, offlineSession);
> >
> > We have a mobile app that uses offline_access to create an "always logged in" experience for the app user. However, when we open an SSO-enabled website in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow the web page to initiate a successful pre-auth check.
> >
> > We wrote a custom resource which we call in our WebView to "redirect" the user to an SSO-enabled site:
> >
> > 1. authenticate the user
> >
> > AuthResult auth = new AppAuthManager().authenticateBearerToken(session);
> >
> > 2. load a valid userSession
> >
> > UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState());
> >
> > 3. create the session cookies
> >
> > AuthenticationManager.createLoginCookie(session, realm, user, userSession, ctx.getUri(), ctx.getConnection());
> >
> > 4. forward the user to the SSO-enabled website
> >
> > 5. the SSO-enabled website would do a normal pre-auth check with prompt=none
> >
> > There was a similar conversation about the "lost" session in KEYCLOAK-4201, but that one did not go as far as creating a new session.
> >
> > Anyone of you got any clever idea on how to "preload" a valid SSO session into a WebView?
> >
> > Cheers,
> > Niels
> >
> > PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3

From sthorger at redhat.com Wed Oct 3 03:23:02 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 3 Oct 2018 09:23:02 +0200
Subject: [keycloak-dev] Column Sorting

For tables that support pagination it isn't as trivial as adding sort on the client side. The sort then has to be done on the server side. A lot of tables either already do pagination or should do in the future.

On Tue, 2 Oct 2018, 12:59 Stan Silvert, wrote:

> If you have a PR for this we would welcome it. However, it might be quite a while before it can be merged into the code base because we are fast approaching an extended feature freeze.
>
> Stan
>
> On 10/1/2018 9:05 PM, KevinO wrote:
> > Is there any opposition to me adding column sorting? There is the ticket for it:
> > https://issues.jboss.org/browse/KEYCLOAK-4676
> >
> > I've tested a solution that uses standard Angular ordering. I don't want to update all the tables if this is a feature that is not wanted.
> >
> > Here is what one option of sorting would look like using Font-Awesome's chevron as the clickable item.
> > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev

From sthorger at redhat.com Wed Oct 3 03:39:19 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Wed, 3 Oct 2018 09:39:19 +0200 Subject: [keycloak-dev] Create "online session" from offline session In-Reply-To: References: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com> Message-ID: I'm not quite convinced about this approach. Firstly it seems like a workaround. Offline sessions are designed for applications that want to have access when the user is not around. Not for a "permanent" log-in. I would rather consider options that allow different SSO session expiration depending on device type (or initiating client) for instance. Once you have an SSO session in the system browser on the phone you can use an in-app browser tab to enable SSO to all apps, or you can do it for individual apps by not using the system browser. Secondly authenticating with id_token_hint is scary. For example a less trusted application could then use the ID token to authenticate as the user behind the covers and have access to everything the user has access to rather than the limited scope that it should have. On Wed, 3 Oct 2018 at 09:11, Marek Posolda wrote: > On 02/10/18 17:15, Niels Bertram wrote: > > Thanks for the response Marek. I implemented a custom authenticator > > before so that makes all total sense. The parts I am a bit worried > > about is: > > > > a) the GET implementation would require use to send the IDToken > > unprotected in the URL (POST is fine) > I see. This makes sense and we support sending POST request to the > initial Authentication endpoint.
Maybe you can add a flag to the > authenticator like "Allow POST method only" to specify if it accepts > just POST or allow both POST and GET? Flag can be set to ON by default > (hence accept only POST). > > > > b) a mobile app from which we want to initiate the "sign me in and > > then redirect me to another website" would effectively need to > > whitelist every possible URL that it can redirect to. > > > > If I send a PR to latest Keycloak, any chance that can be patched into > > current or next version of RH-SSO? > Yes, once the PR is accepted, it always go to the latest Keycloak > upstream and latest Keycloak always "turns" after some time to RH-SSO. > Some details about this https://www.keycloak.org/support.html . > > Just a note that we're close to feature freeze for Keycloak 4.x (RHSSO > 7.3), so if you want it in RHSSO 7.3, you need to be a bit quick though > :) And even then no guarantee as we will need some time for PR review etc. > > Marek > > > > Cheers, > > Niels > > > > On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda > > wrote: > > > > I suggest to use the flow like this: > > 1) Exchange the offline token for the 3 tokens, which will include > > the > > triplet of (access token, id token, offline token). > > > > 2) Then you can pass the just retrieved IDToken in the authentication > > request in the "id_token_hint" parameter. > > > > 3) Then you will need to create Authenticator (see our > > docs/quickstarts > > for more details), which will be able to see if "id_token_hint" > > was sent > > and then verify this token and authenticate user if it was ok. You > > can > > probably use some existing code from IDToken introspection > > endpoint. If > > parameter is not used, authenticator can be just ignored during the > > authentication flow. > > > > 4) As last step, you will need to add this authenticator to the > > browser > > authentication flow. 
> > > > This will cause that if IDToken is sent, it will be able to use it to > > authenticate the user and hence new UserSessionModel (+cookies and > > all > > of this) will be properly created by Keycloak itself. > > > > If you manage to make this working, we will be happy if you > > contribute > > it in the PR :) As this is described in the OIDC specification (see > > https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest > > ), but > > we don't yet implement it. > > > > If you don't want to send PR, you may implement it a bit easier and > > differently in a non-OIDC standard way (EG. pass the offline_token > > directly instead of IDToken in step 2). > > > > Marek > > > > On 02/10/18 08:24, Niels Bertram wrote: > > > Hi devs, > > > > > > we are trying to turn an offline session back into an "online > > session" for > > > which we can generate cookies and send them to the clients browser. > > > > > > I tried to create a user session with AuthenticationManager but > > for some > > > reason the created session is not showing up as a proper in the > user > > > account management section. Is there anything that needs to > > happen after > > > this session is created to make it a normal user session? > > > > > > AuthenticatedClientSessionModel clientSession = > > > session.sessions().createClientSession(realm, client, > > offlineSession); > > > > > > We have a mobile app that uses offline_access to create an > > "always logged" > > > in experience for the app user. However when we open a > > SSO-enabled website > > > in the app (WebView), there is no KEYCLOAK_SESSION cookie to > > allow the web > > > page to initiate a successful pre-auth check. > > > > > > We wrote a custom resource which we call in our webview to > > "redirect" the > > > user to an SSO enabled site: > > > > > > 1. authenticate the user > > > > > > AuthResult auth = new > > AppAuthManager().authenticateBearerToken(session) > > > > > > 2. 
load a valid userSession > > > > > > UserSessionModel userSession = > > session.sessions().getUserSession(realm, > > > token.getSessionState()); > > > > > > 3. create the session cookies > > > > > > AuthenticationManager.createLoginCookie(session, realm, user, > > userSession, > > > ctx.getUri(), ctx.getConnection()); > > > > > > 4. forward the user to the SSO enabled website > > > > > > 5. SSO enabled website would do a normal pre-auth check with > > prompt=none > > > > > > There was a similar conversation about the "lost" session in > > KEYCLOAK-4201 > > > , but that one did > > not go as > > > far as creating a new session. > > > > > > Anyone of you got any clever idea on how do "preload" a valid > > SSO session > > > into a WebView? > > > > > > Cheers, > > > Niels > > > > > > PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3 > > > _______________________________________________ > > > keycloak-dev mailing list > > > keycloak-dev at lists.jboss.org > > > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > From upendra.shyam.gupta at accenture.com Wed Oct 3 04:56:50 2018 From: upendra.shyam.gupta at accenture.com (Shyam Gupta, Upendra) Date: Wed, 3 Oct 2018 08:56:50 +0000 Subject: [keycloak-dev] [External] keycloak-dev Digest, Vol 64, Issue 3 In-Reply-To: References: Message-ID: Hi Team , We have done standalone configuration , but we are struggling with Domain Cluster mode . We have Angular JS Application ,we have LB in front of key cloak could you please suggest or guide how configuration should be done . Also may use autoscaling in our production Environment ,please suggest is Domain Cluster Mode suitable for this and if yes how to configure it . 
Thanks , Upendra +91 9765552818 -----Original Message----- From: keycloak-dev-bounces at lists.jboss.org On Behalf Of keycloak-dev-request at lists.jboss.org Sent: Wednesday, October 3, 2018 12:41 PM To: keycloak-dev at lists.jboss.org Subject: [External] keycloak-dev Digest, Vol 64, Issue 3 Send keycloak-dev mailing list submissions to keycloak-dev at lists.jboss.org To subscribe or unsubscribe via the World Wide Web, visit https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_mailman_listinfo_keycloak-2Ddev&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3yW0mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=vtPzZKTG6Ju-WczYEuZ1TJP2HOV-5yvr7Kv5ajKy8gg&e= or, via email, send a message with subject or body 'help' to keycloak-dev-request at lists.jboss.org You can reach the person managing the list at keycloak-dev-owner at lists.jboss.org When replying, please edit your Subject line so it is more specific than "Re: Contents of keycloak-dev digest..." Today's Topics: 1. Create "online session" from offline session (Niels Bertram) 2. Re: Column Sorting (Stan Silvert) 3. Re: Create "online session" from offline session (Marek Posolda) 4. Re: Create "online session" from offline session (Niels Bertram) 5. PR for adding 'roles' and 'web-origins' client scopes (Marek Posolda) 6. Re: Create "online session" from offline session (Marek Posolda) ---------------------------------------------------------------------- Message: 1 Date: Tue, 2 Oct 2018 16:24:20 +1000 From: Niels Bertram Subject: [keycloak-dev] Create "online session" from offline session To: keycloak-dev Message-ID: Content-Type: text/plain; charset="UTF-8" Hi devs, we are trying to turn an offline session back into an "online session" for which we can generate cookies and send them to the clients browser. 
I tried to create a user session with AuthenticationManager but for some reason the created session is not showing up as a proper in the user account management section. Is there anything that needs to happen after this session is created to make it a normal user session? AuthenticatedClientSessionModel clientSession = session.sessions().createClientSession(realm, client, offlineSession); We have a mobile app that uses offline_access to create an "always logged" in experience for the app user. However when we open a SSO-enabled website in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow the web page to initiate a successful pre-auth check. We wrote a custom resource which we call in our webview to "redirect" the user to an SSO enabled site: 1. authenticate the user AuthResult auth = new AppAuthManager().authenticateBearerToken(session) 2. load a valid userSession UserSessionModel userSession = session.sessions().getUserSession(realm, token.getSessionState()); 3. create the session cookies AuthenticationManager.createLoginCookie(session, realm, user, userSession, ctx.getUri(), ctx.getConnection()); 4. forward the user to the SSO enabled website 5. SSO enabled website would do a normal pre-auth check with prompt=none There was a similar conversation about the "lost" session in KEYCLOAK-4201 , but that one did not go as far as creating a new session. Anyone of you got any clever idea on how do "preload" a valid SSO session into a WebView? Cheers, Niels PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3 ------------------------------ Message: 2 Date: Tue, 2 Oct 2018 06:58:20 -0400 From: Stan Silvert Subject: Re: [keycloak-dev] Column Sorting To: keycloak-dev at lists.jboss.org Message-ID: Content-Type: text/plain; charset=utf-8; format=flowed If you have a PR for this we would welcome it.? However, it might be quite awhile before it can be merged into the code base because we are fast approaching an extended feature freeze. 
Stan On 10/1/2018 9:05 PM, KevinO wrote: > Is there any opposition to me adding column sorting? There is the > ticket for it: > https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.jboss.org_ > browse_KEYCLOAK-2D4676&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8Irw > NKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3yW0mrWqin > gS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=GXdUVsHcO0O5XcZ7E > 1ivVWk_t-E1Wdgf3ThuAK6Ldvk&e= > > I've tested a solution that uses standard angular ordering. I don't > want to update all the tables if this is a feature that is not wanted. > > Here is what one option of sorting would look like using Font-Awesoms > chevron as the clickable item. > [image: image.png] > [image: image.png] > > > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_m > ailman_listinfo_keycloak-2Ddev&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nO > HrUK8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3y > W0mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=vtPzZKTG6 > Ju-WczYEuZ1TJP2HOV-5yvr7Kv5ajKy8gg&e= ------------------------------ Message: 3 Date: Tue, 2 Oct 2018 16:33:00 +0200 From: Marek Posolda Subject: Re: [keycloak-dev] Create "online session" from offline session To: Niels Bertram ,keycloak-dev Message-ID: <0ca41d60-abd2-f716-91ae-9ac0ba00444d at redhat.com> Content-Type: text/plain; charset=utf-8; format=flowed I suggest to use the flow like this: 1) Exchange the offline token for the 3 tokens, which will include the triplet of (access token, id token, offline token). 2) Then you can pass the just retrieved IDToken in the authentication request in the "id_token_hint" parameter. 3) Then you will need to create Authenticator (see our docs/quickstarts for more details), which will be able to see if "id_token_hint" was sent and then verify this token and authenticate user if it was ok. 
You can probably use some existing code from IDToken introspection endpoint. If parameter is not used, authenticator can be just ignored during the authentication flow. 4) As last step, you will need to add this authenticator to the browser authentication flow. This will cause that if IDToken is sent, it will be able to use it to authenticate the user and hence new UserSessionModel (+cookies and all of this) will be properly created by Keycloak itself. If you manage to make this working, we will be happy if you contribute it in the PR :) As this is described in the OIDC specification (see https://urldefense.proofpoint.com/v2/url?u=https-3A__openid.net_specs_openid-2Dconnect-2Dcore-2D1-5F0.html-23AuthRequest&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3yW0mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=WMK8NemyUzNtZIsMw_iLiVxqx9cKk4FCx2FM4hu00KI&e= ), but we don't yet implement it. If you don't want to send PR, you may implement it a bit easier and differently in a non-OIDC standard way (EG. pass the offline_token directly instead of IDToken in step 2). Marek On 02/10/18 08:24, Niels Bertram wrote: > Hi devs, > > we are trying to turn an offline session back into an "online session" > for which we can generate cookies and send them to the clients browser. > > I tried to create a user session with AuthenticationManager but for > some reason the created session is not showing up as a proper in the > user account management section. Is there anything that needs to > happen after this session is created to make it a normal user session? > > AuthenticatedClientSessionModel clientSession = > session.sessions().createClientSession(realm, client, offlineSession); > > We have a mobile app that uses offline_access to create an "always logged" > in experience for the app user. 
However when we open a SSO-enabled > website in the app (WebView), there is no KEYCLOAK_SESSION cookie to > allow the web page to initiate a successful pre-auth check. > > We wrote a custom resource which we call in our webview to "redirect" > the user to an SSO enabled site: > > 1. authenticate the user > > AuthResult auth = new > AppAuthManager().authenticateBearerToken(session) > > 2. load a valid userSession > > UserSessionModel userSession = > session.sessions().getUserSession(realm, > token.getSessionState()); > > 3. create the session cookies > > AuthenticationManager.createLoginCookie(session, realm, user, > userSession, ctx.getUri(), ctx.getConnection()); > > 4. forward the user to the SSO enabled website > > 5. SSO enabled website would do a normal pre-auth check with > prompt=none > > There was a similar conversation about the "lost" session in > KEYCLOAK-4201 > , but that one did not go as far as creating a new session. > > Anyone of you got any clever idea on how do "preload" a valid SSO > session into a WebView? > > Cheers, > Niels > > PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3 > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org_m > ailman_listinfo_keycloak-2Ddev&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nO > HrUK8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3y > W0mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=vtPzZKTG6 > Ju-WczYEuZ1TJP2HOV-5yvr7Kv5ajKy8gg&e= ------------------------------ Message: 4 Date: Wed, 3 Oct 2018 01:15:05 +1000 From: Niels Bertram Subject: Re: [keycloak-dev] Create "online session" from offline session To: Marek Posolda Cc: keycloak-dev Message-ID: Content-Type: text/plain; charset="UTF-8" Thanks for the response Marek. I implemented a custom authenticator before so that makes all total sense. 
The parts I am a bit worried about is: a) the GET implementation would require use to send the IDToken unprotected in the URL (POST is fine) b) a mobile app from which we want to initiate the "sign me in and then redirect me to another website" would effectively need to whitelist every possible URL that it can redirect to. If I send a PR to latest Keycloak, any chance that can be patched into current or next version of RH-SSO? Cheers, Niels On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda wrote: > I suggest to use the flow like this: > 1) Exchange the offline token for the 3 tokens, which will include the > triplet of (access token, id token, offline token). > > 2) Then you can pass the just retrieved IDToken in the authentication > request in the "id_token_hint" parameter. > > 3) Then you will need to create Authenticator (see our > docs/quickstarts for more details), which will be able to see if > "id_token_hint" was sent and then verify this token and authenticate > user if it was ok. You can probably use some existing code from > IDToken introspection endpoint. If parameter is not used, > authenticator can be just ignored during the authentication flow. > > 4) As last step, you will need to add this authenticator to the > browser authentication flow. > > This will cause that if IDToken is sent, it will be able to use it to > authenticate the user and hence new UserSessionModel (+cookies and all > of this) will be properly created by Keycloak itself. > > If you manage to make this working, we will be happy if you contribute > it in the PR :) As this is described in the OIDC specification (see > https://urldefense.proofpoint.com/v2/url?u=https-3A__openid.net_specs_ > openid-2Dconnect-2Dcore-2D1-5F0.html-23AuthRequest&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3yW0mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=WMK8NemyUzNtZIsMw_iLiVxqx9cKk4FCx2FM4hu00KI&e= ), but we don't yet implement it. 
> > If you don't want to send PR, you may implement it a bit easier and > differently in a non-OIDC standard way (EG. pass the offline_token > directly instead of IDToken in step 2). > > Marek > > On 02/10/18 08:24, Niels Bertram wrote: > > Hi devs, > > > > we are trying to turn an offline session back into an "online session" > for > > which we can generate cookies and send them to the clients browser. > > > > I tried to create a user session with AuthenticationManager but for > > some reason the created session is not showing up as a proper in the > > user account management section. Is there anything that needs to > > happen after this session is created to make it a normal user session? > > > > AuthenticatedClientSessionModel clientSession = > > session.sessions().createClientSession(realm, client, > > offlineSession); > > > > We have a mobile app that uses offline_access to create an "always > logged" > > in experience for the app user. However when we open a SSO-enabled > website > > in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow > > the > web > > page to initiate a successful pre-auth check. > > > > We wrote a custom resource which we call in our webview to > > "redirect" the user to an SSO enabled site: > > > > 1. authenticate the user > > > > AuthResult auth = new > > AppAuthManager().authenticateBearerToken(session) > > > > 2. load a valid userSession > > > > UserSessionModel userSession = > > session.sessions().getUserSession(realm, > > token.getSessionState()); > > > > 3. create the session cookies > > > > AuthenticationManager.createLoginCookie(session, realm, user, > userSession, > > ctx.getUri(), ctx.getConnection()); > > > > 4. forward the user to the SSO enabled website > > > > 5. 
SSO enabled website would do a normal pre-auth check with > > prompt=none > > > > There was a similar conversation about the "lost" session in > KEYCLOAK-4201 > > > rg_browse_KEYCLOAK-2D420&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK > > 8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3yW0 > > mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=ZMc4ZmEk4 > > 8Nmomy36jvaoA3dXdGc4akKoAsKI8KSkuE&e=>, but that one did not go > as > > far as creating a new session. > > > > Anyone of you got any clever idea on how do "preload" a valid SSO > > session into a WebView? > > > > Cheers, > > Niels > > > > PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3 > > _______________________________________________ > > keycloak-dev mailing list > > keycloak-dev at lists.jboss.org > > https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.jboss.org > > _mailman_listinfo_keycloak-2Ddev&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJv > > U8nOHrUK8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbE > > LXY-3yW0mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=v > > tPzZKTG6Ju-WczYEuZ1TJP2HOV-5yvr7Kv5ajKy8gg&e= > > > ------------------------------ Message: 5 Date: Tue, 2 Oct 2018 21:25:34 +0200 From: Marek Posolda Subject: [keycloak-dev] PR for adding 'roles' and 'web-origins' client scopes To: "keycloak-dev at lists.jboss.org" Message-ID: Content-Type: text/plain; charset=utf-8; format=flowed I've sent PR https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_keycloak_keycloak_pull_5602&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3yW0mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=huhPyNGMhgYLHNSqmXb0f9btGuvjClSYAeXGkDPCHbg&e= . Summary of changes: - The roles and allowed-origins are not added automatically to the access tokens now. 
Instead of it, the PR introduces 2 default client scopes: 'roles' and 'web-origins' which adds them - Client scope 'web-origins' adds allowed-origins to the access token similarly like it was before. So the only advantage is, that it is possible to remove clientScope/protocolMapper if you don't need web origins in the token - Client scope 'roles' contains protocol mappers for add roles to the access tokens. By default, they are added to the claims "realm_access" and "resource_access" exactly as it was before. However it is easier to move to completely different claims. The PR doesn't introduce new protocol mapper implementation for roles, but uses the existing implementations UserRealmRoleMappingMapper and UserClientRoleMappingMapper. As a side-effect, it fixes some bug in those mappers claimed by many community users - https://urldefense.proofpoint.com/v2/url?u=https-3A__issues.jboss.org_browse_KEYCLOAK-2D5259&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3yW0mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=Uqws8bxoWQneaU68lkcYgV55vGM8jQMwXLZJD0KbxL0&e= - PR introduces new protocol mapper implementation AudienceResolveProtocolMapper, which adds audience of all the clients, for which at least one client role is available in the token. This is added by default to the 'roles' client scope - There is new switch "Include in Token Scope" on the Client Scope. It is applicable only for OIDC clients. When it is off, the client scope is not added to the "scope" in the access token. It is used for both 'roles' and 'web-origins' scopes, so those are not in the token by default now. - There is some minor addition to ProtocolMapper SPI. Protocol mapper implementations has "priority" now. 
This is needed, so that it is ensured that for example we first "compute" the roles to be put in the token (including composite roles etc), then eventually add/move some roles through HardcodedRoleMapper or RoleNameMapper, then figure the audiences and finally move the roles to proper place in the token (which is not necessarily hardcoded to "realm_access" and "resource_access" claims as it was before). - Migration is handled, so that 'roles' and 'web-origins' scopes are automatically added during migration and they are added to all the OIDC confidential/public clients. WDYT? Marek ------------------------------ Message: 6 Date: Wed, 3 Oct 2018 09:10:31 +0200 From: Marek Posolda Subject: Re: [keycloak-dev] Create "online session" from offline session To: Niels Bertram Cc: keycloak-dev Message-ID: Content-Type: text/plain; charset=utf-8; format=flowed On 02/10/18 17:15, Niels Bertram wrote: > Thanks for the response Marek. I implemented a custom authenticator > before so that makes all total sense. The parts I am a bit worried > about is: > > a) the GET implementation would require use to send the IDToken > unprotected in the URL (POST is fine) I see. This makes sense and we support sending POST request to the initial Authentication endpoint. Maybe you can add a flag to the authenticator like "Allow POST method only" to specify if it accepts just POST or allow both POST and GET? Flag can be set to ON by default (hence accept only POST). > > b) a mobile app from which we want to initiate the "sign me in and > then redirect me to another website" would effectively need to > whitelist every possible URL that it can redirect to. > > If I send a PR to latest Keycloak, any chance that can be patched into > current or next version of RH-SSO? Yes, once the PR is accepted, it always go to the latest Keycloak upstream and latest Keycloak always "turns" after some time to RH-SSO. 
Some details about this https://urldefense.proofpoint.com/v2/url?u=https-3A__www.keycloak.org_support.html&d=DwICAg&c=eIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU&r=0u41OaohNycTZQOwnnZYNmvujL8_9c9Upx3kK2RlVGifbELXY-3yW0mrWqingS7U&m=iRh6nEotbfKHFIXI9A54mn8mX9WnOFa1RLKMlXDQAjk&s=mo48y52DsFKg-uYJ25AIz8dEdVT7LwYWXUh6Hr6snE0&e= . Just a note that we're close to feature freeze for Keycloak 4.x (RHSSO 7.3), so if you want it in RHSSO 7.3, you need to be a bit quick though :) And even then no guarantee as we will need some time for PR review etc. Marek > > Cheers, > Niels > > On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda > wrote: > > I suggest to use the flow like this: > 1) Exchange the offline token for the 3 tokens, which will include > the > triplet of (access token, id token, offline token). > > 2) Then you can pass the just retrieved IDToken in the authentication > request in the "id_token_hint" parameter. > > 3) Then you will need to create Authenticator (see our > docs/quickstarts > for more details), which will be able to see if "id_token_hint" > was sent > and then verify this token and authenticate user if it was ok. You > can > probably use some existing code from IDToken introspection > endpoint. If > parameter is not used, authenticator can be just ignored during the > authentication flow. > > 4) As last step, you will need to add this authenticator to the > browser > authentication flow. > > This will cause that if IDToken is sent, it will be able to use it to > authenticate the user and hence new UserSessionModel (+cookies and > all > of this) will be properly created by Keycloak itself. 
> > If you manage to make this working, we will be happy if you contribute
> > it in the PR :) As this is described in the OIDC specification (see
> > https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ), but
> > we don't yet implement it.
> >
> > If you don't want to send a PR, you may implement it a bit easier and
> > differently in a non-OIDC standard way (EG. pass the offline_token
> > directly instead of the IDToken in step 2).
> >
> > Marek
> >
> > On 02/10/18 08:24, Niels Bertram wrote:
> > > [...]

------------------------------

_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

End of keycloak-dev Digest, Vol 64, Issue 3
*******************************************

________________________________

This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise confidential information. If you have
received it in error, please notify the sender immediately and delete the
original. Any other use of the e-mail by you is prohibited. Where allowed
by local law, electronic communications with Accenture and its affiliates,
including e-mail and instant messaging (including content), may be scanned
by our systems for the purposes of information security and assessment of
internal compliance with Accenture policy. Your privacy is important to us.
Accenture uses your personal data only in compliance with data protection
laws. For further information on how Accenture processes your personal
data, please see our privacy statement at
https://www.accenture.com/us-en/privacy-policy.

______________________________________________________________________________________

www.accenture.com

From sthorger at redhat.com  Wed Oct  3 07:39:38 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 3 Oct 2018 13:39:38 +0200
Subject: [keycloak-dev] [External] keycloak-dev Digest, Vol 64, Issue 3

Please use the user mailing list (keycloak-user at lists.jboss.org) for general
questions and help. The developer mailing list is dedicated to discussing
development of Keycloak itself, including contributions.

On Wed, 3 Oct 2018 at 12:09, Shyam Gupta, Upendra <
upendra.shyam.gupta at accenture.com> wrote:

> Hi Team,
> We have done standalone configuration, but we are struggling with Domain
> Cluster mode.
> We have an Angular JS application; we have an LB in front of Keycloak. Could
> you please suggest or guide how the configuration should be done.
> Also we may use autoscaling in our production environment; please suggest
> whether Domain Cluster Mode is suitable for this and, if yes, how to
> configure it.
>
> Thanks,
> Upendra
> +91 9765552818
>
> -----Original Message-----
> From: keycloak-dev-bounces at lists.jboss.org <
> keycloak-dev-bounces at lists.jboss.org> On Behalf Of
> keycloak-dev-request at lists.jboss.org
> Sent: Wednesday, October 3, 2018 12:41 PM
> To: keycloak-dev at lists.jboss.org
> Subject: [External] keycloak-dev Digest, Vol 64, Issue 3
>
> Send keycloak-dev mailing list submissions to
> keycloak-dev at lists.jboss.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> or, via email, send a message with subject or body 'help' to
> keycloak-dev-request at lists.jboss.org
>
> You can reach the person managing the list at
> keycloak-dev-owner at lists.jboss.org
>
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of keycloak-dev digest..."
>
>
> Today's Topics:
>
>    1. Create "online session" from offline session (Niels Bertram)
>    2. Re: Column Sorting (Stan Silvert)
>    3. Re: Create "online session" from offline session (Marek Posolda)
>    4. Re: Create "online session" from offline session (Niels Bertram)
>    5. PR for adding 'roles' and 'web-origins' client scopes (Marek Posolda)
>    6. Re: Create "online session" from offline session (Marek Posolda)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 2 Oct 2018 16:24:20 +1000
> From: Niels Bertram
> Subject: [keycloak-dev] Create "online session" from offline session
> To: keycloak-dev
> Content-Type: text/plain; charset="UTF-8"
>
> Hi devs,
>
> we are trying to turn an offline session back into an "online session" for
> which we can generate cookies and send them to the client's browser.
>
> I tried to create a user session with AuthenticationManager but for some
> reason the created session is not showing up properly in the user
> account management section. Is there anything that needs to happen after
> this session is created to make it a normal user session?
>
> AuthenticatedClientSessionModel clientSession =
>     session.sessions().createClientSession(realm, client, offlineSession);
>
> We have a mobile app that uses offline_access to create an "always logged
> in" experience for the app user. However when we open an SSO-enabled website
> in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow the web
> page to initiate a successful pre-auth check.
>
> We wrote a custom resource which we call in our webview to "redirect" the
> user to an SSO enabled site:
>
> 1. authenticate the user
>
> AuthResult auth = new AppAuthManager().authenticateBearerToken(session);
>
> 2. load a valid userSession
>
> UserSessionModel userSession =
>     session.sessions().getUserSession(realm, token.getSessionState());
>
> 3. create the session cookies
>
> AuthenticationManager.createLoginCookie(session, realm, user, userSession,
>     ctx.getUri(), ctx.getConnection());
>
> 4. forward the user to the SSO enabled website
>
> 5. SSO enabled website would do a normal pre-auth check with prompt=none
>
> There was a similar conversation about the "lost" session in KEYCLOAK-4201
> <https://issues.jboss.org/browse/KEYCLOAK-420>, but that one did not go as
> far as creating a new session.
>
> Anyone of you got any clever idea on how to "preload" a valid SSO session
> into a WebView?
>
> Cheers,
> Niels
>
> PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3
>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 2 Oct 2018 06:58:20 -0400
> From: Stan Silvert
> Subject: Re: [keycloak-dev] Column Sorting
> To: keycloak-dev at lists.jboss.org
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> If you have a PR for this we would welcome it. However, it might be quite
> a while before it can be merged into the code base because we are fast
> approaching an extended feature freeze.
>
> Stan
>
> On 10/1/2018 9:05 PM, KevinO wrote:
> > Is there any opposition to me adding column sorting? There is the
> > ticket for it:
> > https://issues.jboss.org/browse/KEYCLOAK-4676
> >
> > I've tested a solution that uses standard angular ordering. I don't
> > want to update all the tables if this is a feature that is not wanted.
> >
> > Here is what one option of sorting would look like using Font-Awesome's
> > chevron as the clickable item.
> >
> > [image: image.png]
> > [image: image.png]
>
>
> ------------------------------
>
> Message: 3
> Date: Tue, 2 Oct 2018 16:33:00 +0200
> From: Marek Posolda
> Subject: Re: [keycloak-dev] Create "online session" from offline session
> To: Niels Bertram, keycloak-dev
> Message-ID: <0ca41d60-abd2-f716-91ae-9ac0ba00444d at redhat.com>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> I suggest to use the flow like this:
> 1) Exchange the offline token for the 3 tokens, which will include the
> triplet of (access token, id token, offline token).
>
> 2) Then you can pass the just retrieved IDToken in the authentication
> request in the "id_token_hint" parameter.
>
> 3) Then you will need to create an Authenticator (see our docs/quickstarts
> for more details), which will be able to see if "id_token_hint" was sent
> and then verify this token and authenticate the user if it was ok. You can
> probably use some existing code from the IDToken introspection endpoint. If
> the parameter is not used, the authenticator can be just ignored during the
> authentication flow.
>
> 4) As the last step, you will need to add this authenticator to the browser
> authentication flow.
>
> This will cause that if the IDToken is sent, it will be able to use it to
> authenticate the user and hence a new UserSessionModel (+cookies and all of
> this) will be properly created by Keycloak itself.
>
> If you manage to make this working, we will be happy if you contribute it
> in the PR :) As this is described in the OIDC specification (see
> https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ), but
> we don't yet implement it.
>
> If you don't want to send a PR, you may implement it a bit easier and
> differently in a non-OIDC standard way (EG. pass the offline_token directly
> instead of the IDToken in step 2).
>
> Marek
>
> On 02/10/18 08:24, Niels Bertram wrote:
> > [...]
>
>
> ------------------------------
>
> Message: 4
> Date: Wed, 3 Oct 2018 01:15:05 +1000
> From: Niels Bertram
> Subject: Re: [keycloak-dev] Create "online session" from offline session
> To: Marek Posolda
> Cc: keycloak-dev
> Content-Type: text/plain; charset="UTF-8"
>
> Thanks for the response Marek. I implemented a custom authenticator before
> so that makes total sense. The parts I am a bit worried about are:
>
> a) the GET implementation would require us to send the IDToken
> unprotected in the URL (POST is fine)
>
> b) a mobile app from which we want to initiate the "sign me in and then
> redirect me to another website" would effectively need to whitelist every
> possible URL that it can redirect to.
>
> If I send a PR to latest Keycloak, any chance that can be patched into the
> current or next version of RH-SSO?
>
> Cheers,
> Niels
>
> On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda wrote:
> > [...]
>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 2 Oct 2018 21:25:34 +0200
> From: Marek Posolda
> Subject: [keycloak-dev] PR for adding 'roles' and 'web-origins' client scopes
> To: "keycloak-dev at lists.jboss.org"
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> I've sent PR https://github.com/keycloak/keycloak/pull/5602 . Summary of
> changes:
>
> - The roles and allowed-origins are not added automatically to the access
> tokens now. Instead of it, the PR introduces 2 default client scopes:
> 'roles' and 'web-origins' which add them
>
> - Client scope 'web-origins' adds allowed-origins to the access token
> similarly to how it was before. So the only advantage is that it is possible
> to remove the clientScope/protocolMapper if you don't need web origins in
> the token
>
> - Client scope 'roles' contains protocol mappers for adding roles to the
> access tokens. By default, they are added to the claims "realm_access"
> and "resource_access" exactly as it was before. However it is easier to
> move to completely different claims. The PR doesn't introduce a new protocol
> mapper implementation for roles, but uses the existing implementations
> UserRealmRoleMappingMapper and UserClientRoleMappingMapper. As a
> side-effect, it fixes some bug in those mappers claimed by many community
> users - https://issues.jboss.org/browse/KEYCLOAK-5259
>
> - PR introduces a new protocol mapper implementation
> AudienceResolveProtocolMapper, which adds the audience of all the clients
> for which at least one client role is available in the token. This is added
> by default to the 'roles' client scope
>
> - There is a new switch "Include in Token Scope" on the Client Scope. It is
> applicable only for OIDC clients. When it is off, the client scope is not
> added to the "scope" in the access token. It is used for both 'roles' and
> 'web-origins' scopes, so those are not in the token by default now.
>
> - There is some minor addition to the ProtocolMapper SPI. Protocol mapper
> implementations have "priority" now. This is needed so that it is ensured
> that for example we first "compute" the roles to be put in the token
> (including composite roles etc), then eventually add/move some roles
> through HardcodedRoleMapper or RoleNameMapper, then figure out the audiences
> and finally move the roles to the proper place in the token (which is not
> necessarily hardcoded to "realm_access" and "resource_access"
> claims as it was before).
>
> - Migration is handled, so that 'roles' and 'web-origins' scopes are
> automatically added during migration and they are added to all the OIDC
> confidential/public clients.
>
> WDYT?
>
> Marek
>
>
>
> ------------------------------
>
> Message: 6
> Date: Wed, 3 Oct 2018 09:10:31 +0200
> From: Marek Posolda
> Subject: Re: [keycloak-dev] Create "online session" from offline session
> To: Niels Bertram
> Cc: keycloak-dev
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 02/10/18 17:15, Niels Bertram wrote:
> > Thanks for the response Marek. I implemented a custom authenticator
> > before so that makes total sense. The parts I am a bit worried
> > about are:
> >
> > a) the GET implementation would require us to send the IDToken
> > unprotected in the URL (POST is fine)
> I see. This makes sense and we support sending a POST request to the initial
> Authentication endpoint. Maybe you can add a flag to the authenticator like
> "Allow POST method only" to specify if it accepts just POST or allows both
> POST and GET? The flag can be set to ON by default (hence accept only POST).
> >
> > b) a mobile app from which we want to initiate the "sign me in and
> > then redirect me to another website" would effectively need to
> > whitelist every possible URL that it can redirect to.
> >
> > If I send a PR to latest Keycloak, any chance that can be patched into
> > the current or next version of RH-SSO?
> Yes, once the PR is accepted, it always goes to the latest Keycloak upstream
> and latest Keycloak always "turns" after some time into RH-SSO.
> Some details about this: https://www.keycloak.org/support.html .
>
> Just a note that we're close to feature freeze for Keycloak 4.x (RHSSO
> 7.3), so if you want it in RHSSO 7.3, you need to be a bit quick though
> :) And even then no guarantee as we will need some time for PR review etc.
>
> Marek
>
> >
> > Cheers,
> > Niels
> >
> > On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda wrote:
> > > [...]
>
>
> ------------------------------
>
> End of keycloak-dev Digest, Vol 64, Issue 3
> *******************************************
>

From mposolda at redhat.com  Wed Oct  3 08:00:30 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 Oct 2018 14:00:30 +0200
Subject: [keycloak-dev] Create "online session" from offline session
References: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com>
Message-ID: <1b9586d0-6268-6767-881f-1cc7be6f7559@redhat.com>

Yes, I see some possible issues with it. IMO if we add it, it should
probably not even be added in the default "browser" flow, so it's more "hard"
to have it working and just someone who knows what he is doing will be
able to set it up. On the other hand, it may be useful for some deployments
where the applications are "trusted". IMO it could be fine if the security
implications are described in the documentation.

Marek

On 03/10/18 09:39, Stian Thorgersen wrote:
> I'm not quite convinced about this approach.
>
> Firstly it seems like a workaround. Offline sessions are designed for
> applications that want to have access when the user is not around.
> Not for a "permanent" log-in. I would rather consider options that allow
> different SSO session expiration depending on device type (or initiating
> client) for instance. Once you have an SSO session in the system browser
> on the phone you can use an in-app browser tab to enable SSO to all apps,
> or you can do it for individual apps by not using the system browser.
>
> Secondly, authenticating with id_token_hint is scary. For example a less
> trusted application could then use the ID token to authenticate as the
> user behind the covers and have access to everything the user has access
> to rather than the limited scope that it should have.
>
> On Wed, 3 Oct 2018 at 09:11, Marek Posolda wrote:
>
>> On 02/10/18 17:15, Niels Bertram wrote:
>>> Thanks for the response Marek. I implemented a custom authenticator
>>> before so that makes all total sense. The parts I am a bit worried
>>> about are:
>>>
>>> a) the GET implementation would require us to send the IDToken
>>> unprotected in the URL (POST is fine)
>> I see. This makes sense and we support sending a POST request to the
>> initial Authentication endpoint. Maybe you can add a flag to the
>> authenticator like "Allow POST method only" to specify if it accepts
>> just POST or allows both POST and GET? The flag can be set to ON by
>> default (hence accept only POST).
>>>
>>> b) a mobile app from which we want to initiate the "sign me in and
>>> then redirect me to another website" would effectively need to
>>> whitelist every possible URL that it can redirect to.
>>>
>>> If I send a PR to latest Keycloak, any chance that can be patched into
>>> current or next version of RH-SSO?
>> Yes, once the PR is accepted, it always goes to the latest Keycloak
>> upstream and latest Keycloak always "turns" after some time into RH-SSO.
>> Some details about this: https://www.keycloak.org/support.html .
>>
>> Just a note that we're close to feature freeze for Keycloak 4.x (RHSSO
>> 7.3), so if you want it in RHSSO 7.3, you need to be a bit quick though
>> :) And even then no guarantee as we will need some time for PR review etc.
>>
>> Marek
>>>
>>> Cheers,
>>> Niels
>>>
>>> On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda wrote:
>>>
>>>> I suggest to use the flow like this:
>>>> 1) Exchange the offline token for the 3 tokens, which will include the
>>>> triplet of (access token, id token, offline token).
>>>>
>>>> 2) Then you can pass the just retrieved IDToken in the authentication
>>>> request in the "id_token_hint" parameter.
>>>>
>>>> 3) Then you will need to create an Authenticator (see our
>>>> docs/quickstarts for more details), which will be able to see if
>>>> "id_token_hint" was sent and then verify this token and authenticate
>>>> the user if it was ok. You can probably use some existing code from the
>>>> IDToken introspection endpoint. If the parameter is not used, the
>>>> authenticator can be just ignored during the authentication flow.
>>>>
>>>> 4) As the last step, you will need to add this authenticator to the
>>>> browser authentication flow.
>>>>
>>>> This will cause that if the IDToken is sent, it will be able to use it
>>>> to authenticate the user and hence a new UserSessionModel (+cookies and
>>>> all of this) will be properly created by Keycloak itself.
>>>>
>>>> If you manage to make this work, we will be happy if you contribute it
>>>> in a PR :) As this is described in the OIDC specification (see
>>>> https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ),
>>>> but we don't yet implement it.
>>>>
>>>> If you don't want to send a PR, you may implement it a bit easier and
>>>> differently in a non-OIDC standard way (e.g. pass the offline_token
>>>> directly instead of the IDToken in step 2).
>>>>
>>>> Marek
>>>>
>>>> On 02/10/18 08:24, Niels Bertram wrote:
>>>>> Hi devs,
>>>>>
>>>>> we are trying to turn an offline session back into an "online session"
>>>>> for which we can generate cookies and send them to the client's browser.
>>>>>
>>>>> I tried to create a user session with AuthenticationManager but for
>>>>> some reason the created session is not showing up as a proper session
>>>>> in the user account management section. Is there anything that needs
>>>>> to happen after this session is created to make it a normal user session?
>>>>>
>>>>>     AuthenticatedClientSessionModel clientSession =
>>>>>         session.sessions().createClientSession(realm, client, offlineSession);
>>>>>
>>>>> We have a mobile app that uses offline_access to create an "always
>>>>> logged in" experience for the app user. However when we open an
>>>>> SSO-enabled website in the app (WebView), there is no KEYCLOAK_SESSION
>>>>> cookie to allow the web page to initiate a successful pre-auth check.
>>>>>
>>>>> We wrote a custom resource which we call in our webview to "redirect"
>>>>> the user to an SSO enabled site:
>>>>>
>>>>> 1. authenticate the user
>>>>>
>>>>>     AuthResult auth = new AppAuthManager().authenticateBearerToken(session);
>>>>>
>>>>> 2. load a valid userSession
>>>>>
>>>>>     UserSessionModel userSession =
>>>>>         session.sessions().getUserSession(realm, token.getSessionState());
>>>>>
>>>>> 3. create the session cookies
>>>>>
>>>>>     AuthenticationManager.createLoginCookie(session, realm, user,
>>>>>         userSession, ctx.getUri(), ctx.getConnection());
>>>>>
>>>>> 4. forward the user to the SSO enabled website
>>>>>
>>>>> 5. SSO enabled website would do a normal pre-auth check with prompt=none
>>>>>
>>>>> There was a similar conversation about the "lost" session in
>>>>> KEYCLOAK-4201, but that one did not go as far as creating a new session.
>>>>>
>>>>> Anyone of you got any clever idea on how to "preload" a valid SSO
>>>>> session into a WebView?
>>>>>
>>>>> Cheers,
>>>>> Niels
>>>>>
>>>>> PS. we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3

From sthorger at redhat.com Wed Oct 3 08:16:44 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 3 Oct 2018 14:16:44 +0200
Subject: [keycloak-dev] Create "online session" from offline session
In-Reply-To: <1b9586d0-6268-6767-881f-1cc7be6f7559@redhat.com>
References: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com> <1b9586d0-6268-6767-881f-1cc7be6f7559@redhat.com>

I think we really need to consider if and how we add it properly. You shouldn't be able to use any odd id token to authenticate, but rather a special token. Further, it probably does require proper handling of authentication levels. Or even perhaps you can authenticate for a specific client with an id token, but when you try to use a different client you need to provide username/password. End of the day we just need to be very careful about adding something like this.

By the way, a long time ago I actually had this in mind as a way of doing SSO for CLIs. You simply get a special id token that serves as the SSO cookie. Never got around to thinking it through in depth though.
Bill had some concerns with that idea, can't remember exactly what, so he ended up doing token exchange for kcinit (I have quite a lot of concerns around that and token exchange though).

From mposolda at redhat.com Wed Oct 3 09:07:21 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 3 Oct 2018 15:07:21 +0200
Subject: [keycloak-dev] PR for adding 'roles' and 'web-origins' client scopes
Message-ID: <4d5bdb42-cbdf-91bd-89df-296eb2b749ab@redhat.com>

Fixed test failures in the PR. Should be ready to review.

Docs PR is: https://github.com/keycloak/keycloak-documentation/pull/487

Marek

On 02/10/18 21:25, Marek Posolda wrote:
> I've sent PR https://github.com/keycloak/keycloak/pull/5602 .
> Summary of changes:
>
> - The roles and allowed-origins are not added automatically to the
> access tokens now. Instead of it, the PR introduces 2 default client
> scopes, 'roles' and 'web-origins', which add them.
>
> - Client scope 'web-origins' adds allowed-origins to the access token
> similarly to how it was before. So the only advantage is that it is
> possible to remove the clientScope/protocolMapper if you don't need web
> origins in the token.
>
> - Client scope 'roles' contains protocol mappers for adding roles to the
> access tokens. By default, they are added to the claims "realm_access"
> and "resource_access" exactly as it was before. However it is easier to
> move them to completely different claims. The PR doesn't introduce a new
> protocol mapper implementation for roles, but uses the existing
> implementations UserRealmRoleMappingMapper and
> UserClientRoleMappingMapper. As a side-effect, it fixes some bug in
> those mappers claimed by many community users:
> https://issues.jboss.org/browse/KEYCLOAK-5259
>
> - The PR introduces a new protocol mapper implementation
> AudienceResolveProtocolMapper, which adds the audience of all the
> clients for which at least one client role is available in the token.
> This is added by default to the 'roles' client scope.
>
> - There is a new switch "Include in Token Scope" on the Client Scope. It
> is applicable only for OIDC clients. When it is off, the client scope is
> not added to the "scope" in the access token. It is used for both 'roles'
> and 'web-origins' scopes, so those are not in the token by default now.
>
> - There is some minor addition to the ProtocolMapper SPI. Protocol mapper
> implementations have a "priority" now. This is needed so that it is
> ensured that, for example, we first "compute" the roles to be put in the
> token (including composite roles etc.), then eventually add/move some
> roles through HardcodedRoleMapper or RoleNameMapper, then figure out the
> audiences and finally move the roles to the proper place in the token
> (which is not necessarily hardcoded to the "realm_access" and
> "resource_access" claims as it was before).
>
> - Migration is handled, so that 'roles' and 'web-origins' scopes are
> automatically added during migration and they are added to all the OIDC
> confidential/public clients.
>
> WDYT?
>
> Marek

From oneal.kevin at gmail.com Wed Oct 3 09:49:28 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Wed, 3 Oct 2018 08:49:28 -0500
Subject: [keycloak-dev] Column Sorting

Stian, could you point me to a table that currently has server side pagination? And is there currently an effort to make all tables have server-side pagination?

On Mon, Oct 1, 2018 at 8:05 PM KevinO wrote:
> Is there any opposition to me adding column sorting? There is the ticket
> for it: https://issues.jboss.org/browse/KEYCLOAK-4676
>
> I've tested a solution that uses standard angular ordering. I don't want
> to update all the tables if this is a feature that is not wanted.
>
> Here is what one option of sorting would look like using Font-Awesome's
> chevron as the clickable item.
> [image: image.png]
> [image: image.png]
From sthorger at redhat.com Wed Oct 3 10:38:18 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 3 Oct 2018 16:38:18 +0200
Subject: [keycloak-dev] Column Sorting

Not 100% sure what the current status is. Some are paginated server-side, some on client-side, some are missing pagination. Users are paginated on the server side for sure.

For a large portion of tables though pagination has to be done on the server side (users, clients, roles, groups, etc. can all have a large number of entries). With that in mind I think, to keep things consistent, we should do pagination and sorting on the server side for everything.

From nielsbne at gmail.com Wed Oct 3 10:54:29 2018
From: nielsbne at gmail.com (Niels Bertram)
Date: Thu, 4 Oct 2018 00:24:29 +0930
Subject: [keycloak-dev] Create "online session" from offline session
References: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com> <1b9586d0-6268-6767-881f-1cc7be6f7559@redhat.com>

We mainly need a function to create a "long lived" session in a mobile app where we have more options to secure the refresh/id token (e.g. place refresh/id tokens into the iOS keychain and after some interval let the device/user unlock the tokens for the app using Face ID, fingerprint or PIN). Inside the app we want to display a website that also participates in SSO and be seamlessly recognised as logged in. The current remember-me function does not work for this as we do not want to increase the Max Session Idle time for *all* SSO enabled systems to anything beyond an hour. The only way we found to get a longer token for a mobile app is to use the offline access scope - not ideal but we exhausted all avenues on remember me including 2 RH support tickets without a resolution.

The challenge we face now is that having an offline session is managed outside the browser and after the initial 30 minute Max Session Idle time, we can no longer SSO someone in a browser window due to no valid user session in the KC backend.

I dug around a bit and found that one can set up a "sub session" from the id token from an offline session. This session and related cookies can be used like any other normal "user session" within a website.
The trick was to load the "offline session" belonging to the offline access token and then create a user session like this:

    userSession = session.sessions().createUserSession(
            offlineSession.getId(),
            realm,
            offlineSession.getUser(),
            offlineSession.getLoginUsername(),
            ctx.getConnection().getRemoteAddr(),
            "openid-connect",
            false,
            offlineSession.getBrokerSessionId(),
            offlineSession.getBrokerUserId());

We tested this with the approach outlined in my initial email and it does appear to work as intended (bar the client id not being populated on the created session - the method call is missing a client param). The advantage of this approach is that we merely create a valid user session for the client_id of the current mobile app in the KC server, set the session and id cookie in the webview and then refer out to another website via a regular link. I do not need to know where this link leads to or if the client(_id) of the other site requires a different scope, consent or whatever. I simply created a "short lived" user session for the mobile app that can be consulted by the SSO server in an auth check on another SSO enabled system.

So taking all of this, we could build an authenticator that sets up a child session for the offline session under the same client that owns the ID token and sends the cookies for that child session to the client browser. The big question is, where do you redirect the response to? If you redirect to another system that uses its own client, I am not sure what would happen if that client tried to swap the code grant for tokens - my assumption would be, it would get whatever the client swapping the code grant could get - but that is flawed if consent is required beforehand for instance. I think the use case for which to use such an adapter will be vital for the design - the use case I have does appear to be more like a rework of session and remember me is required than an authz adapter.

Hope all that makes any sense.
From sthorger at redhat.com Wed Oct 3 15:33:14 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 3 Oct 2018 21:33:14 +0200
Subject: [keycloak-dev] Create "online session" from offline session
References: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com> <1b9586d0-6268-6767-881f-1cc7be6f7559@redhat.com>

I would say this is a common use-case and is something we should support properly. Can you open an RFE for it? We can't include it for 7.3 I'm afraid, but it's something we could aim to include in the release after that.

Without having thought too deeply on how it could be solved, I would imagine something that lets you decide what type of session you want based on some sort of condition. Perhaps we could have a per-client option to control the SSO session type, and if the initial authentication is triggered with a login to such a client it would trigger a long lived session.

I guess the best option for you then is a custom authenticator, which hopefully in the not too distant future you can drop and no longer have to maintain. Hopefully Marek can help you with this one ;)
>>
>> On Wed, 3 Oct 2018 at 14:00, Marek Posolda wrote:
>>
>>> Yes, I see some possible issues with it. IMO if we add it, it should
>>> probably not even be added in default "browser" flow, so it's more "hard"
>>> to have it working and just someone, who knows what he is doing, will be
>>> able to setup it.
>>>
>>> On the other hand, may be useful for some deployments where the
>>> applications are "trusted". IMO it could be fine if the security
>>> implications are described in the documentation.
>>>
>>> Marek
>>>
>>> On 03/10/18 09:39, Stian Thorgersen wrote:
>>>
>>> I'm not quite convinced about this approach.
>>>
>>> Firstly it seems like a workaround. Offline sessions are designed for
>>> applications that want to have access when the user is not around. Not for
>>> a "permanent" log-in. I would rather consider options that allow different
>>> SSO session expiration depending on device type (or initiating client) for
>>> instance. Once you have an SSO session in the system browser on the phone
>>> you can use an in-app browser tab to enable SSO to all apps, or you can do
>>> it for individual apps by not using the system browser.
>>>
>>> Secondly authenticating with id_token_hint is scary. For example a less
>>> trusted application could then use the ID token to authenticate as the user
>>> behind the covers and have access to everything the user has access to
>>> rather than the limited scope that it should have.
>>>
>>> On Wed, 3 Oct 2018 at 09:11, Marek Posolda wrote:
>>>
>>>> On 02/10/18 17:15, Niels Bertram wrote:
>>>> > Thanks for the response Marek. I implemented a custom authenticator
>>>> > before so that makes all total sense. The parts I am a bit worried
>>>> > about is:
>>>> >
>>>> > a) the GET implementation would require us to send the IDToken
>>>> > unprotected in the URL (POST is fine)
>>>> I see. This makes sense and we support sending POST request to the
>>>> initial Authentication endpoint. Maybe you can add a flag to the
>>>> authenticator like "Allow POST method only" to specify if it accepts
>>>> just POST or allow both POST and GET? Flag can be set to ON by default
>>>> (hence accept only POST).
>>>> >
>>>> > b) a mobile app from which we want to initiate the "sign me in and
>>>> > then redirect me to another website" would effectively need to
>>>> > whitelist every possible URL that it can redirect to.
>>>> >
>>>> > If I send a PR to latest Keycloak, any chance that can be patched into
>>>> > current or next version of RH-SSO?
>>>> Yes, once the PR is accepted, it always goes to the latest Keycloak
>>>> upstream and latest Keycloak always "turns" after some time to RH-SSO.
>>>> Some details about this https://www.keycloak.org/support.html .
>>>>
>>>> Just a note that we're close to feature freeze for Keycloak 4.x (RHSSO
>>>> 7.3), so if you want it in RHSSO 7.3, you need to be a bit quick though
>>>> :) And even then no guarantee as we will need some time for PR review
>>>> etc.
>>>>
>>>> Marek
>>>> >
>>>> > Cheers,
>>>> > Niels
>>>> >
>>>> > On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda wrote:
>>>> >
>>>> > I suggest to use the flow like this:
>>>> > 1) Exchange the offline token for the 3 tokens, which will include the
>>>> > triplet of (access token, id token, offline token).
>>>> >
>>>> > 2) Then you can pass the just retrieved IDToken in the authentication
>>>> > request in the "id_token_hint" parameter.
>>>> >
>>>> > 3) Then you will need to create Authenticator (see our docs/quickstarts
>>>> > for more details), which will be able to see if "id_token_hint" was sent
>>>> > and then verify this token and authenticate user if it was ok. You can
>>>> > probably use some existing code from IDToken introspection endpoint. If
>>>> > parameter is not used, authenticator can be just ignored during the
>>>> > authentication flow.
>>>> >
>>>> > 4) As last step, you will need to add this authenticator to the browser
>>>> > authentication flow.
>>>> >
>>>> > This will cause that if IDToken is sent, it will be able to use it to
>>>> > authenticate the user and hence new UserSessionModel (+cookies and all
>>>> > of this) will be properly created by Keycloak itself.
>>>> >
>>>> > If you manage to make this working, we will be happy if you contribute
>>>> > it in the PR :) As this is described in the OIDC specification (see
>>>> > https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ), but
>>>> > we don't yet implement it.
>>>> >
>>>> > If you don't want to send PR, you may implement it a bit easier and
>>>> > differently in a non-OIDC standard way (EG. pass the offline_token
>>>> > directly instead of IDToken in step 2).
>>>> >
>>>> > Marek
>>>> >
>>>> > On 02/10/18 08:24, Niels Bertram wrote:
>>>> > > Hi devs,
>>>> > >
>>>> > > we are trying to turn an offline session back into an "online session" for
>>>> > > which we can generate cookies and send them to the clients browser.
>>>> > >
>>>> > > I tried to create a user session with AuthenticationManager but for some
>>>> > > reason the created session is not showing up as a proper in the user
>>>> > > account management section. Is there anything that needs to happen after
>>>> > > this session is created to make it a normal user session?
>>>> > >
>>>> > > AuthenticatedClientSessionModel clientSession =
>>>> > > session.sessions().createClientSession(realm, client, offlineSession);
>>>> > >
>>>> > > We have a mobile app that uses offline_access to create an "always logged"
>>>> > > in experience for the app user. However when we open a SSO-enabled website
>>>> > > in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow the web
>>>> > > page to initiate a successful pre-auth check.
>>>> > >
>>>> > > We wrote a custom resource which we call in our webview to "redirect" the
>>>> > > user to an SSO enabled site:
>>>> > >
>>>> > > 1. authenticate the user
>>>> > >
>>>> > > AuthResult auth = new AppAuthManager().authenticateBearerToken(session)
>>>> > >
>>>> > > 2. load a valid userSession
>>>> > >
>>>> > > UserSessionModel userSession = session.sessions().getUserSession(realm,
>>>> > > token.getSessionState());
>>>> > >
>>>> > > 3. create the session cookies
>>>> > >
>>>> > > AuthenticationManager.createLoginCookie(session, realm, user, userSession,
>>>> > > ctx.getUri(), ctx.getConnection());
>>>> > >
>>>> > > 4. forward the user to the SSO enabled website
>>>> > >
>>>> > > 5. SSO enabled website would do a normal pre-auth check with prompt=none
>>>> > >
>>>> > > There was a similar conversation about the "lost" session in KEYCLOAK-4201,
>>>> > > but that one did not go as far as creating a new session.
>>>> > >
>>>> > > Anyone of you got any clever idea on how to "preload" a valid SSO session
>>>> > > into a WebView?
>>>> > >
>>>> > > Cheers,
>>>> > > Niels
>>>> > >
>>>> > > PS.
>>>> > > we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3
>>>> > > _______________________________________________
>>>> > > keycloak-dev mailing list
>>>> > > keycloak-dev at lists.jboss.org
>>>> > > https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>> >
>>>> >
>>>>
>>>> _______________________________________________
>>>> keycloak-dev mailing list
>>>> keycloak-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>>
>>>
>>>

From sthorger at redhat.com Thu Oct 4 06:53:46 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 4 Oct 2018 12:53:46 +0200
Subject: [keycloak-dev] Review for German translation of admin messages
Message-ID:

Can someone please review https://github.com/keycloak/keycloak/pull/5549

From sthorger at redhat.com Thu Oct 4 08:32:16 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 4 Oct 2018 14:32:16 +0200
Subject: [keycloak-dev] Improved CSP support
In-Reply-To:
References:
Message-ID:

Forgot about this one, sorry. Any updates from your end Johannes?

On Tue, 31 Jul 2018 at 20:39, Stian Thorgersen wrote:

>
>
> On Mon, 30 Jul 2018 at 20:19, Johannes Knutsen wrote:
>
>> Actually, your suggestion to inject a cspNonce value through the
>> FreeMarkerLoginProvider/AccountProvider is the exact solution I chose
>> to implement in the example implementation,
>>
>> https://github.com/keycloak/keycloak/compare/master...knutz3n:feature/support-stricter-csp-headers
>> .
>>
>
> Sounds good, I'm leaving for holiday today so won't have time to take a
> look at it before I'm back in a week or so.
>
>
>>
>> CSP support in the admin GUI, seems to be a hard problem. I did some
>> work to get this working and most issues were resolvable. However,
>> the ACE editor has an open issue,
>> https://github.com/ajaxorg/ace/issues/3260, regarding CSP and there
>> was also a minor change required to ng-file-upload.
>>
>
> Is it only the ACE editor that is an issue? If that remains an issue we
> could consider removing it. It's only used when editing js authenticators
> and policies, but I don't think it's all that useful afaik.
>
>
>>
>> Our first priority is anyways to be able to disable inline scripts on
>> our customer's authentication realm and currently we get a CSP error
>> when setting a script-src 'self' rule:
>> "Refused to execute inline script because it violates the following
>> Content Security Policy directive: "script-src 'self'". Either the
>> 'unsafe-inline' keyword, a hash ('sha256-h/...'), or a nonce
>> ('nonce-...') is required to enable inline execution."
>> This is due to the inline script injected by BrowserHistoryHelper.java
>> and adding a CSP nonce solves this.
>>
>
> Do you generate the nonce on demand in your branch? As it's only needed
> for very few requests we should generate one in the FreeMarker providers
> unless it's actually needed.
>
>
>>
>> I don't think CSP should replace using a sanitizer, since CSP support
>> is varying between browsers. However, if you would consider merging
>> the addition of adding a CSP nonce value to the Freemarker context as
>> shown in the diff above, I would be happy to add some tests. At least
>> it would allow template developers to also use inline scripts, by
>> using the CSP nonce value as you mentioned.
>>
>
> We'll keep the sanitizer as well. Always good to have more layers of
> defence than less ;)
>
> Would be ideal to have a complete solution. Nonce available, updated
> default value for CSP header for realms, including migrating existing
> realms when the value hasn't changed.
>
>
>>
>> - Johannes
>>
>> On Mon, Jul 30, 2018 at 7:48 PM, Stian Thorgersen wrote:
>> > Not sure if it's an option to remove all inline scripts/styles. Maybe
>> > it is.
>> >
>> > With regards to the other options. SHA hash seems rather brittle and
>> > hard to maintain, so a nonce would probably be the better option. I
>> > haven't looked too much at the details on how that's handled, but I
>> > assume it's a per-request so you can easily generate one in
>> > FreeMarkerLoginProvider/AccountProvider, add it to the header, then
>> > templates can themselves add the nonce using something like
>> > nonce="${cspNonce}".
>> >
>> > Seems like an elegant solution to something we're working on at the
>> > moment. Currently most fields are escaped so it's not possible to for
>> > example inject scripts, but there are some that are not as they need
>> > to output HTML tags (realm display name for instance). We've ended up
>> > with using OWASP HTML sanitizer library to escape unsafe elements. It's
>> > a bit messy code + we need to productize the OWASP library. It sounds
>> > like this could remove the need to do that altogether.
>> >
>> > On Wed, 20 Jun 2018 at 00:30, Johannes Knutsen wrote:
>> >>
>> >> Hi,
>> >>
>> >> I am currently looking at improvements in the Content Security Policy
>> >> (CSP) support.
>> >>
>> >> In our deployment, we have security requirements stating that a CSP
>> >> header should be used and inline scripts, styles and resources should
>> >> be blocked. For example by setting a CSP value like default-src
>> >> 'self';.
>> >>
>> >> Such a policy breaks Keycloak's manipulation of the browser history
>> >> implemented in the BrowserHistoryHelper, since the
>> >> JavascriptHistoryReplace injects an inline JavaScript.
>> >>
>> >> The simplest workaround is to also inject a nonce value or SHA hash of
>> >> the script to the existing CSP header.
>> >>
>> >> However, while implementing this, I found that a CSP nonce in general
>> >> would be nice to have available in any template context. This will
>> >> also make it easier to migrate the default Keycloak theme to support
>> >> stricter security policies.
>> >>
>> >> An example implementation can be found here:
>> >>
>> >> https://github.com/knutz3n/keycloak/commit/c6cfb3efa2942d7569066c0e4bd90a2ed75a0005
>> >>
>> >> Would you be interested in merging a change like the one above? If
>> >> not, what is your view on how to allow stricter content security
>> >> policies?
>> >> Tests and documentation are currently missing, but I will add both if
>> >> this is something you would consider merging.
>> >>
>> >> As a note, I have also done some work on supporting a strict CSP value
>> >> for the default theme. But there are some issues with included 3rd
>> >> party scripts which must/should be resolved. Let me know if you want
>> >> more details regarding this.
>> >>
>> >> Best regards,
>> >> Johannes Knutsen
>> >> _______________________________________________
>> >> keycloak-dev mailing list
>> >> keycloak-dev at lists.jboss.org
>> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>> >

From gideonray at gmail.com Thu Oct 4 11:26:38 2018
From: gideonray at gmail.com (Gideon Caranzo)
Date: Thu, 4 Oct 2018 10:26:38 -0500
Subject: [keycloak-dev] large number of realms causing slow api calls
Message-ID:

Hi,

I'm encountering slow api calls after reaching 1700 realms. I profiled it
and found that role checking is causing the issue particularly
*KeycloakModelUtils.searchFor(RoleModel role, RoleModel composite, Set visited)*.

I'm using a user with "admin" role to call get realm API. And since I have
1700 realms, "admin" role now has about 30K composite roles under it. The
line below from KeycloakModelUtils.searchFor() will load all 30K composite
roles causing the slow down.

*Set compositeRoles = composite.getComposites();*

Is there a way to avoid this issue? Or is it possible to fix the code such
that it will do a database query instead of searching in memory to check if
the role exists?
Best regards,
Gideon

From sthorger at redhat.com Fri Oct 5 07:22:27 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Fri, 5 Oct 2018 13:22:27 +0200
Subject: [keycloak-dev] large number of realms causing slow api calls
In-Reply-To:
References:
Message-ID:

Keycloak simply doesn't scale well with regards to a large number of realms
today and it's not something we currently support. That's just one of
several issues around large numbers of realms that have to be resolved.
Another example: upgrading the server with 1700 realms is also going to be
painful. At the moment we are not able to prioritise this though. We are
planning to resolve it, but it will be quite some time until we do.

For the particular issue you've mentioned the work-around is to remove the
realm roles from the admin composite in master realm. That will work, but
you will only be able to login and manage realms individually.

On Thu, 4 Oct 2018 at 18:07, Gideon Caranzo wrote:

> Hi,
>
> I'm encountering slow api calls after reaching 1700 realms. I profiled it
> and found that role checking is causing the issue particularly
> *KeycloakModelUtils.searchFor(RoleModel role, RoleModel composite, Set visited)*.
>
> I'm using a user with "admin" role to call get realm API. And since I have
> 1700 realms, "admin" role now has about 30K composite roles under it. The
> line below from KeycloakModelUtils.searchFor() will load all 30K composite
> roles causing the slow down.
>
> *Set compositeRoles = composite.getComposites();*
>
> Is there a way to avoid this issue? Or is it possible to fix the code such
> that it will do a database query instead of searching in memory to check if
> the role exists?
>
> Best regards,
> Gideon
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

From nielsbne at gmail.com Sun Oct 7 19:22:32 2018
From: nielsbne at gmail.com (Niels Bertram)
Date: Mon, 8 Oct 2018 09:22:32 +1000
Subject: [keycloak-dev] Create "online session" from offline session
In-Reply-To:
References: <0ca41d60-abd2-f716-91ae-9ac0ba00444d@redhat.com> <1b9586d0-6268-6767-881f-1cc7be6f7559@redhat.com>
Message-ID:

I created an RFE and submitted it under case 02171397

On Thu, Oct 4, 2018 at 5:33 AM Stian Thorgersen wrote:

> I would say this is a common use-case and is something we should support
> properly. Can you open an RFE for it? We can't include it for 7.3 I'm
> afraid, but it's something we could aim to include in the release after
> that. Without having thought too deeply on how it could be solved I would
> imagine something that lets you decide what type of session you want based
> on some sort of condition. Perhaps we could have a per-client option to
> control the SSO session type and if the initial authentication is triggered
> with login to such a client it would trigger a long lived session.
>
> I guess the best option for you then is a custom authenticator, which
> hopefully in the not too distant future you can drop and no longer have to
> maintain. Hopefully Marek can help you with this one ;)
>
> On Wed, 3 Oct 2018 at 16:54, Niels Bertram wrote:
>
>> We mainly need a function to create a "long lived" session in a mobile
>> app where we have more options to secure the refresh/id token (e.g. place
>> refresh/id tokens into iOS keychain and after some interval let the
>> device/user unlock the tokens for the app using face id, fingerprint or
>> pin). Inside the app we want to display a website that also participates in
>> SSO and be seamlessly recognised as logged in. The current remember me
>> function does not work for this as we do not want to increase the Max
>> Session Idle time for *all* SSO enabled systems to anything beyond an
>> hour. The only way we found to get a longer token for a mobile app is to
>> use offline access scope - not ideal but we exhausted all avenues on
>> remember me including 2 RH support tickets without a resolution.
>>
>> The challenge we face now is that having an offline session is managed
>> outside the browser and after the initial 30 minute Max Session Idle time,
>> we can no longer SSO someone in a browser window due to no valid user
>> session in KC backend.
>>
>> I dug around a bit and found that one can setup a "sub session" from the
>> id token from an offline session. This session and related cookies can be
>> used like any other normal "user session" within a website. The trick was
>> to load the "offline session" belonging to the offline access token and
>> then create a user session like this:
>>
>> userSession = session.sessions().createUserSession(
>>     offlineSession.getId(),
>>     realm,
>>     offlineSession.getUser(),
>>     offlineSession.getLoginUsername(),
>>     ctx.getConnection().getRemoteAddr(),
>>     "openid-connect",
>>     false,
>>     offlineSession.getBrokerSessionId(),
>>     offlineSession.getBrokerUserId());
>>
>> We tested this with the approach outlined in my initial email and it does
>> appear to work as intended (bar the client id not populated on the created
>> session - the method call is missing a client param). The advantage of this
>> approach is that we merely create a valid user session for the client_id of
>> the current mobile app in KC server, set the session and id cookie in the
>> webview and then refer out to another website via regular link. I do not
>> need to know where this link leads to or if the client(_id) of the other
>> site requires different scope, consent or whatever. I simply created a
>> "short lived" user session for the mobile app that can be consulted by the
>> SSO server in an auth check on another SSO enabled system.
>>
>> So taking all of this, we could build an authenticator that sets up a
>> child session for the offline session under the same client that owns the
>> ID token and send the cookies for that child session to the client browser.
>> The big question is, where do you redirect the response to? If you redirect
>> to another system that uses their own client, I am not sure what would
>> happen if that client tried to swap the code grant for tokens - my
>> assumption would be, it would get whatever the client swapping the code
>> grant could get - but that is flawed if consent is required beforehand for
>> instance. I think the use case for which to use such adapter will be vital
>> for the design - the use case I have does appear to be more like a rework
>> of session and remember me is required than an authz adapter.
>>
>> Hope all that makes any sense.
>>
>>
>> On Wed, Oct 3, 2018 at 9:46 PM Stian Thorgersen wrote:
>>
>>> I think we really need to consider if and how we add it properly. You
>>> shouldn't be able to use any odd id token to authenticate, but rather a
>>> special token. Further, it probably does require proper handling of
>>> authentication levels. Or even perhaps you can authenticate for a specific
>>> client with an id token, but when you try to use a different client you
>>> need to provide username/password. End of the day we just need to be very
>>> careful about adding something like this.
>>>
>>> By the way a long time ago I actually had this in mind as a way of doing
>>> SSO for CLIs. You simply get a special id token that serves as the sso
>>> cookie. Never got around to think it through in depth though.
>>> Bill had some concerns with that idea, can't remember exactly what, so he
>>> ended up doing token exchange for kcinit (I have quite a lot of concerns
>>> around that and token exchange though).
>>>
>>> On Wed, 3 Oct 2018 at 14:00, Marek Posolda wrote:
>>>
>>>> Yes, I see some possible issues with it. IMO if we add it, it should
>>>> probably not even be added in default "browser" flow, so it's more "hard"
>>>> to have it working and just someone, who knows what he is doing, will be
>>>> able to setup it.
>>>>
>>>> On the other hand, may be useful for some deployments where the
>>>> applications are "trusted". IMO it could be fine if the security
>>>> implications are described in the documentation.
>>>>
>>>> Marek
>>>>
>>>> On 03/10/18 09:39, Stian Thorgersen wrote:
>>>>
>>>> I'm not quite convinced about this approach.
>>>>
>>>> Firstly it seems like a workaround. Offline sessions are designed for
>>>> applications that want to have access when the user is not around. Not for
>>>> a "permanent" log-in. I would rather consider options that allow different
>>>> SSO session expiration depending on device type (or initiating client) for
>>>> instance. Once you have an SSO session in the system browser on the phone
>>>> you can use an in-app browser tab to enable SSO to all apps, or you can do
>>>> it for individual apps by not using the system browser.
>>>>
>>>> Secondly authenticating with id_token_hint is scary. For example a
>>>> less trusted application could then use the ID token to authenticate as the
>>>> user behind the covers and have access to everything the user has access to
>>>> rather than the limited scope that it should have.
>>>>
>>>> On Wed, 3 Oct 2018 at 09:11, Marek Posolda wrote:
>>>>
>>>>> On 02/10/18 17:15, Niels Bertram wrote:
>>>>> > Thanks for the response Marek. I implemented a custom authenticator
>>>>> > before so that makes all total sense. The parts I am a bit worried
>>>>> > about is:
>>>>> >
>>>>> > a) the GET implementation would require us to send the IDToken
>>>>> > unprotected in the URL (POST is fine)
>>>>> I see. This makes sense and we support sending POST request to the
>>>>> initial Authentication endpoint. Maybe you can add a flag to the
>>>>> authenticator like "Allow POST method only" to specify if it accepts
>>>>> just POST or allow both POST and GET? Flag can be set to ON by default
>>>>> (hence accept only POST).
>>>>> >
>>>>> > b) a mobile app from which we want to initiate the "sign me in and
>>>>> > then redirect me to another website" would effectively need to
>>>>> > whitelist every possible URL that it can redirect to.
>>>>> >
>>>>> > If I send a PR to latest Keycloak, any chance that can be patched into
>>>>> > current or next version of RH-SSO?
>>>>> Yes, once the PR is accepted, it always goes to the latest Keycloak
>>>>> upstream and latest Keycloak always "turns" after some time to RH-SSO.
>>>>> Some details about this https://www.keycloak.org/support.html .
>>>>>
>>>>> Just a note that we're close to feature freeze for Keycloak 4.x (RHSSO
>>>>> 7.3), so if you want it in RHSSO 7.3, you need to be a bit quick though
>>>>> :) And even then no guarantee as we will need some time for PR review
>>>>> etc.
>>>>>
>>>>> Marek
>>>>> >
>>>>> > Cheers,
>>>>> > Niels
>>>>> >
>>>>> > On Wed, Oct 3, 2018 at 12:33 AM Marek Posolda wrote:
>>>>> >
>>>>> > I suggest to use the flow like this:
>>>>> > 1) Exchange the offline token for the 3 tokens, which will include the
>>>>> > triplet of (access token, id token, offline token).
>>>>> >
>>>>> > 2) Then you can pass the just retrieved IDToken in the authentication
>>>>> > request in the "id_token_hint" parameter.
>>>>> >
>>>>> > 3) Then you will need to create Authenticator (see our docs/quickstarts
>>>>> > for more details), which will be able to see if "id_token_hint" was sent
>>>>> > and then verify this token and authenticate user if it was ok. You can
>>>>> > probably use some existing code from IDToken introspection endpoint. If
>>>>> > parameter is not used, authenticator can be just ignored during the
>>>>> > authentication flow.
>>>>> >
>>>>> > 4) As last step, you will need to add this authenticator to the browser
>>>>> > authentication flow.
>>>>> >
>>>>> > This will cause that if IDToken is sent, it will be able to use it to
>>>>> > authenticate the user and hence new UserSessionModel (+cookies and all
>>>>> > of this) will be properly created by Keycloak itself.
>>>>> >
>>>>> > If you manage to make this working, we will be happy if you contribute
>>>>> > it in the PR :) As this is described in the OIDC specification (see
>>>>> > https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest ), but
>>>>> > we don't yet implement it.
>>>>> >
>>>>> > If you don't want to send PR, you may implement it a bit easier and
>>>>> > differently in a non-OIDC standard way (EG. pass the offline_token
>>>>> > directly instead of IDToken in step 2).
>>>>> >
>>>>> > Marek
>>>>> >
>>>>> > On 02/10/18 08:24, Niels Bertram wrote:
>>>>> > > Hi devs,
>>>>> > >
>>>>> > > we are trying to turn an offline session back into an "online session" for
>>>>> > > which we can generate cookies and send them to the clients browser.
>>>>> > >
>>>>> > > I tried to create a user session with AuthenticationManager but for some
>>>>> > > reason the created session is not showing up as a proper in the user
>>>>> > > account management section. Is there anything that needs to happen after
>>>>> > > this session is created to make it a normal user session?
>>>>> > >
>>>>> > > AuthenticatedClientSessionModel clientSession =
>>>>> > > session.sessions().createClientSession(realm, client, offlineSession);
>>>>> > >
>>>>> > > We have a mobile app that uses offline_access to create an "always logged"
>>>>> > > in experience for the app user. However when we open a SSO-enabled website
>>>>> > > in the app (WebView), there is no KEYCLOAK_SESSION cookie to allow the web
>>>>> > > page to initiate a successful pre-auth check.
>>>>> > >
>>>>> > > We wrote a custom resource which we call in our webview to "redirect" the
>>>>> > > user to an SSO enabled site:
>>>>> > >
>>>>> > > 1. authenticate the user
>>>>> > >
>>>>> > > AuthResult auth = new AppAuthManager().authenticateBearerToken(session)
>>>>> > >
>>>>> > > 2. load a valid userSession
>>>>> > >
>>>>> > > UserSessionModel userSession = session.sessions().getUserSession(realm,
>>>>> > > token.getSessionState());
>>>>> > >
>>>>> > > 3. create the session cookies
>>>>> > >
>>>>> > > AuthenticationManager.createLoginCookie(session, realm, user, userSession,
>>>>> > > ctx.getUri(), ctx.getConnection());
>>>>> > >
>>>>> > > 4. forward the user to the SSO enabled website
>>>>> > >
>>>>> > > 5. SSO enabled website would do a normal pre-auth check with prompt=none
>>>>> > >
>>>>> > > There was a similar conversation about the "lost" session in KEYCLOAK-4201,
>>>>> > > but that one did not go as far as creating a new session.
>>>>> > >
>>>>> > > Anyone of you got any clever idea on how to "preload" a valid SSO session
>>>>> > > into a WebView?
>>>>> > >
>>>>> > > Cheers,
>>>>> > > Niels
>>>>> > >
>>>>> > > PS.
>> we are on RH-SSO 7.2.4 so roughly Keycloak 3.4.3
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev

From slaskawi at redhat.com Mon Oct 8 05:05:31 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Mon, 8 Oct 2018 11:05:31 +0200
Subject: [keycloak-dev] Duplicated code in client-registration-cli and admin-cli
Message-ID:

Hey guys,

I just noticed that both modules mentioned in the subject contain lots of
duplicated code. Since both modules are pretty similar (from the code point
of view), maybe we should collapse them into one?

Thanks,
Sebastian

From sthorger at redhat.com Mon Oct 8 07:53:11 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 8 Oct 2018 13:53:11 +0200
Subject: [keycloak-dev] Duplicated code in client-registration-cli and admin-cli
In-Reply-To:
References:
Message-ID:

-1 We're not doing any refactoring at least not at this point. In the
future at some point we may need to revisit though.

On Mon, 8 Oct 2018 at 12:10, Sebastian Laskawiec wrote:
> Hey guys,
>
> I just noticed that both modules mentioned in the subject contain lots of
> duplicated code. Since both modules are pretty similar (from the code point
> of view), maybe we should collapse them into one?
>
> Thanks,
> Sebastian

From slaskawi at redhat.com Tue Oct 9 05:22:59 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Tue, 9 Oct 2018 11:22:59 +0200
Subject: [keycloak-dev] Duplicated code in client-registration-cli and admin-cli
In-Reply-To:
References:
Message-ID:

Of course! Let's focus on our current priorities now. In case we wanted to
revisit this in the future, here's a JIRA:
https://issues.jboss.org/browse/KEYCLOAK-8517

On Mon, Oct 8, 2018 at 1:53 PM Stian Thorgersen wrote:
> -1 We're not doing any refactoring at least not at this point. In the
> future at some point we may need to revisit though.
>
> On Mon, 8 Oct 2018 at 12:10, Sebastian Laskawiec wrote:
>> Hey guys,
>>
>> I just noticed that both modules mentioned in the subject contain lots of
>> duplicated code. Since both modules are pretty similar (from the code
>> point of view), maybe we should collapse them into one?
>>
>> Thanks,
>> Sebastian

From gideonray at gmail.com Tue Oct 9 16:49:50 2018
From: gideonray at gmail.com (Gideon Caranzo)
Date: Tue, 9 Oct 2018 15:49:50 -0500
Subject: [keycloak-dev] large number of realms causing slow api calls
In-Reply-To:
References:
Message-ID:

Thanks Stian for your reply. API calls have improved after using a
different composite role (with few realm roles).

Aside from API calls, I also observed slow startup time (about 20 mins). I
found the following calls during startup are taking more time.

*First*, the check for new installation using applianceBootstrap.isNewInstall()
at KeycloakApplication.migrateAndBootstrap() is causing all realms to be
queried.
    public boolean isNewInstall() {
        if (session.realms().getRealms().size() > 0) {
            return false;
        } else {
            return true;
        }
    }

A count query will make this faster. So the condition can be something like:

    if (session.realms().getRealmCount() > 0)

*Second*, call to UserStorageSyncManager.bootstrapPeriodic() is also causing
all realms to be queried.

    public void bootstrapPeriodic(final KeycloakSessionFactory sessionFactory, final TimerProvider timer) {
        KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() {

            @Override
            public void run(KeycloakSession session) {
                List<RealmModel> realms = session.realms().getRealms();
                for (final RealmModel realm : realms) {
                    List<UserStorageProviderModel> providers = realm.getUserStorageProviders();
                    for (final UserStorageProviderModel provider : providers) {

I'm thinking of querying only realms with user storage providers to improve
performance.

I can create a PR for this. Let me know if it's okay or if there's a better
solution than the ones I proposed.

Thanks,
Gideon

On Fri, Oct 5, 2018 at 6:22 AM Stian Thorgersen wrote:
> Keycloak simply doesn't scale well with regards to large number of realms
> today and it's not something we currently support.
>
> That's just one of several issues around large number of realms that have
> to be resolved. Another example is upgrading the server with 1700 realms is
> also going to be painful.
>
> At the moment we are not able to prioritise this though. We are planning
> to resolve it, but it will be quite some time until we do.
>
> For the particular issue you've mentioned the work-around is to remove the
> realm roles from the admin composite in master realm. That will work, but
> you will only be able to login and manage realms individually.
>
> On Thu, 4 Oct 2018 at 18:07, Gideon Caranzo wrote:
>> Hi,
>>
>> I'm encountering slow api calls after reaching 1700 realms.
>> I profiled it and found that role checking is causing the issue, particularly
>> *KeycloakModelUtils.searchFor(RoleModel role, RoleModel composite, Set<String> visited)*.
>>
>> I'm using a user with "admin" role to call the get realm API. And since I have
>> 1700 realms, the "admin" role now has about 30K composite roles under it. The
>> line below from KeycloakModelUtils.searchFor() will load all 30K composite
>> roles, causing the slow down.
>>
>>     *Set<RoleModel> compositeRoles = composite.getComposites();*
>>
>> Is there a way to avoid this issue? Or is it possible to fix the code such
>> that it will do a database query instead of searching in memory to check if
>> the role exists?
>>
>> Best regards,
>> Gideon

From l.lech at ringler.ch Wed Oct 10 05:16:49 2018
From: l.lech at ringler.ch (Lukasz Lech)
Date: Wed, 10 Oct 2018 09:16:49 +0000
Subject: [keycloak-dev] Which part of keycloak code is responsible for processing standalone.xml ?
Message-ID: <5E48B917000C984B86B77170F441903A11D8FEF3@exch.ringler.ch>

Hello,

Could you please point me in the right direction?

I'm trying to find out why the providers map in DefaultKeycloakSessionFactory
doesn't contain a value for a provider after I provide my own implementation.
I have a configuration that works as expected in the standalone desktop
version, but doesn't work inside Docker.

My research led me to org.keycloak.Config.getProvider(), so I've checked out
the whole keycloak source to find out who is calling init() (I expect that the
parsed standalone.xml lands there), but I've found only
org.keycloak.services.resources.KeycloakApplication, which is, I guess, not
used in standalone mode?

Where should I start my research? Does https://github.com/keycloak/keycloak
contain all relevant sources, or do I need to check out more?
Best regards,
Lukasz Lech

From l.lech at ringler.ch Wed Oct 10 07:42:23 2018
From: l.lech at ringler.ch (Lukasz Lech)
Date: Wed, 10 Oct 2018 11:42:23 +0000
Subject: [keycloak-dev] Confusion about standalone.xml in docker image jboss/keycloak.4.5.0.Final
Message-ID: <5E48B917000C984B86B77170F441903A11D8FF31@exch.ringler.ch>

Hello,

I'm finally confused about the docker image jboss/keycloak.4.5.0.Final and the
config files there.

I've applied changes to /opt/jboss/keycloak/standalone/configuration/standalone.xml
but they've taken no effect. I've checked that the server starts in standalone
mode, positive.

After many tries I've made a mad step, deleting that configuration file (in my
Dockerfile, not in the running container!). To my full surprise keycloak
started without any warning.

What is the purpose of that configuration file, then? If that file is not used,
what configuration file is used? I can delete standalone_ha.xml as well as the
whole /opt/jboss/keycloak/domain/configuration, and it doesn't disturb the
server in any way.

Best regards,
Lukasz Lech

From slaskawi at redhat.com Wed Oct 10 08:03:46 2018
From: slaskawi at redhat.com (Sebastian Laskawiec)
Date: Wed, 10 Oct 2018 14:03:46 +0200
Subject: [keycloak-dev] Confusion about standalone.xml in docker image jboss/keycloak.4.5.0.Final
In-Reply-To: <5E48B917000C984B86B77170F441903A11D8FF31@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A11D8FF31@exch.ringler.ch>
Message-ID:

We've changed the default configuration to standalone-ha.xml recently. Try
modifying that one.

From l.lech at ringler.ch Wed Oct 10 08:15:51 2018
From: l.lech at ringler.ch (Lukasz Lech)
Date: Wed, 10 Oct 2018 12:15:51 +0000
Subject: [keycloak-dev] Confusion about standalone.xml in docker image jboss/keycloak.4.5.0.Final
In-Reply-To:
References: <5E48B917000C984B86B77170F441903A11D8FF31@exch.ringler.ch>
Message-ID: <5E48B917000C984B86B77170F441903A11D8FF66@exch.ringler.ch>

OK thank you, this was exactly the problem. My previous questions are
rendered obsolete by this answer. All works now as expected.

Best regards,
Lukasz Lech

From mposolda at redhat.com Wed Oct 10 08:46:24 2018
From: mposolda at redhat.com (Marek Posolda)
Date: Wed, 10 Oct 2018 14:46:24 +0200
Subject: [keycloak-dev] Which part of keycloak code is responsible for processing standalone.xml ?
In-Reply-To: <5E48B917000C984B86B77170F441903A11D8FEF3@exch.ringler.ch>
References: <5E48B917000C984B86B77170F441903A11D8FEF3@exch.ringler.ch>
Message-ID: <80e2dc32-eb95-7a98-cc74-46d2d1b127f5@redhat.com>

https://github.com/keycloak/keycloak contains all relevant sources. I suggest
looking at the wildfly subsystem in the codebase (directory
wildfly/server-subsystem). Also it may help if you try the quickstarts for
providers. This may give you some hint what could be wrong on your side.

Good luck,
Marek

On 10/10/18 11:16, Lukasz Lech wrote:
> Hello,
>
> Could you please point me in the right direction?
>
> I'm trying to find out why the providers map in DefaultKeycloakSessionFactory
> doesn't contain a value for a provider after I provide my own implementation.
> I have a configuration that works as expected in the standalone desktop
> version, but doesn't work inside Docker.
>
> My research led me to org.keycloak.Config.getProvider(), so I've checked out
> the whole keycloak source to find out who is calling init() (I expect that
> the parsed standalone.xml lands there), but I've found only
> org.keycloak.services.resources.KeycloakApplication, which is, I guess, not
> used in standalone mode?
>
> Where should I start my research?
> Does https://github.com/keycloak/keycloak contain all relevant sources, or
> do I need to check out more?
>
> Best regards,
> Lukasz Lech

From sthorger at redhat.com Thu Oct 11 02:34:40 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 11 Oct 2018 08:34:40 +0200
Subject: [keycloak-dev] large number of realms causing slow api calls
In-Reply-To:
References:
Message-ID:

On Tue, 9 Oct 2018 at 22:50, Gideon Caranzo wrote:
> Thanks Stian for your reply. API calls have improved after using a
> different composite role (with few realm roles).
>
> Aside from API calls, I also observed slow startup time (about 20 mins). I
> found the following calls during startup are taking more time.
>
> *First*, the check for new installation using
> applianceBootstrap.isNewInstall() at
> KeycloakApplication.migrateAndBootstrap() is causing all realms to be
> queried.
>
>     public boolean isNewInstall() {
>         if (session.realms().getRealms().size() > 0) {
>             return false;
>         } else {
>             return true;
>         }
>     }
>
> A count query will make this faster. So the condition can be something
> like: if (session.realms().getRealmCount() > 0)

You could also just check if the master realm (Config.getAdminRealm()) is
there as it is required. Either should work and I'm not sure which is best.

> *Second*, call to UserStorageSyncManager.bootstrapPeriodic() is also
> causing all realms to be queried.
>
>     public void bootstrapPeriodic(final KeycloakSessionFactory sessionFactory, final TimerProvider timer) {
>         KeycloakModelUtils.runJobInTransaction(sessionFactory, new KeycloakSessionTask() {
>
>             @Override
>             public void run(KeycloakSession session) {
>                 List<RealmModel> realms = session.realms().getRealms();
>                 for (final RealmModel realm : realms) {
>                     List<UserStorageProviderModel> providers = realm.getUserStorageProviders();
>                     for (final UserStorageProviderModel provider : providers) {
>
> I'm thinking of querying only realms with user storage providers to
> improve performance.

Can't think of a better way which wouldn't require a lot of changes. Ideally
scheduled tasks should be a separate thing to allow easily querying those
directly without having to look into realm details.

> I can create a PR for this. Let me know if it's okay or if there's a
> better solution than the ones I proposed.

PRs would be welcome. I'd recommend sending a separate PR per item to make
it easier to review and get it merged.

> Thanks,
> Gideon

From Mattia.Bello at horsa.it Thu Oct 11 08:30:19 2018
From: Mattia.Bello at horsa.it (Mattia Bello)
Date: Thu, 11 Oct 2018 12:30:19 +0000
Subject: [keycloak-dev] Problem with login using Keycloak + Spring Security Adapter in Multi Tenancy mode
Message-ID: <92E1246EF925084F978BEEDBCF3711F10275F16D6F@barcellona.horsa.local>

Hello,
I am using keycloak with the keycloak Spring Security adapter and a multi
tenancy configuration.
I need to manage the following use case:
I want to use only a single login page where the user must enter the realm,
username and password.
I can't use the standard keycloak login page because keycloak needs to know
the realm before showing the relative login page.
How can I do that?
Does a way exist to pass these three fields to keycloak in a single form?

Thanks to all.

Mattia Bello
Developer

Horsa S.p.A.
Via Cadorna, 67
Vimodrone (MI)
Mobile (+39) 347 37 64 875
www.horsa.it

From sthorger at redhat.com Thu Oct 11 11:38:58 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Thu, 11 Oct 2018 17:38:58 +0200
Subject: [keycloak-dev] Problem with login using Keycloak + Spring Security Adapter in Multi Tenancy mode
In-Reply-To: <92E1246EF925084F978BEEDBCF3711F10275F16D6F@barcellona.horsa.local>
References: <92E1246EF925084F978BEEDBCF3711F10275F16D6F@barcellona.horsa.local>
Message-ID:

This mailing list is for Keycloak development and contribution discussions
only! Please use the user mailing list for questions and help.

From hmlnarik at redhat.com Mon Oct 15 07:13:31 2018
From: hmlnarik at redhat.com (Hynek Mlnarik)
Date: Mon, 15 Oct 2018 13:13:31 +0200
Subject: [keycloak-dev] Implementation of artifact binding (JIRA KEYCLOAK-831)
In-Reply-To:
References:
Message-ID:

Hi Alistair,

thank you for your willingness to contribute! However the ARTIFACT binding
would need to be implemented in full, with sufficient test coverage. Partial
implementation cannot be accepted.
It would also need some changes in the SAML code since currently it is
basically expecting either POST or REDIRECT. One of the implications is that
boolean has been widely used to discriminate the two while enum would be more
appropriate. Such places would need to be cleaned up first.

If you would like to do that, we could start with such refactorings once the
feature freeze phase [1] finishes.

Thank you

--Hynek

[1] http://lists.jboss.org/pipermail/keycloak-dev/2018-September/011263.html

On Fri, Sep 28, 2018 at 2:35 PM Doswald Alistair wrote:
> Implementation of artifact binding (JIRA KEYCLOAK-831)
>
> Hello,
>
> Last week I did a PoC implementation of the SAML artifact binding in a
> branch off keycloak 4.3.0.Final. The implementation can be seen here at
> https://github.com/AlistairDoswald/keycloak/tree/projectathon (don't
> judge me too harshly for the quality of the code if you look at it, I had
> about 2 days to have a working implementation, which included finding out
> how that part of the protocol worked).
>
> However, I now want to write a "correct" implementation against
> keycloak/master and if possible I'd like some feedback/advice on my
> intended implementation.
>
> 1. General implementation
>
> From the description in the SAML specification (see here section 3.6,
> https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf),
> artifact binding can be used for transmitting the request message, the
> response message or both.
>
> Initially, I intend only to do the implementation for the response
> messages. If I'm not mistaken, this means only for the Response and
> LogoutResponse messages. Would this be considered a suitable implementation
> of the JIRA?
>
> 2. User interface
>
> When an SP requests an artifact, it can do so by specifying HTTP-Artifact
> instead of HTTP-POST or HTTP-Redirect, and the process is then transparent
> with regard to the configuration of the client. However, I believe that the
> client should have a "Force artifact binding" binary slider and also a
> field to specify an artifact binding address. In this manner, the artifact
> binding can be used in conjunction with the IdP initiated login method.
>
> Importing must also set the artifact binding address if it is present in
> the SP metadata.
>
> 3. IdP metadata
>
> IdP metadata must contain at least one ArtifactResolutionService. I intend
> to have only one, with its index set to 0 and isDefault=true, and the
> binding set to the same address as the HTTP-POST (as for ECP).
>
> 4. Sending an artifact instead of the normal saml message
>
> This is the section for which I have the greatest uncertainty with respect
> to a correct implementation.
>
> Broadly this means intercepting the output response, and sending a 302
> redirect or a POSTed form with the artifact instead. Considering the length
> of the artifact, I see no reason to use a form, but should this be an
> option in the GUI?
>
> More practically, this means generating the response, saving it in the
> cache, and sending the redirect (or form) instead. I believe that the
> client's cache would be the best place to save this information (through
> the AuthenticatedClientSessionModel to be precise), but I'm not certain
> because it's the first time I'm seeking to store some new information in
> the cache. The key would be the artifact, and the value in my view should
> be the document, as that way we can create a complete signed/encrypted
> ArtifactResponse containing the Response or LogoutResponse.
>
> For the implementation details I'm not sure if it would be best to make
> the changes directly in the SamlProtocol class, or to do something similar
> to the SamlECPProfileService which overrides the methods of the
> SamlProtocol. For SamlECPProfileService the current implementation makes
> sense, but for artifact binding I fear there would be significant code
> duplication (of course, I could also do a mix with some small modifications
> in the SamlProtocol class and a SamlArtifactProfileService, or something
> similar).
>
> For triggering this artifact workflow, it would either be if the
> AuthnRequest has a ProtocolBinding set to
> urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact, or if the client has
> "force artifact binding" set to true.
>
> 5. Receiving an ArtifactResolve message
>
> For this part, my current implementation seems correct to me: the
> soapBinding method in class SamlService is modified to check the contents
> of the soap message arriving: if it is an ArtifactResolve, the
> corresponding ArtifactResponse generated earlier is packaged in a soap
> message and sent as a response. If not, the ECP profile is tried.
>
> The key-ArtifactResponse pair is removed from the cache during this
> operation. I am, however, not sure yet how the cache should handle purging
> of expired ArtifactResponse messages that are never asked for.
>
> 6. Errors, logging and audit
>
> Obviously, the error handling should work as described in the protocol,
> but also be logged as such. I don't think there are any messages to log at
> INFO, but the DEBUG logs should show the messages and allow an admin to
> easily put the entire sequence together.
>
> Also, I don't think there's any need for any extra information in the
> audit logs.
>
> 7. Tests
>
> Obviously, I'll have to add some tests for these functions, which should
> be:
>
> - Standard unit tests for individual functions that can be separated from
>   objects that would otherwise have to be mocked
> - Tests with arquillian to test the flow with artifact binding (sp
>   initiated and idp initiated), the options available in the GUI (extra
>   field, forced) as well as the error cases (i.e. asking twice for the same
>   artifact, for an artifact that doesn't exist, etc...).
>
> If you have any comments (anything missing, things that should be
> implemented differently in your view, etc...) feel free to let me know.
>
> Best regards,
>
> Alistair Doswald

From shiva.prasad.thagadur.prakash at ericsson.com Mon Oct 15 07:27:23 2018
From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash)
Date: Mon, 15 Oct 2018 11:27:23 +0000
Subject: [keycloak-dev] How to contribute to Keycloak
Message-ID: <1539602843.8542.11.camel@ericsson.com>

Hi All,

This is Shiva. I am keen to know about contributing to Keycloak. For
example, fixing a bug in JIRA, i.e. how/where to request pushing the bug
fix upstream, etc. Eagerly waiting for the reply.

Best regards,
Shiva

From s.kreutz at yieldlab.de Mon Oct 15 07:35:03 2018
From: s.kreutz at yieldlab.de (Steffen Kreutz)
Date: Mon, 15 Oct 2018 13:35:03 +0200
Subject: [keycloak-dev] How to contribute to Keycloak
In-Reply-To: <1539602843.8542.11.camel@ericsson.com>
References: <1539602843.8542.11.camel@ericsson.com>
Message-ID: <6F744F59-87C3-4A0F-83DE-94F8A8098E8F@yieldlab.de>

Hi Shiva,

Keycloak's README contains a section about contributing:
https://github.com/keycloak/keycloak/blob/master/README.md

Best,
Steffen

> On 15.10.2018 at 13:27, Shiva Prasad Thagadur Prakash wrote:
>
> Hi All,
>
> This is Shiva. I am keen to know about contributing to Keycloak.
> For example, fixing a bug in JIRA, i.e. how/where to request pushing
> the bug fix upstream, etc. Eagerly waiting for the reply.
>
> Best regards,
>
> Shiva

From shiva.prasad.thagadur.prakash at ericsson.com Mon Oct 15 07:54:30 2018
From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash)
Date: Mon, 15 Oct 2018 11:54:30 +0000
Subject: [keycloak-dev] How to contribute to Keycloak
In-Reply-To: <6F744F59-87C3-4A0F-83DE-94F8A8098E8F@yieldlab.de>
References: <1539602843.8542.11.camel@ericsson.com> <6F744F59-87C3-4A0F-83DE-94F8A8098E8F@yieldlab.de>
Message-ID: <1539604469.8542.12.camel@ericsson.com>

Hi Steffen,

Thank you very much!

Best regards,
Shiva

From oneal.kevin at gmail.com Mon Oct 15 11:55:21 2018
From: oneal.kevin at gmail.com (KevinO)
Date: Mon, 15 Oct 2018 10:55:21 -0500
Subject: [keycloak-dev] Column Sorting
In-Reply-To:
References:
Message-ID:

Question about the API for ordering resources. There are a couple of
different ways that ordering can be handled.
Option 1
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=+group
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=-group

Option 2
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=group:asc
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=group:desc

Option 3
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=group&order_by=asc
auth/admin/realms/external/groups?first=20&max=20&search=test&sort_by=group&order_by=desc

I don't think multi-column sorting is necessary, so I skipped that option.
Let me know if I missed an example of sorting that has defined how to do
sorting or if there is an alternative to the three options I've given.

Kevin

On Wed, Oct 3, 2018 at 11:04 AM KevinO wrote:
> I 100% agree with pagination on the server side. I'd like to start with
> the Groups page. I'm assuming the API will have to change. I'll use the
> Users page as a template.
>
> On Wed, Oct 3, 2018 at 9:38 AM Stian Thorgersen wrote:
>> Not 100% sure what the current status is. Some are paginated server-side,
>> some on client-side, some are missing pagination. Users are paginated on
>> server side for sure.
>>
>> For a large portion of tables though pagination has to be done on server
>> side (users, clients, roles, groups, etc. can all have large number of
>> entries). With that in mind I think to keep things consistent we should do
>> pagination and sorting on the server side for everything.
>>
>> On Wed, 3 Oct 2018 at 15:57, KevinO wrote:
>>> Stian, could you point me to a table that currently has server side
>>> pagination? And is there currently an effort to make all tables have
>>> server-side pagination?
>>>
>>> On Mon, Oct 1, 2018 at 8:05 PM KevinO wrote:
>>>> Is there any opposition to me adding column sorting?
>>>> There is the ticket for it:
>>>> https://issues.jboss.org/browse/KEYCLOAK-4676
>>>>
>>>> I've tested a solution that uses standard angular ordering. I don't want
>>>> to update all the tables if this is a feature that is not wanted.
>>>>
>>>> Here is what one option of sorting would look like using Font-Awesome's
>>>> chevron as the clickable item.

From craig at baseventure.com Tue Oct 16 11:56:03 2018
From: craig at baseventure.com (Craig Setera)
Date: Tue, 16 Oct 2018 10:56:03 -0500
Subject: [keycloak-dev] Make user account tabs configurable?
Message-ID:

I asked over in the users list if this was possible and I was pointed to
creating a custom theme. However, this strikes me as something that others
might want to be able to do. Would this be something of interest as a PR if
I were able to put something together? I can't say whether I'm actually in
a position to do that or not, but before I even try it seemed worth asking
whether it was of interest.

If there is interest, does anyone have any suggestions on how they would
want this to be built? Conceptually, it would be nice to have switches
somewhere in the realm configuration administrative UI that can turn those
tabs on/off.
Craig ================================= *Craig Setera* *Chief Technology Officer* From marco.scheuermann at daimler.com Wed Oct 17 18:00:40 2018 From: marco.scheuermann at daimler.com (marco.scheuermann at daimler.com) Date: Wed, 17 Oct 2018 22:00:40 +0000 Subject: [keycloak-dev] User Profile Extension Message-ID: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> Hi keykloak developers, my Name is Marco and I am currently working on a keykloak based usermanagement solution for our company and have the following requirement: We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number. After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow. During login we check if the user already exists. If not we guide him to a registration page. This check is implemented by using keykloaks admin rest API. We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned. We added a custom attribute ?mobile? to the user but the REST API does not allow to search for custom attributes. Our Requirement: The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user. Currently keykloak only offers a custom field for email, but no phone number. Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. 
From sthorger at redhat.com Thu Oct 18 05:33:23 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Thu, 18 Oct 2018 11:33:23 +0200 Subject: [keycloak-dev] User Profile Extension In-Reply-To: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> Message-ID: Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage spi also have implications here since it's a supported API we can't break backwards compatibility. To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing user to select from users with the phone number, or simply returning an error stating username has to be used. Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to lookup user based on phone number. Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems. On Thu, 18 Oct 2018 at 00:01, wrote: > Hi keykloak developers, > > my Name is Marco and I am currently working on a keykloak based > usermanagement solution for our company and have the following requirement: > We implemented a native One Time Password (OTP) login for our app. That > means a user can login using email or mobile number. > After that he gets a PIN via SMS/email which he can enter into the app to > trigger the authentication flow. 
> During login we check if the user already exists. If not we guide him to a > registration page. This check is implemented by using keykloaks admin rest > API. > We search for a user by email. It must also be possible to search by phone > number because this attribute could also be used for login as already > mentioned. > We added a custom attribute ?mobile? to the user but the REST API does not > allow to search for custom attributes. > > Our Requirement: > The user should be able to use email OR phone number for login. For that > it should be possible to enter both attributes while registering a new user. > Currently keykloak only offers a custom field for email, but no phone > number. > Therefore we want to extend the User Profile by phone number. Would you > accept such a Pull Request? > > Thank you, > Marco > > If you are not the addressee, please inform us immediately that you have > received this e-mail by mistake, and delete it. We thank you for your > support. > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From marco.scheuermann at daimler.com Thu Oct 18 05:50:52 2018 From: marco.scheuermann at daimler.com (marco.scheuermann at daimler.com) Date: Thu, 18 Oct 2018 09:50:52 +0000 Subject: [keycloak-dev] User Profile Extension In-Reply-To: References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> Message-ID: <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> Hi Stian, thank you for your answer. We already implemented login with phone number. For that we created a microservice that communicates with keykloak. The service does a ROPC with keykloak, so from keykloak perspective we DO NOT NEED support for login with phone number. Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number. 
Greetings, Marco Von: Stian Thorgersen Antworten an: "stian at redhat.com" Datum: Donnerstag, 18. Oktober 2018 um 11:33 An: "Scheuermann, Marco (059)" Cc: keycloak-dev , "fabian.loewner at freiheit.com" , "Scollo, Carmelo (059)" , "Herrmann, David Christian (059)" , "Schmitt, Lukas (059)" Betreff: Re: [keycloak-dev] User Profile Extension Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage spi also have implications here since it's a supported API we can't break backwards compatibility. To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing user to select from users with the phone number, or simply returning an error stating username has to be used. Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to lookup user based on phone number. Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems. On Thu, 18 Oct 2018 at 00:01, > wrote: Hi keykloak developers, my Name is Marco and I am currently working on a keykloak based usermanagement solution for our company and have the following requirement: We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number. After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow. 
During login we check if the user already exists. If not we guide him to a registration page. This check is implemented by using keykloaks admin rest API. We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned. We added a custom attribute ?mobile? to the user but the REST API does not allow to search for custom attributes. Our Requirement: The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user. Currently keykloak only offers a custom field for email, but no phone number. Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. _______________________________________________ keycloak-dev mailing list keycloak-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. From jambo_mcd at yahoo.co.uk Thu Oct 18 09:21:48 2018 From: jambo_mcd at yahoo.co.uk (Jamie McDowell) Date: Thu, 18 Oct 2018 13:21:48 +0000 (UTC) Subject: [keycloak-dev] Keycloak realm certificates be passed to Knox? In-Reply-To: <366471873.18450736.1539868880248@mail.yahoo.com> References: <366471873.18450736.1539868880248.ref@mail.yahoo.com> <366471873.18450736.1539868880248@mail.yahoo.com> Message-ID: <275061978.18417381.1539868908251@mail.yahoo.com> Hi, I am trying to find a way to be able to retrieve a realm certificate which can then be passed to Knox. When a realm is deployed, it generates a new public key, therefore any Knox Configuration would have to be updated with new corresponding certificates.? 
Knox is used to decrypt singed JWT's. Is this something that can be achieved? Thanks Jamie From sthorger at redhat.com Fri Oct 19 02:10:19 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 19 Oct 2018 08:10:19 +0200 Subject: [keycloak-dev] Keycloak realm certificates be passed to Knox? In-Reply-To: <275061978.18417381.1539868908251@mail.yahoo.com> References: <366471873.18450736.1539868880248.ref@mail.yahoo.com> <366471873.18450736.1539868880248@mail.yahoo.com> <275061978.18417381.1539868908251@mail.yahoo.com> Message-ID: Please use user mailing list for general questions and help. The dev maiing list is for discussion around development of Keycloak and contributions. On Thu, 18 Oct 2018 at 15:27, Jamie McDowell wrote: > Hi, > > I am trying to find a way to be able to retrieve a realm certificate which > can then be passed to Knox. When a realm is deployed, it generates a new > public key, therefore any Knox Configuration would have to be updated with > new corresponding certificates. > Knox is used to decrypt singed JWT's. > Is this something that can be achieved? > Thanks > Jamie > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev From sthorger at redhat.com Fri Oct 19 02:14:36 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 19 Oct 2018 08:14:36 +0200 Subject: [keycloak-dev] User Profile Extension In-Reply-To: <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> Message-ID: I understand that you don't need it, but that's past the point. When adding new features and capabilities in Keycloak we need to consider the bigger picture and add things in a way that has wider use. We do not add solutions for one person. On Thu, 18 Oct 2018 at 11:51, wrote: > Hi Stian, > > > > thank you for your answer. 
> > We already implemented login with phone number. For that we created a > microservice that communicates with keykloak. The service does a ROPC with > keykloak, so from keykloak perspective we DO NOT NEED support for login with > > phone number. > > Our only requirement was to extend the existing user profile by phone > number, NOT to allow login via phone number. > > > > Greetings, > > Marco > > > > *Von: *Stian Thorgersen > *Antworten an: *"stian at redhat.com" > *Datum: *Donnerstag, 18. Oktober 2018 um 11:33 > *An: *"Scheuermann, Marco (059)" > *Cc: *keycloak-dev , " > fabian.loewner at freiheit.com" , "Scollo, > Carmelo (059)" , "Herrmann, David Christian > (059)" , "Schmitt, Lukas (059)" < > lukas.schmitt at daimler.com> > *Betreff: *Re: [keycloak-dev] User Profile Extension > > > > Adding support for login with phone number isn't as trivial as simply > adding another user attribute. The user storage spi also have implications > here since it's a supported API we can't break backwards compatibility. > > > > To do this right we should discuss the correct approach. This would > involve some configuration option for a realm to allow specifying what > attributes can be used to authenticate the user. Some strategy for when > there is more than one user with the same phone number. That could be > unique, allowing user to select from users with the phone number, or simply > returning an error stating username has to be used. > > > > Then there's indexing to consider. For the phone number to be useful for a > login it has to be indexed in the db. Caches should be able to lookup user > based on phone number. > > > > Finally, and this is something we have problems with for email today. For > email we had a limitation that email had to be unique. One email per user > basically. This doesn't really work all that well and we had a rather hacky > approach to allowing multiple users with the same email address. 
To extend > to phone numbers we would need to address this properly and not introduce > additional problems. > > > > On Thu, 18 Oct 2018 at 00:01, wrote: > > Hi keykloak developers, > > my Name is Marco and I am currently working on a keykloak based > usermanagement solution for our company and have the following requirement: > We implemented a native One Time Password (OTP) login for our app. That > means a user can login using email or mobile number. > After that he gets a PIN via SMS/email which he can enter into the app to > trigger the authentication flow. > During login we check if the user already exists. If not we guide him to a > registration page. This check is implemented by using keykloaks admin rest > API. > We search for a user by email. It must also be possible to search by phone > number because this attribute could also be used for login as already > mentioned. > We added a custom attribute ?mobile? to the user but the REST API does not > allow to search for custom attributes. > > Our Requirement: > The user should be able to use email OR phone number for login. For that > it should be possible to enter both attributes while registering a new user. > Currently keykloak only offers a custom field for email, but no phone > number. > Therefore we want to extend the User Profile by phone number. Would you > accept such a Pull Request? > > Thank you, > Marco > > If you are not the addressee, please inform us immediately that you have > received this e-mail by mistake, and delete it. We thank you for your > support. > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > If you are not the addressee, please inform us immediately that you have > received this e-mail by mistake, and delete it. We thank you for your > support. 
> > From marco.scheuermann at daimler.com Fri Oct 19 02:21:24 2018 From: marco.scheuermann at daimler.com (marco.scheuermann at daimler.com) Date: Fri, 19 Oct 2018 06:21:24 +0000 Subject: [keycloak-dev] User Profile Extension In-Reply-To: References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> Message-ID: <7A027B91-1D78-466F-8EFA-8B3F4B2A4A02@daimler.com> Thank you Stian, I understand your point. I will create a longer description of our requirement and why it has a benefit for the community. Is that ok for you? Thank you, Marco Von: Stian Thorgersen Antworten an: "stian at redhat.com" Datum: Freitag, 19. Oktober 2018 um 08:14 An: "Scheuermann, Marco (059)" Cc: keycloak-dev , "fabian.loewner at freiheit.com" , "Scollo, Carmelo (059)" , "Herrmann, David Christian (059)" , "Schmitt, Lukas (059)" Betreff: Re: [keycloak-dev] User Profile Extension I understand that you don't need it, but that's past the point. When adding new features and capabilities in Keycloak we need to consider the bigger picture and add things in a way that has wider use. We do not add solutions for one person. On Thu, 18 Oct 2018 at 11:51, > wrote: Hi Stian, thank you for your answer. We already implemented login with phone number. For that we created a microservice that communicates with keykloak. The service does a ROPC with keykloak, so from keykloak perspective we DO NOT NEED support for login with phone number. Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number. Greetings, Marco Von: Stian Thorgersen > Antworten an: "stian at redhat.com" > Datum: Donnerstag, 18. 
Oktober 2018 um 11:33 An: "Scheuermann, Marco (059)" > Cc: keycloak-dev >, "fabian.loewner at freiheit.com" >, "Scollo, Carmelo (059)" >, "Herrmann, David Christian (059)" >, "Schmitt, Lukas (059)" > Betreff: Re: [keycloak-dev] User Profile Extension Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage spi also have implications here since it's a supported API we can't break backwards compatibility. To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing user to select from users with the phone number, or simply returning an error stating username has to be used. Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to lookup user based on phone number. Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems. On Thu, 18 Oct 2018 at 00:01, > wrote: Hi keykloak developers, my Name is Marco and I am currently working on a keykloak based usermanagement solution for our company and have the following requirement: We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number. After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow. During login we check if the user already exists. If not we guide him to a registration page. 
This check is implemented by using keykloaks admin rest API. We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned. We added a custom attribute ?mobile? to the user but the REST API does not allow to search for custom attributes. Our Requirement: The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user. Currently keykloak only offers a custom field for email, but no phone number. Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. _______________________________________________ keycloak-dev mailing list keycloak-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. From sthorger at redhat.com Fri Oct 19 02:26:30 2018 From: sthorger at redhat.com (Stian Thorgersen) Date: Fri, 19 Oct 2018 08:26:30 +0200 Subject: [keycloak-dev] User Profile Extension In-Reply-To: <7A027B91-1D78-466F-8EFA-8B3F4B2A4A02@daimler.com> References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> <7A027B91-1D78-466F-8EFA-8B3F4B2A4A02@daimler.com> Message-ID: I'd rather you consider contributing a fully functional feature in Keycloak itself, rather than extracting most of it into a separate service and only contributing a part of the feature to the rest of the community. 
On Fri, 19 Oct 2018 at 08:21, wrote: > Thank you Stian, > > > > I understand your point. I will create a longer description of our > requirement and why it has a benefit for the community. > > Is that ok for you? > > > > Thank you, > > Marco > > > > *Von: *Stian Thorgersen > *Antworten an: *"stian at redhat.com" > *Datum: *Freitag, 19. Oktober 2018 um 08:14 > *An: *"Scheuermann, Marco (059)" > *Cc: *keycloak-dev , " > fabian.loewner at freiheit.com" , "Scollo, > Carmelo (059)" , "Herrmann, David Christian > (059)" , "Schmitt, Lukas (059)" < > lukas.schmitt at daimler.com> > *Betreff: *Re: [keycloak-dev] User Profile Extension > > > > I understand that you don't need it, but that's past the point. When > adding new features and capabilities in Keycloak we need to consider the > bigger picture and add things in a way that has wider use. We do not add > solutions for one person. > > > > On Thu, 18 Oct 2018 at 11:51, wrote: > > Hi Stian, > > > > thank you for your answer. > > We already implemented login with phone number. For that we created a > microservice that communicates with keykloak. The service does a ROPC with > keykloak, so from keykloak perspective we DO NOT NEED support for login with > > phone number. > > Our only requirement was to extend the existing user profile by phone > number, NOT to allow login via phone number. > > > > Greetings, > > Marco > > > > *Von: *Stian Thorgersen > *Antworten an: *"stian at redhat.com" > *Datum: *Donnerstag, 18. Oktober 2018 um 11:33 > *An: *"Scheuermann, Marco (059)" > *Cc: *keycloak-dev , " > fabian.loewner at freiheit.com" , "Scollo, > Carmelo (059)" , "Herrmann, David Christian > (059)" , "Schmitt, Lukas (059)" < > lukas.schmitt at daimler.com> > *Betreff: *Re: [keycloak-dev] User Profile Extension > > > > Adding support for login with phone number isn't as trivial as simply > adding another user attribute. 
The user storage spi also have implications > here since it's a supported API we can't break backwards compatibility. > > > > To do this right we should discuss the correct approach. This would > involve some configuration option for a realm to allow specifying what > attributes can be used to authenticate the user. Some strategy for when > there is more than one user with the same phone number. That could be > unique, allowing user to select from users with the phone number, or simply > returning an error stating username has to be used. > > > > Then there's indexing to consider. For the phone number to be useful for a > login it has to be indexed in the db. Caches should be able to lookup user > based on phone number. > > > > Finally, and this is something we have problems with for email today. For > email we had a limitation that email had to be unique. One email per user > basically. This doesn't really work all that well and we had a rather hacky > approach to allowing multiple users with the same email address. To extend > to phone numbers we would need to address this properly and not introduce > additional problems. > > > > On Thu, 18 Oct 2018 at 00:01, wrote: > > Hi keykloak developers, > > my Name is Marco and I am currently working on a keykloak based > usermanagement solution for our company and have the following requirement: > We implemented a native One Time Password (OTP) login for our app. That > means a user can login using email or mobile number. > After that he gets a PIN via SMS/email which he can enter into the app to > trigger the authentication flow. > During login we check if the user already exists. If not we guide him to a > registration page. This check is implemented by using keykloaks admin rest > API. > We search for a user by email. It must also be possible to search by phone > number because this attribute could also be used for login as already > mentioned. > We added a custom attribute ?mobile? 
to the user but the REST API does not > allow to search for custom attributes. > > Our Requirement: > The user should be able to use email OR phone number for login. For that > it should be possible to enter both attributes while registering a new user. > Currently keykloak only offers a custom field for email, but no phone > number. > Therefore we want to extend the User Profile by phone number. Would you > accept such a Pull Request? > > Thank you, > Marco > > If you are not the addressee, please inform us immediately that you have > received this e-mail by mistake, and delete it. We thank you for your > support. > > _______________________________________________ > keycloak-dev mailing list > keycloak-dev at lists.jboss.org > https://lists.jboss.org/mailman/listinfo/keycloak-dev > > > If you are not the addressee, please inform us immediately that you have > received this e-mail by mistake, and delete it. We thank you for your > support. > > > > > If you are not the addressee, please inform us immediately that you have > received this e-mail by mistake, and delete it. We thank you for your > support. > > From marco.scheuermann at daimler.com Fri Oct 19 02:29:30 2018 From: marco.scheuermann at daimler.com (marco.scheuermann at daimler.com) Date: Fri, 19 Oct 2018 06:29:30 +0000 Subject: [keycloak-dev] User Profile Extension In-Reply-To: References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> <7A027B91-1D78-466F-8EFA-8B3F4B2A4A02@daimler.com> Message-ID: Thats very good. Would you support a full implementation for passwordless login in keykloak? User has to enter email address, presses login and then he gets a One Time Password to login. If that`s fine for you, I would discuss with my colleagues if we create a PR. Ok? Marco Von: Stian Thorgersen Antworten an: "stian at redhat.com" Datum: Freitag, 19. 
Oktober 2018 um 08:26 An: "Scheuermann, Marco (059)" Cc: keycloak-dev , "fabian.loewner at freiheit.com" , "Scollo, Carmelo (059)" , "Herrmann, David Christian (059)" , "Schmitt, Lukas (059)" Betreff: Re: [keycloak-dev] User Profile Extension I'd rather you consider contributing a fully functional feature in Keycloak itself, rather than extracting most of it into a separate service and only contributing a part of the feature to the rest of the community. On Fri, 19 Oct 2018 at 08:21, > wrote: Thank you Stian, I understand your point. I will create a longer description of our requirement and why it has a benefit for the community. Is that ok for you? Thank you, Marco Von: Stian Thorgersen > Antworten an: "stian at redhat.com" > Datum: Freitag, 19. Oktober 2018 um 08:14 An: "Scheuermann, Marco (059)" > Cc: keycloak-dev >, "fabian.loewner at freiheit.com" >, "Scollo, Carmelo (059)" >, "Herrmann, David Christian (059)" >, "Schmitt, Lukas (059)" > Betreff: Re: [keycloak-dev] User Profile Extension I understand that you don't need it, but that's past the point. When adding new features and capabilities in Keycloak we need to consider the bigger picture and add things in a way that has wider use. We do not add solutions for one person. On Thu, 18 Oct 2018 at 11:51, > wrote: Hi Stian, thank you for your answer. We already implemented login with phone number. For that we created a microservice that communicates with keykloak. The service does a ROPC with keykloak, so from keykloak perspective we DO NOT NEED support for login with phone number. Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number. Greetings, Marco Von: Stian Thorgersen > Antworten an: "stian at redhat.com" > Datum: Donnerstag, 18. 
Oktober 2018 um 11:33 An: "Scheuermann, Marco (059)" > Cc: keycloak-dev >, "fabian.loewner at freiheit.com" >, "Scollo, Carmelo (059)" >, "Herrmann, David Christian (059)" >, "Schmitt, Lukas (059)" > Betreff: Re: [keycloak-dev] User Profile Extension Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage spi also have implications here since it's a supported API we can't break backwards compatibility. To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing user to select from users with the phone number, or simply returning an error stating username has to be used. Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to lookup user based on phone number. Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems. On Thu, 18 Oct 2018 at 00:01, > wrote: Hi keykloak developers, my Name is Marco and I am currently working on a keykloak based usermanagement solution for our company and have the following requirement: We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number. After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow. During login we check if the user already exists. If not we guide him to a registration page. 
This check is implemented by using keykloaks admin rest API. We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned. We added a custom attribute ?mobile? to the user but the REST API does not allow to search for custom attributes. Our Requirement: The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user. Currently keykloak only offers a custom field for email, but no phone number. Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request? Thank you, Marco If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. _______________________________________________ keycloak-dev mailing list keycloak-dev at lists.jboss.org https://lists.jboss.org/mailman/listinfo/keycloak-dev If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. If you are not the addressee, please inform us immediately that you have received this e-mail by mistake, and delete it. We thank you for your support. From shiva.prasad.thagadur.prakash at ericsson.com Fri Oct 19 03:03:17 2018 From: shiva.prasad.thagadur.prakash at ericsson.com (Shiva Prasad Thagadur Prakash) Date: Fri, 19 Oct 2018 07:03:17 +0000 Subject: [keycloak-dev] [KEYCLOAK-6788] Regarding fixing the bug Message-ID: <1539932597.6633.27.camel@ericsson.com> Dear All, I would like to propse a fix to the bug?KEYCLOAK-6788. I have already fixed the bug and verified that it works.? 
The fix includes a small function that ensures that the string given by the user as the flow name is not empty or doesn't contain the character '/'.

Should I also include the source file with this email? Eagerly waiting to hear from you guys! Please correct me if I am wrong as I am pretty new to open source contribution.

Best regards,
Shiva

From K.Buler at adbglobal.com Fri Oct 19 06:20:57 2018
From: K.Buler at adbglobal.com (Karol Buler)
Date: Fri, 19 Oct 2018 10:20:57 +0000
Subject: [keycloak-dev] Can not unstage/stash vertical-nav.component.ts
Message-ID: <0e92f4ab-e900-b1c1-238d-57707ce92dee@adbglobal.com>

Hello guys,

I have a git problem with this file:

themes/src/main/resources/theme/keycloak-preview/account/resources/app/vertical-nav/vertical-nav.component.ts

I can't unstage or stash it. Very weird, but I can't even change the branch locally. Any ideas? Someone had the same problem?

BR,
Karol

adbglobal.com

This message (including any attachments) may contain confidential, proprietary, privileged and/or private information. The information is intended for the use of the individual or entity designated above. If you are not the intended recipient of this message, please notify the sender immediately, and delete the message and any attachments. Any disclosure, reproduction, distribution or other use of this message or any attachments by an individual or entity other than the intended recipient is STRICTLY PROHIBITED.

Please note that ADB protects your privacy. Any personal information we collect from you is used in accordance with our Privacy Policy and in compliance with applicable European data protection law (Regulation (EU) 2016/679, General Data Protection Regulation) and other statutory provisions.
From ssilvert at redhat.com Fri Oct 19 08:42:33 2018
From: ssilvert at redhat.com (Stan Silvert)
Date: Fri, 19 Oct 2018 08:42:33 -0400
Subject: [keycloak-dev] Can not unstage/stash vertical-nav.component.ts
In-Reply-To: <0e92f4ab-e900-b1c1-238d-57707ce92dee@adbglobal.com>
References: <0e92f4ab-e900-b1c1-238d-57707ce92dee@adbglobal.com>
Message-ID: <750abc06-5bc1-c0c4-bd09-7daac46b0347@redhat.com>

I'm not sure I understand your problem, but that file was removed from Keycloak. So you can just delete it locally.

It's not something you should have been using anyway because keycloak-preview (aka "New Account Management Console") is not code complete.

On 10/19/2018 6:20 AM, Karol Buler wrote:
> [...]

From gideonray at gmail.com Fri Oct 19 16:52:57 2018
From: gideonray at gmail.com (Gideon Caranzo)
Date: Fri, 19 Oct 2018 15:52:57 -0500
Subject: [keycloak-dev] using the same master client to manage multiple realms
Message-ID:

Hi All,

I'd like to propose a feature wherein you can assign the same master client to manage multiple realms.

Right now we are using composite roles for some API client credentials. The issue we have is that if we need to assign or remove roles, we need to update all realm clients. Also, if we add a new realm, we also need to update our composite roles and assign the roles needed for the realm client.

So basically, in our case, we just need one client since all the realm clients will have exactly the same assigned roles. This will also improve performance if you have a large number of realms since you won't have a scenario wherein one composite role ends up loading all roles for each realm client.

This can be implemented by having an option to specify the master client when creating a realm. If a master client is specified, it will be created or reused if it already exists. Since this is only an option, the existing behavior will still be there (create a master client for the realm).

I've created a proof of concept and got it working. I think this should be feasible.

Let me know what you think. I'll be happy to submit a PR for this. Thanks.

Best regards,
Gideon

From sthorger at redhat.com Mon Oct 22 02:54:46 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 22 Oct 2018 08:54:46 +0200
Subject: [keycloak-dev] using the same master client to manage multiple realms
In-Reply-To:
References:
Message-ID:

Although I appreciate how this could be useful, this is introducing yet another complexity into a rather messy part of the code base.
I'd like to see the way realms are managed being made simpler, not more complex by introducing alternatives here.

On Fri, 19 Oct 2018 at 22:58, Gideon Caranzo wrote:
> [...]

From sthorger at redhat.com Mon Oct 22 03:00:08 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 22 Oct 2018 09:00:08 +0200
Subject: [keycloak-dev] User Profile Extension
In-Reply-To:
References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> <7A027B91-1D78-466F-8EFA-8B3F4B2A4A02@daimler.com>
Message-ID:

We would be open to that.

It would be great if you could start with describing it in more detail first though. It's pretty simple to implement something like that, but making it user friendly and a generic feature is more complicated. See https://github.com/stianst/keycloak-experimental/tree/master/magic-link for instance. It does passwordless, but it's not very nice for those setting up Keycloak or the end user.

I presume you are talking about an SMS with the one time password?

On Fri, 19 Oct 2018 at 08:29, wrote:
> That's very good. Would you support a full implementation for passwordless login in Keycloak?
>
> The user has to enter an email address, presses login and then he gets a One Time Password to log in.
>
> If that's fine for you, I would discuss with my colleagues if we create a PR.
>
> Ok?
>
> Marco
>
> From: Stian Thorgersen
> Reply to: "stian at redhat.com"
> Date: Friday, 19 October 2018 at 08:26
> To: "Scheuermann, Marco (059)"
> Cc: keycloak-dev, "fabian.loewner at freiheit.com", "Scollo, Carmelo (059)", "Herrmann, David Christian (059)", "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com>
> Subject: Re: [keycloak-dev] User Profile Extension
>
> I'd rather you consider contributing a fully functional feature in Keycloak itself, rather than extracting most of it into a separate service and only contributing a part of the feature to the rest of the community.
>
> On Fri, 19 Oct 2018 at 08:21, wrote:
>
> Thank you Stian,
>
> I understand your point. I will create a longer description of our requirement and why it has a benefit for the community.
>
> Is that ok for you?
>
> Thank you,
> Marco
>
> From: Stian Thorgersen
> Reply to: "stian at redhat.com"
> Date: Friday, 19 October 2018 at 08:14
> To: "Scheuermann, Marco (059)"
> Cc: keycloak-dev, "fabian.loewner at freiheit.com", "Scollo, Carmelo (059)", "Herrmann, David Christian (059)", "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com>
> Subject: Re: [keycloak-dev] User Profile Extension
>
> I understand that you don't need it, but that's past the point. When adding new features and capabilities in Keycloak we need to consider the bigger picture and add things in a way that has wider use. We do not add solutions for one person.
>
> On Thu, 18 Oct 2018 at 11:51, wrote:
>
> Hi Stian,
>
> thank you for your answer.
>
> We already implemented login with phone number. For that we created a microservice that communicates with Keycloak. The service does a ROPC with Keycloak, so from the Keycloak perspective we DO NOT NEED support for login with phone number.
>
> Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number.
>
> Greetings,
> Marco
>
> From: Stian Thorgersen
> Reply to: "stian at redhat.com"
> Date: Thursday, 18 October 2018 at 11:33
> To: "Scheuermann, Marco (059)"
> Cc: keycloak-dev, "fabian.loewner at freiheit.com", "Scollo, Carmelo (059)", "Herrmann, David Christian (059)", "Schmitt, Lukas (059)" <lukas.schmitt at daimler.com>
> Subject: Re: [keycloak-dev] User Profile Extension
>
> [...]

From sthorger at redhat.com Mon Oct 22 03:02:52 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Mon, 22 Oct 2018 09:02:52 +0200
Subject: [keycloak-dev] [KEYCLOAK-6788] Regarding fixing the bug
In-Reply-To: <1539932597.6633.27.camel@ericsson.com>
References: <1539932597.6633.27.camel@ericsson.com>
Message-ID:

Doesn't sound like you've really fixed the bug, but rather added validation. We do not want small snippets of code everywhere to do validation in the admin endpoints. Rather, we need a proper way of doing validation using a validation framework that we should leverage. Hence why this issue is a subtask of KEYCLOAK-2355.

On Fri, 19 Oct 2018 at 09:04, Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash at ericsson.com> wrote:
> [...]

From lilian.benoit at lbenoit.fr Tue Oct 23 08:07:31 2018
From: lilian.benoit at lbenoit.fr (Lilian BENOIT)
Date: Tue, 23 Oct 2018 14:07:31 +0200
Subject: [keycloak-dev] User Profile Extension
In-Reply-To:
References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> <7A027B91-1D78-466F-8EFA-8B3F4B2A4A02@daimler.com>
Message-ID:

Hi.

For one project, I extended Keycloak to implement login with mobile number or email. I have implemented login and registration by mobile number. I used activation by code because a link is too long for SMS, but I could use a link reducer (internal or external).

I developed a new SPI to send SMS (inspired by EmailSenderProvider). It is there to permit implementing a specific solution with our SMS provider.

Currently, I save the mobile number in an attribute, but it would be more elegant to handle the mobile number the same way as email (for example, to activate or not authentication by mobile).

If there is such a subject, I am interested in contributing.

Best regards,
Lilian BENOIT.

On 2018-10-19 08:26, Stian Thorgersen wrote:
> [...]

From marco.scheuermann at daimler.com Tue Oct 23 08:12:16 2018
From: marco.scheuermann at daimler.com (marco.scheuermann at daimler.com)
Date: Tue, 23 Oct 2018 12:12:16 +0000
Subject: [keycloak-dev] User Profile Extension
In-Reply-To:
References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> <7A027B91-1D78-466F-8EFA-8B3F4B2A4A02@daimler.com>
Message-ID:

Right. SMS with OTP.

Marco

Sent from my iPhone

On 22.10.2018 at 09:00, Stian Thorgersen wrote:

We would be open to that.

It would be great if you could start with describing it in more detail first though. It's pretty simple to implement something like that, but making it user friendly and a generic feature is more complicated. See https://github.com/stianst/keycloak-experimental/tree/master/magic-link for instance.
It does passwordless, but it's not very nice for those setting up Keycloak or the end user.

I presume you are talking about an SMS with the one time password?

On Fri, 19 Oct 2018 at 08:29, wrote:

[...]

From dchrzascik at novomatic-tech.com Tue Oct 23 11:22:14 2018
From: dchrzascik at novomatic-tech.com (Dariusz Chrzascik)
Date: Tue, 23 Oct 2018 17:22:14 +0200
Subject: [keycloak-dev] How to begin hacking with keycloak
Message-ID: <5BCF58C602000086000C3C68@gwia-internal01.atsisa.com>

Hi,

I'd like to contribute to Keycloak. I've read https://github.com/keycloak/keycloak/blob/master/misc/HackingOnKeycloak.md but I still don't know how to start. I don't have any specific issue or problem that I'd like to fix. In the JIRA (https://issues.jboss.org/projects/KEYCLOAK/issues) I see that there are a lot of open issues but I'm not sure if I can start working on anything that suits me.

Can somebody point me in the right direction?

Regards,
Dariusz Chrząścik

CONFIDENTIALITY NOTICE
------------------------------------
This E-mail is intended only to be read or used by the addressee. The information contained in this E-mail message may be confidential information. If you are not the intended recipient, any use, interference with, distribution, disclosure or copying of this material is unauthorized and prohibited. Confidentiality attached to this communication is not waived or lost by reason of the mistaken delivery to you. If you have received this message in error, please delete it and notify us by return E-mail or telephone NOVOMATIC Technologies Poland S.A. +48 12 258 00 50. Any E-mail attachment may contain software viruses which could damage your own computer system. Whilst reasonable precaution has been taken to minimize this risk, we cannot accept liability for any damage which you sustain as a result of software viruses. You should therefore carry out your own virus checks before opening any attachments.
------------------------------------
NOVOMATIC Technologies Poland S.A., Poland, Krakowska 368, 32-080 Zabierzów

From alistair.doswald at elca.ch Tue Oct 23 11:26:28 2018
From: alistair.doswald at elca.ch (Doswald Alistair)
Date: Tue, 23 Oct 2018 15:26:28 +0000
Subject: [keycloak-dev] Implementation of artifact binding (JIRA KEYCLOAK-831)

Hello,

I think that a full implementation of SAML's artifact binding can be functionally divided into three separate parts:

1. Answering a Redirect or POSTed form containing an artifact from an SP with an ArtifactResolve, and then handling the contents of the received ArtifactResponse
2. Upon receiving an AuthnRequest, performing the login, but answering with an artifact rather than a SAML Response. Then, upon receiving the ArtifactResolve from the SP, sending the Response in an ArtifactResponse.
3. Upon receiving a Logout request, answering with an artifact. Then, upon receiving the ArtifactResolve, completing the logout, and sending the LogoutResponse in an ArtifactResponse. This step is a bit complicated by the fact that there may be multiple clients to which to send a logout for the SSO, and we must track which sessions are using artifact binding.

Currently I have part 2) completely written, commented and fully automatically tested. To fully implement the JIRA KEYCLOAK-831, all 3 need to be implemented, but I'm already going to do a pull request with the current code, to allow for the existing code to be revised. From what you said, such a PR wouldn't be accepted, but from my point of view it wouldn't be a problem if it were, as it is already functional as-is. The rest of the code will be coming, since Artifact Binding is one of our required features on the Cloudtrust project. I hope to have it ready within the next two weeks. If I can submit within this timeframe, would it be in time before the feature freeze?

Best regards,
Alistair Doswald

From: Hynek Mlnarik
Sent: Monday, 15 October 2018 13:14
To: Doswald Alistair
Cc: keycloak-dev
Subject: Re: [keycloak-dev] Implementation of artifact binding (JIRA KEYCLOAK-831)

Hi Alistair,

thank you for your willingness to contribute! However the ARTIFACT binding would need to be implemented in full, with sufficient test coverage. Partial implementation cannot be accepted. It would also need some changes in the SAML code since currently it is basically expecting either POST or REDIRECT. One of the implications is that boolean has been widely used to discriminate the two while enum would be more appropriate. Such places would need to be cleaned up first. If you would like to do that, we could start with such refactorings once the feature freeze phase [1] finishes.

Thank you
--Hynek

[1] http://lists.jboss.org/pipermail/keycloak-dev/2018-September/011263.html

On Fri, Sep 28, 2018 at 2:35 PM Doswald Alistair wrote:

Implementation of artifact binding (JIRA KEYCLOAK-831)

Hello,

Last week I did a PoC implementation of the SAML artifact binding in a branch off keycloak 4.3.0.Final. The implementation can be seen here at https://github.com/AlistairDoswald/keycloak/tree/projectathon (don't judge me too harshly for the quality of the code if you look at it, I had about 2 days to have a working implementation, which included finding out how that part of the protocol worked). However, I now want to write a "correct" implementation against keycloak/master and if possible I'd like some feedback/advice on my intended implementation.

1. General implementation

From the description in the SAML specification (see section 3.6 here, https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf), artifact binding can be used for transmitting the request message, the response message or both. Initially, I intend only to do the implementation for the response messages. If I'm not mistaken, this means only for the Response and LogoutResponse messages. Would this be considered a suitable implementation of the JIRA?

2. User interface

When an SP requests an artifact, it can do so by specifying HTTP-Artifact instead of HTTP-POST or HTTP-Redirect, and the process is then transparent with regard to the configuration of the client. However, I believe that the client should have a "Force artifact binding" binary slider and also a field to specify an artifact binding address. In this manner, the artifact binding can be used in conjunction with the IdP initiated login method. Importing must also set the artifact binding address if it is present in the SP metadata.

3. IdP metadata

IdP metadata must contain at least one ArtifactResolutionService. I intend to have only one, with its index set to 0 and isDefault=true, and the binding set to the same address as the HTTP-POST (as for ECP).

4. Sending an artifact instead of the normal SAML message

This is the section for which I have the greatest uncertainty with respect to a correct implementation. Broadly this means intercepting the output response, and sending a 302 redirect or a POSTed form with the artifact instead. Considering the length of the artifact, I see no reason to use a form, but should this be an option in the GUI? More practically, this means generating the response, saving it in the cache, and sending the redirect (or form) instead. I believe that the client's cache would be the best place to save this information (through the AuthenticatedClientSessionModel to be precise), but I'm not certain because it's the first time I'm seeking to store some new information in the cache. The key would be the artifact, and the value in my view should be the document, as that way we can create a complete signed/encrypted ArtifactResponse containing the Response or LogoutResponse.

For the implementation details I'm not sure if it would be best to make the changes directly in the SamlProtocol class, or to do something similar to the SamlECPProfileService which overrides the methods of the SamlProtocol. For SamlECPProfileService the current implementation makes sense, but for artifact binding I fear there would be significant code duplication (of course, I could also do a mix with some small modifications in the SamlProtocol class and a SamlArtifactProfileService, or something similar). For triggering this artifact workflow, it would either be if the AuthnRequest has a ProtocolBinding set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact, or if the client has "force artifact binding" set to true.

5. Receiving an ArtifactResolve message

For this part, my current implementation seems correct to me: the soapBinding method in class SamlService is modified to check the contents of the SOAP message arriving: if it is an ArtifactResolve, the corresponding ArtifactResponse generated earlier is packaged in a SOAP message and sent as a response. If not, the ECP profile is tried. The key-ArtifactResponse pair is removed from the cache during this operation. I am, however, not sure yet how the cache should handle purging of expired ArtifactResponse messages that are never asked for.

6. Errors, logging and audit

Obviously, the error handling should work as described in the protocol, but also be logged as such. I don't think there are any messages to log at INFO, but the DEBUG logs should show the messages and allow an admin to easily put the entire sequence together. Also, I don't think there's any need for any extra information in the audit logs.

7. Tests

Obviously, I'll have to add some tests for these functions, which should be:
- Standard unit tests for individual functions that can be separated from objects that would otherwise have to be mocked
- Tests with Arquillian to test the flow with artifact binding (SP initiated and IdP initiated), the options available in the GUI (extra field, forced) as well as the error cases (i.e. asking twice for the same artifact, for an artifact that doesn't exist, etc...).

If you have any comments (anything missing, things that should be implemented differently in your view, etc...) feel free to let me know.

Best regards,
Alistair Doswald

_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

From jerry.saravia at virginpulse.com Tue Oct 23 12:24:49 2018
From: jerry.saravia at virginpulse.com (Jerry Saravia)
Date: Tue, 23 Oct 2018 16:24:49 +0000
Subject: [keycloak-dev] How to begin hacking with keycloak
In-Reply-To: <5BCF58C602000086000C3C68@gwia-internal01.atsisa.com>
References: <5BCF58C602000086000C3C68@gwia-internal01.atsisa.com>

I haven't contributed but I would suggest you do as they say

1. Fork the repo
2. Build it and make sure you can run the tests and run it locally.
3. Open up an issue on the repo to talk about something you'd like to fix, why you think it needs to be fixed and maybe a PR showing the initial development.

Jerry Saravia
Software Engineer
M516-603-6914
virginpulse.com | globalchallenge.virginpulse.com
492 Old Connecticut Path, Framingham, MA 01701, USA
Australia | Bosnia and Herzegovina | Brazil | Canada | Singapore | Switzerland | United Kingdom | USA

Confidentiality Notice: The information contained in this e-mail, including any attachment(s), is intended solely for use by the designated recipient(s).
Unauthorized use, dissemination, distribution, or reproduction of this message by anyone other than the intended recipient(s), or a person designated as responsible for delivering such messages to the intended recipient, is strictly prohibited and may be unlawful. This e-mail may contain proprietary, confidential or privileged information. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Virgin Pulse, Inc. If you have received this message in error, or are not the named recipient(s), please immediately notify the sender and delete this e-mail message.
v2.17

On 10/23/18, 11:22, "Dariusz Chrzascik" wrote:

From sthorger at redhat.com Tue Oct 23 13:44:05 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Tue, 23 Oct 2018 19:44:05 +0200
Subject: [keycloak-dev] How to begin hacking with keycloak
References: <5BCF58C602000086000C3C68@gwia-internal01.atsisa.com>

To get your feet wet it is a good idea to start with a bug. Look for bugs that do not already have anyone assigned, add a comment and state that you would like to contribute a fix. Remember we do like a bug fix to be accompanied by a test.
Once you've done a few bugs you should understand better what we expect from you, as well as the code base and testsuite; then you can look at implementing a feature or an enhancement. For feature requests and enhancements we do suggest you start a thread on the keycloak-dev mailing list prior to putting effort into it. This way we can confirm that it is a feature that we actually would like and we can have an initial chat around design. Having the conversation on keycloak-dev first can save you both time and frustration. At times we may need to reject particular features and enhancements as we do not want Keycloak to become bloated. This can be very disappointing if you have spent time on a feature only to have it rejected, so talk to us first! We also expect you to put the effort into fully testing and documenting your contributions.

Last point is it may make sense to pick something that you care about. A bug that may affect you, or is in an area of your expertise, or just something that sounds cool for you to work on.

On Tue, 23 Oct 2018 at 18:29, Jerry Saravia wrote:

From marco.scheuermann at daimler.com Wed Oct 24 02:05:26 2018
From: marco.scheuermann at daimler.com (marco.scheuermann at daimler.com)
Date: Wed, 24 Oct 2018 06:05:26 +0000
Subject: [keycloak-dev] User Profile Extension
References: <58587558-8979-41E0-8612-4147CA0ED31D@daimler.com> <6715C587-FC63-4CA6-A42F-DC4CC557CDCD@daimler.com> <7A027B91-1D78-466F-8EFA-8B3F4B2A4A02@daimler.com>
Message-ID: <5E21F3F8-53DB-444B-B58C-36A4FE1506AC@daimler.com>

Hi Lilian,

that sounds really good. I'd like to review your implementation if it also fulfills our requirements. How could we proceed?

Thx,
Marco

On 23.10.18, 14:07, "Lilian BENOIT" wrote:

Hi.

For one project, I extended Keycloak to implement login with mobile number or email.
I have implemented login and registration by mobile number. I used activation by code because a link is too long by SMS. But I could use a link reducer (internal or external).
I developed a new SPI to send SMS (inspired by EmailSenderProvider). It's to permit implementing a specific solution with our SMS provider.
Currently, I saved the mobile number in an attribute, but it's more elegant to use the mobile number the same as email (for example, activate or not authentication by mobile).
If there is a subject, I am interested to contribute.

Best Regards.
Lilian BENOIT.
On 2018-10-19 08:26, Stian Thorgersen wrote:
> I'd rather you consider contributing a fully functional feature in Keycloak itself, rather than extracting most of it into a separate service and only contributing a part of the feature to the rest of the community.
>
> On Fri, 19 Oct 2018 at 08:21, wrote:
>
>> Thank you Stian,
>>
>> I understand your point. I will create a longer description of our requirement and why it has a benefit for the community.
>>
>> Is that ok for you?
>>
>> Thank you,
>> Marco
>>
>> From: Stian Thorgersen
>> Reply to: "stian at redhat.com"
>> Date: Friday, 19 October 2018 at 08:14
>> To: "Scheuermann, Marco (059)"
>> Cc: keycloak-dev , "fabian.loewner at freiheit.com" , "Scollo, Carmelo (059)" , "Herrmann, David Christian (059)" , "Schmitt, Lukas (059)" < lukas.schmitt at daimler.com>
>> Subject: Re: [keycloak-dev] User Profile Extension
>>
>> I understand that you don't need it, but that's past the point. When adding new features and capabilities in Keycloak we need to consider the bigger picture and add things in a way that has wider use. We do not add solutions for one person.
>>
>> On Thu, 18 Oct 2018 at 11:51, wrote:
>>
>> Hi Stian,
>>
>> thank you for your answer.
>> We already implemented login with phone number. For that we created a microservice that communicates with Keycloak. The service does a ROPC with Keycloak, so from the Keycloak perspective we DO NOT NEED support for login with phone number.
>> Our only requirement was to extend the existing user profile by phone number, NOT to allow login via phone number.
>>
>> Greetings,
>> Marco
>>
>> From: Stian Thorgersen
>> Reply to: "stian at redhat.com"
>> Date: Thursday, 18 October 2018 at 11:33
>> To: "Scheuermann, Marco (059)"
>> Cc: keycloak-dev , "fabian.loewner at freiheit.com" , "Scollo, Carmelo (059)" , "Herrmann, David Christian (059)" , "Schmitt, Lukas (059)" < lukas.schmitt at daimler.com>
>> Subject: Re: [keycloak-dev] User Profile Extension
>>
>> Adding support for login with phone number isn't as trivial as simply adding another user attribute. The user storage SPI also has implications here since it's a supported API and we can't break backwards compatibility.
>>
>> To do this right we should discuss the correct approach. This would involve some configuration option for a realm to allow specifying what attributes can be used to authenticate the user. Some strategy for when there is more than one user with the same phone number. That could be unique, allowing the user to select from users with the phone number, or simply returning an error stating username has to be used.
>>
>> Then there's indexing to consider. For the phone number to be useful for a login it has to be indexed in the db. Caches should be able to look up a user based on phone number.
>>
>> Finally, and this is something we have problems with for email today. For email we had a limitation that email had to be unique. One email per user basically. This doesn't really work all that well and we had a rather hacky approach to allowing multiple users with the same email address. To extend to phone numbers we would need to address this properly and not introduce additional problems.
>>
>> On Thu, 18 Oct 2018 at 00:01, wrote:
>>
>> Hi Keycloak developers,
>>
>> my name is Marco and I am currently working on a Keycloak based user management solution for our company and have the following requirement:
>> We implemented a native One Time Password (OTP) login for our app. That means a user can login using email or mobile number. After that he gets a PIN via SMS/email which he can enter into the app to trigger the authentication flow.
>> During login we check if the user already exists. If not we guide him to a registration page. This check is implemented by using Keycloak's admin REST API.
>> We search for a user by email. It must also be possible to search by phone number because this attribute could also be used for login as already mentioned.
>> We added a custom attribute "mobile" to the user but the REST API does not allow searching for custom attributes.
>>
>> Our Requirement:
>> The user should be able to use email OR phone number for login. For that it should be possible to enter both attributes while registering a new user.
>> Currently Keycloak only offers a custom field for email, but no phone number.
>> Therefore we want to extend the User Profile by phone number. Would you accept such a Pull Request?
>>
>> Thank you,
>> Marco
From dchrzascik at novomatic-tech.com Wed Oct 24 04:06:09 2018
From: dchrzascik at novomatic-tech.com (Dariusz Chrzascik)
Date: Wed, 24 Oct 2018 10:06:09 +0200
Subject: [keycloak-dev] How to begin hacking with keycloak
References: <5BCF58C602000086000C3C68@gwia-internal01.atsisa.com>
Message-ID: <5BD0441102000086000C3D2B@gwia-internal01.atsisa.com>

Thank you for your exhaustive answer. This is what I was looking for.

Cheers,
Dariusz Chrzascik

>>> Stian Thorgersen 10/23/18 7:44 PM >>>
From sai-soma-kala.kalidindi at microfocus.com Thu Oct 25 12:24:33 2018
From: sai-soma-kala.kalidindi at microfocus.com (Kalidindi, Sai Soma Kala)
Date: Thu, 25 Oct 2018 16:24:33 +0000
Subject: [keycloak-dev] Keycloak Error : "User with user name XXXX already exists. How do you want to continue"

Hi,

We are planning on upgrading Keycloak to the latest 4.5.0 version from our old version 1.9.8. Reading through the docs, we cannot directly go from our old 1.9.8 to 4.5.0; we have to upgrade to intermediate versions first. Is this right? If so, what is the latest intermediate version we can migrate to, is it 2.5.5?

Thanks,
Sai.

From: Marek Posolda [mailto:mposolda at redhat.com]
Sent: Thursday, September 20, 2018 11:53 AM
To: Kalidindi, Sai Soma Kala
Cc: keycloak-dev
Subject: Re: [keycloak-dev] Keycloak Error : "User with user name XXXX already exists. How do you want to continue"

Hi,

this version is very old and no longer supported. Upgrade to the later version (ideally latest) is highly recommended.

Marek

On Wed, 19 Sep 2018 at 20:51, Kalidindi, Sai Soma Kala wrote:

Hi,

We are using the 1.9.8 version of Keycloak. We have a few customers who have integrated their identity providers like ADFS, OKTA, LDAP ... with our Keycloak and it works. Lately we are seeing the below error message after their successful initial login; this happens to a couple of users once in two weeks or so. When they try to login they see the error "User with user name XXXX already exists. How do you want to continue". Initially it used to happen once in a few months; at that time, I would go to the user_entity table in Keycloak and delete the entry with this username, and then when the user tries to log in, it works and the entry gets re-created. This is our fix for now: every time any user hits the above error, I delete the entry from the user_entity table.
Lately it has been happening once in a few days, and we are trying to find a permanent fix for this. I would like to understand why this is happening after a series of successful logins by the same user. We are using an old version of Keycloak; does upgrading to the latest version solve this issue? Any recommendation or help on the above error is greatly appreciated.

Thanks,
Sai.

From sthorger at redhat.com Wed Oct 31 01:36:07 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 31 Oct 2018 06:36:07 +0100
Subject: [keycloak-dev] Review Latvian translation

We have a PR for Latvian translations for Keycloak. Can someone from the community review it please?

https://github.com/keycloak/keycloak/pull/5676

From sthorger at redhat.com Wed Oct 31 01:37:51 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 31 Oct 2018 06:37:51 +0100
Subject: [keycloak-dev] Turkish translation review needed

We have a PR for Turkish translations for Keycloak. Can someone from the community review this please?

https://github.com/keycloak/keycloak/pull/5678

From sthorger at redhat.com Wed Oct 31 01:42:36 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 31 Oct 2018 06:42:36 +0100
Subject: [keycloak-dev] Review Dutch translation update

Can someone from the community please review updates to the Dutch translation?

From sthorger at redhat.com Wed Oct 31 01:42:52 2018
From: sthorger at redhat.com (Stian Thorgersen)
Date: Wed, 31 Oct 2018 06:42:52 +0100
Subject: [keycloak-dev] Review Dutch translation update

A bit too hasty with clicking send, here's the link: https://github.com/keycloak/keycloak/pull/5677

On Wed, 31 Oct 2018 at 06:42, Stian Thorgersen wrote:
> Can someone from the community please review updates to the Dutch translation?
From uo67113 at gmail.com Wed Oct 31 13:03:26 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 31 Oct 2018 18:03:26 +0100
Subject: [keycloak-dev] keycloak tomcat8 custom tests
In-Reply-To: <1539602843.8542.11.camel@ericsson.com>
References: <1539602843.8542.11.camel@ericsson.com>
Message-ID:

Hello there,

I need to write some tests and I would like to use the classes under org.keycloak.testsuite.pages and org.keycloak.testsuite.rule.

Including integration-arquillian-tests-base (4.6.0.Final-SNAPSHOT) allows me to use LoginPage (ho-ho!). However it fails miserably when I try loginPage.login("bburke", "password"); because the usernameInput attribute is null (ouch!)

I've tried desperately including the keycloak-testsuite-integration-deprecated artifact (4.6.0.Final-SNAPSHOT) in my project but no luck...

Any thoughts on this?

Thanks in advance,

Luis

From uo67113 at gmail.com Wed Oct 31 14:10:33 2018
From: uo67113 at gmail.com (Luis Rodríguez Fernández)
Date: Wed, 31 Oct 2018 19:10:33 +0100
Subject: [keycloak-dev] keycloak tomcat8 custom tests
In-Reply-To:
References: <1539602843.8542.11.camel@ericsson.com>
Message-ID:

Hello there,

OK, for the moment with something like

    @Before
    public void initBrowser() {
        // Headless HtmlUnit driver used as the test browser
        HtmlUnitTestDriver d = new HtmlUnitTestDriver();
        // The login page needs JavaScript; CSS is not needed for these tests
        d.getWebClient().getOptions().setJavaScriptEnabled(true);
        d.getWebClient().getOptions().setCssEnabled(false);
        // Generous request timeout (milliseconds) so slow page loads do not fail the test
        d.getWebClient().getOptions().setTimeout(1000000);
        browser = d;
    }

plus

    // Bind the LoginPage page object to the driver so its @FindBy fields are populated
    LoginPage loginPage = PageFactory.initElements(browser, LoginPage.class);

I can continue working.

Thanks!

Luis

On Wed, 31 Oct 2018 at 18:03, Luis Rodríguez Fernández (<uo67113 at gmail.com>) wrote:

> Hello there,
>
> I need to write some tests and I would like to use the classes under
> org.keycloak.testsuite.pages and org.keycloak.testsuite.rule
>
> Including integration-arquillian-tests-base (4.6.0.Final-SNAPSHOT) allows
> me to use LoginPage (ho-ho!). However it fails miserably when I
> try loginPage.login("bburke", "password"); because the usernameInput attribute
> is null (ouch!)
>
> I've tried desperately including the
> keycloak-testsuite-integration-deprecated artifact (4.6.0.Final-SNAPSHOT)
> in my project but no luck...
>
> Any thoughts on this?
>
> Thanks in advance,
>
> Luis
>

-- 
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better." - Samuel Beckett
