[keycloak-dev] keycloak-dev Digest, Vol 71, Issue 7

khaianisnizar2007 khaianisnizar2007 at gmail.com
Tue May 14 16:47:44 EDT 2019


Dear Keycloak developers,

What is the appropriate authorisation flow for mobile (Swift, Kotlin) applications? I used the code grant flow before for an SPA app (React JS). To use the same strong flow I am facing problems during the redirect URI to personalise the webview, but the end users continue to make remarks concerning the webview. I am thinking of using resource owner user credentials (passwords), but after a lot of searching I find a lot of bad recommendations, precisely about trusting the end user app (mobile). Can you advise or help me to adopt the best approach?

Best regards.

Sent from my Samsung Galaxy smartphone.
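The question above asks how a native app should use the authorization code flow instead of a webview or the resource owner password grant. The following is an added illustration by the editor, not an answer given on this list and not Keycloak's or the poster's code: it shows the app side of the code flow when the login is handed to the system browser, with the PKCE extension (RFC 7636), which the message does not mention but which is the standard hardening for a public client that cannot keep a client secret on the device. The base URL, realm, client id and redirect scheme are assumed values; the endpoint paths are Keycloak's standard OpenID Connect paths under the /auth context that Keycloak used at the time. Only the Python standard library is used, so it runs offline.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed (hypothetical) deployment values; not from the original post.
KEYCLOAK_BASE = "https://sso.example.com/auth"    # Keycloak of this era served under /auth
REALM = "myrealm"
CLIENT_ID = "mobile-app"                           # public client: no client secret on the device
REDIRECT_URI = "com.example.app:/oauth2redirect"   # private-use scheme handled by the OS, not a webview


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """43..128 unreserved characters; 32 random bytes encode to 43 characters."""
    return b64url(secrets.token_bytes(32))


def code_challenge_s256(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorization_request() -> tuple:
    """Return (url, state, verifier). Open url in the system browser; keep state and verifier in app memory."""
    verifier = make_code_verifier()
    state = b64url(secrets.token_bytes(16))
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    url = f"{KEYCLOAK_BASE}/realms/{REALM}/protocol/openid-connect/auth?{urlencode(params)}"
    return url, state, verifier


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Extract the code from the redirect the OS hands back; reject a state mismatch (CSRF / code injection)."""
    q = parse_qs(urlparse(callback_url).query)
    if "error" in q:
        raise RuntimeError(f"authorization failed: {q['error'][0]}")
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this authorization request")
    return q["code"][0]


def token_request_body(code: str, verifier: str) -> dict:
    """Form body for POST .../protocol/openid-connect/token: no client_secret, the verifier proves possession."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": verifier,
    }


if __name__ == "__main__":
    url, state, verifier = build_authorization_request()
    print("open in the system browser:", url)
    # Constructed callback, standing in for what the OS delivers to the app after login:
    callback = f"{REDIRECT_URI}?state={state}&code=SplxlOBeZQQYbYS6WxSbIA&session_state=abc"
    code = parse_callback(callback, state)
    print("token request:", token_request_body(code, verifier))
```

The verifier never leaves the device until the token request, so a code intercepted at the redirect is useless without it; the state check stops a callback from a different request being accepted. Keycloak enforces the challenge only if the client is configured as a public client and PKCE is required for it, so the server side needs that setting as well.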
-------- Original message --------
From: keycloak-dev-request at lists.jboss.org
Date: 13/05/2019 22:20 (GMT+00:00)
To: keycloak-dev at lists.jboss.org
Subject: keycloak-dev Digest, Vol 71, Issue 7

Send keycloak-dev mailing list submissions to
	keycloak-dev at lists.jboss.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.jboss.org/mailman/listinfo/keycloak-dev
or, via email, send a message with subject or body 'help' to
	keycloak-dev-request at lists.jboss.org

You can reach the person managing the list at
	keycloak-dev-owner at lists.jboss.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of keycloak-dev digest..."

Today's Topics:

   1. Re: Proposal: REST Endpoint for creating TOTP (Stian Thorgersen)
   2. Not properly closed connections in org.keycloak.adapters.ServerRequest (Maksym Gendin)
   3. Re: Cannot get UMA photoz example working (keycloak quickstart 6.0.1) (Olivier Rivat)
   4. How to enable logging on console for dev environment (Shiva Prasad Thagadur Prakash)
   5. Re: How to enable logging on console for dev environment (Michal Hajas)
   6. Re: How to enable logging on console for dev environment (Shiva Prasad Thagadur Prakash)
   7. Re: Typescript support for Node.js adapter (Bruno Oliveira)

----------------------------------------------------------------------

Message: 1
Date: Mon, 13 May 2019 10:57:50 +0200
From: Stian Thorgersen <sthorger at redhat.com>
Subject: Re: [keycloak-dev] Proposal: REST Endpoint for creating TOTP
To: Roland Werner <contributing.to.keycloak at gmail.com>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org>
Message-ID: <CAJgngAdRCZvrH+Wa13rGi93=0J1ZuN+dWW0NmELW36gDn1U2gw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Having an admin create OTP codes in this way and printing them out means there are more people with access to confidential secrets than needed. This is also a harder way for users to configure/enable OTP.

Further, it is not very future proof. Software OTP tokens are already pretty much legacy, so your company will at some point want to move to something more secure like WebAuthn Security Keys, in which case your approach of printing QR codes on paper won't work and you will need to change your process.

A better approach, which is what Keycloak already supports, is requiring users to enable OTP on first login. That way the secret is only exposed to Keycloak and the user, not to other systems and people. Further, this can easily be changed in the future to require users to register a WebAuthn security key, for instance.

With regards to the proposed endpoint, we do not want specific OTP endpoints like this, as we are working towards making Keycloak less hard-coded around the concept of software OTP and allowing flexibility to support any credential types.

On Mon, 13 May 2019 at 10:42, Roland Werner <contributing.to.keycloak at gmail.com> wrote:

> Hi,
>
> I noticed that the REST API (https://www.keycloak.org/docs-api/6.0/rest-api/index.html) does contain an endpoint "Remove TOTP from the user", but none that allows creating a TOTP for a user in the first place.
>
> I'm proposing to add this "create-totp" endpoint and would also contribute it. The call would look like this:
>
> curl -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer <token>' -i http://<keycloak-url>:<port>/auth/admin/realms/myrealm/users/<user-id>/create-totp
>
> and the reply as follows:
> {
>   "totpSecret": "aA3mIuIzvxTmC5gqUqpl",
>   "qrCode": "iVBORw0KGgoAAA...AAABJRU5ErkJggg=="
> }
>
> I would check the existence of TOTP on the requested user and would reply with 400 Bad Request and the message
> {
>   "errorMessage": "User already has totp. Remove first."
> }
> in that case (just to make sure that this doesn't happen by accident).
> One question in that respect: the JavaDoc of org.keycloak.representations.idm.UserRepresentation says that isTotp is deprecated, but doesn't say what to use instead. Can someone point me in the right direction here?
>
> I am aware that the current practice in Keycloak when adding a TOTP to a user is to instantly request a generated OTP and only if that is correct add the credential type to the user. Obviously this would not apply to the REST endpoint. However, as the endpoint is only reachable for an admin, I don't think this would result in a significant security loss, especially as the "remove-totp" endpoint can also be used without the need to enter an OTP.
>
> I suggest aligning the code with the behavior of the remove-totp endpoint, such that
> - it uses PUT
> - it is called on the given user
> - it requires the same admin rights
>
> The reason for my approach is that we want to introduce a process in our organisation where every user in the given realm is forced to use an OTP to log in, and there is no self-registration; instead the users are handed the QR code outside of Keycloak (on paper or digitally). In the meantime we use a custom plugin, but I would love to see this also make its way into standard Keycloak.
>
> What do you think?
>
> Thanks and Regards,
> Roland
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>

------------------------------

Message: 2
Date: Mon, 13 May 2019 13:36:30 +0200
From: Maksym Gendin <maksym.gendin at gmail.com>
Subject: [keycloak-dev] Not properly closed connections in org.keycloak.adapters.ServerRequest
To: keycloak-dev at lists.jboss.org
Message-ID: <CAKm1Xe+3EzfY-_gbLsfHJhbN474O9ift3FLtfFCCFv_yhwbgXA at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Dear Keycloak developers,

I have noticed a potential problem with closing the connections in the org.keycloak.adapters.ServerRequest#invokeClientManagementRequest method. I'm facing problems with the number of open files on a Linux machine and am trying to identify the source... Querying the open connections with netstat, I see a couple of connections in CLOSE_WAIT status from my microservice instances towards Keycloak...

Can someone confirm for me that the ServerRequest class closes the connections in a proper way?

Best regards
Maksym

------------------------------

Message: 3
Date: Mon, 13 May 2019 14:16:06 +0200
From: Olivier Rivat <orivat at janua.fr>
Subject: Re: [keycloak-dev] Cannot get UMA photoz example working (keycloak quickstart 6.0.1)
To: Sebastien Blanc <sblanc at redhat.com>
Cc: keycloak-dev <keycloak-dev at lists.jboss.org>, keycloak-user <keycloak-user at lists.jboss.org>
Message-ID: <646ae16a-96a3-1f24-2b31-62642dd7134e at janua.fr>
Content-Type: text/plain; charset=utf-8; format=flowed

The discrepancy is:

1) I was using the import command of the master realm to upload photoz-realm.json (it was my mistake)

2) you should do as follows:
a) select "Add realm"
b) select "Select File" and upload photoz-realm.json
---> the quickstart realm and everything is created successfully

It is the following text which has confused me quite a lot, and which should be documented more clearly (indicating to use the "Add realm" button, for example):

https://github.com/keycloak/keycloak-quickstarts/tree/latest/app-authz-photoz

    Create the Example Realm and a Resource Server

    Considering that your Keycloak Server is up and running, log in to the Keycloak Administration Console.

    Now, create a new realm based on the following configuration file:

    keycloak-quickstarts/app-authz-photoz/photoz-realm.json

    That will import a pre-configured realm with everything you need to run this quickstart. For more details about how to import a realm into Keycloak, check the Keycloak's reference documentation.

    After importing that file, you'll have a new realm called photoz.

Regards,
Olivier

On 12/05/2019 at 07:56, Sebastien Blanc wrote:
> I have used the import command, whereas one should use the "add realm"/select file, and the doc should mention to upload the file here.
> I think the keycloak quickstart guide doc example clarity could be improved with the above comment to avoid any further confusion

-- 
Olivier Rivat
CTO
orivat at janua.fr
Gsm: +33(0)682 801 609
Tél: +33(0)489 829 238
Fax: +33(0)955 260 370
http://www.janua.fr

------------------------------

Message: 4
Date: Mon, 13 May 2019 12:42:26 +0000
From: Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash at ericsson.com>
Subject: [keycloak-dev] How to enable logging on console for dev environment
To: "keycloak-dev at lists.jboss.org" <keycloak-dev at lists.jboss.org>
Message-ID: <1557751346.22248.3.camel at ericsson.com>
Content-Type: text/plain; charset="utf-8"

Hi Guys,

How do I enable logging on the console in the development environment? I am not able to see logs on the console when I start the keycloak server using "mvn -f testsuite/utils/pom.xml exec:java -Pkeycloak-server".

Thanks,
Shiva

------------------------------

Message: 5
Date: Mon, 13 May 2019 15:07:53 +0200
From: Michal Hajas <mhajas at redhat.com>
Subject: Re: [keycloak-dev] How to enable logging on console for dev environment
To: Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash at ericsson.com>
Cc: "keycloak-dev at lists.jboss.org" <keycloak-dev at lists.jboss.org>
Message-ID: <CACv4bCQL996OqNq1C08SGD=X02F9cUpyB5vP=2sUf1p30qOfuw at mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi,

you need to add the property -Dkeycloak.logging.level=debug. See:
https://github.com/keycloak/keycloak/blob/master/testsuite/utils/src/main/resources/log4j.properties#L26

Regards,
Michal Hajas

On Mon, May 13, 2019 at 2:44 PM Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash at ericsson.com> wrote:

> Hi Guys,
> How do I enable logging on the console in the development environment? I am not able to see logs on the console when I start the keycloak server using "mvn -f testsuite/utils/pom.xml exec:java -Pkeycloak-server".
>
> Thanks,
> Shiva
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

------------------------------

Message: 6
Date: Mon, 13 May 2019 13:29:53 +0000
From: Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash at ericsson.com>
Subject: Re: [keycloak-dev] How to enable logging on console for dev environment
To: "mhajas at redhat.com" <mhajas at redhat.com>
Cc: "keycloak-dev at lists.jboss.org" <keycloak-dev at lists.jboss.org>
Message-ID: <1557754193.22248.6.camel at ericsson.com>
Content-Type: text/plain; charset="utf-8"

Hi Michal Hajas,

Thank you very much.

Best regards,
Shiva

On Mon, 2019-05-13 at 15:07 +0200, Michal Hajas wrote:
> Hi,
>
> you need to add the property -Dkeycloak.logging.level=debug. See:
> https://github.com/keycloak/keycloak/blob/master/testsuite/utils/src/main/resources/log4j.properties#L26
>
> Regards,
> Michal Hajas
>
> On Mon, May 13, 2019 at 2:44 PM Shiva Prasad Thagadur Prakash <shiva.prasad.thagadur.prakash at ericsson.com> wrote:
> > Hi Guys,
> > How do I enable logging on the console in the development environment? I am not able to see logs on the console when I start the keycloak server using "mvn -f testsuite/utils/pom.xml exec:java -Pkeycloak-server".
> >
> > Thanks,
> > Shiva
> >
> > _______________________________________________
> > keycloak-dev mailing list
> > keycloak-dev at lists.jboss.org
> > https://lists.jboss.org/mailman/listinfo/keycloak-dev

------------------------------

Message: 7
Date: Mon, 13 May 2019 19:17:09 -0300
From: Bruno Oliveira <bruno at abstractj.org>
Subject: Re: [keycloak-dev] Typescript support for Node.js adapter
To: Stan Silvert <ssilvert at redhat.com>
Cc: evanshortiss at gmail.com, keycloak-dev at lists.jboss.org
Message-ID: <20190513221709.GC1516 at abstractj.org>
Content-Type: text/plain; charset=utf-8

Thanks Stan, I'm adding Evan so he can provide his thoughts on it.

On 2019-05-10, Stan Silvert wrote:
> On 5/10/2019 8:15 AM, Bruno Oliveira wrote:
> > If you ask me, I'm not crazy about the idea of providing Typescript definitions inside the Node.js adapter. And there's a single request from the community about it.
> >
> > At the same time, it's hard to ignore some numbers. The weekly NPM downloads for Typescript are almost 5 million[1] and for ts-node[2] almost 2 million.
> >
> > The goal of that PR is to provide only the Typescript definitions for the Node.js adapter, so that projects using the adapter can benefit from it. If we agree to move forward with this, I believe some automated way to generate it has to be provided.
> >
> > Thoughts?
> Yes, you should provide it. These days, every serious javascript library is expected to have a definition file.
>
> I don't think there would be any way to automate creation of the file unless you write your code in TypeScript.
>
> > [1] - https://www.npmjs.com/package/typescript
> > [2] - https://www.npmjs.com/package/ts-node
> >
> > On 2019-05-10, Stian Thorgersen wrote:
> >> Is Typescript commonly used in the Node.js community? From what I understand it is very popular with client-side js these days.
> >>
> >> On Thu, 9 May 2019 at 20:59, Bruno Oliveira <bruno at abstractj.org> wrote:
> >>
> >>> Good morning, we have this PR opened a long time ago
> >>> https://github.com/keycloak/keycloak-nodejs-connect/pull/123/files.
> >>> Before reviewing it and probably updating it I would like to ask.
> >>>
> >>> Is Typescript something that we would like to support in the Node.js adapter? If your answer is yes, why?
> >>>
> >>> --
> >>> - abstractj
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev at lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> > _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

-- 
abstractj

------------------------------

_______________________________________________
keycloak-dev mailing list
keycloak-dev at lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev

End of keycloak-dev Digest, Vol 71, Issue 7
*******************************************
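Message 1 of the digest above turns on two points that are easier to see in code: Roland describes Keycloak's practice of requesting one generated OTP from the user and adding the credential only if that code verifies, and Stian argues that the secret should be exposed to Keycloak and the user only. The block below is an added example by the editor, not Keycloak's implementation and not code from the thread. It implements RFC 6238 TOTP (HMAC-SHA1, 6 digits, 30-second step, assumed here because they are the common authenticator defaults) and a minimal confirm-before-persist enrolment in the same spirit; OtpEnrollment, the issuer label and the stored dict are illustrative names, and the sample secret in the usage call is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter as 8-byte big-endian)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(T / period)."""
    return hotp(secret, at // period, digits, algorithm)


def verify_totp(secret: bytes, submitted: str, at: int, look_around: int = 1, period: int = 30) -> bool:
    """Accept the code for the current step or +/- look_around neighbouring steps (clock skew).
    Constant-time comparison so the check does not leak how many digits matched."""
    step = at // period
    for delta in range(-look_around, look_around + 1):
        if hmac.compare_digest(hotp(secret, step + delta), submitted):
            return True
    return False


class OtpEnrollment:
    """Confirm-before-persist enrolment (illustrative, not Keycloak's class):
    the secret exists only in this server-side object and on the user's device
    until the user proves possession with one valid code; only then is it stored."""

    def __init__(self, issuer: str, username: str):
        self.issuer, self.username = issuer, username
        self.secret = secrets.token_bytes(20)      # 160-bit secret, as RFC 4226 recommends
        self.stored = None                          # what would be written to the credential store

    def otpauth_uri(self) -> str:
        """Content of the QR code shown to the user once; it is never logged or handed to a third party."""
        b32 = base64.b32encode(self.secret).decode("ascii").rstrip("=")
        label = quote(f"{self.issuer}:{self.username}")
        return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(self.issuer)}"
                f"&algorithm=SHA1&digits=6&period=30")

    def confirm(self, submitted: str, at: int = None) -> bool:
        """Persist the credential only if the device produced a valid code; a mistyped or
        wrongly scanned secret is caught here instead of locking the user out at next login."""
        at = int(time.time()) if at is None else at
        if not verify_totp(self.secret, submitted, at):
            return False
        self.stored = {"type": "otp", "algorithm": "HmacSHA1", "digits": 6, "period": 30,
                       "secret": self.secret}
        return True


if __name__ == "__main__":
    # RFC 6238 Appendix B test key and times (8-digit vectors), to show the generator is correct.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59, digits=8), totp(rfc_secret, 1111111109, digits=8))
    enrolment = OtpEnrollment("Example Corp", "alice")
    print("scan:", enrolment.otpauth_uri())
    now = int(time.time())
    print("wrong code accepted?", enrolment.confirm("no-code", now))
    print("right code accepted?", enrolment.confirm(totp(enrolment.secret, now), now))
```

Compared with the proposed create-totp endpoint, nothing in this path puts the secret in an admin's response body or on paper: the QR content is rendered for the user once and the store receives the secret only after the device has proven it has the same one. The same confirm step is what Keycloak's first-login "configure OTP" required action performs for the user.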

